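# Test workflow: lint the Dockerfile with hadolint, build the image, and scan
# both the image and the checked-out source tree with Trivy. Findings always go
# to the job summary; SARIF uploads to the Security tab are gated to public
# repositories (code scanning on private repos needs a GHAS licence).
#
# NOTE(review): every `uses:` below is pinned to a tag, not a commit SHA. Tags
# are mutable, so a compromised or force-pushed tag would run different code
# with this workflow's token. Pin each action to its full 40-character commit
# SHA (keeping the tag as a trailing comment) before relying on this outside a
# test repository.
name: Test Trivy Scanning

on:
  push:
    branches: [main]
  # The build job runs the PR's Dockerfile (including its RUN steps) on the
  # runner. That is acceptable only because the trigger is `pull_request`, where
  # fork PRs receive a read-only GITHUB_TOKEN and no repository secrets. Never
  # switch this to `pull_request_target`.
  pull_request:
  workflow_dispatch: # Manual trigger for testing

# Least privilege: the token defaults to read-only and only the jobs that call
# upload-sarif are granted `security-events: write`. A job-level `permissions`
# block replaces this one rather than extending it, so those jobs re-state
# `contents: read` for checkout.
permissions:
  contents: read

jobs:
  hadolint:
    name: Dockerfile Lint
    runs-on: ubuntu-latest
    timeout-minutes: 10
    permissions:
      contents: read
      security-events: write # required by github/codeql-action/upload-sarif
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Run Hadolint
        uses: hadolint/hadolint-action@v3.1.0
        with:
          dockerfile: Dockerfile
          format: sarif
          output-file: hadolint.sarif
          no-fail: true # lint findings are reported, not enforced, in this test workflow

      - name: Add Hadolint results to Job Summary
        run: |
          echo "## 🐳 Hadolint Dockerfile Analysis" >> "$GITHUB_STEP_SUMMARY"
          echo "" >> "$GITHUB_STEP_SUMMARY"
          # A missing or empty SARIF file is a tooling failure, not a clean
          # result - never let it fall through to "No issues found".
          if [ ! -s hadolint.sarif ]; then
            echo "⚠️ **No SARIF output** - hadolint did not produce hadolint.sarif" >> "$GITHUB_STEP_SUMMARY"
            exit 1
          fi
          # Parse SARIF and extract readable results. jq's stderr is deliberately
          # NOT discarded: the step runs under GitHub's default `bash -e`, so a
          # jq failure (e.g. a schema change) aborts it, and the message should
          # be visible in the log rather than silently swallowed.
          ISSUES=$(jq -r '.runs[0].results[] | "- **\(.ruleId)** (line \(.locations[0].physicalLocation.region.startLine)): \(.message.text)"' hadolint.sarif)
          if [ -n "$ISSUES" ]; then
            echo "### Issues Found" >> "$GITHUB_STEP_SUMMARY"
            echo "$ISSUES" >> "$GITHUB_STEP_SUMMARY"
          else
            echo "✅ **No issues found** - Dockerfile follows best practices" >> "$GITHUB_STEP_SUMMARY"
          fi

      - name: Upload Hadolint SARIF to Security tab
        uses: github/codeql-action/upload-sarif@v4
        if: github.event.repository.visibility == 'public'
        with:
          sarif_file: hadolint.sarif
          category: hadolint

  build-and-scan:
    name: Build & Trivy Scan
    runs-on: ubuntu-latest
    timeout-minutes: 30
    permissions:
      contents: read
      security-events: write # required by github/codeql-action/upload-sarif
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      # github.sha is a fixed-format hex string, so interpolating it into the
      # shell command is safe; do not extend this pattern to attacker-controlled
      # context values such as PR titles or branch names.
      - name: Build Docker image locally
        run: docker build -t trivy-test:${{ github.sha }} .

      # NOTE(review): `ignore-unfixed: true` hides every finding that has no
      # upstream fix yet. Those vulnerabilities are still present in the image;
      # review the unfiltered report periodically so they are not forgotten.
      - name: Run Trivy (table output for summary)
        uses: aquasecurity/trivy-action@0.28.0
        with:
          image-ref: 'trivy-test:${{ github.sha }}'
          format: 'table'
          output: 'trivy-table.txt'
          exit-code: '0' # Non-blocking for visibility
          ignore-unfixed: true
          vuln-type: 'os,library'
          severity: 'CRITICAL,HIGH,MEDIUM'
          trivyignores: ${{ hashFiles('.trivyignore') != '' && '.trivyignore' || '' }}

      - name: Add Trivy results to Job Summary
        run: |
          echo "## 🐳 Container Image Vulnerabilities" >> "$GITHUB_STEP_SUMMARY"
          echo "Image: \`trivy-test:${{ github.sha }}\`" >> "$GITHUB_STEP_SUMMARY"
          echo '```' >> "$GITHUB_STEP_SUMMARY"
          cat trivy-table.txt >> "$GITHUB_STEP_SUMMARY"
          echo '```' >> "$GITHUB_STEP_SUMMARY"

      # Filesystem scan - table output for Job Summary
      # NOTE: Must run BEFORE any SARIF scans to avoid TRIVY_FORMAT env var pollution
      - name: Run Trivy filesystem scan (table output)
        uses: aquasecurity/trivy-action@0.28.0
        with:
          scan-type: 'fs'
          scan-ref: '.'
          format: 'table'
          output: 'trivy-fs-table.txt'
          exit-code: '0'
          ignore-unfixed: true
          vuln-type: 'library'
          severity: 'CRITICAL,HIGH,MEDIUM'
          trivyignores: ${{ hashFiles('.trivyignore') != '' && '.trivyignore' || '' }}

      - name: Add Trivy filesystem results to Job Summary
        run: |
          echo "" >> "$GITHUB_STEP_SUMMARY"
          echo "## 📦 Source Dependency Vulnerabilities" >> "$GITHUB_STEP_SUMMARY"
          echo "" >> "$GITHUB_STEP_SUMMARY"
          echo '```' >> "$GITHUB_STEP_SUMMARY"
          cat trivy-fs-table.txt >> "$GITHUB_STEP_SUMMARY"
          echo '```' >> "$GITHUB_STEP_SUMMARY"

      # SARIF scans run last to prevent TRIVY_FORMAT env var from polluting table scans
      # NOTE: Image SARIF paths (e.g., /app/package.json) don't map to repo files,
      # so alerts won't appear in GitHub Security tab. Kept for demonstration only.
      # For actual Security tab alerts, use the filesystem scan below.
      - name: Run Trivy (SARIF output - Security tab)
        uses: aquasecurity/trivy-action@0.28.0
        if: github.event.repository.visibility == 'public'
        with:
          image-ref: 'trivy-test:${{ github.sha }}'
          format: 'sarif'
          output: 'trivy-results.sarif'
          exit-code: '0'
          ignore-unfixed: true
          vuln-type: 'os,library'
          severity: 'CRITICAL,HIGH,MEDIUM'
          trivyignores: ${{ hashFiles('.trivyignore') != '' && '.trivyignore' || '' }}

      - name: Upload Trivy image SARIF to GitHub Security tab
        uses: github/codeql-action/upload-sarif@v4
        if: github.event.repository.visibility == 'public'
        with:
          sarif_file: 'trivy-results.sarif'
          category: trivy-image

      # Filesystem scan - SARIF for Security tab (paths map to repo files)
      - name: Run Trivy filesystem scan (SARIF output)
        uses: aquasecurity/trivy-action@0.28.0
        if: github.event.repository.visibility == 'public'
        with:
          scan-type: 'fs'
          scan-ref: '.'
          format: 'sarif'
          output: 'trivy-fs-results.sarif'
          exit-code: '0'
          ignore-unfixed: true
          vuln-type: 'library'
          severity: 'CRITICAL,HIGH,MEDIUM'
          trivyignores: ${{ hashFiles('.trivyignore') != '' && '.trivyignore' || '' }}

      - name: Upload Trivy filesystem SARIF to GitHub Security tab
        uses: github/codeql-action/upload-sarif@v4
        if: github.event.repository.visibility == 'public'
        with:
          sarif_file: 'trivy-fs-results.sarif'
          category: trivy-fs

  # Demonstrates the enforcing configuration: exit-code 1 fails the job when a
  # fixable CRITICAL is found. continue-on-error keeps the overall run green
  # here; drop it (and the "Test" wording) when promoting this to a real gate.
  test-blocking-mode:
    name: Test Blocking Mode (CRITICAL only)
    runs-on: ubuntu-latest
    timeout-minutes: 30
    continue-on-error: true # Allow job to "fail" for testing purposes
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Build Docker image locally
        run: docker build -t trivy-test:${{ github.sha }} .

      - name: Run Trivy (blocking mode - fails on CRITICAL)
        uses: aquasecurity/trivy-action@0.28.0
        with:
          image-ref: 'trivy-test:${{ github.sha }}'
          format: 'table'
          exit-code: '1' # Fail workflow if CRITICAL vulnerabilities found
          ignore-unfixed: true # unfixed CRITICALs do NOT block - see note above
          vuln-type: 'os,library'
          severity: 'CRITICAL'
          trivyignores: ${{ hashFiles('.trivyignore') != '' && '.trivyignore' || '' }}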