daos/.github/workflows/trivy.yml at f6b827e3e882c0dc886868a9f7bb4f9816c06d7a · daos-stack/daos · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
# SPDX-License-Identifier: BSD-2-Clause-Patent
# Copyright (c) 2024 Intel Corporation.

name: Trivy scan

on:
  workflow_dispatch:
  schedule:
    - cron: '0 0 * * *'
  push:
    branches: ["master", "release/**"]
  pull_request:
    branches: ["master", "release/**"]
    paths:
      - .github/workflows/trivy.yml
      - requirements-*.txt
      - src/client/java/**/pom.xml
      - src/control/go.mod
      - src/control/vendor/**
      - utils/build.config
      - utils/rpms/**
      - utils/scripts/install-*.sh
      - utils/trivy/**

# Declare default permissions as nothing.
permissions: {}

jobs:
  scan:
    name: Scan with Trivy
    runs-on: ubuntu-latest
    permissions:
      security-events: write
    steps:
      - name: Checkout code
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2

      - name: Run Trivy vulnerability scanner in filesystem mode (table format)
        uses: aquasecurity/trivy-action@ed142fd0673e97e23eac54620cfb913e5ce36c25  # 0.36.0
        with:
          scan-type: 'fs'
          scan-ref: '.'
          trivy-config: 'utils/trivy/trivy.yaml'

      - name: Prepare the report to be uploaded to the GitHub artifact store
        run: |
          mkdir report
          cp trivy-report-daos.txt report
          cp utils/trivy/.trivyignore report/trivyignore.txt

      - name: Upload the report to the GitHub artifact store
        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a  # v7.0.1
        with:
          path: report/*
          name: trivy-report-daos

      - name: Adjust config file to use sarif format
        run: |
          sed -i 's/output: "trivy-report-daos.txt"/output: "trivy-results.sarif"/g' \
            utils/trivy/trivy.yaml
          sed -i 's/format: template/format: sarif/g' utils/trivy/trivy.yaml

      - name: Run Trivy vulnerability scanner in filesystem mode (sarif format)
        uses: aquasecurity/trivy-action@ed142fd0673e97e23eac54620cfb913e5ce36c25  # 0.36.0
        with:
          scan-type: 'fs'
          scan-ref: '.'
          trivy-config: 'utils/trivy/trivy.yaml'

      - name: Upload Trivy scan results to GitHub Security tab
        uses: github/codeql-action/upload-sarif@9e0d7b8d25671d64c341c19c0152d693099fb5ba  # v4.35.5
        with:
          sarif_file: 'trivy-results.sarif'

      - name: Adjust config file to show and validate scan results
        run: |
          sed -i 's/output: "trivy-results.sarif"//g' utils/trivy/trivy.yaml
          sed -i 's/format: sarif/format: table/g' utils/trivy/trivy.yaml
          sed -i 's/exit-code: 0/exit-code: 1/g' utils/trivy/trivy.yaml

      - name: Run Trivy vulnerability scanner in filesystem mode (human readable format)
        uses: aquasecurity/trivy-action@ed142fd0673e97e23eac54620cfb913e5ce36c25  # 0.36.0
        with:
          scan-type: 'fs'
          scan-ref: '.'
          trivy-config: 'utils/trivy/trivy.yaml'