Trivy Scan #22

Workflow file for this run

.github/workflows/early-daily-trivy.yml at d41b999

	name: Trivy Scan

	on:
	# every morning at 7am (winter) or 8am (summer)
	schedule:
	- cron: "0 6 * * *"
	# Allow to run this workflow manually
	workflow_dispatch:

	env:
	CONTAINER_REGISTRY: ghcr.io
	CONTAINER_IMAGE_NAME: ${{ github.repository }}
	CONTAINER_IMAGE_VERSION: ${{ github.sha }} # sha of the last commit of the default branch

	jobs:
	reset-trivy-cache:
	runs-on: ubuntu-latest
	steps:
	- name: Remove all caches and database of the trivy scanner
	uses: aquasecurity/trivy-action@84384bd6e777ef152729993b8145ea352e9dd3ef
	env:
	TRIVY_RESET: true
	with:
	scan-type: "image"
	- name: Download trivy vulnerabilities DB
	uses: aquasecurity/trivy-action@84384bd6e777ef152729993b8145ea352e9dd3ef
	env:
	TRIVY_DOWNLOAD_DB_ONLY: true
	with:
	scan-type: "image"
	- name: Download trivy Java index DB
	uses: aquasecurity/trivy-action@84384bd6e777ef152729993b8145ea352e9dd3ef
	env:
	TRIVY_DOWNLOAD_JAVA_DB_ONLY: true
	with:
	scan-type: "image"

	vulnerability-scan-frontend:
	runs-on: ubuntu-latest
	needs: reset-trivy-cache
	permissions:
	contents: read
	id-token: write # for cosign w/ keyless signing
	packages: write # for updating cosign attestation
	security-events: write
	steps:
	- uses: actions/checkout@v4
	- name: Run Trivy vulnerability file scanner
	# Third-party action, pin to commit SHA!
	# See https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions
	uses: aquasecurity/trivy-action@84384bd6e777ef152729993b8145ea352e9dd3ef
	with:
	scan-type: "fs"
	scan-ref: "./frontend"
	skip-dirs: "node_modules" # See https://github.com/aquasecurity/trivy/issues/1283
	format: "sarif"
	output: "trivy-results.sarif"
	- name: Check trivy results
	run: \|
	if grep -qE 'HIGH\|CRITICAL' trivy-results.sarif; then
	echo "Vulnerabilities found"
	exit 1
	else
	echo "No significant vulnerabilities found"
	exit 0
	fi
	- name: Upload Trivy file scan results to GitHub Security tab
	uses: github/codeql-action/upload-sarif@v3
	if: ${{ always() && github.ref == 'refs/heads/main' }} # Bypass non-zero exit code..
	with:
	sarif_file: "trivy-results.sarif"
	category: trivy-fs-scan
	- name: Send status to Slack
	# Third-party action, pin to commit SHA!
	# See https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions
	uses: digitalservicebund/notify-on-failure-gha@15dd05b628141b7bac0ad26e08c1935cb3ba6bc8 # v1.4.0
	if: ${{ failure() && github.ref == 'refs/heads/main' }}
	with:
	SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}


	vulnerability-scan-backend:
	runs-on: ubuntu-latest
	needs: reset-trivy-cache
	permissions:
	contents: read
	id-token: write # for cosign w/ keyless signing
	packages: write # for updating cosign attestation
	security-events: write
	steps:
	- uses: actions/checkout@v4
	- name: Run Trivy vulnerability image scanner
	uses: aquasecurity/trivy-action@84384bd6e777ef152729993b8145ea352e9dd3ef
	with:
	image-ref: ${{ env.CONTAINER_REGISTRY }}/${{ env.CONTAINER_IMAGE_NAME }}/backend:${{ env.CONTAINER_IMAGE_VERSION }}
	format: "sarif"
	output: "trivy-results.sarif"
	- name: Check trivy results
	run: \|
	if grep -qE 'HIGH\|CRITICAL' trivy-results.sarif; then
	echo "Vulnerabilities found"
	exit 1
	else
	echo "No significant vulnerabilities found"
	exit 0
	fi
	- name: Upload Trivy image scan results to GitHub Security tab
	uses: github/codeql-action/upload-sarif@v3
	if: ${{ always() && github.ref == 'refs/heads/main' }} # Bypass non-zero exit code..
	with:
	sarif_file: "trivy-results.sarif"
	category: trivy-image-scan
	- name: Generate cosign vulnerability scan record
	uses: aquasecurity/trivy-action@84384bd6e777ef152729993b8145ea352e9dd3ef
	env:
	TRIVY_USERNAME: ${{ github.actor }}
	TRIVY_PASSWORD: ${{ secrets.GITHUB_TOKEN }}
	with:
	image-ref: ${{ env.CONTAINER_REGISTRY }}/${{ env.CONTAINER_IMAGE_NAME }}/backend:${{ env.CONTAINER_IMAGE_VERSION }}
	format: "cosign-vuln"
	output: "vuln-backend.json"
	- name: Install cosign
	uses: sigstore/cosign-installer@e1523de7571e31dbe865fd2e80c5c7c23ae71eb4
	- name: Log into container registry
	uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d
	with:
	registry: ${{ env.CONTAINER_REGISTRY }}
	username: ${{ github.actor }}
	password: ${{ secrets.GITHUB_TOKEN }}
	- name: Attest vulnerability scan
	run: cosign attest --yes --replace --predicate vuln-backend.json --type vuln ${{ env.CONTAINER_REGISTRY }}/${{ env.CONTAINER_IMAGE_NAME }}/backend:${{ env.CONTAINER_IMAGE_VERSION }}
	env:
	COSIGN_EXPERIMENTAL: "true"
	- name: Send status to Slack
	uses: digitalservicebund/notify-on-failure-gha@15dd05b628141b7bac0ad26e08c1935cb3ba6bc8 # v1.4.0
	if: ${{ failure() && github.ref == 'refs/heads/main' }}
	with:
	SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}


	vulnerability-scan-time-machine:
	runs-on: ubuntu-latest
	needs: reset-trivy-cache
	steps:
	- name: Checkout code
	uses: actions/checkout@v4
	- name: Run Trivy vulnerability scanner in repo mode
	uses: aquasecurity/trivy-action@84384bd6e777ef152729993b8145ea352e9dd3ef
	with:
	scan-type: "fs"
	scan-ref: "./time-machine"
	format: "sarif"
	output: "trivy-results.sarif"
	severity: "CRITICAL,HIGH" #ignored by sarif report
	- name: Check trivy results
	run: \|
	if grep -qE 'HIGH\|CRITICAL' trivy-results.sarif; then
	echo "Vulnerabilities found"
	exit 1
	else
	echo "No significant vulnerabilities found"
	exit 0
	fi
	- name: Upload Trivy scan results to GitHub Security tab
	if: ${{ always() && github.ref == 'refs/heads/main' }} # Bypass non-zero exit code..
	uses: github/codeql-action/upload-sarif@v3
	with:
	sarif_file: "trivy-results.sarif"
	- name: Send status to Slack
	# Third-party action, pin to commit SHA!
	# See https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions
	uses: digitalservicebund/notify-on-failure-gha@15dd05b628141b7bac0ad26e08c1935cb3ba6bc8 # v1.4.0
	if: ${{ failure() && github.ref == 'refs/heads/main' }}
	with:
	SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}


	vulnerability-scan-vs-code-extension:
	runs-on: ubuntu-latest
	needs: reset-trivy-cache
	steps:
	- name: Checkout code
	uses: actions/checkout@v4
	- name: Run Trivy vulnerability scanner in repo mode
	uses: aquasecurity/trivy-action@84384bd6e777ef152729993b8145ea352e9dd3ef
	with:
	scan-type: "fs"
	scan-ref: "./vscode-extension"
	format: "sarif"
	output: "trivy-results.sarif"
	severity: "CRITICAL,HIGH" #ignored by sarif report
	- name: Check trivy results
	run: \|
	if grep -qE 'HIGH\|CRITICAL' trivy-results.sarif; then
	echo "Vulnerabilities found"
	exit 1
	else
	echo "No significant vulnerabilities found"
	exit 0
	fi
	- name: Upload Trivy scan results to GitHub Security tab
	if: ${{ always() && github.ref == 'refs/heads/main' }} # Bypass non-zero exit code..
	uses: github/codeql-action/upload-sarif@v3
	with:
	sarif_file: "trivy-results.sarif"
	- name: Send status to Slack
	# Third-party action, pin to commit SHA!
	# See https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions
	uses: digitalservicebund/notify-on-failure-gha@15dd05b628141b7bac0ad26e08c1935cb3ba6bc8 # v1.4.0
	if: ${{ failure() && github.ref == 'refs/heads/main' }}
	with:
	SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Trivy Scan #22

Workflow file

Trivy Scan #22

Jobs

Run details

Workflow file for this run