forked from agntcy/slim
-
Notifications
You must be signed in to change notification settings - Fork 0
161 lines (145 loc) · 5.48 KB
/
Copy pathcontainer-security-scan.yml
File metadata and controls
161 lines (145 loc) · 5.48 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
# Copyright AGNTCY Contributors (https://github.com/agntcy)
# SPDX-License-Identifier: Apache-2.0
---
name: ci-container-security-scan
on:
# Nightly scan on main branch only; manual dispatch allowed.
schedule:
- cron: '0 3 * * *' # Daily at 03:00 UTC (runs on default branch context: main)
workflow_dispatch:
permissions:
contents: read
actions: read
jobs:
trivy-scan:
name: Trivy Image Scan (Pull from GHCR)
permissions:
contents: read
security-events: write # for uploading SARIF
issues: write # create issues for critical CVEs
runs-on: ubuntu-latest
strategy:
fail-fast: false
matrix:
include:
- image: slim-node
repo: ghcr.io/${{ github.repository_owner }}/slim
version: latest
- image: slim-controller
repo: ghcr.io/${{ github.repository_owner }}/slim/control-plane
version: latest
- image: spire-server
repo: ghcr.io/spiffe/spire-server
version: 1.14.5
- image: spire-agent
repo: ghcr.io/spiffe/spire-agent
version: 1.14.5
steps:
- name: Checkout
uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
with:
persist-credentials: false
- name: Log in to GHCR
uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
with:
registry: ghcr.io
username: ${{ github.repository_owner }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Pull image (explicit version)
env:
IMAGE_REPO: ${{ matrix.repo }}
IMAGE_VERSION: ${{ matrix.version }}
run: |
set -euo pipefail
IMAGE_REF="${IMAGE_REPO}:${IMAGE_VERSION}"
echo "Pulling $IMAGE_REF"
docker pull "$IMAGE_REF"
docker image inspect "$IMAGE_REF" >/dev/null 2>&1
- name: Install Trivy
env:
TRIVY_VERSION: "0.71.1"
run: |
curl -fsSL "https://github.com/aquasecurity/trivy/releases/download/v${TRIVY_VERSION}/trivy_${TRIVY_VERSION}_Linux-64bit.deb" -o trivy.deb
sudo dpkg -i trivy.deb
rm trivy.deb
- name: Run Trivy vulnerability scan (image)
env:
IMAGE_REPO: ${{ matrix.repo }}
IMAGE_VERSION: ${{ matrix.version }}
IMAGE_NAME: ${{ matrix.image }}
run: |
trivy image \
--format sarif \
--output "trivy-${IMAGE_NAME}.sarif" \
--vuln-type os,library \
--severity CRITICAL,HIGH,MEDIUM \
--ignore-unfixed \
"${IMAGE_REPO}:${IMAGE_VERSION}"
- name: Export image metadata
env:
IMAGE_REPO: ${{ matrix.repo }}
IMAGE_VERSION: ${{ matrix.version }}
IMAGE_NAME: ${{ matrix.image }}
run: echo "${IMAGE_REPO}:${IMAGE_VERSION}" > "trivy-${IMAGE_NAME}.meta"
- name: Upload SARIF
uses: github/codeql-action/upload-sarif@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4.36.2
with:
sarif_file: trivy-${{ matrix.image }}.sarif
# Distinguish reports per container image in Code Scanning UI
category: trivy-${{ matrix.image }}
- name: Upload report artifacts
uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
with:
name: trivy-report-${{ matrix.image }}
path: |
trivy-${{ matrix.image }}.sarif
trivy-${{ matrix.image }}.meta
retention-days: 7
summarize:
name: Summarize Results
permissions:
contents: read
issues: write # create issues for critical CVEs
needs: [trivy-scan]
runs-on: ubuntu-latest
if: always()
steps:
- name: Checkout
uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
with:
persist-credentials: false
- name: Download artifacts
uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
with:
pattern: trivy-report-*
path: trivy-artifacts
- name: Debug artifact contents
run: |
echo "Downloaded artifact directory tree:" >> "$GITHUB_STEP_SUMMARY"
echo '```' >> "$GITHUB_STEP_SUMMARY"
find trivy-artifacts -maxdepth 3 -type f -print >> "$GITHUB_STEP_SUMMARY" || true
echo '```' >> "$GITHUB_STEP_SUMMARY"
echo "" >> "$GITHUB_STEP_SUMMARY"
- name: Generate summary
run: |
chmod +x .github/workflows/scripts/security/generate_trivy_summary.sh
.github/workflows/scripts/security/generate_trivy_summary.sh
- name: Fail if critical vulns found (optional gate)
if: ${{ github.event_name != 'pull_request' }}
run: |
set -e
found=$(grep -R "CRITICAL" -c trivy-artifacts || true)
if [ "${found}" != "0" ]; then
echo "Critical vulnerabilities detected. (Gate currently informational.)" >&2
fi
- name: Create GitHub issues for critical CVEs
if: ${{ github.event_name != 'pull_request' }}
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
GITHUB_REPOSITORY: ${{ github.repository }}
run: |
set -euo pipefail
echo "Installing dependencies for issue creation script";
npm init -y >/dev/null 2>&1 || true
npm install @octokit/rest@21 glob >/dev/null 2>&1
node .github/workflows/scripts/security/create_critical_cve_issues.js