template-infra-azure/.github/workflows/vulnerability-scans.yml at main · navapbc/template-infra-azure · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
# GitHub Actions CI workflow that runs vulnerability scans on the application's Docker image
# to ensure images built are secure before they are deployed.

# NOTE: The workflow isn't able to pass the docker image between jobs, so each builds the image.
#       A future PR will pass the image between the scans to reduce overhead and increase speed
name: Vulnerability Scans

on:
  workflow_call:
    inputs:
      app_name:
        description: "name of application folder under infra directory"
        required: true
        type: string

jobs:
  hadolint-scan:
    runs-on: ubuntu-latest

    steps:
      - uses: actions/checkout@v4

      - uses: ./.github/actions/first-file
        id: hadolint-config
        with:
          files: |-
            ${{ inputs.app_name }}/.hadolint.yaml
            .hadolint.yaml

      # Scans Dockerfile for any bad practices or issues
      - name: Scan Dockerfile by hadolint
        uses: hadolint/hadolint-action@v3.1.0
        with:
          dockerfile: ${{ inputs.app_name }}/Dockerfile
          format: tty
          failure-threshold: warning
          output-file: hadolint-results.txt
          config: ${{ steps.hadolint-config.outputs.found_file }}

      - name: Save output to workflow summary
        if: always() # Runs even if there is a failure
        run: cat hadolint-results.txt >> "$GITHUB_STEP_SUMMARY"

  trivy-scan:
    runs-on: ubuntu-latest

    steps:
      - uses: actions/checkout@v4

      - uses: ./.github/actions/first-file
        id: trivy-ignore
        with:
          files: |-
            ${{ inputs.app_name }}/.trivyignore
            .trivyignore

      - uses: ./.github/actions/first-file
        id: trivy-secret
        with:
          files: ${{ inputs.app_name }}/trivy-secret.yaml trivy-secret.yaml

      - name: Build and tag Docker image for scanning
        id: build-image
        run: |
          make APP_NAME=${{ inputs.app_name }} release-build
          IMAGE_NAME=$(make APP_NAME=${{ inputs.app_name }} release-image-name)
          IMAGE_TAG=$(make release-image-tag)
          echo "image=$IMAGE_NAME:$IMAGE_TAG" >> "$GITHUB_OUTPUT"

      - name: Run Trivy vulnerability scan
        uses: aquasecurity/trivy-action@master
        with:
          scan-type: image
          image-ref: ${{ steps.build-image.outputs.image }}
          format: table
          exit-code: 1
          ignore-unfixed: true
          vuln-type: os
          scanners: vuln,secret
          trivyignores: ${{ steps.trivy-ignore.outputs.found_file }}
        env:
          TRIVY_SECRET_CONFIG: ${{ steps.trivy-secret.outputs.found_file }}

      - name: Save output to workflow summary
        if: always() # Runs even if there is a failure
        run: |
          echo "View results in GitHub Action logs" >> "$GITHUB_STEP_SUMMARY"

  anchore-scan:
    runs-on: ubuntu-latest

    steps:
      - uses: actions/checkout@v4

      - uses: ./.github/actions/first-file
        id: grype-config
        with:
          files: |-
            ${{ inputs.app_name }}/.grype.yml
            .grype.yml

      - name: Build and tag Docker image for scanning
        id: build-image
        run: |
          make APP_NAME=${{ inputs.app_name }} release-build
          IMAGE_NAME=$(make APP_NAME=${{ inputs.app_name }} release-image-name)
          IMAGE_TAG=$(make release-image-tag)
          echo "image=$IMAGE_NAME:$IMAGE_TAG" >> "$GITHUB_OUTPUT"

      - name: Run Anchore vulnerability scan
        uses: anchore/scan-action@v3
        with:
          image: ${{ steps.build-image.outputs.image }}
          output-format: table
        env:
          GRYPE_CONFIG: ${{ steps.grype-config.outputs.found_file }}

      - name: Save output to workflow summary
        if: always() # Runs even if there is a failure
        run: echo "View results in GitHub Action logs" >> "$GITHUB_STEP_SUMMARY"

  dockle-scan:
    runs-on: ubuntu-latest

    steps:
      - uses: actions/checkout@v4

      - uses: ./.github/actions/first-file
        id: dockle-config
        with:
          files: |-
            ${{ inputs.app_name }}/.dockleconfig
            .dockleconfig

      - name: Build and tag Docker image for scanning
        id: build-image
        run: |
          make APP_NAME=${{ inputs.app_name }} release-build
          IMAGE_NAME=$(make APP_NAME=${{ inputs.app_name }} release-image-name)
          IMAGE_TAG=$(make release-image-tag)
          echo "image=$IMAGE_NAME:$IMAGE_TAG" >> "$GITHUB_OUTPUT"

      # Dockle doesn't allow you to have an ignore file for the DOCKLE_ACCEPT_FILES
      # variable, this will save the variable in this file to env for Dockle
      - name: Set any acceptable Dockle files
        run: |
          if grep -q "^DOCKLE_ACCEPT_FILES=.*" ${{ steps.dockle-config.outputs.found_file }}; then
            grep -s '^DOCKLE_ACCEPT_FILES=' ${{ steps.dockle-config.outputs.found_file }} >> "$GITHUB_ENV"
          fi

      - name: Run Dockle container linter
        uses: erzz/dockle-action@v1.3.1
        with:
          image: ${{ steps.build-image.outputs.image }}
          exit-code: "1"
          failure-threshold: WARN
          accept-filenames: ${{ env.DOCKLE_ACCEPT_FILES }}

      - name: Save output to workflow summary
        if: always() # Runs even if there is a failure
        run: |
          {
            echo '```json'
            cat dockle-report.json
            echo '```'
          } >> "$GITHUB_STEP_SUMMARY"