🔍 Security scanner #263
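---
# Daily Trivy scan of the published NRDOT collector images. Results for the
# `latest` tag are uploaded to the GitHub Security tab and failures are
# reported to Slack; other tags (manual runs) only fail the job.
name: 🔍 Security scanner

on:
  schedule:
    # Scheduled to run in the morning (PT) on every day-of-week from Monday through Friday.
    - cron: '0 15 * * 1-5'
  workflow_dispatch:
    inputs:
      tag:
        description: 'Tag to scan'
        required: false
        default: 'latest'

# Least privilege for GITHUB_TOKEN: upload-sarif needs security-events:write
# (and actions:read on private repositories); nothing here writes to the repo.
permissions:
  contents: read
  actions: read
  security-events: write

jobs:
  docker-trivy:
    name: Trivy scanner for docker
    runs-on: ubuntu-22.04
    strategy:
      matrix:
        image:
          - nrdot-collector
          - nrdot-collector-experimental
          - nrdot-collector-host
          - nrdot-collector-k8s
    steps:
      - name: Determine image tag to scan
        # The workflow input is handed to the script through an environment
        # variable instead of being expanded inline with ${{ }}, so its value
        # is never interpreted by the shell. On scheduled runs it is empty.
        env:
          INPUT_TAG: ${{ inputs.tag }}
        run: |
          if [ -z "$INPUT_TAG" ]; then
            echo "Workflow triggered via cron, scanning latest tag"
            echo "tag_to_scan=latest" >> "$GITHUB_ENV"
          else
            # Only accept a syntactically valid image tag: this keeps newlines
            # and shell metacharacters out of GITHUB_ENV and the image-ref below.
            if ! [[ "$INPUT_TAG" =~ ^[A-Za-z0-9_][A-Za-z0-9_.-]{0,127}$ ]]; then
              echo "Refusing to scan: '$INPUT_TAG' is not a valid image tag" >&2
              exit 1
            fi
            echo "tag_to_scan=$INPUT_TAG" >> "$GITHUB_ENV"
          fi
      - name: Run Trivy image vulnerability scanner
        uses: aquasecurity/trivy-action@0.29.0
        with:
          image-ref: newrelic/${{ matrix.image }}:${{ env.tag_to_scan }}
          format: sarif
          output: trivy-${{ matrix.image }}-results.sarif
          vuln-type: os,library
          severity: CRITICAL,HIGH
          # Fail the job on findings so the Slack step below fires.
          exit-code: 1
          ignore-unfixed: true
          limit-severities-for-sarif: true
        env:
          # dbs are downloaded async in download_trivy_db.yml
          # Quoted so the values reach Trivy as the strings "true", not YAML booleans.
          TRIVY_SKIP_DB_UPDATE: "true"
          TRIVY_SKIP_JAVA_DB_UPDATE: "true"
      # action can't do both table/sarif output, so we just print the sarif file
      - name: Print Trivy scan results
        if: ${{ (success() || failure()) && env.tag_to_scan == 'latest' }}
        run: |
          if [[ -s trivy-${{ matrix.image }}-results.sarif ]]; then
            cat trivy-${{ matrix.image }}-results.sarif
          else
            echo "No sarif file found"
          fi
      - name: Upload Trivy scan results to GitHub Security tab
        uses: github/codeql-action/upload-sarif@v3
        # Upload sarif only for latest
        if: ${{ (success() || failure()) && env.tag_to_scan == 'latest' }}
        with:
          category: "trivy-${{ matrix.image }}"
          sarif_file: "trivy-${{ matrix.image }}-results.sarif"
      - name: Send notification to Slack Workflow
        if: ${{ failure() && env.tag_to_scan == 'latest' }}
        uses: slackapi/slack-github-action@v2.0.0
        with:
          webhook: ${{ secrets.OTELCOMM_BOTS_SLACK_HOOK }}
          webhook-type: incoming-webhook
          # This data can be any valid JSON from a previous step in the GitHub Action
          payload: |
            text: ":rotating_light: Hi from your Github Action, vulnerabilities found in NRDOT ${{ matrix.image }}:${{ env.tag_to_scan }}, see: https://github.com/newrelic/nrdot-collector-releases/security :rotating_light:"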