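# Workflow: 01-sca-trivy-repo
#
# Runs Trivy against the checked-out repository (vulnerabilities, secrets,
# misconfigurations), writes SARIF/JSON/HTML reports, uploads them as build
# artifacts, and optionally publishes the SARIF report to GitHub code
# scanning when the workflow is dispatched manually with
# import_sarif_into_github=import-it.
#
# Review notes (behaviour that differs from the previous revision):
#   - A workflow-level `permissions:` block restricts GITHUB_TOKEN to read
#     access; only the run-trivy job is widened for the SARIF upload.
#   - Context values (`github.repository`, job outputs, the dispatch input)
#     are passed to shell steps through `env:` instead of being interpolated
#     into the `run:` body with `${{ }}`, so the script text is static.
#   - The upload-sarif step is gated on the dispatch input instead of a
#     hard-coded `if: false`; push/tag runs still never upload.
name: 01-sca-trivy-repo
# NOTE(review): `description` is not a documented workflow-level key; confirm
# the workflow parser tolerates it (actionlint reports unknown keys here).
description: |
  This workflows uses Trivy to scan for vulnerabilities, leaked secrets and misconfigurations in the repository.
  Trivy generates 3 reports (HTML, SARIF and JSON), publish them as artifacts, at the same time send activity to stdout.
  Finally, you have the option of uploading SARIF report to Github Security Hub. This works only with Github Enterprise/private repos or public repos.

# Least privilege for GITHUB_TOKEN: checkout and artifact upload only need
# read access to the repository. Jobs override this where they need more.
permissions:
  contents: read

on:  # yamllint disable-line rule:truthy
  push:
    branches:
      - '**'
    tags:
      - "v[0-9]+.[0-9]+.[0-9]+"
  # pull_request:
  #   branches:
  #     - main
  workflow_dispatch:
    inputs:
      import_sarif_into_github:
        description: "Import SARIF Trivy report into GitHub Security Hub"
        type: choice
        required: true
        default: "do-not-import-it"
        options:
          - "import-it"
          - "do-not-import-it"

jobs:
  # Computes the identifiers (build timestamp, short commit hash, sanitised
  # repository name) that the scan job uses to title and name its reports.
  prepare:
    runs-on: ubuntu-latest
    outputs:
      DATE_BUILD: ${{ steps.myvars.outputs.DATE_BUILD }}
      GIT_HASH_SHORT: ${{ steps.myvars.outputs.GIT_HASH_SHORT }}
      GH_ORG_REPO_NAME: ${{ steps.myvars.outputs.GH_ORG_REPO_NAME }}
    steps:
      - name: Checkout parent Repo
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          submodules: true
          fetch-depth: 0
      - name: Set global vars
        id: myvars
        # Context values reach the script through the environment, not through
        # `${{ }}` interpolation, so the shell never parses expression output.
        env:
          GH_REPOSITORY: ${{ github.repository }}
        run: |
          DATE_BUILD=$(date +%y%m%d_%H%M%S)
          GIT_HASH_SHORT=$(git rev-parse --short HEAD)
          # owner/repo -> owner_repo, so the value can be embedded in a file name
          GH_ORG_REPO_NAME=$( echo "$GH_REPOSITORY" | tr -d ' ' | sed -E 's|/|_|g' )
          ## Set global vars
          {
            echo "DATE_BUILD=$DATE_BUILD"
            echo "GIT_HASH_SHORT=$GIT_HASH_SHORT"
            echo "GH_ORG_REPO_NAME=$GH_ORG_REPO_NAME"
          } >> "$GITHUB_OUTPUT"

  # Installs a pinned Trivy release, scans the repository, publishes the
  # reports as artifacts and (on manual request) to GitHub code scanning.
  run-trivy:
    runs-on: ubuntu-latest
    needs: [prepare]
    # security-events: write (and actions: read on private repositories) are
    # consumed only by the upload-sarif step; the rest of the job is read-only.
    permissions:
      contents: read
      actions: read
      security-events: write
    env:
      # Trivy release to install and the pinned commit of the upstream install
      # script that installs it. Bump both together.
      TRIVY_VERSION: v0.69.3
      TRIVY_INSTALL_SH: https://raw.githubusercontent.com/aquasecurity/trivy/75c4dc0f45c5d7ffd05ae26df1e0c666787bdf2a/contrib/install.sh
    steps:
      - name: Checkout parent Repo
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          submodules: true
          fetch-depth: 0
      - name: Generate Trivy reports
        id: run_trivy
        # Runs even when an earlier step failed, mirroring the artifact upload.
        if: success() || failure()
        env:
          GH_ORG_REPO_NAME: ${{ needs.prepare.outputs.GH_ORG_REPO_NAME }}
          GIT_HASH_SHORT: ${{ needs.prepare.outputs.GIT_HASH_SHORT }}
          DATE_BUILD: ${{ needs.prepare.outputs.DATE_BUILD }}
          IMPORT_SARIF: ${{ github.event.inputs.import_sarif_into_github }}
        run: |
          echo "=============== [ Installing Trivy and scan2html plugin ]"
          # Installer is fetched from a pinned commit and told which release to
          # install. An alternative is the aquasecurity/setup-trivy action,
          # pinned by commit SHA, which avoids piping a downloaded script to sh.
          curl -sfL "$TRIVY_INSTALL_SH" | sudo sh -s -- -b /usr/local/bin "$TRIVY_VERSION"
          trivy -v
          # NOTE(review): the plugin is unpinned and resolves to the latest
          # release on every run; pin it with `@<version>` once a known-good
          # release has been chosen, so the HTML generator cannot change underneath you.
          trivy plugin install github.com/fatihtokus/scan2html
          REPORT_TITLE_REPO_VALUE="[ ${GH_ORG_REPO_NAME} | ${GIT_HASH_SHORT} | ${DATE_BUILD} ]"
          REPORT_FILE_NAME="${GH_ORG_REPO_NAME}.${GIT_HASH_SHORT}.${DATE_BUILD}"
          TARGET_CHILD_REPO_TO_SCAN="."
          ## Set vars
          echo "REPORT_FILE_NAME=$REPORT_FILE_NAME" >> "$GITHUB_OUTPUT"
          ## Send report to stdout
          # Secret findings go to the job log only; the persisted SARIF/JSON
          # reports below exclude the secret scanner, presumably so that
          # downloadable artifacts do not carry secret matches -- confirm.
          trivy fs \
            --scanners secret,vuln,misconfig \
            --quiet \
            ${TARGET_CHILD_REPO_TO_SCAN}/
          ## Generates sarif report
          trivy fs -f sarif \
            --scanners vuln,misconfig \
            --quiet \
            -o trivy.${REPORT_FILE_NAME}.sarif \
            ${TARGET_CHILD_REPO_TO_SCAN}/
          ## Generates json report
          trivy fs -f json \
            --scanners vuln,misconfig \
            --quiet \
            -o trivy.${REPORT_FILE_NAME}.json \
            ${TARGET_CHILD_REPO_TO_SCAN}/
          ## Transform json report to html report
          # Plugin output is discarded; a non-zero exit still fails the step
          # because the default shell runs with -e.
          trivy scan2html generate \
            --scan2html-flags --with-epss \
            --output trivy.${REPORT_FILE_NAME}.html \
            --report-title "$REPORT_TITLE_REPO_VALUE" \
            --from trivy.${REPORT_FILE_NAME}.json &> /dev/null
          echo "=============== [ List of Trivy reports generated ]"
          # grep exits non-zero when no report exists, which fails the step on purpose.
          find . -type f -iregex ".*/trivy\..*\..+" | grep -E "json|sarif|html"
          echo "=============== [ Import SARIF Trivy Report into GitHub Security Hub: ${IMPORT_SARIF}]"
      - name: Upload Trivy reports as Artifacts
        uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
        if: success() || failure()
        with:
          name: trivy.reports.${{ steps.run_trivy.outputs.REPORT_FILE_NAME }}
          path: |
            trivy.*.html
            trivy.*.sarif
            trivy.*.json
      # Works in public repos always and only with private repos in GH Enterprise + Advanced Security.
      # Runs only when the workflow is dispatched manually with
      # import_sarif_into_github=import-it; push and tag runs never upload.
      - name: Load Trivy SARIF Report to GitHub Security Hub
        uses: github/codeql-action/upload-sarif@ea9e4e37992a54ee68a9622e985e60c8e8f12d9f # v3.27.4
        if: github.event_name == 'workflow_dispatch' && github.event.inputs.import_sarif_into_github == 'import-it'
        with:
          sarif_file: trivy.${{ steps.run_trivy.outputs.REPORT_FILE_NAME }}.sarif
          category: sca-trivy-repo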