feat: add docker image vulnerability scanning with trivy
1 parent
f4ac6f8
commit a3211f0
Showing
1 changed file
with
117 additions
and
0 deletions.
@@ -0,0 +1,117 @@ | ||
on: | ||
pull_request: | ||
branches: [develop, release/**] | ||
workflow_dispatch: | ||
|
||
jobs: | ||
client-dependencies: | ||
name: Client dependency check | ||
runs-on: ubuntu-latest | ||
steps: | ||
- uses: actions/checkout@master | ||
|
||
- name: Run Snyk to check for vulnerabilities | ||
uses: snyk/actions/node@master | ||
continue-on-error: true # To make sure that SARIF upload gets called | ||
env: | ||
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} | ||
with: | ||
args: --severity-threshold=high --fail-on=upgradable --sarif-file-output=snyk.sarif | ||
|
||
- name: Upload result to GitHub Code Scanning | ||
uses: github/codeql-action/upload-sarif@v1 | ||
with: | ||
sarif_file: snyk.sarif | ||
|
||
server-dependencies: | ||
name: Server dependency check | ||
runs-on: ubuntu-latest | ||
defaults: | ||
run: | ||
working-directory: ./api | ||
steps: | ||
- uses: actions/checkout@master | ||
|
||
- name: Download dependencies | ||
run: go get -v -d | ||
|
||
- name: Run Snyk to check for vulnerabilities | ||
uses: snyk/actions/golang@master | ||
continue-on-error: true # To make sure that SARIF upload gets called | ||
env: | ||
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} | ||
with: | ||
args: --severity-threshold=high --sarif-file-output=snyk.sarif --file=./api/go.mod | ||
|
||
- name: Upload result to GitHub Code Scanning | ||
uses: github/codeql-action/upload-sarif@v1 | ||
with: | ||
sarif_file: snyk.sarif | ||
|
||
build_app: | ||
name: Build app and api and docker image | ||
runs-on: ubuntu-latest | ||
steps: | ||
- uses: actions/checkout@master | ||
|
||
- name: Use golang 1.17.x | ||
uses: actions/setup-go@v3 | ||
with: | ||
go-version: '>=1.17.0' | ||
|
||
- name: Use Node.js 12.x | ||
uses: actions/setup-node@v1 | ||
with: | ||
node-version: 12.x | ||
|
||
- name: Install packages and build | ||
run: yarn install && yarn build | ||
|
||
- name: Set up Docker Buildx | ||
uses: docker/setup-buildx-action@v1 | ||
|
||
- name: Build and push | ||
uses: docker/build-push-action@v2 | ||
with: | ||
context: . | ||
file: build/linux/Dockerfile | ||
tags: trivy-portainer:${{ github.sha }} | ||
outputs: type=docker,dest=/tmp/trivy-portainer-image.tar | ||
|
||
- name: Upload artifact | ||
uses: actions/upload-artifact@v3 | ||
with: | ||
name: image-artifact | ||
path: /tmp/trivy-portainer-image.tar | ||
|
||
image-vulnerability: | ||
name: Image vulnerability check | ||
needs: [build_app] | ||
runs-on: ubuntu-latest | ||
steps: | ||
- name: Checkout code | ||
uses: actions/checkout@master | ||
|
||
- name: Set up Docker Buildx | ||
uses: docker/setup-buildx-action@v1 | ||
|
||
- name: Download image artifact | ||
uses: actions/download-artifact@v3 | ||
with: | ||
name: image-artifact | ||
path: /tmp | ||
|
||
- name: Load docker image | ||
run: | | ||
docker load --input /tmp/trivy-portainer-image.tar | ||
- name: Run Trivy vulnerability scanner | ||
uses: docker://docker.io/aquasec/trivy:latest | ||
continue-on-error: true # To make sure that SARIF upload gets called | ||
with: | ||
args: image --ignore-unfixed=true --vuln-type="os,library" --severity="CRITICAL,HIGH,MEDIUM" --exit-code=1 --format="sarif" --output="trivy-results.sarif" --no-progress trivy-portainer:${{ github.sha }} | ||
|
||
- name: Upload Trivy scan results to GitHub Code Scanning | ||
uses: github/codeql-action/upload-sarif@v1 | ||
with: | ||
sarif_file: 'trivy-results.sarif' |
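Review bot: Every third-party action and the scanner image in this hunk is pulled from a mutable ref — `actions/checkout@master` (four times), `snyk/actions/node@master`, `snyk/actions/golang@master` and `docker://docker.io/aquasec/trivy:latest` — so an upstream tag that changes or is compromised silently becomes part of a workflow that runs with the repository token and SNYK_TOKEN; pin each `uses:` to a full commit SHA (`uses: actions/checkout@<commit-sha>  # v3`, placeholder value) and the Trivy image to a version tag or `@sha256:` digest. The workflow declares no `permissions:` block, so the three upload-sarif steps depend on whatever the repository's default token scope happens to be; a least-privilege block at the top, `permissions:` / `contents: read` / `security-events: write`, is what upload-sarif needs and nothing more. `continue-on-error: true` on the Trivy step also cancels the `--exit-code=1` it passes, so a CRITICAL finding never fails the check on the pull request; the usual pattern is to let the scan step fail and put `if: always()` on the upload step so the SARIF is still published. The diffstat reports 117 additions while the rendered section shows 116 lines, so one line (likely a leading `name:` or a trailing blank) may have been dropped by the page.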