-
Notifications
You must be signed in to change notification settings - Fork 6
99 lines (90 loc) · 3.79 KB
/
scan.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
# This workflow uses actions that are not certified by GitHub.
# They are provided by a third-party and are governed by
# separate terms of service, privacy policy, and support
# documentation.
# This workflow checks out code, builds an image, performs a container image
# vulnerability scan with Trivy tool, and integrates the results with GitHub Advanced Security
# code scanning feature.
name: Container Scan
on:
push:
branches: [ "master", "develop" ]
pull_request:
# The branches below must be a subset of the branches above
branches: [ "master", "develop" ]
workflow_dispatch:
schedule:
- cron: '00 07 * * *'
permissions:
contents: read
env:
DOCKERFILE: Dockerfile
jobs:
BuildAndScan:
permissions:
contents: read # for actions/checkout to fetch code
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
runs-on: ubuntu-latest
steps:
- name: Checkout the code
uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 #v3.6.0
- name: Build the Docker image
run: docker build . --file ${{ env.DOCKERFILE }} --tag localbuild/testimage:latest
- name: Run the Trivy scan action itself with GitHub Advanced Security code scanning integration enabled
id: scan
uses: aquasecurity/trivy-action@fbd16365eb88e12433951383f5e99bd901fc618f #v0.12.0
with:
image-ref: "localbuild/testimage:latest"
format: 'sarif'
output: 'results.sarif'
- name: Upload Anchore Scan Report
uses: github/codeql-action/upload-sarif@6c089f53dd51dc3fc7e599c3cb5356453a52ca9e #v2.20.0
with:
sarif_file: 'results.sarif'
- name: CVE Description escaped extraction and print
run: |
SCAN_RESULTS=$(jq -r 'try .runs[0].tool.driver.rules | map(.help.text) | join("\\n")' results.sarif)
echo "CVE_CRITICAL=$(echo $SCAN_RESULTS | grep -o CRITICAL | wc -l)" >> $GITHUB_ENV
echo "CVE_HIGH=$(echo $SCAN_RESULTS | grep -o HIGH | wc -l)" >> $GITHUB_ENV
echo "CVE_MEDIUM=$(echo $SCAN_RESULTS | grep -o MEDIUM | wc -l)" >> $GITHUB_ENV
echo $SCAN_RESULTS
- name: Fails if CVE HIGH or CRITICAL are detected
id: cve-threshold
if: env.CVE_HIGH > 0 || env.CVE_CRITICAL > 0
run: exit 1
SendSlackNotification:
needs: BuildAndScan
uses: ./.github/workflows/send-slack-notification.yml
with:
CVE_CRITICAL: ${{env.CVE_CRITICAL}}
CVE_HIGH: ${{env.CVE_HIGH}}
CVE_MEDIUM: ${{env.CVE_MEDIUM}}
secrets: inherit
# - name: Send notification to Slack
# id: slack
# if: always() && github.event_name == 'schedule' && steps.cve-threshold.outcome == 'failure'
# uses: slackapi/slack-github-action@e28cf165c92ffef168d23c5c9000cffc8a25e117 #v1.24.0
# with:
# payload: |
# {
# "blocks": [
# {
# "type": "header",
# "text": {
# "type": "plain_text",
# "text": "[ ${{ github.event.repository.name }} ]"
# }
# },
# {
# "type": "section",
# "text": {
# "type": "mrkdwn",
# "text": " `CRITICAL` : *${{ env.CVE_CRITICAL }}*\n\n`HIGH` : *${{ env.CVE_HIGH }}*\n\n`MEDIUM` : *${{ env.CVE_MEDIUM }}*\n\n<https://github.com/${{ github.repository }}/security/code-scanning |See details on GitHub>"
# }
# }
# ]
# }
# env:
# SLACK_WEBHOOK_URL: ${{ secrets.CVE_SCAN_SLACK_WEBHOOK }}
# SLACK_WEBHOOK_TYPE: INCOMING_WEBHOOK