diff --git a/.github/workflows/trivy.yaml b/.github/workflows/trivy.yaml new file mode 100644 index 0000000..d72988c --- /dev/null +++ b/.github/workflows/trivy.yaml @@ -0,0 +1,113 @@ +name: Trivy + +on: + schedule: + - cron: '0 10 * * *' + +jobs: + list-branches-to-scan: + runs-on: ubuntu-latest + outputs: + branches: ${{ steps.branches.outputs.branches }} + steps: + - name: Checking out repo + uses: actions/checkout@v4 + with: + fetch-depth: 0 + - name: List branches to scan + id: branches + run: | + # regex matches branches like + # origin/1.28 + # origin/v1.1 + # origin/release-1.30 + # origin/master + # origin/main + BRANCHES=$(git branch -r | grep -E '^ origin\/(((v|release-)?[0-9]+.[0-9]+)|main)$' | \ + sed -e 's#^ origin/##' | jq -R -s -c 'split("\n")[:-1]') + echo "branches=$(echo $BRANCHES)" >> $GITHUB_OUTPUT + scan-fs: + runs-on: ubuntu-latest + needs: list-branches-to-scan + strategy: + matrix: + branch: ${{ fromJson(needs.list-branches-to-scan.outputs.branches) }} + permissions: + security-events: write + steps: + - name: Checking out repo + uses: actions/checkout@v4 + with: + ref: ${{ matrix.branch }} + fetch-depth: 0 + - name: Run Trivy vulnerability scanner in repo mode + uses: aquasecurity/trivy-action@0.28.0 + with: + scan-type: "fs" + ignore-unfixed: true + format: "sarif" + output: "output.sarif" + severity: "MEDIUM,HIGH,CRITICAL" + env: + TRIVY_DB_REPOSITORY: "public.ecr.aws/aquasecurity/trivy-db" + - name: Get commit sha + run: | + SHA="$(git rev-parse HEAD)" + echo "head_sha=$SHA" >> "$GITHUB_ENV" + - name: Upload Trivy scan results to GitHub Security tab + uses: github/codeql-action/upload-sarif@v3 + with: + sarif_file: "output.sarif" + sha: ${{ env.head_sha }} + ref: refs/heads/${{ matrix.branch }} + scan-container: + runs-on: ubuntu-latest + permissions: + security-events: write + steps: + - uses: actions/github-script@v7 + id: read-tag + with: + script: | + let package_type = "container" + let org = context.repo.owner + let package_name = context.repo.repo + const { data: packages } = await github.request('GET /orgs/{org}/packages/{package_type}/{package_name}/versions', { + package_type: package_type, + package_name: package_name, + org: org, + headers: { + 'X-GitHub-Api-Version': '2022-11-28' + } + }) + return { + git_tag: packages[0].metadata.container.tags[0].split("-")[0], + container_tag: packages[0].metadata.container.tags[0] + } + - name: Checking out repo + uses: actions/checkout@v4 + with: + ref: "rawfile-csi-${{ fromJson(steps.read-tag.outputs.result).git_tag }}" + fetch-depth: 0 + - name: Get commit sha + run: | + SHA="$(git rev-parse HEAD)" + echo "head_sha=$SHA" >> "$GITHUB_ENV" + + - name: Run Trivy vulnerability scanner in image mode + uses: aquasecurity/trivy-action@0.28.0 + with: + image-ref: "ghcr.io/${{ github.repository }}:${{ fromJson(steps.read-tag.outputs.result).container_tag }}" + ignore-unfixed: true + format: 'template' + template: '@/contrib/sarif.tpl' + output: "output.sarif" + severity: "MEDIUM,HIGH,CRITICAL" + env: + TRIVY_DB_REPOSITORY: "public.ecr.aws/aquasecurity/trivy-db" + - name: Upload Trivy scan results to GitHub Security tab + uses: github/codeql-action/upload-sarif@v3 + with: + sarif_file: "output.sarif" + ref: refs/tags/rawfile-csi-${{ fromJson(steps.read-tag.outputs.result).git_tag }} + sha: ${{ env.head_sha }}