Skip to content

Security scan

Security scan #2853

Workflow file for this run

name: Security scan
on:
push:
branches:
- renovate/**
pull_request:
schedule:
- cron: "14 3 * * *" # Daily at 3:14 AM
jobs:
build:
name: Build and scan image
runs-on: ubuntu-latest
env: # Variables as understood by docker-build.sh
DOCKER_IMAGE: newrelic/infrastructure-bundle
DOCKER_IMAGE_TAG: ci
steps:
- uses: actions/checkout@v4
- name: Set up QEMU
uses: docker/setup-qemu-action@v3
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
- uses: actions/setup-go@v5
with:
go-version-file: go.mod
- name: Download integrations
run: go run downloader.go
- name: Build and load docker image for linux/amd64
run: |
DOCKER_PLATFORMS=linux/amd64 ./docker-build.sh . --load
- name: Run Trivy in table mode
# Table output is only useful when running on a pull request or push.
if: contains(fromJSON('["push", "pull_request"]'), github.event_name)
uses: aquasecurity/[email protected]
with:
image-ref: ${{ env.DOCKER_IMAGE }}:${{ env.DOCKER_IMAGE_TAG }}
format: table
exit-code: 1
ignore-unfixed: true
severity: "CRITICAL,HIGH"
env:
TRIVY_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-db
TRIVY_JAVA_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-java-db
- name: Run Trivy in report mode
# Only generate sarif when running nightly on the main branch.
if: ${{ github.event_name == 'schedule' }}
uses: aquasecurity/[email protected]
with:
image-ref: ${{ env.DOCKER_IMAGE }}:${{ env.DOCKER_IMAGE_TAG }}
format: "template"
template: "@/contrib/sarif.tpl"
output: "trivy-results.sarif"
ignore-unfixed: false # Get full report when running nightly.
severity: "CRITICAL,HIGH"
env:
TRIVY_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-db
TRIVY_JAVA_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-java-db
- name: Upload Trivy scan results to GitHub Security tab
# Only upload sarif when running nightly on the main branch.
if: ${{ github.event_name == 'schedule' }}
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: "trivy-results.sarif"
notify-failure:
if: ${{ github.event_name == 'schedule' && failure() }}
needs: [build]
runs-on: ubuntu-latest
steps:
- name: Notify failure via Slack
uses: archive/github-actions-slack@master
with:
slack-bot-user-oauth-access-token: ${{ secrets.COREINT_SLACK_TOKEN }}
slack-channel: ${{ secrets.CAOS_COREINT_SLACK_CHANNEL }}
slack-text: "❌ `'newrelic/infrastructure-bundle'`: [security pipeline failed](${{ github.server_url }}/newrelic/infrastructure-bundle/actions/runs/${{ github.run_id }})."