diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 28aba056f..60cc1d31a 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -153,15 +153,22 @@ jobs:
 run: go build -o ./cx ./cmd
 - name: Build Docker image
 run: docker build -t ast-cli:${{ github.sha }} .
-
- - name: Run Trivy vulnerability scanner
- uses: aquasecurity/trivy-action@b2933f565dbc598b29947660e66259e3c7bc8561 #0.20.0
+ - name: Run Trivy scanner without downloading DBs
+ uses: aquasecurity/trivy-action@915b19bbe73b92a6cf82a1bc12b087c9a19a5fe2 #v0.28.0
 with:
- image-ref: 'ast-cli:${{ github.sha }}'
+ scan-type: 'image'
+ image-ref: ast-cli:${{ github.sha }}
 format: 'table'
 exit-code: '1'
 ignore-unfixed: true
 vuln-type: 'os,library'
+ output: './trivy-image-results.txt'
 severity: 'CRITICAL,HIGH,MEDIUM,LOW'
-
-
+ env:
+ TRIVY_SKIP_DB_UPDATE: true
+ TRIVY_SKIP_JAVA_DB_UPDATE: true
+
+ - name: Inspect action report
+ if: always()
+ shell: bash
+ run: cat ./trivy-image-results.txt
\ No newline at end of file
diff --git a/.github/workflows/one-scan.yml b/.github/workflows/one-scan.yml
index aaefa089a..9a48e5d22 100644
--- a/.github/workflows/one-scan.yml
+++ b/.github/workflows/one-scan.yml
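Review bot: With `TRIVY_SKIP_DB_UPDATE: true` the new scan step depends on a pre-populated cache, but nothing in this hunk restores one; the companion trivy-cache.yml saves `${{ github.workspace }}/.cache/trivy` under `cache-trivy-<date>`, so unless a restore step already exists earlier in this job (outside the hunk) Trivy starts with no vulnerability DB and the step fails instead of scanning. A restore with a prefix fallback is needed before the scan step, and the action's `cache-dir` must resolve to the same path (its default appears to be that path — confirm against the pinned action). `TRIVY_SKIP_JAVA_DB_UPDATE: true` is also set while trivy-cache.yml leaves the Java DB download commented out, so an image carrying JAR artifacts would have no Java DB either — confirm that is intended. A one-line comment on the `env:` block saying that findings lag the upstream feed by up to the cache workflow's interval would set expectations for readers of the scan output.
```yaml
      - name: Restore Trivy DB cache
        uses: actions/cache/restore@6849a6489940f00c2f30c0fb92c6274307ccb58a #v4.1.2
        with:
          path: ${{ github.workspace }}/.cache/trivy
          key: cache-trivy-${{ github.run_id }}  # never matches exactly; falls through to restore-keys
          restore-keys: cache-trivy-
          fail-on-cache-miss: true  # fail loudly here rather than inside Trivy with no DB
      # … unchanged: Run Trivy scanner without downloading DBs step …
```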
@@ -1,23 +1,25 @@
 name: Checkmarx One Scan
-
 on:
 workflow_dispatch:
 pull_request:
 push:
 branches:
 - main
+ schedule:
+ - cron: '00 7 * * *' # Every day at 07:00
 
 jobs:
 cx-scan:
+ name: Checkmarx One Scan
 runs-on: ubuntu-latest
 steps:
 - name: Checkout
- uses: actions/checkout@a12a3943b4bdde767164f792f33f40b04645d846 #v3.0.0
+ uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 - name: Checkmarx One CLI Action
- uses: checkmarx/ast-github-action@6c56658230f79c227a55120e9b24845d574d5225 # main
+ uses: checkmarx/ast-github-action@f0869bd1a37fddc06499a096101e6c900e815d81 # v.2.0.36
 with:
 base_uri: ${{ secrets.AST_RND_SCANS_BASE_URI }}
 cx_tenant: ${{ secrets.AST_RND_SCANS_TENANT }}
 cx_client_id: ${{ secrets.AST_RND_SCANS_CLIENT_ID }}
 cx_client_secret: ${{ secrets.AST_RND_SCANS_CLIENT_SECRET }}
- additional_params: --tags phoenix --threshold "sast-high=1;sast-medium=1;sast-low=1;iac-security-high=1;iac-security-medium=1;iac-security-low=1;sca-high=1;sca-medium=1;sca-low=1"
+ additional_params: --tags phoenix --threshold "sca-critical=1;sca-high=1;sca-medium=1;sca-low=1;sast-critical=1;sast-high=1;sast-medium=1;sast-low=1;iac-security-critical=1;iac-security-high=1;iac-security-medium=1;iac-security-low=1"
\ No newline at end of file
diff --git a/.github/workflows/trivy-cache.yml b/.github/workflows/trivy-cache.yml
new file mode 100644
index 000000000..e1acf556f
--- /dev/null
+++ b/.github/workflows/trivy-cache.yml
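Review bot: The new cron comment `# Every day at 07:00` omits the timezone; GitHub evaluates `schedule` crons in UTC, so `# Every day at 07:00 UTC` avoids confusion with local time. The pin comment on the Checkmarx action reads `# v.2.0.36`, which does not match the `# v4.1.1` form used on the checkout step in the same hunk — `# v2.0.36` keeps the pins consistent and greppable. The threshold string now also carries `*-critical=1` entries; a one-line comment above `additional_params` stating what the `=1` thresholds mean for the job outcome would help readers unfamiliar with the `--threshold` syntax.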
@@ -0,0 +1,39 @@
+# Note: This workflow only updates the cache. You should create a separate workflow for your actual Trivy scans.
+# In your scan workflow, set TRIVY_SKIP_DB_UPDATE=true and TRIVY_SKIP_JAVA_DB_UPDATE=true.
+name: Update Trivy Cache
+
+on:
+ schedule:
+ - cron: '0 0 * * *' # Run daily at midnight UTC
+ workflow_dispatch: # Allow manual triggering
+
+jobs:
+ update-trivy-db:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Setup oras
+ uses: oras-project/setup-oras@9c92598691bfef1424de2f8fae81941568f5889c #v1.2.1
+
+ - name: Get current date
+ id: date
+ run: echo "date=$(date +'%Y-%m-%d')" >> $GITHUB_OUTPUT
+
+ - name: Download and extract the vulnerability DB
+ run: |
+ mkdir -p $GITHUB_WORKSPACE/.cache/trivy/db
+ oras pull ghcr.io/aquasecurity/trivy-db:2
+ tar -xzf db.tar.gz -C $GITHUB_WORKSPACE/.cache/trivy/db
+ rm db.tar.gz
+
+ #- name: Download and extract the Java DB
+ # run: |
+ # mkdir -p $GITHUB_WORKSPACE/.cache/trivy/java-db
+ # oras pull ghcr.io/aquasecurity/trivy-java-db:1
+ # tar -xzf javadb.tar.gz -C $GITHUB_WORKSPACE/.cache/trivy/java-db
+ # rm javadb.tar.gz
+
+ - name: Cache DBs
+ uses: actions/cache/save@6849a6489940f00c2f30c0fb92c6274307ccb58a #v4.1.2
+ with:
+ path: ${{ github.workspace }}/.cache/trivy
+ key: cache-trivy-${{ steps.date.outputs.date }}
\ No newline at end of file
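Review bot: The Java DB download block (`#- name: Download and extract the Java DB` and the five commented lines under it) is committed commented out while ci.yml sets `TRIVY_SKIP_JAVA_DB_UPDATE: true`, so a scan that needs the Java DB would run without one; either restore the block or delete it and drop the skip variable from ci.yml, and state the decision in the header comment. The workflow declares no `permissions:` block, so it runs with the repository's default token permissions although it only writes the actions cache; a top-level `permissions: {}` (or `contents: read`) keeps it least-privilege — cache save uses the runner's runtime token rather than GITHUB_TOKEN, so this should not break the save step, but confirm on a manual run. `oras pull ghcr.io/aquasecurity/trivy-db:2` pulls a moving tag with no checksum, which is inherent to this pattern; a comment above it noting that the cached DB is whatever upstream published at midnight UTC would make that trust boundary explicit for readers of the scan workflow.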