Setup trivy scanning #27

Open
wants to merge 10 commits into base: master
29 changes: 26 additions & 3 deletions .github/workflows/docker.yaml
@@ -8,6 +8,9 @@ on:

tags:
- v*
pull_request:
# The branches below must be a subset of the branches above
branches: [ master ]

env:
IMAGE_NAME: thanos-remote-read
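Review bot: the comment on the new `branches: [ master ]` line says it must be a subset of the push branches, but the push trigger sits above this hunk (only `tags: - v*` is visible), so please confirm the push branch list is exactly `[ master ]`. Adding `pull_request` also means the workflow now runs on PR merge refs, where `github.ref` is `refs/pull/<n>/merge`; the existing login and push steps are gated on `refs/heads/master` or `refs/tags/`, so PR runs will build and scan without pushing, which is the right behaviour, but any later step that assumes the image was tagged and pushed will need to cope with that.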
@@ -21,17 +24,22 @@ jobs:

- name: Build image
run: docker build -t image .

- name: Sanitize repo slug
uses: actions/github-script@v4
Member

I think we should use the latest version of this action

Suggested change
uses: actions/github-script@v4
uses: actions/github-script@v6

id: github_id
with:
result-encoding: string
script: return 'docker.pkg.github.com/${{ github.repository }}/${{ env.IMAGE_NAME }}'.toLowerCase()

- name: Log into registry
if: github.ref == 'refs/heads/master' || startsWith(github.ref, 'refs/tags/')
run: |
echo "${{ secrets.GITHUB_TOKEN }}" | docker login docker.pkg.github.com -u ${{ github.actor }} --password-stdin
echo "${{ secrets.DOCKER_PASSWORD }}" | docker login -u ${{ secrets.DOCKER_USERNAME }} --password-stdin

- name: Push image
if: github.ref == 'refs/heads/master' || startsWith(github.ref, 'refs/tags/')
run: |
GITHUB_ID="docker.pkg.github.com/${{ github.repository }}/$IMAGE_NAME"
GITHUB_ID="${{ steps.github_id.outputs.result }}"
DOCKERHUB_ID="gresearchdev/$IMAGE_NAME"

# Change all uppercase to lowercase for github
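Review bot: the new `github_id` step already lowercases the image name, so the retained context line `# Change all uppercase to lowercase for github` (and whatever lowercasing follows it below this hunk) is now redundant; remove that block together with the old `GITHUB_ID="docker.pkg.github.com/..."` assignment so there is a single source of truth for the name. On the `script:` line, interpolating `${{ github.repository }}` and `${{ env.IMAGE_NAME }}` straight into JavaScript source is acceptable here because both values are trusted, but github-script exposes the same data without any interpolation, e.g. `return ('docker.pkg.github.com/' + context.repo.owner + '/' + context.repo.repo + '/' + process.env.IMAGE_NAME).toLowerCase()`, which avoids the expression-in-script pattern altogether. Agree with the earlier comment that `actions/github-script` should be bumped to a current major.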
@@ -58,3 +66,18 @@ jobs:
docker tag image $DOCKERHUB_ID:latest
docker push $DOCKERHUB_ID:latest
fi


- name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@2a2157eb22c08c9a1fac99263430307b8d1bc7a2
with:
image-ref: '${{ steps.github_id.outputs.result }}:${{ github.sha }}'
format: 'template'
template: '@/contrib/sarif.tpl'
output: 'trivy-results.sarif'
severity: 'CRITICAL,HIGH'

- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v1
with:
sarif_file: 'trivy-results.sarif'
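Review bot: `image-ref` points at `<registry name>:${{ github.sha }}`, but the build step tags the image only as `image`, and the step that retags and pushes it is gated on `refs/heads/master` or a tag ref. On the `pull_request` runs this PR enables, no image with that name exists locally, so trivy-action will try to pull it from `docker.pkg.github.com` and fail, and even on master runs the scan depends on the push step having created that exact tag; scanning the local tag (`image-ref: 'image'`) works on every trigger. The step also sets no `exit-code`, so CRITICAL/HIGH findings are uploaded to the Security tab but never fail the job; if the goal is to stop vulnerable images from being pushed (as the other comment suggests), move this step before `Push image` and add `exit-code: '1'` (optionally `ignore-unfixed: 'true'`). Pinning trivy-action to a full commit SHA is good; `github/codeql-action/upload-sarif@v1` is an old major and should be moved to a current one, and if the workflow declares a `permissions:` block, the upload step needs `security-events: write`.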
Comment on lines +71 to +83
Member

We may want to scan the image before we push it, to avoid pushing known vulnerable images.

In that case, we may want to refactor further, by using the proper image name straight for building, instead of image.