-
Notifications
You must be signed in to change notification settings - Fork 105
162 lines (148 loc) · 7.58 KB
/
trivy-scan.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
name: Trivy CVE Dependency Scanner
on:
schedule:
- cron: '0 0 * * *'
workflow_dispatch:
jobs:
scan-latest-release:
runs-on: ubuntu-latest
steps:
- name: Get Latest Release Docker Image Sha
id: latest-sha
run: |
set -eo pipefail
# Get the latest released docker image sha
curl -sL https://api.github.com/repos/carvel-dev/kapp-controller/releases/latest | jq -r '.assets[] | select(.name | contains("release.yml")).browser_download_url' | wget -i -
echo "image=$(yq eval '.spec.template.spec.containers[0].image' release.yml -N -oj | jq 'select(. != null)' -r)" >> $GITHUB_OUTPUT
echo "tag=$(curl -sL https://api.github.com/repos/carvel-dev/kapp-controller/releases/latest | jq -r '.tag_name')" >> $GITHUB_OUTPUT
- name: Install Trivy
run: |
# https://aquasecurity.github.io/trivy/v0.18.3/installation/
sudo apt-get install wget apt-transport-https gnupg lsb-release
wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key | sudo apt-key add -
echo deb https://aquasecurity.github.io/trivy-repo/deb $(lsb_release -sc) main | sudo tee -a /etc/apt/sources.list.d/trivy.list
sudo apt-get update
sudo apt-get install trivy
- name: Run Trivy
run: |
trivy image ${{ steps.latest-sha.outputs.image }}
trivy image --format json --output trivy-results-image-latest.json ${{ steps.latest-sha.outputs.image }}
- name: Check for new Vulnerabilities
run: |
set -eo pipefail
summary="Trivy scan has found \"new\" vulnerabilities in ${{steps.latest-sha.outputs.tag}} check https://github.com/${{github.repository}}/actions/runs/${{github.run_id}}"
vulnCount=$(jq '[ .Results[].Vulnerabilities ] | length' trivy-results-image-latest.json)
if [[ $vulnCount -eq 0 ]]; then
summary="Trivy Scan has not found any new Security Issues in ${{steps.latest-sha.outputs.tag}}"
fi
echo "SUMMARY=$summary" >> "$GITHUB_ENV"
- name: Send Slack Notification
if: success()
uses: slackapi/[email protected]
env:
SLACK_BOT_TOKEN: ${{ secrets.SLACK_BOT_TOKEN }}
with:
channel-id: C010XR15VHU
slack-message: "${{ env.SUMMARY }}"
- name: Send Failure notification
if: failure()
uses: slackapi/[email protected]
env:
SLACK_BOT_TOKEN: ${{ secrets.SLACK_BOT_TOKEN }}
with:
channel-id: C010XR15VHU
slack-message: "Trivy scan workflow [${{steps.latest-sha.outputs.tag}}] failed. Please check the latest github action run for trivy scanner."
scan-develop-branch:
runs-on: ubuntu-latest
permissions:
security-events: write
steps:
- name: Checkout
uses: actions/[email protected]
with:
fetch-depth: 0
- name: Set up Go 1.x
uses: actions/setup-go@v5
with:
go-version: 1.21.11
- name: Build the kapp-controller artifacts
run: |
./hack/install-deps.sh
./hack/build.sh
# docker image
docker buildx build -t docker.io/carvel/kapp-controller:${{ github.sha }} .
# kctrl
cd cli
./hack/build.sh
mv ./kctrl ../
- name: Install Trivy
run: |
# https://aquasecurity.github.io/trivy/v0.18.3/installation/
sudo apt-get install wget apt-transport-https gnupg lsb-release
wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key | sudo apt-key add -
echo deb https://aquasecurity.github.io/trivy-repo/deb $(lsb_release -sc) main | sudo tee -a /etc/apt/sources.list.d/trivy.list
sudo apt-get update
sudo apt-get install trivy
- name: Read dismissed CVEs from Github
run: |
set -o pipefail
trap 'on_error' ERR
on_error() {
echo "the curl reply was:"
cat cves.txt
}
curl https://api.github.com/repos/carvel-dev/kapp-controller/code-scanning/alerts \
--header 'authorization: Bearer ${{ secrets.GITHUB_TOKEN }}' > cves.txt
cat cves.txt| jq '.[] | select(.state == "dismissed" or .state == "closed" or .state == "fixed") | .rule.id' | tr -d '"' > .trivyignore
- name: Run Trivy Reports
run: |
set -o pipefail
# kapp-controller binary - output in sarif and json
trivy rootfs --ignore-unfixed --format sarif --output trivy-results.sarif "controller"
trivy rootfs --ignore-unfixed --format json --output trivy-results.json "controller"
# kapp-controller docker image - output in sarif and json
trivy image --ignore-unfixed --format sarif --output trivy-results-image.sarif "docker.io/carvel/kapp-controller:${{ github.sha }}"
trivy image --ignore-unfixed --format json --output trivy-results-image.json "docker.io/carvel/kapp-controller:${{ github.sha }}"
# kctrl binary - output in sarif and json
trivy rootfs --ignore-unfixed --format sarif --output trivy-results-kctrl.sarif "kctrl"
trivy rootfs --ignore-unfixed --format json --output trivy-results-kctrl.json "kctrl"
- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: '.'
- name: Create Issues Summary
id: cve-summary
run: |
set -eo pipefail
summary_binary=$(jq '.Results[]? | select(.Vulnerabilities) | .Vulnerabilities | group_by(.Severity) | map({Severity: .[0].Severity, Count: length}) | tostring' trivy-results.json | tr -d \\ | tr -d '"')
summary_image=$(jq '.Results[]? | select(.Vulnerabilities) | .Vulnerabilities | group_by(.Severity) | map({Severity: .[0].Severity, Count: length}) | tostring' trivy-results-image.json | tr -d \\ | tr -d '"')
summary_kctrl=$(jq '.Results[]? | select(.Vulnerabilities) | .Vulnerabilities | group_by(.Severity) | map({Severity: .[0].Severity, Count: length}) | tostring' trivy-results-kctrl.json | tr -d \\ | tr -d '"')
summary=$( echo -e "Binary Image Summary:\n$summary_binary\nDocker Image Summary:\n$summary_image\nkctrl Summary:\n$summary_kctrl")
# Escape '%', '\n' and '\r' to support multiline strings with set-output
# https://github.com/orgs/community/discussions/26288
summary="${summary//'%'/'%25'}"
summary="${summary//$'\n'/'%0A'}"
summary="${summary//$'\r'/'%0D'}"
if [[ -n $summary_binary || -n $summary_image || -n $summary_kctrl ]]
then
echo "Summary: $summary"
echo "summary=$summary" >> $GITHUB_OUTPUT
else
echo "No new Issues were found"
fi
- name: Send Slack Notification if Scan Ran Successfully
if: steps.cve-summary.outputs.summary != ''
uses: slackapi/[email protected]
with:
slack-message: "New CVEs found! Check https://github.com/carvel-dev/kapp-controller/security/code-scanning for details \n ${{ steps.cve-summary.outputs.summary }}"
channel-id: C010XR15VHU
env:
SLACK_BOT_TOKEN: ${{ secrets.SLACK_BOT_TOKEN }}
- name: Send Failure notification
if: failure()
uses: slackapi/[email protected]
env:
SLACK_BOT_TOKEN: ${{ secrets.SLACK_BOT_TOKEN }}
with:
channel-id: C010XR15VHU
slack-message: "Trivy scan workflow failed. Check: https://github.com/${{github.repository}}/actions/runs/${{github.run_id}}."