

change security scanning so PR pipelines only error on vulnerabilities introduced in the PR
rikukissa committed Oct 28, 2024
1 parent 0e9407f commit 445ba2e
Showing 5 changed files with 140 additions and 23 deletions.
61 changes: 54 additions & 7 deletions .github/workflows/build-images-from-branch.yml
Expand Up @@ -15,10 +15,14 @@ on:
description: Branch to build from
default: develop
required: true
push:
pull_request:
branches-ignore:
- 'dependabot/**'
- 'renovate/**'
push:
branches:
- develop
- main
jobs:
base:
runs-on: ubuntu-22.04
Expand All @@ -29,7 +33,7 @@ jobs:
ref: '${{ github.event.inputs.branch_name }}'

- uses: actions/checkout@v4
if: github.event_name == 'push'
if: github.event_name == 'push' || github.event_name == 'pull_request'

- name: Set version and branch
id: set-version-and-branch
Expand All @@ -38,6 +42,8 @@ jobs:
echo "version=$VERSION" >> $GITHUB_OUTPUT
if [ "${{ github.event_name }}" == 'push' ]; then
BRANCH=${GITHUB_HEAD_REF:-${GITHUB_REF#refs/heads/}}
elif [ "${{ github.event_name }}" == 'pull_request' ]; then
BRANCH=${GITHUB_HEAD_REF:-${GITHUB_REF#refs/heads/}}
else
BRANCH=${{ inputs.branch_name }}
fi
Expand Down Expand Up @@ -90,7 +96,7 @@ jobs:
ref: '${{ github.event.inputs.branch_name }}'

- uses: actions/checkout@v4
if: github.event_name == 'push'
if: github.event_name == 'push' || github.event_name == 'pull_request'

- name: Login to DockerHub
uses: docker/login-action@v3
Expand All @@ -113,11 +119,52 @@ jobs:
cache-from: type=registry,ref=opencrvs/ocrvs-${{ matrix.service }}:${{ needs.base.outputs.branch }}
cache-to: type=inline

security-scans-pr:
needs: [build, base]
runs-on: ubuntu-22.04
if: github.event_name == 'pull_request'
strategy:
matrix:
service: ${{ fromJSON(needs.base.outputs.services) }}
steps:
- name: Run Trivy vulnerability scanner
uses: aquasecurity/[email protected]
with:
image-ref: 'opencrvs/ocrvs-${{ matrix.service }}:${{ github.event.pull_request.base.ref }}'
trivy-config: trivy.yaml
format: 'sarif'
output: './trivy-results-base.sarif'

- name: Run Trivy vulnerability scanner
uses: aquasecurity/[email protected]
with:
image-ref: 'opencrvs/ocrvs-${{ matrix.service }}:${{ needs.base.outputs.version }}'
trivy-config: trivy.yaml
format: 'sarif'
output: './trivy-results-branch.sarif'

- name: Remove lines that are always expected to be different
run: |
sed -i '/"uri": "file:\/\/\/github\/workspace\/base\//d' ${{ github.workspace }}/trivy-results-base.sarif
sed -i '/"uri": "file:\/\/\/github\/workspace\/branch\//d' ${{ github.workspace }}/trivy-results-branch.sarif
- name: Diff Trivy results
run: diff -u ./trivy-results-base.sarif ./trivy-results-branch.sarif

security-scans-develop:
needs: [build, base]
runs-on: ubuntu-22.04
if: ${{ needs.base.outputs.branch == 'develop' }}
strategy:
fail-fast: false
matrix:
service: ${{ fromJSON(needs.base.outputs.services) }}
steps:
- name: Run Trivy vulnerability scanner
# Skip temporarily for non-develop branches because of
# a TOOMANYREQUESTS error failing the check
# https://github.com/aquasecurity/trivy/discussions/7591
uses: aquasecurity/trivy-[email protected]
uses: aquasecurity/[email protected]
env:
TRIVY_DB_REPOSITORY: 'ghcr.io/opencrvs/trivy-db'
TRIVY_JAVA_DB_REPOSITORY: 'ghcr.io/opencrvs/trivy-java-db'
with:
image-ref: 'opencrvs/ocrvs-${{ matrix.service }}:${{ needs.base.outputs.version }}'
trivy-config: trivy.yaml
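Review bot: The `diff -u ./trivy-results-base.sarif ./trivy-results-branch.sarif` step in `security-scans-pr` exits non-zero on any difference, so a PR that removes a finding, or merely changes result order, is rejected exactly like one that introduces a vulnerability, which is not the "only error on vulnerabilities introduced in the PR" behaviour the commit title describes. The two `sed` lines before it are copied from the fs-mode job and strip `/github/workspace/base/` and `/github/workspace/branch/` URIs, but this job performs no checkouts into `base`/`branch` (its steps start with the image scans), so they presumably match nothing here and any image-specific SARIF fields that differ between the `base.ref` tag and the `version` tag will still fail the diff — confirm against a real pair of outputs. Comparing the two result sets and failing only on `(ruleId, location)` pairs present in the branch scan but absent from the base scan gives the intended semantics, and a comment such as `# base image is whatever was last pushed for the base branch, not necessarily its current head` would document the known gap. Note also that the `build` job's DockerHub login and push now run on `pull_request`, so same-repo PRs publish images built from unreviewed changes and fork PRs will fail for lack of secrets — worth stating explicitly if intended.
```yaml
      # … unchanged: the two Trivy image scans writing trivy-results-base.sarif / trivy-results-branch.sarif …
      - name: Fail only on findings that are new in the PR
        run: |
          # one line per (ruleId, location), sorted so comm can compare the two sets
          findings() {
            jq -r '.runs[].results[]
                   | "\(.ruleId) \(.locations[0].physicalLocation.artifactLocation.uri)"' "$1" | sort -u
          }
          NEW=$(comm -13 <(findings ./trivy-results-base.sarif) <(findings ./trivy-results-branch.sarif))
          if [ -n "$NEW" ]; then
            printf 'Vulnerabilities introduced in this PR:\n%s\n' "$NEW"
            exit 1
          fi
```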
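--- a/.github/workflows/lint-and-test.yml
+++ b/.github/workflows/lint-and-test.yml
@@ -137,16 +137,3 @@ jobs:
 - name: Run Unit Test
 if: steps.check-scripts.outputs.skip != 'true' && steps.check-scripts.outputs.skip-test != 'true'
 run: cd ${{ matrix.package }} && yarn test
-
-security-scans:
-needs: setup
-runs-on: ubuntu-22.04
-steps:
-- name: Checkout code
-uses: actions/checkout@v4
-- name: Run Trivy vulnerability scanner in fs mode
-uses: aquasecurity/[email protected]
-with:
-scan-type: 'fs'
-scan-ref: '.'
-trivy-config: trivy.yaml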
5 changes: 4 additions & 1 deletion .github/workflows/publish-release.yml
Expand Up @@ -102,7 +102,10 @@ jobs:
.trivyignore.yaml
sparse-checkout-cone-mode: false
- name: Run Trivy vulnerability scanner
uses: aquasecurity/[email protected]
uses: aquasecurity/[email protected]
env:
TRIVY_DB_REPOSITORY: 'ghcr.io/opencrvs/trivy-db'
TRIVY_JAVA_DB_REPOSITORY: 'ghcr.io/opencrvs/trivy-java-db'
with:
image-ref: 'opencrvs/ocrvs-${{ matrix.service }}:${{ needs.base.outputs.version }}'
trivy-config: trivy.yaml
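Review bot: The new `TRIVY_DB_REPOSITORY` / `TRIVY_JAVA_DB_REPOSITORY` entries point the release-time scan at `ghcr.io/opencrvs/trivy-db` and `ghcr.io/opencrvs/trivy-java-db`, mirrors whose freshness nothing in this workflow verifies; if the mirror sync lags, the release is scanned against an old vulnerability list and still passes with no signal. The mirror is presumably maintained by a separate job that is not visible here — document the dependency next to the env block, e.g. `# mirrors of the upstream Trivy DBs, refreshed by the trivy-db sync workflow; findings are only as current as the last sync`, and consider logging the DB `UpdatedAt` metadata in this job so a stale mirror is visible in the release run.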
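--- /dev/null
+++ b/.github/workflows/security-scans.yml
@@ -0,0 +1,79 @@
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# OpenCRVS is also distributed under the terms of the Civil Registration
+# & Healthcare Disclaimer located at http://opencrvs.org/license.
+#
+# Copyright (C) The OpenCRVS Authors located at https://github.com/opencrvs/opencrvs-core/blob/master/AUTHORS.
+name: Scan files for vulnerabilities
+
+on:
+push:
+branches:
+- develop
+pull_request:
+
+jobs:
+security-scan-development:
+if: github.event_name == 'push' && github.ref == 'refs/heads/develop'
+runs-on: ubuntu-22.04
+steps:
+- name: Checkout code
+uses: actions/checkout@v4
+- name: Run Trivy vulnerability scanner in fs mode
+uses: aquasecurity/[email protected]
+env:
+TRIVY_DB_REPOSITORY: 'ghcr.io/opencrvs/trivy-db'
+TRIVY_JAVA_DB_REPOSITORY: 'ghcr.io/opencrvs/trivy-java-db'
+with:
+scan-type: 'fs'
+scan-ref: '.'
+trivy-config: trivy.yaml
+
+security-scan-pull-request:
+if: github.event_name == 'pull_request'
+runs-on: ubuntu-22.04
+steps:
+- name: Checkout code
+uses: actions/checkout@v4
+with:
+ref: ${{ github.event.pull_request.base.ref }}
+path: 'base'
+
+- name: Checkout code
+uses: actions/checkout@v4
+with:
+path: 'branch'
+
+- name: Run Trivy vulnerability scanner in fs mode
+uses: aquasecurity/[email protected]
+env:
+TRIVY_DB_REPOSITORY: 'ghcr.io/opencrvs/trivy-db'
+TRIVY_JAVA_DB_REPOSITORY: 'ghcr.io/opencrvs/trivy-java-db'
+with:
+scan-type: 'fs'
+scan-ref: 'base'
+trivy-config: ./base/trivy.yaml
+format: 'sarif'
+output: './trivy-results-base.sarif'
+
+- name: Run Trivy vulnerability scanner in fs mode
+uses: aquasecurity/[email protected]
+env:
+TRIVY_DB_REPOSITORY: 'ghcr.io/opencrvs/trivy-db'
+TRIVY_JAVA_DB_REPOSITORY: 'ghcr.io/opencrvs/trivy-java-db'
+with:
+scan-type: 'fs'
+scan-ref: 'branch'
+trivy-config: ./branch/trivy.yaml
+format: 'sarif'
+output: './trivy-results-branch.sarif'
+
+- name: Remove lines that are always expected to be different
+run: |
+sed -i '/"uri": "file:\/\/\/github\/workspace\/base\//d' ${{ github.workspace }}/trivy-results-base.sarif
+sed -i '/"uri": "file:\/\/\/github\/workspace\/branch\//d' ${{ github.workspace }}/trivy-results-branch.sarif
+- name: Diff Trivy results
+run: diff -u ./trivy-results-base.sarif ./trivy-results-branch.sarif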
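Review bot: The final `diff -u` step fails on any difference between the two SARIF files, so a PR that fixes a vulnerability in the base branch, or that only reorders results, is rejected the same way as one that adds a vulnerability; the job should instead fail only on findings present in the branch scan and absent from the base scan. Deleting every `"uri"` line with `sed` also throws away the location that distinguishes one finding from another, so two results for the same CVE in different packages become indistinguishable in the diff. The `trivy.yaml` consumed here sets `ignorefile: .trivyignore.yaml` as a relative path, and with the working directory at the repository root and the checkouts under `base/` and `branch/` that file presumably is not found, so the ignore list would silently not apply to PR scans — confirm in the action log and, if so, pass the ignore file explicitly per checkout. Since the second checkout uses the default ref (the PR merge ref) while the first uses `base.ref`, a comment such as `# 'base' is the base branch head; 'branch' is the PR merge ref, so the diff attributes only PR changes` would make the comparison's intent clear.
```yaml
      # … unchanged: the two checkouts and the two fs-mode Trivy scans …
      - name: Fail only on findings that are new in the PR
        run: |
          # one line per (ruleId, path) with the base/ or branch/ checkout prefix removed,
          # sorted so comm can compare the two sets
          findings() {
            jq -r '.runs[].results[]
                   | "\(.ruleId) \(.locations[0].physicalLocation.artifactLocation.uri
                                    | sub("^file:///github/workspace/(base|branch)/"; ""))"' "$1" | sort -u
          }
          NEW=$(comm -13 <(findings ./trivy-results-base.sarif) <(findings ./trivy-results-branch.sarif))
          if [ -n "$NEW" ]; then
            printf 'Vulnerabilities introduced in this PR:\n%s\n' "$NEW"
            exit 1
          fi
```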
5 changes: 3 additions & 2 deletions trivy.yaml
Expand Up @@ -20,11 +20,12 @@ scan:
- sequence-diagrams
- usr/local/share/.cache/yarn/v6/
- home/node/.cache/yarn/v6
skip-files:
- Dockerfile.dockerignore
- packages/*/Dockerfile.dockerignore
scanners:
- vuln
- misconfig
ignorefile: .trivyignore.yaml
vulnerability:
ignore-unfixed: true
db:
repository: 'public.ecr.aws/aquasecurity/trivy-db'
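Review bot: The new `skip-files` entries `Dockerfile.dockerignore` and `packages/*/Dockerfile.dockerignore` exclude those files from the `misconfig` scanner without saying why; presumably the `Dockerfile.*` name makes the scanner treat an ignore list as a Dockerfile and report bogus findings, but the next maintainer cannot tell that from the config. A short comment above the list, e.g. `# *.dockerignore files named Dockerfile.dockerignore are otherwise parsed as Dockerfiles by the misconfig scanner`, would record the reason and make it safe to revisit when Trivy is upgraded. If the `db.repository` setting is indeed dropped here in favour of the `TRIVY_DB_REPOSITORY` env in the workflows, note that local runs of `trivy` fall back to the default upstream registry and its rate limits.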
