also mirror checks
rikukissa committed Oct 28, 2024
1 parent 46a5e5e commit 5c3ed26
Showing 4 changed files with 19 additions and 12 deletions.
4 changes: 4 additions & 0 deletions .github/workflows/build-images-from-branch.yml
Expand Up @@ -127,13 +127,16 @@ jobs:
matrix:
service: ${{ fromJSON(needs.base.outputs.services) }}
steps:
- uses: actions/checkout@v4

- name: Run Trivy vulnerability scanner
uses: aquasecurity/[email protected]
with:
image-ref: 'opencrvs/ocrvs-${{ matrix.service }}:${{ github.event.pull_request.base.ref }}'
trivy-config: trivy.yaml
format: 'sarif'
output: './trivy-results-base.sarif'
exit-code: '0'

- name: Run Trivy vulnerability scanner
uses: aquasecurity/[email protected]
Expand All @@ -142,6 +145,7 @@ jobs:
trivy-config: trivy.yaml
format: 'sarif'
output: './trivy-results-branch.sarif'
exit-code: '0'

- name: Remove lines that are always expected to be different
run: |
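Review bot: Both `aquasecurity/[email protected]` steps are pinned by a mutable version tag rather than a commit SHA, which is the wrong direction for the workflow that vouches for image security; pin `uses:` to the full 40-character SHA and keep the version in a trailing comment. The two added `exit-code: '0'` lines mean findings never fail this job, so the later diff step is the only gate — that looks intentional, but it deserves a comment above each scan such as `# Findings never fail this step; the diff against the base scan below is the gate.` Since `trivy-config: trivy.yaml` now resolves the DB and checks sources from the checked-out config, a stale org mirror would silently reduce findings on both sides of the diff; confirm the mirror workflow runs on a schedule, which is outside this hunk.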
3 changes: 3 additions & 0 deletions .github/workflows/mirror-trivy-db.yml
Expand Up @@ -73,3 +73,6 @@ jobs:

- name: Mirror trivy-java-db to GHCR
run: ./mirror-image.sh docker://ghcr.io/aquasecurity/trivy-java-db:1 docker://ghcr.io/${{ github.repository_owner }}/trivy-java-db:1 ${{ env.RETRIES }}

- name: Mirror trivy-checks to GHCR
run: ./mirror-image.sh docker://ghcr.io/aquasecurity/trivy-checks:1 docker://ghcr.io/${{ github.repository_owner }}/trivy-checks:1 ${{ env.RETRIES }}
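Review bot: The new mirror step copies whatever is currently behind the mutable upstream tag `trivy-checks:1` to an equally mutable tag under the org, with no integrity check between source and copy and no record of which digest was mirrored when. If `./mirror-image.sh` (outside this hunk) does not already do so, have it print the source digest it copied to the job summary, and verify the upstream signature before pushing if aquasecurity publishes cosign signatures for this artifact. Interpolating `${{ github.repository_owner }}` into the shell line is acceptable here because the owner name is not attacker-controlled, but passing it through `env:` like `RETRIES` would keep the script free of expression interpolation.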
14 changes: 5 additions & 9 deletions .github/workflows/security-scans.yml
Expand Up @@ -48,32 +48,28 @@ jobs:

- name: Run Trivy vulnerability scanner in fs mode
uses: aquasecurity/[email protected]
env:
TRIVY_DB_REPOSITORY: 'ghcr.io/opencrvs/trivy-db'
TRIVY_JAVA_DB_REPOSITORY: 'ghcr.io/opencrvs/trivy-java-db'
with:
scan-type: 'fs'
scan-ref: 'base'
trivy-config: ./base/trivy.yaml
trivy-config: ./branch/trivy.yaml
format: 'sarif'
output: './trivy-results-base.sarif'
exit-code: '0'

- name: Run Trivy vulnerability scanner in fs mode
uses: aquasecurity/[email protected]
env:
TRIVY_DB_REPOSITORY: 'ghcr.io/opencrvs/trivy-db'
TRIVY_JAVA_DB_REPOSITORY: 'ghcr.io/opencrvs/trivy-java-db'
with:
scan-type: 'fs'
scan-ref: 'branch'
trivy-config: ./branch/trivy.yaml
format: 'sarif'
output: './trivy-results-branch.sarif'
exit-code: '0'

- name: Remove lines that are always expected to be different
run: |
sed -i '/"uri": "file:\/\/\/github\/workspace\/base\//d' ${{ github.workspace }}/trivy-results-base.sarif
sed -i '/"uri": "file:\/\/\/github\/workspace\/branch\//d' ${{ github.workspace }}/trivy-results-branch.sarif
sed -i '/"uri": "file:\/\/\/home\/runner\/work\/opencrvs-core\/opencrvs-core\/base\/"/d' ./trivy-results-base.sarif
sed -i '/"uri": "file:\/\/\/home\/runner\/work\/opencrvs-core\/opencrvs-core\/branch\/"/d' ./trivy-results-branch.sarif
- name: Diff Trivy results
run: diff -u ./trivy-results-base.sarif ./trivy-results-branch.sarif
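Review bot: Both scans now read the PR's configuration (`trivy-config: ./branch/trivy.yaml` for the `base` scan too), so a PR that extends `skip-dirs`, widens `.trivyignore.yaml` or sets `ignore-unfixed` weakens both sides equally and leaves no diff — the comparison can no longer catch a scan-config regression. Keeping the symmetric config is reasonable to avoid noise, but surface config drift explicitly, e.g. a step before the scans `- name: Show Trivy config changes` with `run: diff -u ./base/trivy.yaml ./branch/trivy.yaml || true` (and the same for the ignorefile), or gate those files through CODEOWNERS. The replacement sed patterns hard-code `/home/runner/work/opencrvs-core/opencrvs-core/`, which silently stops matching on a fork or after a repository rename, leaving the uri lines in place so the final diff always fails; match on the suffix instead, e.g. `sed -i '/"uri": "file:\/\/.*\/base\/"/d' ./trivy-results-base.sarif`. The job's checkout steps that create `base/` and `branch/` are outside this hunk.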
10 changes: 7 additions & 3 deletions trivy.yaml
Expand Up @@ -20,12 +20,16 @@ scan:
- sequence-diagrams
- usr/local/share/.cache/yarn/v6/
- home/node/.cache/yarn/v6
skip-files:
- Dockerfile.dockerignore
- packages/*/Dockerfile.dockerignore
scanners:
- vuln
- misconfig
ignorefile: .trivyignore.yaml
vulnerability:
ignore-unfixed: true
db:
repository: 'ghcr.io/opencrvs/trivy-db'
java:
db:
repository: 'ghcr.io/opencrvs/trivy-java-db'
policies-bundle:
repository: 'ghcr.io/opencrvs/trivy-checks'
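Review bot: The new `policies-bundle.repository` key should be checked against the config reference for the Trivy version bundled by the action, because as far as I can tell Trivy does not error on configuration keys it does not recognise; if the misconfig bundle option is spelt differently in that version (recent releases expose it as `--checks-bundle-repository` under `misconfiguration:`), the mirror is silently bypassed and checks keep coming from `ghcr.io/aquasecurity/trivy-checks`. The three repository values also carry no tag while the upstream defaults do (`trivy-db:2`, `trivy-java-db:1`, `trivy-checks:1`) and the mirror workflow in this commit pushes `:1` tags, so spell the tag out, e.g. `repository: 'ghcr.io/opencrvs/trivy-checks:1'`, rather than relying on a default-tag fallback. A one-line comment above `db:` stating why these point at org mirrors (presumably upstream GHCR rate limits — confirm) would help the next reader, and a single run with `trivy --debug` confirming the mirror hosts are what gets pulled would close the loop.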
