-
Notifications
You must be signed in to change notification settings - Fork 26
132 lines (115 loc) · 4.34 KB
/
trivyscan.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
name: Trivy scan image for vulnerabilities
on:
workflow_dispatch:
pull_request:
branches:
- main
paths:
- 'environments/.stackhpc/terraform/cluster_image.auto.tfvars.json'
jobs:
scan:
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}-${{ matrix.build }} # to branch/PR + build
cancel-in-progress: true
runs-on: ubuntu-latest
strategy:
fail-fast: false
matrix:
build: ["RL8", "RL9"]
env:
JSON_PATH: environments/.stackhpc/terraform/cluster_image.auto.tfvars.json
OS_CLOUD: openstack
CI_CLOUD: ${{ vars.CI_CLOUD }}
steps:
- uses: actions/checkout@v2
- name: Override CI_CLOUD if PR label is present
if: ${{ github.event_name == 'pull_request' }}
run: |
# Iterate over the labels
labels=$(echo '${{ toJSON(github.event.pull_request.labels) }}' | jq -r '.[].name')
echo $labels
for label in $labels; do
if [[ $label == CI_CLOUD=* ]]; then
# Extract the value after 'CI_CLOUD='
CI_CLOUD_OVERRIDE=${label#CI_CLOUD=}
echo "CI_CLOUD=${CI_CLOUD_OVERRIDE}" >> $GITHUB_ENV
fi
done
- name: Record settings for CI cloud
run: |
echo CI_CLOUD: ${{ env.CI_CLOUD }}
- name: Setup ssh
run: |
set -x
mkdir ~/.ssh
echo "${{ secrets[format('{0}_SSH_KEY', env.CI_CLOUD)] }}" > ~/.ssh/id_rsa
chmod 0600 ~/.ssh/id_rsa
shell: bash
- name: Add bastion's ssh key to known_hosts
run: cat environments/.stackhpc/bastion_fingerprints >> ~/.ssh/known_hosts
shell: bash
- name: setup environment
run: |
python3 -m venv venv
. venv/bin/activate
pip install -U pip
pip install $(grep -o 'python-openstackclient[><=0-9\.]*' requirements.txt)
shell: bash
- name: Write clouds.yaml
run: |
mkdir -p ~/.config/openstack/
echo "${{ secrets[format('{0}_CLOUDS_YAML', env.CI_CLOUD)] }}" > ~/.config/openstack/clouds.yaml
shell: bash
- name: Parse image name json
id: manifest
run: |
IMAGE_NAME=$(jq --arg version "${{ matrix.build }}" -r '.cluster_image[$version]' "${{ env.JSON_PATH }}")
echo "image-name=${IMAGE_NAME}" >> "$GITHUB_OUTPUT"
- name: Download image
run: |
. venv/bin/activate
sudo mkdir /mnt/images
sudo chmod 777 /mnt/images
openstack image save --file /mnt/images/${{ steps.manifest.outputs.image-name }}.qcow2 ${{ steps.manifest.outputs.image-name }}
- name: Set up QEMU
uses: docker/setup-qemu-action@v3
- name: install libguestfs
run: |
sudo apt -y update
sudo apt -y install libguestfs-tools
- name: mkdir for mount
run: sudo mkdir -p './${{ steps.manifest.outputs.image-name }}'
- name: mount qcow2 file
run: sudo guestmount -a /mnt/images/${{ steps.manifest.outputs.image-name }}.qcow2 -i --ro -o allow_other './${{ steps.manifest.outputs.image-name }}'
- name: Run Trivy vulnerability scanner
uses: aquasecurity/[email protected]
with:
scan-type: fs
scan-ref: "${{ steps.manifest.outputs.image-name }}"
scanners: "vuln"
format: sarif
output: "${{ steps.manifest.outputs.image-name }}.sarif"
# turn off secret scanning to speed things up
timeout: 15m
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
TRIVY_DB_REPOSITORY: ghcr.io/azimuth-cloud/trivy-db:2
- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: "${{ steps.manifest.outputs.image-name }}.sarif"
category: "${{ matrix.build }}"
- name: Fail if scan has CRITICAL vulnerabilities
uses: aquasecurity/[email protected]
with:
scan-type: fs
scan-ref: "${{ steps.manifest.outputs.image-name }}"
scanners: "vuln"
format: table
exit-code: '1'
severity: 'CRITICAL'
ignore-unfixed: true
timeout: 15m
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
TRIVY_DB_REPOSITORY: ghcr.io/azimuth-cloud/trivy-db:2