Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

ci: use the latest version of Trivy for security scans #908

Merged
merged 4 commits into from
Sep 30, 2024
Merged

ci: use the latest version of Trivy for security scans #908

Changes from all commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
a0a5ba5
ci: use the latest version of Trivy for security scans
sjinks Sep 30, 2024
b0447b4
fix: pass `ACTIONS_RUNTIME_TOKEN` to Trivy
sjinks Sep 30, 2024
334cf9b
ci: cache Trivy database
sjinks Sep 30, 2024
ed9c6a2
fix: cache directory permissions
sjinks Sep 30, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
33 changes: 26 additions & 7 deletions .github/actions/build-docker-image/action.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -45,6 +45,10 @@ inputs:
description: The password to use for the registry
required: false
default: ${{ github.token }}
auth_token:
description: The token to authenticate with GitHub
required: false
default: ${{ github.token }}
runs:
using: composite
steps:
Expand All @@ -60,7 +64,6 @@ runs:
registry: ${{ inputs.registry }}
username: ${{ inputs.username }}
password: ${{ inputs.password }}
if: ${{ inputs.push }}

- name: Build and push container image
uses: docker/build-push-action@v6
Expand Down Expand Up @@ -127,18 +130,34 @@ runs:
run: |
echo "filename=trivy-$(basename "${{ inputs.primaryTag }}" | tr '\\/:' '-').sarif" >> "${GITHUB_OUTPUT}"

- name: Security Scan
uses: docker://aquasec/trivy:0.48.3
- name: Create cache directory
shell: bash
run: mkdir -p .cache/trivy/db

- name: Cache Trivy database
uses: actions/[email protected]
with:
args: image --format json --ignore-unfixed --vuln-type os ${{ inputs.primaryTag }} --output trivy.json
path: .cache/trivy/db
key: ${{ runner.os }}-trivy

- name: Security Scan
shell: bash
run: |
docker run --rm \
-v /var/run/docker.sock:/var/run/docker.sock \
-v $(pwd)/.cache:/root/.cache \
-v $(pwd):/workdir \
-w /workdir \
aquasec/trivy:0.55.2 image --format json --ignore-unfixed --pkg-types os ${{ inputs.primaryTag }} --output trivy.json
sudo chmod a+r -R .cache

- name: Print report
uses: docker://aquasec/trivy:0.48.3
uses: docker://aquasec/trivy:0.55.2
with:
args: convert --format=table trivy.json

- name: Generate SARIF
uses: docker://aquasec/trivy:0.48.3
uses: docker://aquasec/trivy:0.55.2
with:
args: convert --format=sarif --output=${{ steps.filename.outputs.filename }} trivy.json
if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.event.pull_request.base.repo.full_name
Expand All @@ -151,7 +170,7 @@ runs:
continue-on-error: true

- name: Prepare markdown report
uses: docker://aquasec/trivy:0.48.3
uses: docker://aquasec/trivy:0.55.2
with:
args: convert --format=template [email protected]/actions/build-docker-image/markdown.tpl --output=trivy.md trivy.json
if: github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name == github.event.pull_request.base.repo.full_name
Expand Down
Loading