From a0d66d01e07f702918d46d2e53711cdefb4052d6 Mon Sep 17 00:00:00 2001 From: Rixing Xu Date: Thu, 27 Jul 2023 14:06:14 -0700 Subject: [PATCH] separate workflow for scan images --- .github/workflows/ci.yml | 29 ++++--------- .github/workflows/scan-images.yml | 67 +++++++++++++++++++++++++++++++ 2 files changed, 74 insertions(+), 22 deletions(-) create mode 100644 .github/workflows/scan-images.yml diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 0a5a111..60ab000 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -4,7 +4,6 @@ on: push: branches: - 'dsl2' - - 'orca-249-push-to-ghcr' paths: - 'docker/**' - '.github/workflows/ci.yml' @@ -13,8 +12,6 @@ env: # Use docker.io for Docker Hub if empty REGISTRY: ghcr.io IMAGE_NAME: ${{ github.repository }} - # Use `latest` as the tag to compare to if empty, assuming that it's already pushed - COMPARE_TAG: latest jobs: docker: @@ -52,23 +49,11 @@ jobs: type=sha latest - #- name: Build and push to GHCR - # uses: docker/build-push-action@v4 - # with: - # context: ./docker - # file: ./docker/Dockerfile - # push: true - # tags: ${{ steps.metadata.outputs.tags }} - # labels: ${{ steps.metadata.outputs.labels }} - - - name: Docker Scout - id: docker-scout - uses: docker/scout-action@v0.18.1 + - name: Build and push to GHCR + uses: docker/build-push-action@v4 with: - command: recommendations, compare - image: ${{ steps.metadata.outputs.tags }} - to-latest: true - ignore-unchanged: true - only-severities: critical,high - dockerhub-user: ${{ github.actor }} - dockerhub-password: ${{ secrets.GITHUB_TOKEN }} + context: ./docker + file: ./docker/Dockerfile + push: true + tags: ${{ steps.metadata.outputs.tags }} + labels: ${{ steps.metadata.outputs.labels }} diff --git a/.github/workflows/scan-images.yml b/.github/workflows/scan-images.yml new file mode 100644 index 0000000..4c1b233 --- /dev/null +++ b/.github/workflows/scan-images.yml 
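Review bot: The re-enabled `Build and push to GHCR` step now pushes every tag from the metadata step (including `latest`) with no scan gate left in this workflow: the Docker Scout step is removed here, and the new scan-images workflow runs on its own `push` trigger with no ordering against this job, so an image reaches the registry before anything has looked at it. A cleaner sequence is to build once with `load: true`, scan the local image, and push in a second `build-push-action` step only after the scan passes (the second build is served from cache); at minimum the scan workflow should use `workflow_run` on this workflow so it scans the image this commit built rather than whatever `latest` was before. Whether this job grants `packages: write` to `GITHUB_TOKEN` is decided above the hunk, outside the view. `docker/build-push-action@v4` is a floating major tag; pinning to a commit SHA with Dependabot is the usual hardening for a step that holds a registry-write token.
```yaml
      - name: Build image locally for scanning
        uses: docker/build-push-action@v4
        with:
          context: ./docker
          file: ./docker/Dockerfile
          load: true
          tags: ${{ steps.metadata.outputs.tags }}
          labels: ${{ steps.metadata.outputs.labels }}

      # … scan step here (e.g. aquasecurity/trivy-action against the sha tag, exit-code '1') …

      - name: Build and push to GHCR
        uses: docker/build-push-action@v4
        with:
          context: ./docker
          file: ./docker/Dockerfile
          push: true
          tags: ${{ steps.metadata.outputs.tags }}
          labels: ${{ steps.metadata.outputs.labels }}
```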
@@ -0,0 +1,67 @@
+name: Scan image
+
+on:
+ push:
+ branches:
+ - 'dsl2'
+ - 'orca-249-push-to-ghcr'
+
+env:
+ # Use docker.io for Docker Hub if empty
+ REGISTRY: ghcr.io
+ IMAGE_NAME: ${{ github.repository }}
+ IMAGE_TAG: latest
+ # Use `latest` as the tag to compare to if empty, assuming that it's already pushed
+ COMPARE_TAG: latest
+
+jobs:
+ trivy-edge:
+ name: Run Trivy vulnerability scanner
+ runs-on: ubuntu-latest
+ continue-on-error: true
+
+ steps:
+ - name: Login to GitHub Container Registry
+ uses: docker/login-action@v2
+ with:
+ registry: ${{ env.REGISTRY }}
+ username: ${{ github.actor }}
+ password: ${{ secrets.GITHUB_TOKEN }}
+
+ - name: Pull the image
+ run: |
+ docker pull ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ env.IMAGE_TAG }}
+
+ # Deliberately chosen master here to keep up-to-date.
+ - name: Run Trivy vulnerability scanner for any major issues
+ uses: aquasecurity/trivy-action@master
+ with:
+ image-ref: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ env.IMAGE_TAG }}
+ ignore-unfixed: true
+ severity: 'CRITICAL,HIGH'
+ limit-severities-for-sarif: true
+ format: template
+ template: '@/contrib/sarif.tpl'
+ output: trivy-results-${{ env.IMAGE_NAME }}-${{ env.IMAGE_TAG }}.sarif
+
+ # Show all detected issues.
+ # Note this will show a lot more, including major un-fixed ones.
+ - name: Run Trivy vulnerability scanner for local output
+ uses: aquasecurity/trivy-action@master
+ with:
+ image-ref: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ env.IMAGE_TAG }}
+ format: table
+
+ - name: Upload Trivy scan results to GitHub Security tab
+ uses: github/codeql-action/upload-sarif@v2
+ with:
+ sarif_file: trivy-results-${{ env.IMAGE_NAME }}-${{ env.IMAGE_TAG }}.sarif
+ category: ${{ env.IMAGE_NAME }}:${{ env.IMAGE_TAG }} image
+ wait-for-processing: true
+
+ - name: Detain results for debug if needed
+ uses: actions/upload-artifact@v3
+ with:
+ name: trivy-results-${{ env.IMAGE_NAME }}-${{ env.IMAGE_TAG }}.sarif
+ path: trivy-results-${{ env.IMAGE_NAME }}-${{ env.IMAGE_TAG }}.sarif
+ if-no-files-found: error
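Review bot: This scan can never block anything: `continue-on-error: true` at the job level turns a failed pull, a failed upload or any CRITICAL/HIGH finding into a green run, and the job pulls `${{ env.IMAGE_TAG }}` (`latest`) on every push rather than the image built for this commit, so with both workflows on the same `push` trigger and no ordering between them it may well scan the previous `latest`. Remove the job-level `continue-on-error`, trigger this workflow with `workflow_run` on the CI workflow's completion and scan the `sha` tag the metadata step produces; if findings themselves should fail the job, add `exit-code: '1'` to the SARIF step and `if: always()` to the upload step so results still reach the Security tab. The workflow declares no `permissions:` even though `upload-sarif` needs `security-events: write`, so it either fails on repositories whose default `GITHUB_TOKEN` is read-only or runs with a broader token than it needs — an explicit least-privilege block is shown below. `aquasecurity/trivy-action@master` is a mutable ref to third-party code that runs with this token (the comment says it is deliberate); pin to a release tag or commit SHA and let Dependabot bump it. Finally, `IMAGE_NAME` expands to `owner/repo`, so the SARIF `output:` path, `sarif_file` and the artifact `name:` all contain a `/`: Trivy will likely fail to create the file under a non-existent `trivy-results-owner/` directory and upload-artifact rejects `/` in artifact names, so use `${{ github.event.repository.name }}` in those three places instead.
```yaml
permissions:
  contents: read
  packages: read
  security-events: write

# … unchanged: env block …

jobs:
  trivy-edge:
    name: Run Trivy vulnerability scanner
    runs-on: ubuntu-latest
    # continue-on-error dropped so a broken pull, scan or upload fails the job

    # … unchanged: login and pull steps …
      - name: Run Trivy vulnerability scanner for any major issues
        uses: aquasecurity/trivy-action@<release-tag-or-commit-sha>
        with:
          # … unchanged: image-ref, ignore-unfixed, severity, limit-severities-for-sarif, format, template …
          output: trivy-results-${{ github.event.repository.name }}-${{ env.IMAGE_TAG }}.sarif
```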