-
Notifications
You must be signed in to change notification settings - Fork 13
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Scan the repository and the snap with trivy (#20)
* Scan the repository and the snap with trivy * Scan PRs and release branches with Trivy * Schedule scaning every night --------- Co-authored-by: eaudetcobello <[email protected]>
- Loading branch information
1 parent
8df1b14
commit 30fbadc
Showing
2 changed files
with
104 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -66,3 +66,52 @@ jobs: | |
| export TEST_SUBSTRATE=lxd | ||
| export TEST_LXD_IMAGE=${{ matrix.os }} | ||
| cd tests/e2e && sg lxd -c 'tox -e e2e' | ||
| - name: Setup tmate session | ||
| uses: mxschmitt/action-tmate@v3 | ||
| with: | ||
| # Print connection details and continue with the job. | ||
| # Waits at the end of the job for the tmate session to exit. | ||
| # If no user connects within 10min the connection exits gracefully. | ||
| detached: true | ||
| # Only the user who started the workflow can access the tmate session. | ||
| limit-access-to-actor: true | ||
| if: ${{ failure() }} | ||
|
|
||
| security-scan: | ||
| name: Security scan | ||
| runs-on: ubuntu-20.04 | ||
| needs: build | ||
| steps: | ||
| - name: Checking out repo | ||
| uses: actions/checkout@v4 | ||
| - name: Fetch snap | ||
| uses: actions/[email protected] | ||
| with: | ||
| name: k8s.snap | ||
| path: build | ||
| - name: Setup Trivy vulnerability scanner | ||
| run: | | ||
| mkdir -p sarifs | ||
| VER=$(curl --silent -qI https://github.com/aquasecurity/trivy/releases/latest | awk -F '/' '/^location/ {print substr($NF, 1, length($NF)-1)}'); | ||
| wget https://github.com/aquasecurity/trivy/releases/download/${VER}/trivy_${VER#v}_Linux-64bit.tar.gz | ||
| tar -zxvf ./trivy_${VER#v}_Linux-64bit.tar.gz | ||
| - name: Run Trivy vulnerability scanner in repo mode | ||
| uses: aquasecurity/trivy-action@master | ||
| with: | ||
| scan-type: "fs" | ||
| ignore-unfixed: true | ||
| format: "sarif" | ||
| output: "trivy-k8s-repo-scan--results.sarif" | ||
| severity: "MEDIUM,HIGH,CRITICAL" | ||
| - name: Gather Trivy repo scan results | ||
| run: | | ||
| cp trivy-k8s-repo-scan--results.sarif ./sarifs/ | ||
| - name: Run Trivy vulnerability scanner on the snap | ||
| run: | | ||
| cp build/k8s.snap . | ||
| unsquashfs k8s.snap | ||
| ./trivy rootfs ./squashfs-root/ --format sarif > sarifs/snap.sarif | ||
| - name: Upload Trivy scan results to GitHub Security tab | ||
| uses: github/codeql-action/upload-sarif@v3 | ||
| with: | ||
| sarif_file: "sarifs" | ||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,55 @@ | ||
| name: Security scan | ||
|
|
||
| on: | ||
| schedule: | ||
| - cron: '0 10 * * *' | ||
|
|
||
| jobs: | ||
| scan: | ||
| runs-on: ubuntu-latest | ||
| strategy: | ||
| matrix: | ||
| include: | ||
| # Latest branches | ||
| - { branch: main, channel: latest/edge } | ||
| # Stable branches | ||
| # Add branches to test here | ||
|
|
||
| steps: | ||
| - name: Checking out repo | ||
| uses: actions/checkout@v4 | ||
| with: | ||
| ref: ${{matrix.branch}} | ||
| - name: Setup Trivy vulnerability scanner | ||
| run: | | ||
| mkdir -p sarifs | ||
| VER=$(curl --silent -qI https://github.com/aquasecurity/trivy/releases/latest | awk -F '/' '/^location/ {print substr($NF, 1, length($NF)-1)}'); | ||
| wget https://github.com/aquasecurity/trivy/releases/download/${VER}/trivy_${VER#v}_Linux-64bit.tar.gz | ||
| tar -zxvf ./trivy_${VER#v}_Linux-64bit.tar.gz | ||
| - name: Run Trivy vulnerability scanner in repo mode | ||
| uses: aquasecurity/trivy-action@master | ||
| with: | ||
| scan-type: "fs" | ||
| ignore-unfixed: true | ||
| format: "sarif" | ||
| output: "trivy-k8s-repo-scan--results.sarif" | ||
| severity: "MEDIUM,HIGH,CRITICAL" | ||
| - name: Gather Trivy repo scan results | ||
| run: | | ||
| cp trivy-k8s-repo-scan--results.sarif ./sarifs/ | ||
| - name: Run Trivy vulnerability scanner on the snap | ||
| run: | | ||
| snap download k8s --channel ${{ matrix.channel }} | ||
| mv ./k8s*.snap ./k8s.snap | ||
| unsquashfs k8s.snap | ||
| ./trivy rootfs ./squashfs-root/ --format sarif > sarifs/snap.sarif | ||
| - name: Get HEAD sha | ||
| run: | | ||
| SHA="$(git rev-parse HEAD)" | ||
| echo "head_sha=$SHA" >> "$GITHUB_ENV" | ||
| - name: Upload Trivy scan results to GitHub Security tab | ||
| uses: github/codeql-action/upload-sarif@v3 | ||
| with: | ||
| sarif_file: "sarifs" | ||
| sha: ${{ env.head_sha }} | ||
| ref: refs/heads/${{matrix.branch}} |