-
Notifications
You must be signed in to change notification settings - Fork 82
82 lines (74 loc) · 2.7 KB
/
vulnerability_scan_subworkflow.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
name: Vulnerability Scan
on:
workflow_call:
inputs:
ref:
required: true
type: string
secrets:
SNYK_TOKEN:
required: true
workflow_dispatch:
inputs:
ref:
required: true
type: string
jobs:
scan:
runs-on: ubuntu-latest
strategy:
matrix:
image:
- label: oss
distribution_zip_name: hazelcast-distribution.zip
- label: enterprise
distribution_zip_name: hazelcast-enterprise-distribution.zip
env:
DIRECTORY: hazelcast-${{ matrix.image.label }}
IMAGE_TAG: hazelcast/${{ matrix.image.label }}:${{ github.sha }}
steps:
- name: Checkout Code at ${{ inputs.ref }} branch
uses: actions/checkout@v4
with:
ref: ${{ inputs.ref }}
- name: Generate ${{ matrix.image.label }} dist ZIP
run: |
# Make a dummy empty ZIP file to avoid scanning Java dependencies, as managed downstream
# DI-50 - Remove java artifacts scanning from hazelcast-docker
working_directory=hazelcast-distribution
mkdir -p ${working_directory}/lib
mkdir -p ${working_directory}/bin
touch ${working_directory}/bin/empty
zip -r ${{ env.DIRECTORY }}/${{ matrix.image.distribution_zip_name }} ${working_directory}
- name: Build ${{ matrix.image.label }} image
run: |
docker build -t ${{ env.IMAGE_TAG }} ${{ env.DIRECTORY }}
- name: Scan ${{ matrix.image.label }} image by Trivy
if: always()
uses: aquasecurity/[email protected]
with:
image-ref: ${{ env.IMAGE_TAG }}
trivy-config: .github/containerscan/trivy.yaml
env:
# https://github.com/aquasecurity/trivy/issues/2432
DOCKLE_HOST: "unix:///var/run/docker.sock"
- name: Scan ${{ matrix.image.label }} image by Dockle
if: always()
# Use our fork until https://github.com/goodwithtech/dockle-action/issues/7 is fixed
# uses: goodwithtech/dockle-action@main
uses: hazelcast/dockle-action/@Upgrade-Dockle-to-`0.4.14`
with:
image: ${{ env.IMAGE_TAG }}
format: 'list'
exit-code: '1'
exit-level: 'warn'
# too many false positives, we don't use credentials in Dockerfile
ignore: 'CIS-DI-0010'
- name: Scan ${{ matrix.image.label }} image by Snyk
if: always()
uses: snyk/actions/docker@master
env:
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
with:
image: ${{ env.IMAGE_TAG }}
args: --file=${{ env.DIRECTORY }}/Dockerfile --policy-path=.github/containerscan --severity-threshold=high --exclude-base-image-vulns