From 735d24921bb17a8086cb15b9d00068b0bcd3d48c Mon Sep 17 00:00:00 2001
From: Michael Habinsky
Date: Fri, 29 Sep 2023 16:03:41 -0600
Subject: [PATCH] Trivy GitHub action (#12)
Move Trivy scans from Azure CI pipeline (written by @Dabnsky) to a GitHub Action workflow.
---
.github/workflows/trivy.yaml | 48 ++++++++++++----------------
RunTrivyScans.sh | 5 ---
TrivySetup.sh | 7 ----
cloudfuse-vunerability-scanning.yaml | 31 ------------------
4 files changed, 21 insertions(+), 70 deletions(-)
delete mode 100755 RunTrivyScans.sh
delete mode 100755 TrivySetup.sh
delete mode 100644 cloudfuse-vunerability-scanning.yaml
diff --git a/.github/workflows/trivy.yaml b/.github/workflows/trivy.yaml
index 04658d928..88709bc61 100644
--- a/.github/workflows/trivy.yaml
+++ b/.github/workflows/trivy.yaml
@@ -3,15 +3,15 @@
# separate terms of service, privacy policy, and support
# documentation.
-name: build
+name: trivy
on:
push:
- branches: [ "main", master ]
+ branches:
+ - main
pull_request:
- # The branches below must be a subset of the branches above
- branches: [ "main" ]
schedule:
+ # every Monday at 7:31pm
- cron: '31 19 * * 1'
permissions:
@@ -29,29 +29,23 @@ jobs:
steps:
- name: Checkout code
- uses: actions/checkout@v3
+ uses: actions/checkout@v4
- - name: Build Cloudfuse
- run: |
- sudo apt-get install fuse3 libfuse3-dev -y
- go build -o cloudfuse
- ls -l
- - name: Run Trivy vulnerability scanner
- uses: aquasecurity/trivy-action@master
- with:
- scan-type: fs
- scan-ref: './cloudfuse'
- ignore-unfixed: true
- format: 'sarif'
- output: 'trivy-results-binary.sarif'
- severity: 'CRITICAL,HIGH,MEDIUM,LOW'
- - name: List Issues
+ - name: Install Trivy
run: |
- cat trivy-results-binary.sarif
+ sudo apt-get install wget apt-transport-https gnupg lsb-release -y
+ wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key | sudo apt-key add -
+ echo deb https://aquasecurity.github.io/trivy-repo/deb $(lsb_release -sc) main | sudo tee -a /etc/apt/sources.list.d/trivy.list
+ sudo apt-get update
+ sudo apt-get install trivy -y
- - name: Upload Trivy scan results to GitHub Security tab
- uses: github/codeql-action/upload-sarif@v2
- with:
- sarif_file: 'trivy-results-binary.sarif'
+ - name: Run vulnerability scanner
+ run: |
+ trivy fs ./ --scanners license --exit-code 1 --severity HIGH,CRITICAL
+ trivy fs ./ --exit-code 1 --severity MEDIUM,HIGH,CRITICAL --dependency-tree
+
+ #TODO: maybe use this when codeql is available (after publishing)
+ # - name: Upload Trivy scan results to GitHub Security tab
+ # uses: github/codeql-action/upload-sarif@v2
+ # with:
+ # sarif_file: 'trivy-results-binary.sarif'
diff --git a/RunTrivyScans.sh b/RunTrivyScans.sh
deleted file mode 100755
index b8c12e587..000000000
--- a/RunTrivyScans.sh
+++ /dev/null
@@ -1,5 +0,0 @@
-#!/bin/bash
-
-trivy fs ./ --scanners license --exit-code 1 --severity HIGH,CRITICAL
-
-trivy fs ./ --exit-code 1 --severity MEDIUM,HIGH,CRITICAL --dependency-tree
\ No newline at end of file
diff --git a/TrivySetup.sh b/TrivySetup.sh
deleted file mode 100755
index 79d715826..000000000
--- a/TrivySetup.sh
+++ /dev/null
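Review bot: The `wget -qO - … | sudo apt-key add -` line in the Install Trivy step makes the Trivy signing key trusted for every configured apt repository, not just the Trivy one, and `apt-key` is deprecated on current Ubuntu runner images; the `[signed-by=…]` form in the fence below scopes the key to that one repository. The same step runs `apt-get install wget apt-transport-https gnupg lsb-release -y` before any `apt-get update`, so it relies on the runner image's package index still being current. `sudo apt-get install trivy -y` installs whatever version is latest at run time, so a scanner release can change findings between runs with no workflow change; pinning (`trivy=<VERSION>`, with the version bumped deliberately) keeps the scheduled and PR runs reproducible. The new `trivy fs` invocations also drop the `ignore-unfixed` setting the removed trivy-action step used, so findings with no available fix now fail the job through `--exit-code 1` — fine if intended, but it deserves a one-line comment above the step.
```yaml
      - name: Install Trivy
        run: |
          sudo apt-get update
          sudo apt-get install wget apt-transport-https gnupg lsb-release -y
          sudo install -m 0755 -d /usr/share/keyrings
          wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key | gpg --dearmor | sudo tee /usr/share/keyrings/trivy.gpg > /dev/null
          echo "deb [signed-by=/usr/share/keyrings/trivy.gpg] https://aquasecurity.github.io/trivy-repo/deb $(lsb_release -sc) main" | sudo tee -a /etc/apt/sources.list.d/trivy.list
          sudo apt-get update
          sudo apt-get install trivy -y   # pin as trivy=<VERSION> once a version is chosen
      # … unchanged: Run vulnerability scanner step …
```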
@@ -1,7 +0,0 @@
-#!/bin/bash
-
-sudo apt-get install wget apt-transport-https gnupg lsb-release -y
-wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key | sudo apt-key add -
-echo deb https://aquasecurity.github.io/trivy-repo/deb $(lsb_release -sc) main | sudo tee -a /etc/apt/sources.list.d/trivy.list
-sudo apt-get update
-sudo apt-get install trivy -y
\ No newline at end of file
diff --git a/cloudfuse-vunerability-scanning.yaml b/cloudfuse-vunerability-scanning.yaml
deleted file mode 100644
index 3b4f6fa3d..000000000
--- a/cloudfuse-vunerability-scanning.yaml
+++ /dev/null
@@ -1,31 +0,0 @@
-pr:
-- main
-
-pool:
- vmImage: ubuntu-20.04
-
-
-steps:
-
- - checkout: self
-
- - task: GoTool@0
- inputs:
- version: '1.19.9'
- displayName: "Select Go Version"
-
- - task: Go@0
- inputs:
- command: 'get'
- arguments: '-d ./...'
- workingDirectory: './'
- displayName: "Get Dependencies"
-
- - script: |
- ./TrivySetup.sh
- displayName: 'Install Trivy'
-
- - script: |
- ./RunTrivyScans.sh
- displayName: 'Run Trivy scans'
-