From 57cd9fd480f6e645ba8ef401c58a0b7906a7a9a8 Mon Sep 17 00:00:00 2001 From: Michael Habinsky Date: Tue, 26 Sep 2023 12:04:38 -0600 Subject: [PATCH 01/23] Rename action --- .github/workflows/trivy.yaml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/trivy.yaml b/.github/workflows/trivy.yaml index 04658d928..3fa4bdf5d 100644 --- a/.github/workflows/trivy.yaml +++ b/.github/workflows/trivy.yaml @@ -3,15 +3,15 @@ # separate terms of service, privacy policy, and support # documentation. -name: build +name: trivy on: push: - branches: [ "main", master ] + branches: + - main pull_request: - # The branches below must be a subset of the branches above - branches: [ "main" ] schedule: + # every Monday at 7:31pm - cron: '31 19 * * 1' permissions: From 5c12a79ba3f530ab3698bb49ac32b22e762b1297 Mon Sep 17 00:00:00 2001 From: Michael Habinsky Date: Tue, 26 Sep 2023 13:28:28 -0600 Subject: [PATCH 02/23] Run action on this branch to test. Update checkout. --- .github/workflows/trivy.yaml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.github/workflows/trivy.yaml b/.github/workflows/trivy.yaml index 3fa4bdf5d..3ebecea88 100644 --- a/.github/workflows/trivy.yaml +++ b/.github/workflows/trivy.yaml @@ -9,6 +9,7 @@ on: push: branches: - main + - trivy-github-action pull_request: schedule: # every Monday at 7:31pm @@ -29,7 +30,7 @@ jobs: steps: - name: Checkout code - uses: actions/checkout@v3 + uses: actions/checkout@v4 - name: Build Cloudfuse run: | From da756166b9045fab9104b09ee55b319fd583d108 Mon Sep 17 00:00:00 2001 From: Michael Habinsky Date: Tue, 26 Sep 2023 16:59:48 -0600 Subject: [PATCH 03/23] Exclude low severity issues. --- .github/workflows/trivy.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/trivy.yaml b/.github/workflows/trivy.yaml index 3ebecea88..db909c525 100644 --- a/.github/workflows/trivy.yaml +++ b/.github/workflows/trivy.yaml 
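Review bot: The new comment `# every Monday at 7:31pm` above the cron line leaves out the timezone, and GitHub evaluates `schedule` cron expressions in UTC, so a reader in the author's local zone will misjudge when the weekly scan runs. Suggest `# every Monday at 19:31 UTC (GitHub cron schedules are evaluated in UTC)`. Dropping the `branches:` list under `pull_request:` also widens the trigger to pull requests against any base branch; that is presumably intended, but the commit message only mentions the rename, so a one-line comment on the trigger would save the next reader from guessing.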
@@ -46,7 +46,7 @@ jobs: ignore-unfixed: true format: 'sarif' output: 'trivy-results-binary.sarif' - severity: 'CRITICAL,HIGH,MEDIUM,LOW' + severity: 'CRITICAL,HIGH,MEDIUM' - name: List Issues run: | From 2f2ee416b33cf0f25a103b1889bcd2c520283d02 Mon Sep 17 00:00:00 2001 From: Michael Habinsky Date: Tue, 26 Sep 2023 17:07:18 -0600 Subject: [PATCH 04/23] Don't build for a fs scan. --- .github/workflows/trivy.yaml | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/.github/workflows/trivy.yaml b/.github/workflows/trivy.yaml index db909c525..57e187cf1 100644 --- a/.github/workflows/trivy.yaml +++ b/.github/workflows/trivy.yaml @@ -32,11 +32,9 @@ jobs: - name: Checkout code uses: actions/checkout@v4 - - name: Build Cloudfuse + - name: Download Cloudfuse dependencies run: | - sudo apt-get install fuse3 libfuse3-dev -y - go build -o cloudfuse - ls -l + go get - name: Run Trivy vulnerability scanner uses: aquasecurity/trivy-action@master From c706cf8cc2707d55a1caef12902d51942b96f79b Mon Sep 17 00:00:00 2001 From: Michael Habinsky Date: Tue, 26 Sep 2023 17:10:59 -0600 Subject: [PATCH 05/23] Fix cloudfuse not found error. --- .github/workflows/trivy.yaml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.github/workflows/trivy.yaml b/.github/workflows/trivy.yaml index 57e187cf1..cdde4b47c 100644 --- a/.github/workflows/trivy.yaml +++ b/.github/workflows/trivy.yaml @@ -35,12 +35,13 @@ jobs: - name: Download Cloudfuse dependencies run: | go get + ls -l - name: Run Trivy vulnerability scanner uses: aquasecurity/trivy-action@master with: scan-type: fs - scan-ref: './cloudfuse' + scan-ref: '.' ignore-unfixed: true format: 'sarif' output: 'trivy-results-binary.sarif' From af271ad65e41358c94be07c4dcc137ac1ed1cbe3 Mon Sep 17 00:00:00 2001 From: Michael Habinsky Date: Tue, 26 Sep 2023 17:16:52 -0600 Subject: [PATCH 06/23] Remove codeql step. --- .github/workflows/trivy.yaml | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) 
diff --git a/.github/workflows/trivy.yaml b/.github/workflows/trivy.yaml index cdde4b47c..9ac108878 100644 --- a/.github/workflows/trivy.yaml +++ b/.github/workflows/trivy.yaml @@ -35,7 +35,6 @@ jobs: - name: Download Cloudfuse dependencies run: | go get - ls -l - name: Run Trivy vulnerability scanner uses: aquasecurity/trivy-action@master @@ -47,11 +46,13 @@ jobs: output: 'trivy-results-binary.sarif' severity: 'CRITICAL,HIGH,MEDIUM' + #TODO: use exit-code, or similar above, but still print the report on failure (how?) - name: List Issues run: | cat trivy-results-binary.sarif - - name: Upload Trivy scan results to GitHub Security tab - uses: github/codeql-action/upload-sarif@v2 - with: - sarif_file: 'trivy-results-binary.sarif' + #TODO: uncomment when codeql is available + # - name: Upload Trivy scan results to GitHub Security tab + # uses: github/codeql-action/upload-sarif@v2 + # with: + # sarif_file: 'trivy-results-binary.sarif' From ae45aa3563572cff7e2564730556c4cc4c07ebcb Mon Sep 17 00:00:00 2001 From: Michael Habinsky Date: Wed, 27 Sep 2023 11:58:46 -0600 Subject: [PATCH 07/23] Use exit code to signal failure. Print issues only when issues are found. --- .github/workflows/trivy.yaml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/.github/workflows/trivy.yaml b/.github/workflows/trivy.yaml index 9ac108878..a589b4056 100644 --- a/.github/workflows/trivy.yaml +++ b/.github/workflows/trivy.yaml @@ -45,11 +45,15 @@ jobs: format: 'sarif' output: 'trivy-results-binary.sarif' severity: 'CRITICAL,HIGH,MEDIUM' + exit-code: '1' + continue-on-error: true #TODO: use exit-code, or similar above, but still print the report on failure (how?) - name: List Issues + if: ${{ failure() }} run: | cat trivy-results-binary.sarif + exit 1 #TODO: uncomment when codeql is available # - name: Upload Trivy scan results to GitHub Security tab From b0476e9af5630b81c1c734bf7ff8e27c2c5c5dfd Mon Sep 17 00:00:00 2001 
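Review bot: The added `if: ${{ failure() }}` on the List Issues step will not fire when the scanner finds issues, because the `continue-on-error: true` added to the preceding step records that step's conclusion as success and `failure()` is evaluated against conclusions, not outcomes, so the report is never printed. Give the scanner step an `id: trivy` and gate the report step with `if: steps.trivy.outcome == 'failure'`, which sees the real exit status while the job still reaches the `cat` and `exit 1`. That also answers the `#TODO` comment kept above the step, which can then be removed. The enclosing job definition starts outside the hunk.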
From: Michael Habinsky Date: Wed, 27 Sep 2023 12:01:07 -0600 Subject: [PATCH 08/23] No need to download dependencies. --- .github/workflows/trivy.yaml | 4 ---- 1 file changed, 4 deletions(-) diff --git a/.github/workflows/trivy.yaml b/.github/workflows/trivy.yaml index a589b4056..606c656c6 100644 --- a/.github/workflows/trivy.yaml +++ b/.github/workflows/trivy.yaml @@ -32,10 +32,6 @@ jobs: - name: Checkout code uses: actions/checkout@v4 - - name: Download Cloudfuse dependencies - run: | - go get - - name: Run Trivy vulnerability scanner uses: aquasecurity/trivy-action@master with: From 4d5d1f3acbaae387420f567656194f42a7e03137 Mon Sep 17 00:00:00 2001 From: Michael Habinsky Date: Wed, 27 Sep 2023 14:03:55 -0600 Subject: [PATCH 09/23] Add fake vulnerability to test failure --- go.mod | 1 + 1 file changed, 1 insertion(+) diff --git a/go.mod b/go.mod index 3c424b95c..1671e391d 100755 --- a/go.mod +++ b/go.mod @@ -102,6 +102,7 @@ require ( github.com/yusufpapurcu/wmi v1.2.2 // indirect go.opencensus.io v0.24.0 // indirect golang.org/x/crypto v0.12.0 // indirect + github.com/miekg/dns v1.0.3 golang.org/x/net v0.14.0 // indirect golang.org/x/oauth2 v0.11.0 // indirect golang.org/x/sync v0.3.0 // indirect From 24d47744dbc8dc066a773f6fa5300620d83e2343 Mon Sep 17 00:00:00 2001 From: Michael Habinsky Date: Wed, 27 Sep 2023 14:05:05 -0600 Subject: [PATCH 10/23] Don't mask errors --- .github/workflows/trivy.yaml | 1 - 1 file changed, 1 deletion(-) diff --git a/.github/workflows/trivy.yaml b/.github/workflows/trivy.yaml index 606c656c6..895b4b1d8 100644 --- a/.github/workflows/trivy.yaml +++ b/.github/workflows/trivy.yaml @@ -42,7 +42,6 @@ jobs: output: 'trivy-results-binary.sarif' severity: 'CRITICAL,HIGH,MEDIUM' exit-code: '1' - continue-on-error: true #TODO: use exit-code, or similar above, but still print the report on failure (how?) - name: List Issues From f4d1921ccae91b43c99e6f74889832e0cf86b33f Mon Sep 17 00:00:00 2001 
From: Michael Habinsky Date: Wed, 27 Sep 2023 16:06:27 -0600 Subject: [PATCH 11/23] Verify folder --- .github/workflows/trivy.yaml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/.github/workflows/trivy.yaml b/.github/workflows/trivy.yaml index 895b4b1d8..8830f0289 100644 --- a/.github/workflows/trivy.yaml +++ b/.github/workflows/trivy.yaml @@ -31,6 +31,10 @@ jobs: steps: - name: Checkout code uses: actions/checkout@v4 + + - name: Check directory + run : | + ls -l - name: Run Trivy vulnerability scanner uses: aquasecurity/trivy-action@master From df0c8d93fb7e657cf8069fe510283e1169f3f5e9 Mon Sep 17 00:00:00 2001 From: Michael Habinsky Date: Wed, 27 Sep 2023 16:12:18 -0600 Subject: [PATCH 12/23] Try to get more ouput from Trivy --- .github/workflows/trivy.yaml | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/.github/workflows/trivy.yaml b/.github/workflows/trivy.yaml index 8830f0289..69b9189d0 100644 --- a/.github/workflows/trivy.yaml +++ b/.github/workflows/trivy.yaml @@ -41,11 +41,13 @@ jobs: with: scan-type: fs scan-ref: '.' - ignore-unfixed: true + # ignore-unfixed: true format: 'sarif' output: 'trivy-results-binary.sarif' - severity: 'CRITICAL,HIGH,MEDIUM' + # severity: 'CRITICAL,HIGH,MEDIUM' exit-code: '1' + list-all-pkgs: true + scanners: 'vuln,secret,config' #TODO: use exit-code, or similar above, but still print the report on failure (how?) - name: List Issues From f74e7cf2c98a9079d937aca8cdb6fb2bb0873e28 Mon Sep 17 00:00:00 2001 From: Michael Habinsky Date: Wed, 27 Sep 2023 16:13:35 -0600 Subject: [PATCH 13/23] Print report and force failure --- .github/workflows/trivy.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/trivy.yaml b/.github/workflows/trivy.yaml index 69b9189d0..9414fccf5 100644 --- a/.github/workflows/trivy.yaml +++ b/.github/workflows/trivy.yaml 
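Review bot: The new `run : |` line in the Check directory step has a space before the colon; YAML still resolves the key as `run`, but yamllint's `colons` rule flags it and it differs from every other `run: |` in this file, so write `run: |`. Since the step only runs `ls -l`, a short comment such as `# temporary: confirm checkout contents while debugging the scan path` would tell the next reader it is scaffolding rather than part of the scan.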
@@ -51,7 +51,7 @@ jobs: #TODO: use exit-code, or similar above, but still print the report on failure (how?) - name: List Issues - if: ${{ failure() }} + # if: ${{ failure() }} run: | cat trivy-results-binary.sarif exit 1 From bde2de6496525cec14dda21d71e0200dc83bc08c Mon Sep 17 00:00:00 2001 From: Michael Habinsky Date: Wed, 27 Sep 2023 16:15:43 -0600 Subject: [PATCH 14/23] remove extra options --- .github/workflows/trivy.yaml | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/.github/workflows/trivy.yaml b/.github/workflows/trivy.yaml index 9414fccf5..52c6698a9 100644 --- a/.github/workflows/trivy.yaml +++ b/.github/workflows/trivy.yaml @@ -41,13 +41,11 @@ jobs: with: scan-type: fs scan-ref: '.' - # ignore-unfixed: true + ignore-unfixed: true format: 'sarif' output: 'trivy-results-binary.sarif' - # severity: 'CRITICAL,HIGH,MEDIUM' + severity: 'CRITICAL,HIGH,MEDIUM' exit-code: '1' - list-all-pkgs: true - scanners: 'vuln,secret,config' #TODO: use exit-code, or similar above, but still print the report on failure (how?) - name: List Issues From 83833c6c9201fda738c89592641bc29cd49cd0c4 Mon Sep 17 00:00:00 2001 From: Michael Habinsky Date: Wed, 27 Sep 2023 16:18:21 -0600 Subject: [PATCH 15/23] Use table output --- .github/workflows/trivy.yaml | 10 +--------- 1 file changed, 1 insertion(+), 9 deletions(-) diff --git a/.github/workflows/trivy.yaml b/.github/workflows/trivy.yaml index 52c6698a9..b632305d6 100644 --- a/.github/workflows/trivy.yaml +++ b/.github/workflows/trivy.yaml 
@@ -42,18 +42,10 @@ jobs: scan-type: fs scan-ref: '.' ignore-unfixed: true - format: 'sarif' - output: 'trivy-results-binary.sarif' + format: 'table' severity: 'CRITICAL,HIGH,MEDIUM' exit-code: '1' - #TODO: use exit-code, or similar above, but still print the report on failure (how?) - - name: List Issues - # if: ${{ failure() }} - run: | - cat trivy-results-binary.sarif - exit 1 - #TODO: uncomment when codeql is available # - name: Upload Trivy scan results to GitHub Security tab # uses: github/codeql-action/upload-sarif@v2 From 3eb3b3954961b2b20188f65053ce4cf7057e13ef Mon Sep 17 00:00:00 2001 From: Michael Habinsky Date: Wed, 27 Sep 2023 16:22:36 -0600 Subject: [PATCH 16/23] Remove fake vulnerability. --- go.mod | 1 - 1 file changed, 1 deletion(-) diff --git a/go.mod b/go.mod index 1671e391d..3c424b95c 100755 --- a/go.mod +++ b/go.mod @@ -102,7 +102,6 @@ require ( github.com/yusufpapurcu/wmi v1.2.2 // indirect go.opencensus.io v0.24.0 // indirect golang.org/x/crypto v0.12.0 // indirect - github.com/miekg/dns v1.0.3 golang.org/x/net v0.14.0 // indirect golang.org/x/oauth2 v0.11.0 // indirect golang.org/x/sync v0.3.0 // indirect From 6a87c22371658cffa6601bb4edfeafd30e3e88b4 Mon Sep 17 00:00:00 2001 From: Michael Habinsky Date: Wed, 27 Sep 2023 16:25:47 -0600 Subject: [PATCH 17/23] Remove extra step --- .github/workflows/trivy.yaml | 6 +----- 1 file changed, 1 insertion(+), 5 deletions(-) diff --git a/.github/workflows/trivy.yaml b/.github/workflows/trivy.yaml index b632305d6..3092bccc7 100644 --- a/.github/workflows/trivy.yaml +++ b/.github/workflows/trivy.yaml @@ -31,10 +31,6 @@ jobs: steps: - name: Checkout code uses: actions/checkout@v4 - - - name: Check directory - run : | - ls -l - name: Run Trivy vulnerability scanner uses: aquasecurity/trivy-action@master 
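Review bot: With `format: 'table'` replacing the `output: 'trivy-results-binary.sarif'` line, nothing writes the SARIF file any more, yet the commented-out upload block kept below still reads `sarif_file: 'trivy-results-binary.sarif'`. The `#TODO: uncomment when codeql is available` note should state that re-enabling the upload also requires switching the scanner back to `format: 'sarif'` with an `output:` path, otherwise the uncommented step fails on a missing file. The enclosing steps list starts outside the hunk.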
@@ -46,7 +42,7 @@ jobs: severity: 'CRITICAL,HIGH,MEDIUM' exit-code: '1' - #TODO: uncomment when codeql is available + #TODO: maybe use this when codeql is available (after publishing) # - name: Upload Trivy scan results to GitHub Security tab # uses: github/codeql-action/upload-sarif@v2 # with: From cb406727a259bc6c506cdab9e5a4a662d1df4a4f Mon Sep 17 00:00:00 2001 From: Michael Habinsky Date: Wed, 27 Sep 2023 16:29:22 -0600 Subject: [PATCH 18/23] Remove branch debug scanning. --- .github/workflows/trivy.yaml | 1 - 1 file changed, 1 deletion(-) diff --git a/.github/workflows/trivy.yaml b/.github/workflows/trivy.yaml index 3092bccc7..35bdc07d8 100644 --- a/.github/workflows/trivy.yaml +++ b/.github/workflows/trivy.yaml @@ -9,7 +9,6 @@ on: push: branches: - main - - trivy-github-action pull_request: schedule: # every Monday at 7:31pm From 72702e783477892841f9a84dbf019cd9deec7d9d Mon Sep 17 00:00:00 2001 From: Michael Habinsky Date: Thu, 28 Sep 2023 10:24:44 -0600 Subject: [PATCH 19/23] Run Trivy manually (without trivy-action). --- .github/workflows/trivy.yaml | 21 ++++++++++++--------- 1 file changed, 12 insertions(+), 9 deletions(-) diff --git a/.github/workflows/trivy.yaml b/.github/workflows/trivy.yaml index 35bdc07d8..88709bc61 100644 --- a/.github/workflows/trivy.yaml +++ b/.github/workflows/trivy.yaml 
@@ -31,15 +31,18 @@ jobs: - name: Checkout code uses: actions/checkout@v4 - - name: Run Trivy vulnerability scanner - uses: aquasecurity/trivy-action@master - with: - scan-type: fs - scan-ref: '.' - ignore-unfixed: true - format: 'table' - severity: 'CRITICAL,HIGH,MEDIUM' - exit-code: '1' + - name: Install Trivy + run: | + sudo apt-get install wget apt-transport-https gnupg lsb-release -y + wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key | sudo apt-key add - + echo deb https://aquasecurity.github.io/trivy-repo/deb $(lsb_release -sc) main | sudo tee -a /etc/apt/sources.list.d/trivy.list + sudo apt-get update + sudo apt-get install trivy -y + + - name: Run vulnerability scanner + run: | + trivy fs ./ --scanners license --exit-code 1 --severity HIGH,CRITICAL + trivy fs ./ --exit-code 1 --severity MEDIUM,HIGH,CRITICAL --dependency-tree #TODO: maybe use this when codeql is available (after publishing) # - name: Upload Trivy scan results to GitHub Security tab From 2ab70724f2dd32404eb43b4ee9100d750d338e04 Mon Sep 17 00:00:00 2001 From: Michael Habinsky Date: Thu, 28 Sep 2023 10:25:52 -0600 Subject: [PATCH 20/23] Re-enable run on dev branch. --- .github/workflows/trivy.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/trivy.yaml b/.github/workflows/trivy.yaml index 88709bc61..552ec94b4 100644 --- a/.github/workflows/trivy.yaml +++ b/.github/workflows/trivy.yaml @@ -9,6 +9,7 @@ on: push: branches: - main + - trivy-github-action pull_request: schedule: # every Monday at 7:31pm From f6aae641684cf0102a629515df495ca3c8c846de Mon Sep 17 00:00:00 2001 From: Michael Habinsky Date: Thu, 28 Sep 2023 10:33:58 -0600 Subject: [PATCH 21/23] Add fake vulnerability for testing. --- .github/workflows/trivy.yaml | 1 - go.mod | 1 + 2 files changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/trivy.yaml b/.github/workflows/trivy.yaml index 552ec94b4..88709bc61 100644 --- a/.github/workflows/trivy.yaml 
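Review bot: The repository key fetched on the new `wget -qO - … | sudo apt-key add -` line goes into apt's global trust store, where it can sign any configured repository, and `apt-key` is deprecated on current Ubuntu runners; write it to a keyring file and bind it to the trivy source with `signed-by=` instead. The final `sudo apt-get install trivy -y` takes whatever release the repository serves at run time, so results are not reproducible between runs — pin the package version (placeholder below) and bump it deliberately, rather than carrying over the same unpinned behaviour the removed `aquasecurity/trivy-action@master` had. The removed action inputs also included `ignore-unfixed: true`, but neither new `trivy fs` command passes `--ignore-unfixed`, so findings without an available fix now fail the job; if that is unintended, add the flag to the second command. The rewritten install lines follow.
```yaml
      - name: Install Trivy
        run: |
          # … unchanged: apt-get install of wget/gnupg/lsb-release …
          sudo install -m 0755 -d /etc/apt/keyrings
          wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key | sudo gpg --dearmor -o /etc/apt/keyrings/trivy.gpg
          echo "deb [signed-by=/etc/apt/keyrings/trivy.gpg] https://aquasecurity.github.io/trivy-repo/deb $(lsb_release -sc) main" | sudo tee /etc/apt/sources.list.d/trivy.list
          # … unchanged: apt-get update …
          sudo apt-get install trivy=<PINNED_TRIVY_VERSION> -y  # placeholder: pin to the release the scan was validated against
```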
+++ b/.github/workflows/trivy.yaml @@ -9,7 +9,6 @@ on: push: branches: - main - - trivy-github-action pull_request: schedule: # every Monday at 7:31pm diff --git a/go.mod b/go.mod index 3c424b95c..76fc5a7e8 100755 --- a/go.mod +++ b/go.mod @@ -100,6 +100,7 @@ require ( github.com/wastore/keychain v0.0.0-20180920053336-f2c902a3d807 // indirect github.com/wastore/keyctl v0.3.1 // indirect github.com/yusufpapurcu/wmi v1.2.2 // indirect + github.com/miekg/dns v1.0.3 go.opencensus.io v0.24.0 // indirect golang.org/x/crypto v0.12.0 // indirect golang.org/x/net v0.14.0 // indirect From c205d1604b5592cbf2c27319be819e2295c4f9b4 Mon Sep 17 00:00:00 2001 From: Michael Habinsky Date: Thu, 28 Sep 2023 10:35:59 -0600 Subject: [PATCH 22/23] Remove fake vulnerability. --- go.mod | 1 - 1 file changed, 1 deletion(-) diff --git a/go.mod b/go.mod index 76fc5a7e8..3c424b95c 100755 --- a/go.mod +++ b/go.mod @@ -100,7 +100,6 @@ require ( github.com/wastore/keychain v0.0.0-20180920053336-f2c902a3d807 // indirect github.com/wastore/keyctl v0.3.1 // indirect github.com/yusufpapurcu/wmi v1.2.2 // indirect - github.com/miekg/dns v1.0.3 go.opencensus.io v0.24.0 // indirect golang.org/x/crypto v0.12.0 // indirect golang.org/x/net v0.14.0 // indirect From 4641007ba2228264f49366762e1083a2e799422d Mon Sep 17 00:00:00 2001 From: Michael Habinsky Date: Fri, 29 Sep 2023 16:00:42 -0600 Subject: [PATCH 23/23] Remove Azure Trivy scan pipeline --- RunTrivyScans.sh | 5 ----- TrivySetup.sh | 7 ------- cloudfuse-vunerability-scanning.yaml | 31 ---------------------------- 3 files changed, 43 deletions(-) delete mode 100755 RunTrivyScans.sh delete mode 100755 TrivySetup.sh delete mode 100644 cloudfuse-vunerability-scanning.yaml diff --git a/RunTrivyScans.sh b/RunTrivyScans.sh deleted file mode 100755 index b8c12e587..000000000 --- a/RunTrivyScans.sh +++ /dev/null 
@@ -1,5 +0,0 @@ -#!/bin/bash - -trivy fs ./ --scanners license --exit-code 1 --severity HIGH,CRITICAL - -trivy fs ./ --exit-code 1 --severity MEDIUM,HIGH,CRITICAL --dependency-tree \ No newline at end of file diff --git a/TrivySetup.sh b/TrivySetup.sh deleted file mode 100755 index 79d715826..000000000 --- a/TrivySetup.sh +++ /dev/null @@ -1,7 +0,0 @@ -#!/bin/bash - -sudo apt-get install wget apt-transport-https gnupg lsb-release -y -wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key | sudo apt-key add - -echo deb https://aquasecurity.github.io/trivy-repo/deb $(lsb_release -sc) main | sudo tee -a /etc/apt/sources.list.d/trivy.list -sudo apt-get update -sudo apt-get install trivy -y \ No newline at end of file diff --git a/cloudfuse-vunerability-scanning.yaml b/cloudfuse-vunerability-scanning.yaml deleted file mode 100644 index 3b4f6fa3d..000000000 --- a/cloudfuse-vunerability-scanning.yaml +++ /dev/null @@ -1,31 +0,0 @@ -pr: -- main - -pool: - vmImage: ubuntu-20.04 - - -steps: - - - checkout: self - - - task: GoTool@0 - inputs: - version: '1.19.9' - displayName: "Select Go Version" - - - task: Go@0 - inputs: - command: 'get' - arguments: '-d ./...' - workingDirectory: './' - displayName: "Get Dependencies" - - - script: | - ./TrivySetup.sh - displayName: 'Install Trivy' - - - script: | - ./RunTrivyScans.sh - displayName: 'Run Trivy scans' -