From 360edaec4f1c516edffa39cda35e8d586388d658 Mon Sep 17 00:00:00 2001
From: Guy Owen
Date: Tue, 10 Sep 2024 13:08:03 +1000
Subject: [PATCH 1/4] [291] Added scheduled scans for fixed tags.

---
 .../vulnerability-scan-schedule-5x.yml | 18 ++++++++++++++++++
 .../vulnerability-scan-schedule-6x.yml | 18 ++++++++++++++++++
 .github/workflows/vulnerability-scan.yml | 18 ++++++++++--------
 3 files changed, 46 insertions(+), 8 deletions(-)
 create mode 100644 .github/workflows/vulnerability-scan-schedule-5x.yml
 create mode 100644 .github/workflows/vulnerability-scan-schedule-6x.yml

diff --git a/.github/workflows/vulnerability-scan-schedule-5x.yml b/.github/workflows/vulnerability-scan-schedule-5x.yml
new file mode 100644
index 00000000..43d21edd
--- /dev/null
+++ b/.github/workflows/vulnerability-scan-schedule-5x.yml
@@ -0,0 +1,18 @@
+name: vulnerability-scan-schedule-5.x
+run-name: Scheduled CVE vulnerability scan of 5.x published images.
+env:
+ REGISTRY: ghcr.io
+on:
+ schedule:
+ - cron: '0 22 * * 3'
+ workflow_dispatch:
+jobs:
+ vulnerability-scan-schedule:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Scan for vulnerabilities on 5.x images
+ id: scan
+ uses: dpc-sdp/bay/.github/workflows/vulnerability-scan.yml
+ with:
+ tag: 5.x
+ summary: "Trivy CVE scan of 5.x published images."
\ No newline at end of file
diff --git a/.github/workflows/vulnerability-scan-schedule-6x.yml b/.github/workflows/vulnerability-scan-schedule-6x.yml
new file mode 100644
index 00000000..365b858c
--- /dev/null
+++ b/.github/workflows/vulnerability-scan-schedule-6x.yml
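Review bot: The schedule job references the reusable workflow as a step (`uses: dpc-sdp/bay/.github/workflows/vulnerability-scan.yml` under `steps:`), which GitHub Actions does not accept: a workflow file can only be called at job level, and the cross-repository form must carry a ref, so the job should read `vulnerability-scan-schedule:` / `uses: dpc-sdp/bay/.github/workflows/vulnerability-scan.yml@<pinned-commit-sha-or-tag>` / `with:` holding `tag` and `summary`, with no `runs-on` or `steps`. The 6.x file in the next hunk has the same shape and needs the same change. The callee must also declare a `workflow_call` trigger with matching inputs, which the visible hunks of vulnerability-scan.yml do not show; confirm that before relying on the schedule. Neither caller declares `permissions:`, so both run with the repository's default token scope; a top-level `permissions:` limited to `contents: read` and `security-events: write` (the latter is what the callee's SARIF upload needs) keeps the scheduled run least-privilege.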
@@ -0,0 +1,18 @@
+name: vulnerability-scan-schedule-6.x
+run-name: Scheduled CVE vulnerability scan of 6.x published images.
+env:
+ REGISTRY: ghcr.io
+on:
+ schedule:
+ - cron: '2 22 * * 3'
+ workflow_dispatch:
+jobs:
+ vulnerability-scan-schedule:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Scan for vulnerabilities on 6.x images
+ id: scan
+ uses: dpc-sdp/bay/.github/workflows/vulnerability-scan.yml
+ with:
+ tag: 6.x
+ summary: "Trivy CVE scan of 6.x published images."
\ No newline at end of file
diff --git a/.github/workflows/vulnerability-scan.yml b/.github/workflows/vulnerability-scan.yml
index 84209f79..362465be 100644
--- a/.github/workflows/vulnerability-scan.yml
+++ b/.github/workflows/vulnerability-scan.yml
@@ -9,20 +9,24 @@ on:
 description: 'Summary of the scheduled scan.'
 required: false
 default: 'Trivy CVE scan of published images.'
+ tag:
+ description: 'Tag to scan.'
+ required: false
+ default: '6.x'
 jobs:
 setup-matrix:
 runs-on: ubuntu-latest
 steps:
 - name: Set summary
 run: echo "${{ github.event.inputs.summary }}" >> $GITHUB_STEP_SUMMARY
- - if: github.ref_name == '5.x'
+ - if: github.event.inputs.tag == '5.x'
 uses: druzsan/setup-matrix@v2
 with:
 matrix: |
 images: ${{ vars.IMAGES }}
 exclude:
 - images: mailpit
- - if: github.ref_name != '5.x'
+ - if: github.event.inputs.tag != '5.x'
 uses: druzsan/setup-matrix@v2
 with:
 matrix: |
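Review bot: `github.event.inputs.tag` is only populated for a `workflow_dispatch` event; when this workflow is invoked from the new schedule files through `workflow_call`, `github.event` is the caller's `schedule` payload, `tag` evaluates to the empty string, the `!= '5.x'` matrix branch always runs, and the image reference built in the scan job ends in a bare `:`. The `inputs` context is filled for both trigger types, so `if: inputs.tag == '5.x'`, `if: inputs.tag != '5.x'` and `${{ inputs.tag }}` elsewhere are the portable form. Because `tag` selects which published image is scanned and, later in this series, which ref is checked out, constraining the dispatch input to the two fixed tags with `type: choice` and `options: ['5.x', '6.x']` keeps free text out of those positions. The `on:` block declaring these inputs starts above the hunk, and the `summary` echo on the context line interpolates another free-text input straight into a shell command; passing it through an `env:` variable instead is the usual hardening.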
@@ -31,23 +35,21 @@ jobs:
 run: echo "matrix=$MATRIX" >> $GITHUB_OUTPUT
 outputs:
 matrix: ${{ steps.setup-matrix.outputs.matrix }}
- vulnerability-scan-schedule:
+ vulnerability-scan:
 runs-on: ubuntu-latest
 needs: setup-matrix
 strategy:
 matrix: ${{ fromJson(needs.setup-matrix.outputs.matrix) }}
 steps:
- - uses: actions/checkout@v4
- with:
- ref: ${{ github.event.inputs.ref }}
 - name: Scan for vulnerabilities
 id: scan
 uses: crazy-max/ghaction-container-scan@v3
 with:
- image: ${{ env.REGISTRY }}/${{ github.repository }}/${{ matrix.images }}:${{ github.ref_name }}
+ image: ${{ env.REGISTRY }}/${{ github.repository }}/${{ matrix.images }}:${{ github.event.inputs.tag }}
 dockerfile: ./images/${{ matrix.images }}
 - name: Upload SARIF file
 if: ${{ steps.scan.outputs.sarif != '' }}
- uses: github/codeql-action/upload-sarif@v2
+ uses: github/codeql-action/upload-sarif@v3
 with:
 sarif_file: ${{ steps.scan.outputs.sarif }}
+ ref: ${{ github.event.inputs.tag }}

From 4233f7ff8e894f381ceb3d60496b9806535ca07c Mon Sep 17 00:00:00 2001
From: Guy Owen
Date: Tue, 10 Sep 2024 14:33:03 +1000
Subject: [PATCH 2/4] [291] Added checkout to reference sha and commit.

---
 .github/workflows/vulnerability-scan.yml | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/vulnerability-scan.yml b/.github/workflows/vulnerability-scan.yml
index 362465be..54f440f1 100644
--- a/.github/workflows/vulnerability-scan.yml
+++ b/.github/workflows/vulnerability-scan.yml
@@ -41,6 +41,11 @@ jobs:
 strategy:
 matrix: ${{ fromJson(needs.setup-matrix.outputs.matrix) }}
 steps:
+ - name: checkout
+ id: checkout
+ uses: actions/checkout@main
+ with:
+ ref: ${{ github.event.inputs.tag }}
 - name: Scan for vulnerabilities
 id: scan
 uses: crazy-max/ghaction-container-scan@v3
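Review bot: Nothing visible in this file grants the job token `security-events: write`, which `github/codeql-action/upload-sarif@v3` requires to publish results, so the bumped upload step fails unless a `permissions:` block exists in the part of the file above the hunks. Declare it at the job, `permissions:` / `contents: read` / `security-events: write`, so the scan job carries exactly the scopes it uses. The third-party actions in this job and the previous one, `crazy-max/ghaction-container-scan@v3` and `druzsan/setup-matrix@v2`, float on mutable major tags while producing data that is uploaded with that write scope; pinning each to a full commit SHA with the version in a trailing comment, `uses: crazy-max/ghaction-container-scan@<full-commit-sha> # v3`, fixes what actually runs. The `jobs:` map this hunk edits continues outside it.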
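Review bot: `uses: actions/checkout@main` pins the new checkout step to a moving branch, so the code that runs in this job changes whenever upstream pushes, and the `ref`/`commit` outputs the following commits read from it are only guaranteed by a release that ships them. Pin to the full commit SHA of such a release and record the version beside it, `uses: actions/checkout@<full-commit-sha> # vX.Y.Z`. When `github.event.inputs.tag` is empty (any run that is not a manual dispatch), checkout silently falls back to the default branch and the ref and SHA reported to code scanning will not match the image that was scanned; reading `inputs.tag` or guarding on an empty value avoids that mismatch. The `vulnerability-scan` job this step is added to starts above the hunk.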
@@ -52,4 +57,5 @@ jobs:
 uses: github/codeql-action/upload-sarif@v3
 with:
 sarif_file: ${{ steps.scan.outputs.sarif }}
- ref: ${{ github.event.inputs.tag }}
+ ref: ${{ steps.checkout.outputs.ref }}
+ sha: ${{ steps.checkout.outputs.commit }}

From 9c8e636ac7ba78e9a01b1c0cf70c41ba6825e001 Mon Sep 17 00:00:00 2001
From: Guy Owen
Date: Tue, 10 Sep 2024 14:46:20 +1000
Subject: [PATCH 3/4] [291] Fixed variable assignment.

---
 .github/workflows/vulnerability-scan.yml | 18 ++++++++++++------
 1 file changed, 12 insertions(+), 6 deletions(-)

diff --git a/.github/workflows/vulnerability-scan.yml b/.github/workflows/vulnerability-scan.yml
index 54f440f1..01686e81 100644
--- a/.github/workflows/vulnerability-scan.yml
+++ b/.github/workflows/vulnerability-scan.yml
@@ -35,17 +35,23 @@ jobs:
 run: echo "matrix=$MATRIX" >> $GITHUB_OUTPUT
 outputs:
 matrix: ${{ steps.setup-matrix.outputs.matrix }}
- vulnerability-scan:
+ set-sha-ref:
 runs-on: ubuntu-latest
- needs: setup-matrix
- strategy:
- matrix: ${{ fromJson(needs.setup-matrix.outputs.matrix) }}
 steps:
 - name: checkout
 id: checkout
 uses: actions/checkout@main
 with:
 ref: ${{ github.event.inputs.tag }}
+ outputs:
+ ref: ${{ steps.checkout.outputs.ref }}
+ commit: ${{ steps.checkout.outputs.commit }}
+ vulnerability-scan:
+ runs-on: ubuntu-latest
+ needs: [setup-matrix, set-sha-ref]
+ strategy:
+ matrix: ${{ fromJson(needs.setup-matrix.outputs.matrix) }}
+ steps:
 - name: Scan for vulnerabilities
 id: scan
 uses: crazy-max/ghaction-container-scan@v3
@@ -57,5 +63,5 @@ jobs:
 uses: github/codeql-action/upload-sarif@v3
 with:
 sarif_file: ${{ steps.scan.outputs.sarif }}
- ref: ${{ steps.checkout.outputs.ref }}
- sha: ${{ steps.checkout.outputs.commit }}
+ ref: ${{ needs.set-sha-ref.outputs.ref }}
+ sha: ${{ needs.set-sha-ref.outputs.commit }}

From 342e93b7270538812ebac42c407215f8e8802614 Mon Sep 17 00:00:00 2001
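Review bot: Moving the checkout into the new `set-sha-ref` job leaves `vulnerability-scan` with no checkout at all, yet its scan step still passes `dockerfile: ./images/${{ matrix.images }}` (a context line below this hunk), a path that now does not exist in that job's runner workspace; if the scan action reads the Dockerfile to annotate findings, that input will fail or be silently ignored. Either add a checkout step to `vulnerability-scan` at `ref: ${{ needs.set-sha-ref.outputs.commit }}`, so the annotated source is the same commit that is reported to code scanning, or drop the `dockerfile:` input. `set-sha-ref` only resolves a ref, so it can declare `permissions:` / `contents: read` and nothing more. The `jobs:` map and the scan step continue outside the hunk.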
From: Guy Owen
Date: Tue, 10 Sep 2024 15:07:15 +1000
Subject: [PATCH 4/4] [291] Fixed ref assignment.

---
 .github/workflows/vulnerability-scan.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/vulnerability-scan.yml b/.github/workflows/vulnerability-scan.yml
index 01686e81..22af5b54 100644
--- a/.github/workflows/vulnerability-scan.yml
+++ b/.github/workflows/vulnerability-scan.yml
@@ -63,5 +63,5 @@ jobs:
 uses: github/codeql-action/upload-sarif@v3
 with:
 sarif_file: ${{ steps.scan.outputs.sarif }}
- ref: ${{ needs.set-sha-ref.outputs.ref }}
+ ref: refs/heads/${{ needs.set-sha-ref.outputs.ref }}
 sha: ${{ needs.set-sha-ref.outputs.commit }}
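Review bot: Prefixing `refs/heads/` hardcodes the assumption that every value of the `tag` input names a branch; the input is called `tag`, a Git tag would need `refs/tags/`, and if the `ref` output of `set-sha-ref` ever already carries a `refs/` prefix the result is doubled and the upload is rejected. Record the assumption beside the line, `# tag input is a branch name (5.x / 6.x); upload-sarif needs a fully qualified ref`, or derive the prefix from the resolved ref in `set-sha-ref` before it is consumed here. The `with:` block belongs to the Upload SARIF step, whose start is outside the hunk.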