diff --git a/.github/workflows/component-scan.yml b/.github/workflows/component-scan.yml index 6f317e72..b3793dd1 100644 --- a/.github/workflows/component-scan.yml +++ b/.github/workflows/component-scan.yml @@ -27,40 +27,44 @@ jobs: uses: aquasecurity/trivy-action@0.28.0 with: image-ref: image:latest - format: 'json' vuln-type: 'os,library' - output: 'trivy-results.json' env: TRIVY_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-db:2 TRIVY_JAVA_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-java-db:1 + TRIVY_FORMAT: json + TRIVY_OUTPUT: 'trivy-results.json' - name: Save vulnerabilities report in tabular format if: always() uses: aquasecurity/trivy-action@0.28.0 with: - image-ref: trivy-results.json + scan-ref: trivy-results.json scan-type: convert - vuln-type: '' - format: 'table' - output: 'trivy-results.txt' + env: + TRIVY_FORMAT: table + TRIVY_OUTPUT: 'trivy-results.txt' - name: Display vulnerabilities report if: always() uses: aquasecurity/trivy-action@0.28.0 with: - image-ref: trivy-results.json + scan-ref: trivy-results.json scan-type: convert - vuln-type: '' + env: + TRIVY_FORMAT: table + TRIVY_OUTPUT: '' - name: Fail on high and critical vulnerabilities if: always() uses: aquasecurity/trivy-action@0.28.0 with: - image-ref: trivy-results.json + scan-ref: trivy-results.json scan-type: convert exit-code: '1' - vuln-type: '' severity: 'HIGH,CRITICAL' + env: + TRIVY_FORMAT: table + TRIVY_OUTPUT: '' - name: Publish scan report if: always() 
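Review bot: `TRIVY_OUTPUT: ''` in the Display and Fail steps leaves the intended behaviour implicit — it only does the right thing if Trivy treats an empty output path as "write to stdout", and nothing in the hunk says so. If that is the intent, a comment on both lines, `TRIVY_OUTPUT: ''  # empty = print the table to the step log`, makes it explicit; if the key is only there for symmetry with the Save step, omitting it is presumably equivalent, though I cannot confirm the action's default from this hunk. The new env values are also quoted inconsistently: `TRIVY_FORMAT: json` is plain while `TRIVY_OUTPUT: 'trivy-results.json'` is quoted; either style works, but the four new `TRIVY_*` entries should use one. The first step in this hunk (the JSON scan) begins before the hunk, so its `name` and `if` lines are not visible here.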
@@ -212,35 +216,23 @@ jobs: - name: Send Notification to Slack if: ${{ startsWith(github.ref, 'refs/heads/main') || startsWith(github.ref, 'refs/heads/release/') }} - uses: slackapi/slack-github-action@v1.27.0 + uses: slackapi/slack-github-action@v2.0.0 with: - channel-id: ${{ secrets.SLACK_CHANNEL_ID }} + method: chat.postMessage + token: ${{ secrets.H2O_OPS_SLACK_BOT_TOKEN }} payload: | - { - "text": "Trivy Vulnerability Report", - "blocks": [ - { - "type": "section", - "text": { - "type": "mrkdwn", - "text": "*Java MOJO Runtime* \n_Vulnerabilities have been detected on the `${{ github.ref_name }}` branch_" - } - }, - { - "type": "section", - "text": { - "type": "mrkdwn", - "text": "> *Trivy :: `${{ env.TRIVY_SUMMARY }}`*\n> *Prisma :: `${{ env.PRISMA_SUMMARY }}`*" - } - }, - { - "type": "section", - "text": { - "type": "mrkdwn", - "text": "${{ env.CODE_OWNERS }}, please review the following reports: , " - } - } - ] - } - env: - SLACK_BOT_TOKEN: ${{ secrets.H2O_OPS_SLACK_BOT_TOKEN }} + channel: ${{ secrets.SLACK_CHANNEL_ID }} + text: "Trivy Vulnerability Report" + blocks: + - type: "section" + text: + type: "mrkdwn" + text: "*Java MOJO Runtime* \n_Vulnerabilities have been detected on the `${{ github.ref_name }}` branch_" + - type: "section" + text: + type: "mrkdwn" + text: "> *Trivy :: `${{ env.TRIVY_SUMMARY }}`*\n> *Prisma :: `${{ env.PRISMA_SUMMARY }}`*" + - type: "section" + text: + type: "mrkdwn" + text: "${{ env.CODE_OWNERS }}, please review the following reports: , " diff --git a/local-rest-scorer/Dockerfile b/local-rest-scorer/Dockerfile index 52e2db4e..5393a98a 100644 --- a/local-rest-scorer/Dockerfile +++ b/local-rest-scorer/Dockerfile 
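Review bot: The updated `uses: slackapi/slack-github-action@v2.0.0` still pins a mutable tag, so the code that receives `secrets.H2O_OPS_SLACK_BOT_TOKEN` and `secrets.SLACK_CHANNEL_ID` can change under the same reference; `uses: slackapi/slack-github-action@<full-commit-sha>  # v2.0.0` pins the exact commit while keeping the version readable (the `aquasecurity/trivy-action@0.28.0` references in the earlier hunk have the same property). The payload now interpolates `${{ env.TRIVY_SUMMARY }}`, `${{ env.PRISMA_SUMMARY }}` and `${{ env.CODE_OWNERS }}` directly into a YAML block scalar; those values are produced by steps outside this hunk, and a value containing a double quote or a newline would break the rendered payload rather than be escaped, so it is worth confirming the producing steps guarantee single-line values without quotes. The last section text, `please review the following reports: , `, still carries two empty slots where report links were evidently meant to go and the rewrite preserves them; either fill them or drop the trailing `, `.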
@@ -1,4 +1,4 @@
-FROM cgr.dev/chainguard/wolfi-base:latest@sha256:3221f96f52fca0020fa6f404b0370d132403be6b3736d8dd92275ccd72129c1f AS builder
+FROM cgr.dev/chainguard/wolfi-base:latest@sha256:b3dd9cf08283b959c6a0a3c833e68b2882a50129930215060154b43ae6a3e81c AS builder
 RUN apk add openjdk-17 bash coreutils
 ENV JAVA_HOME=/usr/lib/jvm/java-17-openjdk
 ENV PATH="$JAVA_HOME/bin:$PATH"
@@ -6,7 +6,7 @@
 WORKDIR /app
 COPY build/libs/local-rest-scorer-boot.jar application.jar
 RUN java -Djarmode=layertools -jar application.jar extract
-FROM cgr.dev/chainguard/wolfi-base:latest@sha256:3221f96f52fca0020fa6f404b0370d132403be6b3736d8dd92275ccd72129c1f
+FROM cgr.dev/chainguard/wolfi-base:latest@sha256:b3dd9cf08283b959c6a0a3c833e68b2882a50129930215060154b43ae6a3e81c
 RUN apk add openjdk-17-jre bash coreutils
 ENV JAVA_HOME=/usr/lib/jvm/java-17-openjdk
 ENV PATH="$JAVA_HOME/bin:$PATH"