From f8ede249d65ff1a195b0de2a1be8b336a5c09c65 Mon Sep 17 00:00:00 2001
From: shahar-h
Date: Sat, 27 Apr 2024 14:11:47 +0300
Subject: [PATCH 1/2] ci: add trivy image vulnerabilities scan workflow (#3287)

* ci: add trivy image scan workflow

Signed-off-by: Shahar Harari

* fix lint errors

Signed-off-by: Shahar Harari

---------

Signed-off-by: Shahar Harari
---
 .github/workflows/trivy.yml | 31 +++++++++++++++++++++++++++++++
 1 file changed, 31 insertions(+)
 create mode 100644 .github/workflows/trivy.yml

diff --git a/.github/workflows/trivy.yml b/.github/workflows/trivy.yml
new file mode 100644
index 00000000000..7e20d40b8dd
--- /dev/null
+++ b/.github/workflows/trivy.yml
@@ -0,0 +1,31 @@
+name: trivy
+
+on:
+  push:
+    branches:
+      - "main"
+  schedule:
+    - cron: '55 17 * * 5'
+
+permissions:
+  contents: read
+
+jobs:
+  image-scan:
+    permissions:
+      contents: read # for actions/checkout to fetch code
+    name: Image Scan
+    runs-on: ubuntu-22.04
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@1d96c772d19495a3b5c517cd2bc0cb401ea0529f # v4.1.3
+
+      - name: Build an image from Dockerfile
+        run: |
+          IMAGE=envoy-proxy/gateway-dev TAG=${{ github.sha }} make image
+
+      - name: Run Trivy vulnerability scanner
+        uses: aquasecurity/trivy-action@d710430a6722f083d3b36b8339ff66b32f22ee55 # v0.19.0
+        with:
+          image-ref: envoy-proxy/gateway-dev:${{ github.sha }}
+          exit-code: '1'

From 2322ef0a405f5aeb72ec9d5accb9a722d90775c3 Mon Sep 17 00:00:00 2001
From: shahar-h
Date: Sun, 28 Apr 2024 14:13:35 +0300
Subject: [PATCH 2/2] ci: add badges for security scans (#3288)

* ci: add badges for security scans

Signed-off-by: Shahar Harari

* change trivy workflow name to upper-case

Signed-off-by: Shahar Harari

* trivy -> Trivy

Signed-off-by: Shahar Harari

---------

Signed-off-by: Shahar Harari
---
 .github/workflows/trivy.yml | 2 +-
 README.md | 3 +++
 2 files changed, 4 insertions(+), 1 deletion(-)
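Review bot: `exit-code: '1'` on the trivy-action step at the end of the hunk fails the job on every reported vulnerability, and with no `severity` or `ignore-unfixed` input set, the weekly scheduled run will likely go red on low-severity or not-yet-fixable findings in the base image rather than on something a maintainer can act on. Narrowing the gate under `with:` to `severity: 'CRITICAL,HIGH'` and `ignore-unfixed: true` keeps the build-breaking behaviour for actionable findings while still reporting the rest in the log. The only record of a scan is the job log, since no `format`/`output` report is written or uploaded; if a SARIF upload is added later, note that the job will then need `security-events: write`, which the current `contents: read` block does not grant. A one-line comment above the `make image` step stating that the scan covers only the image built from the repository's Dockerfile at `github.sha`, not any published image, would make the workflow's scope explicit to readers of the badge.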
diff --git a/.github/workflows/trivy.yml b/.github/workflows/trivy.yml
index 7e20d40b8dd..d8e8c9eeebe 100644
--- a/.github/workflows/trivy.yml
+++ b/.github/workflows/trivy.yml
@@ -1,4 +1,4 @@
-name: trivy
+name: Trivy
 
 on:
   push:
diff --git a/README.md b/README.md
index 8529e20b15f..25fa9af8d94 100644
--- a/README.md
+++ b/README.md
@@ -3,6 +3,9 @@
 [![OpenSSF Scorecard](https://api.securityscorecards.dev/projects/github.com/envoyproxy/gateway/badge)](https://securityscorecards.dev/viewer/?uri=github.com/envoyproxy/gateway)
 [![Build and Test](https://github.com/envoyproxy/gateway/actions/workflows/build_and_test.yaml/badge.svg)](https://github.com/envoyproxy/gateway/actions/workflows/build_and_test.yaml)
 [![codecov](https://codecov.io/gh/envoyproxy/gateway/branch/main/graph/badge.svg)](https://codecov.io/gh/envoyproxy/gateway)
+[![CodeQL](https://github.com/envoyproxy/gateway/actions/workflows/codeql.yml/badge.svg)](https://github.com/envoyproxy/gateway/actions/workflows/codeql.yml)
+[![OSV-Scanner](https://github.com/envoyproxy/gateway/actions/workflows/osv-scanner.yml/badge.svg)](https://github.com/envoyproxy/gateway/actions/workflows/osv-scanner.yml)
+[![Trivy](https://github.com/envoyproxy/gateway/actions/workflows/trivy.yml/badge.svg)](https://github.com/envoyproxy/gateway/actions/workflows/trivy.yml)
 
 Envoy Gateway is an open source project for managing Envoy Proxy as a standalone or Kubernetes-based application gateway.