Skip to content

Commit

Permalink
Add research-vuln-scan workflow (#23)
Browse files Browse the repository at this point in the history 
* Add research-vuln-scan workflow

* Update research-vuln-scan.yml

* Update research-vuln-scan.yml

* Update research-vuln-scan.yml

* Update research-vuln-scan.yml

* Update research-vuln-scan.yml

* Update research-vuln-scan.yml

* Update research-vuln-scan.yml

* Update research-vuln-scan.yml

* Update research-vuln-scan.yml

* Update research-vuln-scan.yml

* Update research-vuln-scan.yml

* Update research-vuln-scan.yml

* Update research-vuln-scan.yml

* Update research-vuln-scan.yml

* Update research-vuln-scan.yml

* Update research-vuln-scan.yml

* Update research-vuln-scan.yml

* Run docker-scout only for testing

* Enable other jobs again and docker-scout ignores unspecified

* Remove low from docker-scout

* Set trivy and grype to medium too

* Update .github/workflows/research-vuln-scan.yml

Co-authored-by: Jaspar Stach <[email protected]>

* Update .github/workflows/research-vuln-scan.yml

Co-authored-by: Jaspar Stach <[email protected]>

* Update .github/workflows/research-vuln-scan.yml

Co-authored-by: Jaspar Stach <[email protected]>

* Apply suggestions from code review

Co-authored-by: Jaspar Stach <[email protected]>

* Change: Switch to harbor, use image built by push.yml and use self hosted runners

* Add: Slash to image

* Update research-vuln-scan.yml

* Add trivy env variables for private registry and remove recommendations and compare for docker scout

* Fix env indent

* Remove docker login for trivy

---------

Co-authored-by: Jaspar Stach <[email protected]>
  • Loading branch information
@robert-schardt @y0urself
robert-schardt and y0urself authored Dec 5, 2024
1 parent eb34049 commit caaee40
Showing 1 changed file with 114 additions and 0 deletions.
114 changes: 114 additions & 0 deletions .github/workflows/research-vuln-scan.yml
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,114 @@
name: trivy & grype & sarif & docker scout vulnerability scan

on:
push:
branches: [ "main" ]
pull_request:
# The branches below must be a subset of the branches above
branches: [ "main" ]

permissions:
contents: read

jobs:
trivy:
permissions:
contents: read # for actions/checkout to fetch code
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
name: Trivy
runs-on: self-hosted-generic
steps:
- name: Checkout code
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

- name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@7b7aa264d83dc58691451798b4d117d53d21edfe
with:
image-ref: '${{ vars.GREENBONE_REGISTRY }}/opensight/opensight-postgres:16'
format: 'template'
template: '@/contrib/sarif.tpl'
output: 'trivy-results.sarif'
severity: 'MEDIUM,HIGH,CRITICAL'
github-pat: ${{ secrets.GITHUB_TOKEN }} # or ${{ secrets.github_pat_name }} if you're using a PAT
env:
TRIVY_USERNAME: ${{ secrets.GREENBONE_REGISTRY_READ_USER }}
TRIVY_PASSWORD: ${{ secrets.GREENBONE_REGISTRY_READ_TOKEN }}

- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@ea9e4e37992a54ee68a9622e985e60c8e8f12d9f # v3.27.4
with:
sarif_file: 'trivy-results.sarif'
category: ${{ github.jobs[github.job].name }}

grype:
permissions:
contents: read # for actions/checkout to fetch code
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
name: Grype
runs-on: self-hosted-generic
steps:
- name: Checkout code
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

- name: Login to Greenbone Product container registry
uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 #v3.3.0
with:
registry: ${{ vars.GREENBONE_REGISTRY }}
username: ${{ secrets.GREENBONE_REGISTRY_READ_USER }}
password: ${{ secrets.GREENBONE_REGISTRY_READ_TOKEN }}

- name: Run the Anchore Grype scan action
uses: anchore/scan-action@d5aa5b6cb9414b0c7771438046ff5bcfa2854ed7
id: grype
with:
image: '${{ vars.GREENBONE_REGISTRY }}/opensight/opensight-postgres:16'
fail-build: false
severity-cutoff: medium

- name: Upload grype vulnerability report
uses: github/codeql-action/upload-sarif@ea9e4e37992a54ee68a9622e985e60c8e8f12d9f # v3.27.4
with:
sarif_file: ${{ steps.grype.outputs.sarif }}
category: ${{ github.jobs[github.job].name }}

docker-scout:
permissions:
contents: read # for actions/checkout to fetch code
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
pull-requests: write
name: "Docker Scout"
runs-on: self-hosted-generic
steps:
- name: Checkout code
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

- name: Login to Greenbone Product container registry
uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 #v3.3.0
with:
registry: ${{ vars.GREENBONE_REGISTRY }}
username: ${{ secrets.GREENBONE_REGISTRY_READ_USER }}
password: ${{ secrets.GREENBONE_REGISTRY_READ_TOKEN }}

- name: Analyze for critical and high CVEs
id: docker-scout-cves
if: ${{ github.event_name != 'pull_request_target' }}
uses: docker/scout-action@v1
with:
command: cves
image: '${{ vars.GREENBONE_REGISTRY }}/opensight/opensight-postgres:16'
sarif-file: sarif.output.json
summary: true
dockerhub-user: ${{ secrets.DOCKERHUB_USERNAME }}
dockerhub-password: ${{ secrets.DOCKERHUB_TOKEN }}
only-severities: critical, high, medium

- name: Upload docker scout SARIF result
id: upload-sarif
if: ${{ github.event_name != 'pull_request_target' }}
uses: github/codeql-action/upload-sarif@ea9e4e37992a54ee68a9622e985e60c8e8f12d9f # v3.27.4
with:
sarif_file: sarif.output.json
category: ${{ github.jobs[github.job].name }}

0 comments on commit caaee40

Please sign in to comment.