From caaee401a4f372ce5c05526f2a99826fbd4b3e8e Mon Sep 17 00:00:00 2001 From: robert-schardt Date: Thu, 5 Dec 2024 17:23:35 +0100 Subject: [PATCH] Add research-vuln-scan workflow (#23) * Add research-vuln-scan workflow * Update research-vuln-scan.yml * Update research-vuln-scan.yml * Update research-vuln-scan.yml * Update research-vuln-scan.yml * Update research-vuln-scan.yml * Update research-vuln-scan.yml * Update research-vuln-scan.yml * Update research-vuln-scan.yml * Update research-vuln-scan.yml * Update research-vuln-scan.yml * Update research-vuln-scan.yml * Update research-vuln-scan.yml * Update research-vuln-scan.yml * Update research-vuln-scan.yml * Update research-vuln-scan.yml * Update research-vuln-scan.yml * Update research-vuln-scan.yml * Run docker-scout only for testing * Enable other jobs again and docker-scout ignores unspecified * Remove low from docker-scout * Set trivy and grype to medium too * Update .github/workflows/research-vuln-scan.yml Co-authored-by: Jaspar Stach * Update .github/workflows/research-vuln-scan.yml Co-authored-by: Jaspar Stach * Update .github/workflows/research-vuln-scan.yml Co-authored-by: Jaspar Stach * Apply suggestions from code review Co-authored-by: Jaspar Stach * Change: Switch to harbor, use image built by push.yml and use self hosted runners * Add: Slash to image * Update research-vuln-scan.yml * Add trivy env variables for private registry and remove recommendations and compare for docker scout * Fix env indent * Remove docker login for trivy --------- Co-authored-by: Jaspar Stach --- .github/workflows/research-vuln-scan.yml | 114 +++++++++++++++++++++++ 1 file changed, 114 insertions(+) create mode 100644 .github/workflows/research-vuln-scan.yml diff --git a/.github/workflows/research-vuln-scan.yml b/.github/workflows/research-vuln-scan.yml new file mode 100644 index 0000000..3177d00 --- /dev/null +++ b/.github/workflows/research-vuln-scan.yml 
@@ -0,0 +1,114 @@
+name: trivy & grype & sarif & docker scout vulnerability scan
+
+on:
+  push:
+    branches: [ "main" ]
+  pull_request:
+    # The branches below must be a subset of the branches above
+    branches: [ "main" ]
+
+permissions:
+  contents: read
+
+jobs:
+  trivy:
+    permissions:
+      contents: read # for actions/checkout to fetch code
+      security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
+      actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
+    name: Trivy
+    runs-on: self-hosted-generic
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+
+      - name: Run Trivy vulnerability scanner
+        uses: aquasecurity/trivy-action@7b7aa264d83dc58691451798b4d117d53d21edfe
+        with:
+          image-ref: '${{ vars.GREENBONE_REGISTRY }}/opensight/opensight-postgres:16'
+          format: 'template'
+          template: '@/contrib/sarif.tpl'
+          output: 'trivy-results.sarif'
+          severity: 'MEDIUM,HIGH,CRITICAL'
+          github-pat: ${{ secrets.GITHUB_TOKEN }} # or ${{ secrets.github_pat_name }} if you're using a PAT
+        env:
+          TRIVY_USERNAME: ${{ secrets.GREENBONE_REGISTRY_READ_USER }}
+          TRIVY_PASSWORD: ${{ secrets.GREENBONE_REGISTRY_READ_TOKEN }}
+
+      - name: Upload Trivy scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@ea9e4e37992a54ee68a9622e985e60c8e8f12d9f # v3.27.4
+        with:
+          sarif_file: 'trivy-results.sarif'
+          category: ${{ github.jobs[github.job].name }}
+
+  grype:
+    permissions:
+      contents: read # for actions/checkout to fetch code
+      security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
+      actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
+    name: Grype
+    runs-on: self-hosted-generic
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+
+      - name: Login to Greenbone Product container registry
+        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 #v3.3.0
+        with:
+          registry: ${{ vars.GREENBONE_REGISTRY }}
+          username: ${{ secrets.GREENBONE_REGISTRY_READ_USER }}
+          password: ${{ secrets.GREENBONE_REGISTRY_READ_TOKEN }}
+
+      - name: Run the Anchore Grype scan action
+        uses: anchore/scan-action@d5aa5b6cb9414b0c7771438046ff5bcfa2854ed7
+        id: grype
+        with:
+          image: '${{ vars.GREENBONE_REGISTRY }}/opensight/opensight-postgres:16'
+          fail-build: false
+          severity-cutoff: medium
+
+      - name: Upload grype vulnerability report
+        uses: github/codeql-action/upload-sarif@ea9e4e37992a54ee68a9622e985e60c8e8f12d9f # v3.27.4
+        with:
+          sarif_file: ${{ steps.grype.outputs.sarif }}
+          category: ${{ github.jobs[github.job].name }}
+
+  docker-scout:
+    permissions:
+      contents: read # for actions/checkout to fetch code
+      security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
+      actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
+      pull-requests: write
+    name: "Docker Scout"
+    runs-on: self-hosted-generic
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+
+      - name: Login to Greenbone Product container registry
+        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 #v3.3.0
+        with:
+          registry: ${{ vars.GREENBONE_REGISTRY }}
+          username: ${{ secrets.GREENBONE_REGISTRY_READ_USER }}
+          password: ${{ secrets.GREENBONE_REGISTRY_READ_TOKEN }}
+
+      - name: Analyze for critical and high CVEs
+        id: docker-scout-cves
+        if: ${{ github.event_name != 'pull_request_target' }}
+        uses: docker/scout-action@v1
+        with:
+          command: cves
+          image: '${{ vars.GREENBONE_REGISTRY }}/opensight/opensight-postgres:16'
+          sarif-file: sarif.output.json
+          summary: true
+          dockerhub-user: ${{ secrets.DOCKERHUB_USERNAME }}
+          dockerhub-password: ${{ secrets.DOCKERHUB_TOKEN }}
+          only-severities: critical, high, medium
+
+      - name: Upload docker scout SARIF result
+        id: upload-sarif
+        if: ${{ github.event_name != 'pull_request_target' }}
+        uses: github/codeql-action/upload-sarif@ea9e4e37992a54ee68a9622e985e60c8e8f12d9f # v3.27.4
+        with:
+          sarif_file: sarif.output.json
+          category: ${{ github.jobs[github.job].name }}
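Review bot: `uses: docker/scout-action@v1` in the docker-scout job is the only action in this file referenced by a mutable tag; every other step is pinned to a full commit SHA, so a moved tag on that action would silently change code that is handed the registry and Docker Hub credentials. Pin it the same way, `uses: docker/scout-action@<commit-sha> # vX.Y.Z`, and add the `# vX.Y.Z` comment that the `aquasecurity/trivy-action` and `anchore/scan-action` pins currently lack so the pinned versions can be checked at a glance. The `if: ${{ github.event_name != 'pull_request_target' }}` guard on the two docker-scout steps is always true because the workflow only triggers on `push` and `pull_request`; either drop it or document why it is kept. None of the three scanners is configured to fail the run (`fail-build: false` on Grype, no exit-code setting on Trivy or Scout), so findings surface only in the Security tab — acceptable for a research scan if intended, but a one-line comment at the top of the file should say so. Since the jobs run on `self-hosted-generic`, it is also worth confirming that repository settings keep fork pull requests off those runners, as `pull_request` runs use the workflow file from the PR branch.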