feat: input to skip Trivy scan (#156)
* feat: skip trivy scan

* feat(SEC-1211): update semgrep version

* Add a new entry for the Semgrep action under the docker ecosystem

Specify the directory as /security-actions/semgrep to ensure that Dependabot monitors changes to the Semgrep Docker image

The commit-message section uses the prefix semgrep and includes the scope to make it clear in the PR message

Dependabot version updates do not support docker://, hence remove the use of this URI

Ref: https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#github-actions

* syntax fix

* syntax fix

* syntax fix

* syntax fix

* test

* test

* removed the semgrep package-ecosystem

---------

Co-authored-by: saisatishkarra <saisatish.karra@konghq.com>

* feat: update trivy image

* feat: update trivy image

* feat: update --compliance flag value

* feat: use image directly from dockerhub

* feat: use image directly from dockerhub

* skip cis db access and run in offline mode

---------

Co-authored-by: saisatishkarra <saisatish.karra@konghq.com>
pankajmouriyakong and saisatishkarra committed Sep 19, 2024
1 parent 6d6e601 commit ecbcd70
Showing 2 changed files with 17 additions and 7 deletions.
2 changes: 2 additions & 0 deletions .github/workflows/docker-image-scan.yml
@@ -63,6 +63,7 @@ jobs:
with:
asset_prefix: kong-gateway-dev-linux-amd64
image: ${{env.IMAGE}}@${{ steps.image_manifest_metadata.outputs.amd64_sha }}
skip_cis_scan: true

- name: Scan ARM64 Image digest
if: steps.image_manifest_metadata.outputs.manifest_list_exists == 'true' && steps.image_manifest_metadata.outputs.arm64_sha != ''
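Review bot: `skip_cis_scan: true` is hard-coded here, so the docker-cis compliance check is switched off unconditionally for the AMD64 image with nothing in the workflow saying why or when it should come back. Add a comment next to it giving the reason (the commit message cites CIS DB access and offline mode) or drive the value from a workflow-level `env` or input, so re-enabling the scan does not require editing this file.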
@@ -72,6 +73,7 @@ jobs:
asset_prefix: test.kong-gateway-dev-linux-arm64
image: ${{env.IMAGE}}@${{ steps.image_manifest_metadata.outputs.arm64_sha }}
upload-sbom-release-assets: true
skip_cis_scan: true

test-download-sbom:
if: ${{ github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository }}
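Review bot: the same hard-coded `skip_cis_scan: true` is repeated for the ARM64 image; with both scan jobs now skipping, set it once (a workflow-level `env` value referenced from both `with:` blocks) so the two cannot drift apart. While here, the context line `asset_prefix: test.kong-gateway-dev-linux-arm64` differs from the AMD64 prefix `kong-gateway-dev-linux-amd64` and looks like a leftover `test.` prefix, which matters because `upload-sbom-release-assets: true` publishes the SBOM under that name.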
22 changes: 15 additions & 7 deletions security-actions/scan-docker-image/action.yml
@@ -59,6 +59,14 @@ inputs:
options:
- 'true'
- 'false'
skip_cis_scan:
required: false
default: false
description: 'Toggle to skip Trivy scan'
type: choice
options:
- 'true'
- 'false'

outputs:
cis-json-report:
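Review bot: `default: false` is an unquoted YAML boolean while `options` and the gating expressions below use the strings `'true'`/`'false'`; quote it as `default: 'false'` for consistency (the `!= 'true'` comparison keeps the scan running for any other value, which is the safe direction). The description `'Toggle to skip Trivy scan'` is broader than what the input does, which is to skip only the docker-cis compliance steps; `'Skip the Trivy docker-cis compliance scan'` would say what is gated. Also, `type: choice` and `options` are `workflow_dispatch` input keys that a composite action's `inputs:` block ignores; the neighbouring input follows the same pattern, so this is pre-existing, but it gives a false impression that the value is validated.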
@@ -295,18 +303,18 @@ runs:
files: "${{ steps.meta.outputs.scan_image }}"

- name: Generate docker-cis JSON report
uses: docker://ghcr.io/aquasecurity/trivy:0.37.2
if: ${{ steps.meta.outputs.scan_image != '' }}
uses: docker://aquasec/trivy:0.55.2
if: ${{ inputs.skip_cis_scan != 'true' && steps.meta.outputs.scan_image != '' }}
id: cis_json
with:
entrypoint: trivy
args: "image ${{ env.input }} ${{ steps.meta.outputs.scan_image }} --compliance ${{ env.compliance }} -f json --ignore-unfixed -o ${{ steps.meta.outputs.cis_json_file }}"
env:
compliance: docker-cis
compliance: docker-cis-1.6.0
input: ${{ steps.docker_tar.outputs.files_exists == 'true' && '--input' || '' }}

- name: upload docker-cis JSON report
if: ${{ steps.meta.outputs.scan_image != '' }}
if: ${{ inputs.skip_cis_scan != 'true' && steps.meta.outputs.scan_image != '' }}
uses: actions/upload-artifact@v4
with:
name: ${{ steps.meta.outputs.cis_json_file }}
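Review bot: the new image `docker://aquasec/trivy:0.55.2` is pinned by tag only; a tag on Docker Hub is mutable and can be re-pushed, so pin by digest (`aquasec/trivy:0.55.2@sha256:<digest>`) given this step produces the compliance evidence for the release image. The commit message says the scan now skips CIS DB access and runs in offline mode, but the `args:` line in this hunk is unchanged, so no such flag is actually passed here; either add the flag or drop that claim from the message. The switch to `compliance: docker-cis-1.6.0` matches the spec id used by newer Trivy releases, so that part is consistent with the version bump.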
@@ -315,12 +323,12 @@ runs:
if-no-files-found: warn

- name: Inspect docker-cis report
if: ${{ steps.meta.outputs.scan_image != '' }}
uses: docker://ghcr.io/aquasecurity/trivy:0.37.2
if: ${{ inputs.skip_cis_scan != 'true' && steps.meta.outputs.scan_image != '' }}
uses: docker://aquasec/trivy:0.55.2
with:
entrypoint: trivy
args: "image ${{ env.input }} ${{ steps.meta.outputs.scan_image }} --compliance ${{ env.compliance }} -f table --ignore-unfixed --exit-code ${{ env.exit-code }}"
env:
exit-code: ${{ (steps.meta.outputs.global_enforce_build_failure == 'true' || inputs.fail_build == 'true') && '1' || '0' }}
compliance: docker-cis
compliance: docker-cis-1.6.0
input: ${{ steps.docker_tar.outputs.files_exists == 'true' && '--input' || '' }}
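Review bot: the `inputs.skip_cis_scan != 'true' && steps.meta.outputs.scan_image != ''` guard and the Trivy image reference are now copied across three steps (generate, upload, inspect); put the image in one `env` value and compute the guard once as a step output so a future version bump or a change to the skip logic cannot update one copy and miss another. The same digest-pinning point as on the generate step applies to `uses: docker://aquasec/trivy:0.55.2` here. Note also that when the scan is skipped, the `--exit-code` enforcement driven by `inputs.fail_build` and `global_enforce_build_failure` is skipped with it, so a consumer setting `fail_build: true` together with `skip_cis_scan: true` silently gets no gate; worth stating in the `skip_cis_scan` description.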
