Trivy CVE Dependency Scanner #1114
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Trivy CVE Dependency Scanner | |
on: | |
schedule: | |
- cron: '0 0 * * *' | |
workflow_dispatch: | |
jobs: | |
scan-latest-release: | |
runs-on: ubuntu-latest | |
steps: | |
- name: Get Latest Release Docker Image Sha | |
id: latest-sha | |
run: | | |
# Get the latest released docker image sha | |
curl -sL https://api.github.com/repos/carvel-dev/secretgen-controller/releases/latest | jq -r '.assets[].browser_download_url' | wget -i - | |
echo ::set-output name=image::$(yq eval '.spec.template.spec.containers[0].image' release.yml -N -j | jq 'select(. != null)' -r) | |
echo ::set-output name=tag::$(curl -sL https://api.github.com/repos/carvel-dev/secretgen-controller/releases/latest | jq -r '.tag_name') | |
- name: Install Trivy | |
run: | | |
# https://aquasecurity.github.io/trivy/v0.18.3/installation/ | |
sudo apt-get install wget apt-transport-https gnupg lsb-release | |
wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key | sudo apt-key add - | |
echo deb https://aquasecurity.github.io/trivy-repo/deb $(lsb_release -sc) main | sudo tee -a /etc/apt/sources.list.d/trivy.list | |
sudo apt-get update | |
sudo apt-get install trivy | |
- name: Run Trivy | |
run: | | |
trivy image ${{ steps.latest-sha.outputs.image }} | |
trivy image --format json --output trivy-results-image-latest.json ${{ steps.latest-sha.outputs.image }} | |
- name: Check for new Vulnerabilities | |
run: | | |
set -o pipefail | |
summary="Trivy scan has found new vulnerabilities in ${{steps.latest-sha.outputs.tag}} check https://github.com/${{github.repository}}/actions/runs/${{github.run_id}}" | |
vulnCount=$(jq '[ .Results[]? | select(.Vulnerabilities) | .Vulnerabilities ] | length' trivy-results-image-latest.json) | |
if [[ $vulnCount -eq 0 ]]; then | |
summary="Trivy Scan has not found any new Security Issues in ${{steps.latest-sha.outputs.tag}}" | |
fi | |
echo "SUMMARY=$summary" >> $GITHUB_ENV | |
- name: Send Slack Notification | |
if: success() | |
uses: slackapi/slack-github-action@v1.15.0 | |
env: | |
SLACK_BOT_TOKEN: ${{ secrets.SLACK_BOT_TOKEN }} | |
with: | |
channel-id: C010XR15VHU | |
slack-message: "${{ env.SUMMARY }}" | |
- name: Send Failure notification | |
if: failure() | |
uses: slackapi/slack-github-action@v1.15.0 | |
env: | |
SLACK_BOT_TOKEN: ${{ secrets.SLACK_BOT_TOKEN }} | |
with: | |
channel-id: C010XR15VHU | |
slack-message: "Trivy scan workflow [${{steps.latest-sha.outputs.tag}}] failed. Please check the latest github action run for trivy scanner." | |
scan-develop-branch: | |
runs-on: ubuntu-latest | |
permissions: | |
security-events: write | |
steps: | |
- name: Checkout | |
uses: actions/checkout@v2 | |
with: | |
fetch-depth: 0 | |
- name: Set up Go 1.x | |
uses: actions/setup-go@v3 | |
with: | |
go-version: 1.23.3 | |
- name: Build the secretgen-controller artifacts | |
run: | | |
curl -L https://carvel.dev/install.sh | bash | |
./hack/build.sh | |
# docker image | |
docker buildx build -t docker.io/carvel/secretgen-controller:${{ github.sha }} . | |
- name: Install Trivy | |
run: | | |
# https://aquasecurity.github.io/trivy/v0.18.3/installation/ | |
sudo apt-get install wget apt-transport-https gnupg lsb-release | |
wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key | sudo apt-key add - | |
echo deb https://aquasecurity.github.io/trivy-repo/deb $(lsb_release -sc) main | sudo tee -a /etc/apt/sources.list.d/trivy.list | |
sudo apt-get update | |
sudo apt-get install trivy | |
# download the sarif format template | |
git clone --depth 1 https://github.com/aquasecurity/trivy | |
- name: Run Trivy Reports | |
run: | | |
export TRIVY_IGNORE_UNFIXED=true | |
export TRIVY_SEVERITY="MEDIUM,HIGH,CRITICAL" | |
export TRIVY_TEMPLATE="@trivy/contrib/sarif.tpl" | |
# secretgen-controller binary - output in sarif and json | |
trivy rootfs --format template --output trivy-results-binary.sarif "controller" | |
trivy rootfs --format json --output trivy-results-binary.json "controller" | |
# secretgen-controller docker image - output in sarif and json | |
trivy image --format template --output trivy-results-image.sarif "docker.io/carvel/secretgen-controller:${{ github.sha }}" | |
trivy image --format json --output trivy-results-image.json "docker.io/carvel/secretgen-controller:${{ github.sha }}" | |
- name: Upload Trivy scan results to GitHub Security tab | |
uses: github/codeql-action/upload-sarif@v2 | |
with: | |
sarif_file: '.' | |
- name: Check for new Vulnerabilities | |
run: | | |
set -o pipefail | |
summary="Trivy scan has found new vulnerabilities - check https://github.com/carvel-dev/secretgen-controller/security/code-scanning for more" | |
vulnCountBinary=$(jq '[ .Results[]? | select(.Vulnerabilities) | .Vulnerabilities ] | length' trivy-results-binary.json) | |
vulnCountImage=$(jq '[ .Results[]? | select(.Vulnerabilities) | .Vulnerabilities ] | length' trivy-results-image.json) | |
if [[ $vulnCountImage -eq 0 && $vulnCountBinary -eq 0 ]] | |
then | |
summary="Trivy Scan has not found any new Security Issues" | |
fi | |
echo "SUMMARY=$summary" >> $GITHUB_ENV | |
- name: Send Slack Notification | |
if: success() | |
uses: slackapi/slack-github-action@v1.15.0 | |
env: | |
SLACK_BOT_TOKEN: ${{ secrets.SLACK_BOT_TOKEN }} | |
with: | |
channel-id: C010XR15VHU | |
slack-message: "${{ env.SUMMARY }}" | |
- name: Send Failure notification | |
if: failure() | |
uses: slackapi/slack-github-action@v1.15.0 | |
env: | |
SLACK_BOT_TOKEN: ${{ secrets.SLACK_BOT_TOKEN }} | |
with: | |
channel-id: C010XR15VHU | |
slack-message: "Trivy scan workflow failed. Please check the latest github action run for trivy scanner." |