Skip to content

Trivy CVE Dependency Scanner #1114

Trivy CVE Dependency Scanner

Trivy CVE Dependency Scanner #1114

Workflow file for this run

name: Trivy CVE Dependency Scanner
on:
schedule:
- cron: '0 0 * * *'
workflow_dispatch:
jobs:
scan-latest-release:
runs-on: ubuntu-latest
steps:
- name: Get Latest Release Docker Image Sha
id: latest-sha
run: |
# Get the latest released docker image sha
curl -sL https://api.github.com/repos/carvel-dev/secretgen-controller/releases/latest | jq -r '.assets[].browser_download_url' | wget -i -
echo ::set-output name=image::$(yq eval '.spec.template.spec.containers[0].image' release.yml -N -j | jq 'select(. != null)' -r)
echo ::set-output name=tag::$(curl -sL https://api.github.com/repos/carvel-dev/secretgen-controller/releases/latest | jq -r '.tag_name')
- name: Install Trivy
run: |
# https://aquasecurity.github.io/trivy/v0.18.3/installation/
sudo apt-get install wget apt-transport-https gnupg lsb-release
wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key | sudo apt-key add -
echo deb https://aquasecurity.github.io/trivy-repo/deb $(lsb_release -sc) main | sudo tee -a /etc/apt/sources.list.d/trivy.list
sudo apt-get update
sudo apt-get install trivy
- name: Run Trivy
run: |
trivy image ${{ steps.latest-sha.outputs.image }}
trivy image --format json --output trivy-results-image-latest.json ${{ steps.latest-sha.outputs.image }}
- name: Check for new Vulnerabilities
run: |
set -o pipefail
summary="Trivy scan has found new vulnerabilities in ${{steps.latest-sha.outputs.tag}} check https://github.com/${{github.repository}}/actions/runs/${{github.run_id}}"
vulnCount=$(jq '[ .Results[]? | select(.Vulnerabilities) | .Vulnerabilities ] | length' trivy-results-image-latest.json)
if [[ $vulnCount -eq 0 ]]; then
summary="Trivy Scan has not found any new Security Issues in ${{steps.latest-sha.outputs.tag}}"
fi
echo "SUMMARY=$summary" >> $GITHUB_ENV
- name: Send Slack Notification
if: success()
uses: slackapi/slack-github-action@v1.15.0
env:
SLACK_BOT_TOKEN: ${{ secrets.SLACK_BOT_TOKEN }}
with:
channel-id: C010XR15VHU
slack-message: "${{ env.SUMMARY }}"
- name: Send Failure notification
if: failure()
uses: slackapi/slack-github-action@v1.15.0
env:
SLACK_BOT_TOKEN: ${{ secrets.SLACK_BOT_TOKEN }}
with:
channel-id: C010XR15VHU
slack-message: "Trivy scan workflow [${{steps.latest-sha.outputs.tag}}] failed. Please check the latest github action run for trivy scanner."
scan-develop-branch:
runs-on: ubuntu-latest
permissions:
security-events: write
steps:
- name: Checkout
uses: actions/checkout@v2
with:
fetch-depth: 0
- name: Set up Go 1.x
uses: actions/setup-go@v3
with:
go-version: 1.23.3
- name: Build the secretgen-controller artifacts
run: |
curl -L https://carvel.dev/install.sh | bash
./hack/build.sh
# docker image
docker buildx build -t docker.io/carvel/secretgen-controller:${{ github.sha }} .
- name: Install Trivy
run: |
# https://aquasecurity.github.io/trivy/v0.18.3/installation/
sudo apt-get install wget apt-transport-https gnupg lsb-release
wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key | sudo apt-key add -
echo deb https://aquasecurity.github.io/trivy-repo/deb $(lsb_release -sc) main | sudo tee -a /etc/apt/sources.list.d/trivy.list
sudo apt-get update
sudo apt-get install trivy
# download the sarif format template
git clone --depth 1 https://github.com/aquasecurity/trivy
- name: Run Trivy Reports
run: |
export TRIVY_IGNORE_UNFIXED=true
export TRIVY_SEVERITY="MEDIUM,HIGH,CRITICAL"
export TRIVY_TEMPLATE="@trivy/contrib/sarif.tpl"
# secretgen-controller binary - output in sarif and json
trivy rootfs --format template --output trivy-results-binary.sarif "controller"
trivy rootfs --format json --output trivy-results-binary.json "controller"
# secretgen-controller docker image - output in sarif and json
trivy image --format template --output trivy-results-image.sarif "docker.io/carvel/secretgen-controller:${{ github.sha }}"
trivy image --format json --output trivy-results-image.json "docker.io/carvel/secretgen-controller:${{ github.sha }}"
- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: '.'
- name: Check for new Vulnerabilities
run: |
set -o pipefail
summary="Trivy scan has found new vulnerabilities - check https://github.com/carvel-dev/secretgen-controller/security/code-scanning for more"
vulnCountBinary=$(jq '[ .Results[]? | select(.Vulnerabilities) | .Vulnerabilities ] | length' trivy-results-binary.json)
vulnCountImage=$(jq '[ .Results[]? | select(.Vulnerabilities) | .Vulnerabilities ] | length' trivy-results-image.json)
if [[ $vulnCountImage -eq 0 && $vulnCountBinary -eq 0 ]]
then
summary="Trivy Scan has not found any new Security Issues"
fi
echo "SUMMARY=$summary" >> $GITHUB_ENV
- name: Send Slack Notification
if: success()
uses: slackapi/slack-github-action@v1.15.0
env:
SLACK_BOT_TOKEN: ${{ secrets.SLACK_BOT_TOKEN }}
with:
channel-id: C010XR15VHU
slack-message: "${{ env.SUMMARY }}"
- name: Send Failure notification
if: failure()
uses: slackapi/slack-github-action@v1.15.0
env:
SLACK_BOT_TOKEN: ${{ secrets.SLACK_BOT_TOKEN }}
with:
channel-id: C010XR15VHU
slack-message: "Trivy scan workflow failed. Please check the latest github action run for trivy scanner."