Add container security scanning (#7216)

Container security scanning workflow added. This runs on schedule everyday. Also possible to run on-demand for a given image tag Signed-off-by: Chaminda Divitotawela <cdivitotawela@gmail.com> Co-authored-by: Sally MacFarlane <macfarla.github@gmail.com> Co-authored-by: Justin Florentine <justin+github@florentine.us>
hyperledger · Jun 13, 2024 · 884834f · 884834f
1 parent 1ee35a3
commit 884834f
Showing 1 changed file with 44 additions and 0 deletions.
diff --git a/.github/workflows/container-security-scan.yml b/.github/workflows/container-security-scan.yml
@@ -0,0 +1,44 @@
+name: container security scan
+
+on:
+  workflow_dispatch:
+    inputs:
+      tag:
+        description: 'Container image tag'
+        required: false
+        default: 'develop'      
+  schedule:
+    # Start of the hour is the busy time. Scheule it to run 8:17am UTC
+    - cron:  '17 8 * * *'
+
+jobs:
+  scan-sarif:
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      # Shell parameter expansion does not support directly on a step
+      # Adding a separate step to set the image tag. This allows running
+      # this workflow with a schedule as well as manual
+      - name: Set image tag
+        id: tag
+        run: |
+          echo "TAG=${INPUT_TAG:-develop}" >> "$GITHUB_OUTPUT"
+        env:
+          INPUT_TAG: ${{ inputs.tag }} 
+
+      - name: Vulnerability scanner
+        id: trivy
+        uses: aquasecurity/trivy-action@0.22.0
+        with:
+          image-ref: hyperledger/besu:${{ steps.tag.outputs.TAG }}
+          format: sarif
+          output: 'trivy-results.sarif'
+
+      # Check the vulnerabilities via GitHub security tab
+      - name: Upload results
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: 'trivy-results.sarif'