From 884834f352b6e6b112c481690646f2f4cfe6d347 Mon Sep 17 00:00:00 2001 From: Chaminda Divitotawela Date: Thu, 13 Jun 2024 22:21:00 +1000 Subject: [PATCH] Add container security scanning (#7216) Container security scanning workflow added. This runs on schedule everyday. Also possible to run on-demand for a given image tag Signed-off-by: Chaminda Divitotawela Co-authored-by: Sally MacFarlane Co-authored-by: Justin Florentine --- .github/workflows/container-security-scan.yml | 44 +++++++++++++++++++ 1 file changed, 44 insertions(+) create mode 100644 .github/workflows/container-security-scan.yml diff --git a/.github/workflows/container-security-scan.yml b/.github/workflows/container-security-scan.yml new file mode 100644 index 00000000000..e88689a06db --- /dev/null +++ b/.github/workflows/container-security-scan.yml @@ -0,0 +1,44 @@ +name: container security scan + +on: + workflow_dispatch: + inputs: + tag: + description: 'Container image tag' + required: false + default: 'develop' + schedule: + # Start of the hour is the busy time. Scheule it to run 8:17am UTC + - cron: '17 8 * * *' + +jobs: + scan-sarif: + runs-on: ubuntu-latest + + steps: + - name: Checkout + uses: actions/checkout@v4 + + # Shell parameter expansion does not support directly on a step + # Adding a separate step to set the image tag. This allows running + # this workflow with a schedule as well as manual + - name: Set image tag + id: tag + run: | + echo "TAG=${INPUT_TAG:-develop}" >> "$GITHUB_OUTPUT" + env: + INPUT_TAG: ${{ inputs.tag }} + + - name: Vulnerability scanner + id: trivy + uses: aquasecurity/trivy-action@0.22.0 + with: + image-ref: hyperledger/besu:${{ steps.tag.outputs.TAG }} + format: sarif + output: 'trivy-results.sarif' + + # Check the vulnerabilities via GitHub security tab + - name: Upload results + uses: github/codeql-action/upload-sarif@v3 + with: + sarif_file: 'trivy-results.sarif'