-
Notifications
You must be signed in to change notification settings - Fork 0
46 lines (42 loc) · 1.63 KB
/
scan-image.yaml
File metadata and controls
46 lines (42 loc) · 1.63 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
name: Scan Image API Gateway
on:
workflow_call:
jobs:
scan-image:
name: Security Scan
runs-on: ubuntu-latest
steps:
- name: Install Trivy
run: |
sudo apt-get update
sudo apt-get install -y wget
wget https://github.com/aquasecurity/trivy/releases/download/v0.40.0/trivy_0.40.0_Linux-64bit.deb
sudo dpkg -i trivy_0.40.0_Linux-64bit.deb
- name: Scan Docker image with Trivy
id: scan-image
run: |
trivy image --format json --output scan-results.json datuits/devops-api-gateway:latest
- name: Extract high and critical vulnerabilities
id: extract_vulnerabilities
run: |
jq -r '
def hr(severity):
if severity == "HIGH" or severity == "CRITICAL" then true else false end;
def to_md:
"| " + (.VulnerabilityID // "") + " | " + (.PkgName // "") + " | " + (.InstalledVersion // "") + " | " + (.Severity // "") + " | " + (.Title // "") + " |";
[
"# Docker Image Scan Results",
"",
"## High and Critical Vulnerabilities",
"",
"| Vulnerability ID | Package | Version | Severity | Description |",
"|------------------|---------|---------|----------|-------------|",
(.Results[] | .Vulnerabilities[] | select(hr(.Severity)) | to_md),
""
] | join("\n")
' scan-results.json > vulnerability-report.md
- name: Upload vulnerability report
uses: actions/upload-artifact@v4
with:
name: vulnerability-report
path: vulnerability-report.md