-
-
Notifications
You must be signed in to change notification settings - Fork 0
191 lines (191 loc) · 6.88 KB
/
Copy pathdocker-image-scan.yml
File metadata and controls
191 lines (191 loc) · 6.88 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
---
name: Security scan for Docker images
on:
workflow_call:
inputs:
image-refs-json:
required: true
type: string
description: JSON array of image references to scan
image-artifact-name:
required: false
type: string
description: Image tarball artifact name to download
default: null
registry:
required: false
type: string
description: Image registry to login (e.g., ghcr.io, docker.io)
default: null
registry-user:
required: false
type: string
description: Registry username
default: ${{ github.repository_owner }}
trivy-scanners:
required: false
type: string
description: List of scanners to use
default: vuln,secret,misconfig
trivy-severity:
required: false
type: string
description: Severity levels to fail the scan
default: UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL
trivy-ignore-unfixed:
required: false
type: boolean
description: Ignore unpatched/unfixed vulnerabilities
default: true
trivy-exit-code:
required: false
type: number
description: Exit code for pre-build scan
default: 1
trivy-config:
required: false
type: string
description: Path to a Trivy config file
default: null
trivy-timeout:
required: false
type: string
description: Timeout for the Trivy scan
default: 5m0s
trivy-report-artifact-name:
required: false
type: string
description: Unique base name for Trivy report artifacts; omit to skip report uploads
default: null
runs-on:
required: false
type: string
description: GitHub Actions runner to use
default: ubuntu-latest
secrets:
DOCKER_TOKEN:
required: false
description: Registry token
GH_TOKEN:
required: false
description: GitHub token
permissions:
contents: write
defaults:
run:
shell: bash -euo pipefail {0}
working-directory: .
jobs:
scan:
runs-on: ${{ inputs.runs-on }}
strategy:
fail-fast: false
matrix:
image-ref: ${{ fromJSON(inputs.image-refs-json) }}
steps:
- name: Download the image tarball artifact
if: inputs.image-artifact-name != null
uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
with:
name: ${{ inputs.image-artifact-name }}
path: /tmp/
- name: Load the image tarball
if: inputs.image-artifact-name != null
env:
IMAGE_TAR: /tmp/${{ inputs.image-artifact-name }}.tar
run: >
docker load -i "${IMAGE_TAR}"
- name: Checkout repository
if: inputs.trivy-config != null
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
fetch-depth: 1
persist-credentials: false
- name: Login to the image registry
if: inputs.registry != null
uses: docker/login-action@af1e73f918a031802d376d3c8bbc3fe56130a9b0 # v4.4.0
with:
registry: ${{ inputs.registry }}
username: ${{ inputs.registry-user }}
password: ${{ secrets.DOCKER_TOKEN }} # zizmor: ignore[secrets-outside-env] caller-provided secret
- name: Run Trivy in GitHub SBOM mode and submit results to Dependency Graph
uses: aquasecurity/trivy-action@ed142fd0673e97e23eac54620cfb913e5ce36c25 # v0.36.0
with:
scan-type: image
image-ref: ${{ matrix.image-ref }}
scanners: ${{ inputs.trivy-scanners }}
severity: ${{ inputs.trivy-severity }}
ignore-unfixed: ${{ inputs.trivy-ignore-unfixed }}
exit-code: 0
trivy-config: ${{ inputs.trivy-config }}
timeout: ${{ inputs.trivy-timeout }}
format: github
output: dependency-results.${{ strategy.job-index }}.sbom.json
github-pat: ${{ secrets.GH_TOKEN || secrets.GITHUB_TOKEN }} # zizmor: ignore[secrets-outside-env] caller-provided secret
env:
TRIVY_CHECKS_REPOSITORY: public.ecr.aws/aquasecurity/trivy-checks
TRIVY_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-db
TRIVY_JAVA_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-java-db
- name: Run Trivy and generate a readable report
id: trivy-report
continue-on-error: true
uses: aquasecurity/trivy-action@ed142fd0673e97e23eac54620cfb913e5ce36c25 # v0.36.0
with:
scan-type: image
image-ref: ${{ matrix.image-ref }}
scanners: ${{ inputs.trivy-scanners }}
severity: ${{ inputs.trivy-severity }}
ignore-unfixed: ${{ inputs.trivy-ignore-unfixed }}
exit-code: ${{ inputs.trivy-exit-code }}
trivy-config: ${{ inputs.trivy-config }}
timeout: ${{ inputs.trivy-timeout }}
format: table
output: trivy-results.txt
skip-setup-trivy: true
env:
TRIVY_FORMAT: table
TRIVY_CHECKS_REPOSITORY: public.ecr.aws/aquasecurity/trivy-checks
TRIVY_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-db
TRIVY_JAVA_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-java-db
- name: Upload complete Trivy report
if: always() && inputs.trivy-report-artifact-name != null
uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
with:
name: ${{ inputs.trivy-report-artifact-name }}-${{ strategy.job-index }}
path: trivy-results.txt
if-no-files-found: ignore
- name: Add Trivy results to job summary
if: always()
env:
IMAGE_REF: ${{ matrix.image-ref }}
TRIVY_REPORT_ARTIFACT_NAME: ${{ inputs.trivy-report-artifact-name }}
run: |
{
echo "## Trivy image scan"
echo
echo "**Image:** \`${IMAGE_REF}\`"
echo
echo "<details open>"
echo "<summary>Scan results</summary>"
echo
echo '```text'
if [[ -s trivy-results.txt ]]; then
head -c 900000 trivy-results.txt
if [[ $(wc -c < trivy-results.txt) -gt 900000 ]]; then
echo
if [[ -n "${TRIVY_REPORT_ARTIFACT_NAME}" ]]; then
echo "[Report truncated; download the complete report artifact.]"
else
echo "[Report truncated; set trivy-report-artifact-name to upload the complete report.]"
fi
fi
else
echo "Trivy did not generate a report."
fi
echo '```'
echo
echo "</details>"
} >> "${GITHUB_STEP_SUMMARY}"
- name: Enforce Trivy scan result
if: steps.trivy-report.outcome == 'failure'
run: exit 1