From 37caec9369105c06392be1219a1bb6217eab3bb1 Mon Sep 17 00:00:00 2001 From: "Roman v. Gemmeren" Date: Fri, 3 Mar 2023 17:06:23 +0100 Subject: [PATCH 1/9] Create .github/workflows/trivy.yml --- .github/workflows/trivy.yml | 44 +++++++++++++++++++++++++++++++++++++ 1 file changed, 44 insertions(+) create mode 100644 .github/workflows/trivy.yml diff --git a/.github/workflows/trivy.yml b/.github/workflows/trivy.yml new file mode 100644 index 0000000..1cbf92e --- /dev/null +++ b/.github/workflows/trivy.yml @@ -0,0 +1,44 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +name: build + +on: + pull_request: + # The branches below must be a subset of the branches above + branches: [ "master" ] + +permissions: + contents: read + +jobs: + build: + permissions: + contents: read # for actions/checkout to fetch code + security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status + name: Build + runs-on: "ubuntu-18.04" + steps: + - name: Checkout code + uses: actions/checkout@v3 + + - name: Build an image from Dockerfile + run: | + docker build -t test:${{ github.sha }} . + + - name: Run Trivy vulnerability scanner + uses: aquasecurity/trivy-action@7b7aa264d83dc58691451798b4d117d53d21edfe + with: + image-ref: 'testp:${{ github.sha }}' + format: 'template' + template: '@/contrib/sarif.tpl' + output: 'trivy-results.sarif' + severity: 'CRITICAL,HIGH' + + - name: Upload Trivy scan results to GitHub Security tab + uses: github/codeql-action/upload-sarif@v2 + with: + sarif_file: 'trivy-results.sarif' From 985983373bffee2b981b25d71f3090f5f29f7f1f Mon Sep 17 00:00:00 2001 
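Review bot: The image the scanner is pointed at (`image-ref: 'testp:${{ github.sha }}'`) does not match the tag the build step creates (`docker build -t test:${{ github.sha }} .`), so trivy-action has no local image to inspect; the two lines must use one tag. `runs-on: "ubuntu-18.04"` is a deprecated hosted-runner label and should become `ubuntu-22.04` or `ubuntu-latest`. Action pinning is inconsistent: trivy-action is pinned to a commit SHA while `actions/checkout@v3` and `github/codeql-action/upload-sarif@v2` float on mutable tags; pin all three to commit SHAs and annotate each with the release it corresponds to, e.g. `uses: aquasecurity/trivy-action@7b7aa264d83dc58691451798b4d117d53d21edfe # <trivy-action release, fill in>`, so reviewers and update tooling can tell what is pinned. The comment `# The branches below must be a subset of the branches above` refers to a trigger that does not exist in this file and should be dropped.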
From: "Roman v. Gemmeren" Date: Fri, 3 Mar 2023 17:14:30 +0100 Subject: [PATCH 2/9] Update trivy.yml --- .github/workflows/trivy.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/trivy.yml b/.github/workflows/trivy.yml index 1cbf92e..f4756a7 100644 --- a/.github/workflows/trivy.yml +++ b/.github/workflows/trivy.yml @@ -6,7 +6,7 @@ name: build on: - pull_request: + push: # The branches below must be a subset of the branches above branches: [ "master" ] @@ -27,12 +27,12 @@ jobs: - name: Build an image from Dockerfile run: | - docker build -t test:${{ github.sha }} . + docker build -t ${{ GITHUB_REPOSITORY }}:${{ GITHUB_REF_NAME }}-${{ github.sha }} . - name: Run Trivy vulnerability scanner uses: aquasecurity/trivy-action@7b7aa264d83dc58691451798b4d117d53d21edfe with: - image-ref: 'testp:${{ github.sha }}' + image-ref: '${{ GITHUB_REPOSITORY }}:${{ GITHUB_REF_NAME }}-${{ github.sha }}' format: 'template' template: '@/contrib/sarif.tpl' output: 'trivy-results.sarif' From 066976b069e1542fb8cd8892594501d3ac3cbf1f Mon Sep 17 00:00:00 2001 From: "Roman v. Gemmeren" Date: Fri, 3 Mar 2023 17:15:50 +0100 Subject: [PATCH 3/9] Update trivy.yml --- .github/workflows/trivy.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/trivy.yml b/.github/workflows/trivy.yml index f4756a7..82f7fe7 100644 --- a/.github/workflows/trivy.yml +++ b/.github/workflows/trivy.yml @@ -8,7 +8,7 @@ name: build on: push: # The branches below must be a subset of the branches above - branches: [ "master" ] + branches: [ "*" ] permissions: contents: read From d49e9a422ba71b7d7f82abdbd3d5fb4b4f94bc8f Mon Sep 17 00:00:00 2001 From: "Roman v. Gemmeren" Date: Fri, 3 Mar 2023 17:16:46 +0100 Subject: [PATCH 4/9] Update trivy.yml --- .github/workflows/trivy.yml | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/.github/workflows/trivy.yml b/.github/workflows/trivy.yml index 82f7fe7..40c151d 100644 
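Review bot: `${{ GITHUB_REPOSITORY }}` and `${{ GITHUB_REF_NAME }}` on the `docker build` and `image-ref` lines are not valid expression named-values, so the workflow fails at parse time; the runner's default variables are reachable inside a `run:` shell as `$GITHUB_REPOSITORY` / `$GITHUB_REF_NAME`, and in expressions through the `github` context as `${{ github.repository }}` / `${{ github.ref_name }}`. The same defect recurs in patch 5, where `vars.GITHUB_REPOSITORY` / `vars.GITHUB_REF_NAME` read repository-level configuration variables rather than runner defaults and would presumably expand to an empty string unless someone defines them, producing a reference like `:-<sha>`. The `${GITHUB_REPOSITORY}` shell form that patches 6–8 put into the `with:` input is presumably passed to the action literally, since `with:` values are not shell-expanded; the `${{ github.repository }}` form patch 9 settles on is the right one for `with:`.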
--- a/.github/workflows/trivy.yml +++ b/.github/workflows/trivy.yml @@ -5,10 +5,7 @@ name: build -on: - push: - # The branches below must be a subset of the branches above - branches: [ "*" ] +on: push permissions: contents: read From 8496a85349692e0aee4b3f02c97548b0fd7a1429 Mon Sep 17 00:00:00 2001 From: "Roman v. Gemmeren" Date: Fri, 3 Mar 2023 17:18:41 +0100 Subject: [PATCH 5/9] Update trivy.yml --- .github/workflows/trivy.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/trivy.yml b/.github/workflows/trivy.yml index 40c151d..71d66b1 100644 --- a/.github/workflows/trivy.yml +++ b/.github/workflows/trivy.yml @@ -24,12 +24,12 @@ jobs: - name: Build an image from Dockerfile run: | - docker build -t ${{ GITHUB_REPOSITORY }}:${{ GITHUB_REF_NAME }}-${{ github.sha }} . + docker build -t ${{ vars.GITHUB_REPOSITORY }}:${{ vars.GITHUB_REF_NAME }}-${{ github.sha }} . - name: Run Trivy vulnerability scanner uses: aquasecurity/trivy-action@7b7aa264d83dc58691451798b4d117d53d21edfe with: - image-ref: '${{ GITHUB_REPOSITORY }}:${{ GITHUB_REF_NAME }}-${{ github.sha }}' + image-ref: '${{ vars.GITHUB_REPOSITORY }}:${{ vars.GITHUB_REF_NAME }}-${{ github.sha }}' format: 'template' template: '@/contrib/sarif.tpl' output: 'trivy-results.sarif' From 332c451209c7dfa3614a2dc0301e81cd5d5f0a8b Mon Sep 17 00:00:00 2001 From: "Roman v. Gemmeren" Date: Fri, 3 Mar 2023 17:22:04 +0100 Subject: [PATCH 6/9] Update trivy.yml --- .github/workflows/trivy.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/trivy.yml b/.github/workflows/trivy.yml index 71d66b1..06d6a29 100644 --- a/.github/workflows/trivy.yml +++ b/.github/workflows/trivy.yml 
@@ -24,12 +24,12 @@ jobs: - name: Build an image from Dockerfile run: | - docker build -t ${{ vars.GITHUB_REPOSITORY }}:${{ vars.GITHUB_REF_NAME }}-${{ github.sha }} . + docker build -t "$GITHUB_REPOSITORY:$GITHUB_REF_NAME-${{ github.sha }}" . - name: Run Trivy vulnerability scanner uses: aquasecurity/trivy-action@7b7aa264d83dc58691451798b4d117d53d21edfe with: - image-ref: '${{ vars.GITHUB_REPOSITORY }}:${{ vars.GITHUB_REF_NAME }}-${{ github.sha }}' + image-ref: "$GITHUB_REPOSITORY:$GITHUB_REF_NAME-${{ github.sha }}" format: 'template' template: '@/contrib/sarif.tpl' output: 'trivy-results.sarif' From 727f91c7d57582ddca31b170a118e7aeeafe472d Mon Sep 17 00:00:00 2001 From: "Roman v. Gemmeren" Date: Fri, 3 Mar 2023 17:23:47 +0100 Subject: [PATCH 7/9] Update trivy.yml --- .github/workflows/trivy.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/trivy.yml b/.github/workflows/trivy.yml index 06d6a29..6a9d645 100644 --- a/.github/workflows/trivy.yml +++ b/.github/workflows/trivy.yml @@ -24,12 +24,12 @@ jobs: - name: Build an image from Dockerfile run: | - docker build -t "$GITHUB_REPOSITORY:$GITHUB_REF_NAME-${{ github.sha }}" . + docker build -t "${GITHUB_REPOSITORY}:${GITHUB_REF_NAME}-${{ github.sha }}" . - name: Run Trivy vulnerability scanner uses: aquasecurity/trivy-action@7b7aa264d83dc58691451798b4d117d53d21edfe with: - image-ref: "$GITHUB_REPOSITORY:$GITHUB_REF_NAME-${{ github.sha }}" + image-ref: "${GITHUB_REPOSITORY}:${GITHUB_REF_NAME}-${{ github.sha }}" format: 'template' template: '@/contrib/sarif.tpl' output: 'trivy-results.sarif' From 24d3291dd53fbd08692bca42b2defb71dd28cb1e Mon Sep 17 00:00:00 2001 From: "Roman v. Gemmeren" Date: Fri, 3 Mar 2023 17:28:54 +0100 Subject: [PATCH 8/9] Update trivy.yml --- .github/workflows/trivy.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/trivy.yml b/.github/workflows/trivy.yml index 6a9d645..e5e25a6 100644 --- a/.github/workflows/trivy.yml 
+++ b/.github/workflows/trivy.yml @@ -29,7 +29,7 @@ jobs: - name: Run Trivy vulnerability scanner uses: aquasecurity/trivy-action@7b7aa264d83dc58691451798b4d117d53d21edfe with: - image-ref: "${GITHUB_REPOSITORY}:${GITHUB_REF_NAME}-${{ github.sha }}" + image-ref: ${GITHUB_REPOSITORY}:${GITHUB_REF_NAME}-${{ github.sha }} format: 'template' template: '@/contrib/sarif.tpl' output: 'trivy-results.sarif' From 19d8ec89bc55323f22cdf9475b371ce468875762 Mon Sep 17 00:00:00 2001 From: strowi Date: Sun, 5 Mar 2023 08:48:34 +0100 Subject: [PATCH 9/9] test --- .github/workflows/trivy.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/trivy.yml b/.github/workflows/trivy.yml index e5e25a6..51abe45 100644 --- a/.github/workflows/trivy.yml +++ b/.github/workflows/trivy.yml @@ -24,12 +24,12 @@ jobs: - name: Build an image from Dockerfile run: | - docker build -t "${GITHUB_REPOSITORY}:${GITHUB_REF_NAME}-${{ github.sha }}" . + docker build -t "${{ github.repository }}:${{ github.ref_name}}-${{ github.sha }}" . - name: Run Trivy vulnerability scanner uses: aquasecurity/trivy-action@7b7aa264d83dc58691451798b4d117d53d21edfe with: - image-ref: ${GITHUB_REPOSITORY}:${GITHUB_REF_NAME}-${{ github.sha }} + image-ref: ${{ github.repository }}:${{ github.ref_name}}-${{ github.sha }} format: 'template' template: '@/contrib/sarif.tpl' output: 'trivy-results.sarif'
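Review bot: `${{ github.ref_name}}` is interpolated straight into the `docker build` shell line of the `run:` step; branch names are free text that may contain characters the shell interprets, and the Actions hardening guidance is to pass such values through an environment variable rather than inline in a script. Patch 7 already had the shell form `"${GITHUB_REPOSITORY}:${GITHUB_REF_NAME}-${{ github.sha }}"` for this line, and only the `with: image-ref:` input needed the `${{ github.* }}` form, so reverting the `run:` line was unnecessary. Separately, the resulting reference is not always a valid Docker reference: a branch such as `feature/foo` puts `/` into the tag, and a repository slug containing uppercase letters is rejected as an image name, so both the build and the scan fail on those refs. Computing the reference once in a preceding step, normalising it, and publishing it via `$GITHUB_ENV` fixes both and keeps the two steps in sync; `${{ github.ref_name}}` is also missing the space before `}}`.
```yaml
      - name: Compute image reference
        # Docker repository names must be lowercase and "/" is not allowed in a
        # tag; normalise once here so the build and scan steps use the same value.
        run: |
          ref="${GITHUB_REF_NAME//\//-}"
          echo "IMAGE_REF=${GITHUB_REPOSITORY,,}:${ref}-${GITHUB_SHA}" >> "$GITHUB_ENV"

      - name: Build an image from Dockerfile
        run: |
          docker build -t "$IMAGE_REF" .
      # … unchanged: Run Trivy vulnerability scanner step name and uses: …
          image-ref: ${{ env.IMAGE_REF }}
      # … unchanged: format, template, output and severity inputs …
```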