Trivy Security Scan #435
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Trivy Security Scan | |
| on: | |
| push: | |
| branches: | |
| - main | |
| paths: | |
| - .github/workflows/trivy-scan.yaml | |
| schedule: | |
| # Runs "At 06:00 AM on every day-of-week. Below time is mentioned in UTC time zone" (see https://crontab.guru) | |
| - cron: '30 0 * * *' | |
| workflow_dispatch: | |
| env: | |
| CLUSTER_NAME: bahmni-cluster-nonprod | |
| jobs: | |
| trivy-cluster-summary-scan: | |
| name: Trivy Cluster Summary Scan | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Setup Trivy | |
| run: | | |
| wget https://github.com/aquasecurity/trivy/releases/download/v0.31.3/trivy_0.31.3_Linux-64bit.deb | |
| sudo dpkg -i trivy_0.31.3_Linux-64bit.deb | |
| - name: Configure AWS Credentials | |
| uses: aws-actions/configure-aws-credentials@v1 | |
| with: | |
| aws-access-key-id: ${{ secrets.BAHMNI_AWS_ID }} | |
| aws-secret-access-key: ${{ secrets.BAHMNI_AWS_SECRET }} | |
| aws-region: ${{ secrets.BAHMNI_AWS_REGION }} | |
| role-to-assume: ${{ secrets.BAHMNI_INFRA_ADMIN_ROLE }} | |
| role-duration-seconds: 900 # 15 mins | |
| role-session-name: BahmniInfraAdminSession | |
| - name: Authorise Kubectl with EKS | |
| run: aws eks update-kubeconfig --name $CLUSTER_NAME | |
| - name: Create reports directory | |
| run: mkdir reports | |
| - name: Run Trivy Summary Scan | |
| run: trivy k8s --no-progress --report=summary --timeout=1h cluster -o reports/cluster-summary.txt | |
| - name: Upload Report Artifact | |
| uses: actions/upload-artifact@v3 | |
| with: | |
| name: cluster-summary | |
| path: reports/ | |
| get-namespaces: | |
| name: Get Namespaces | |
| runs-on: ubuntu-latest | |
| outputs: | |
| namespaces: ${{ steps.get-namespaces.outputs.namespaces }} | |
| steps: | |
| - name: Configure AWS Credentials | |
| uses: aws-actions/configure-aws-credentials@v1 | |
| with: | |
| aws-access-key-id: ${{ secrets.BAHMNI_AWS_ID }} | |
| aws-secret-access-key: ${{ secrets.BAHMNI_AWS_SECRET }} | |
| aws-region: ${{ secrets.BAHMNI_AWS_REGION }} | |
| role-to-assume: ${{ secrets.BAHMNI_INFRA_ADMIN_ROLE }} | |
| role-duration-seconds: 900 # 15 mins | |
| role-session-name: BahmniInfraAdminSession | |
| - name: Authorise Kubectl with EKS | |
| run: aws eks update-kubeconfig --name $CLUSTER_NAME | |
| - name: Get namespaces list | |
| id: get-namespaces | |
| run: | | |
| NAMESPACES=$(kubectl get ns -o json | jq -c ".items[] | .metadata.name" | jq -s .) | |
| echo $NAMESPACES | |
| echo ::set-output name=namespaces::${NAMESPACES} | |
| trivy-namespace-scan: | |
| name: Trivy Namespace Scan | |
| runs-on: ubuntu-latest | |
| needs: [ get-namespaces ] | |
| strategy: | |
| matrix: | |
| namespaces: ${{ fromJson(needs.get-namespaces.outputs.namespaces) }} | |
| steps: | |
| - name: Checkout repository | |
| uses: actions/checkout@v2 | |
| - name: Setup Trivy | |
| run: | | |
| wget https://github.com/aquasecurity/trivy/releases/download/v0.31.3/trivy_0.31.3_Linux-64bit.deb | |
| sudo dpkg -i trivy_0.31.3_Linux-64bit.deb | |
| - name: Configure AWS Credentials | |
| uses: aws-actions/configure-aws-credentials@v1 | |
| with: | |
| aws-access-key-id: ${{ secrets.BAHMNI_AWS_ID }} | |
| aws-secret-access-key: ${{ secrets.BAHMNI_AWS_SECRET }} | |
| aws-region: ${{ secrets.BAHMNI_AWS_REGION }} | |
| role-to-assume: ${{ secrets.BAHMNI_INFRA_ADMIN_ROLE }} | |
| role-duration-seconds: 900 # 15 mins | |
| role-session-name: BahmniInfraAdminSession | |
| - name: Authorise Kubectl with EKS | |
| run: aws eks update-kubeconfig --name $CLUSTER_NAME | |
| - name: Create reports directory | |
| run: mkdir reports | |
| - name: Run Trivy Detailed Scan for Critical Vulnerabilities | |
| run: trivy k8s --no-progress --severity CRITICAL --report=all --namespace ${{ matrix.namespaces }} --timeout=1h all -o reports/critical-vulnerabilities.txt | |
| - name: Run Trivy Detailed Scan for High Vulnerabilities | |
| run: trivy k8s --no-progress --severity HIGH --report=all --namespace ${{ matrix.namespaces }} --timeout=1h all -o reports/high-vulnerabilities.txt | |
| - name: Run Trivy Detailed Scan for Medium Vulnerabilities | |
| run: trivy k8s --no-progress --severity MEDIUM --report=all --namespace ${{ matrix.namespaces }} --timeout=1h all -o reports/medium-vulnerabilities.txt | |
| - name: Run Trivy Detailed Scan for Low Vulnerabilities | |
| run: trivy k8s --no-progress --severity LOW --report=all --namespace ${{ matrix.namespaces }} --timeout=1h all -o reports/low-vulnerabilities.txt | |
| - name: Run Trivy Detailed Scan for Unknown Vulnerabilities | |
| run: trivy k8s --no-progress --severity UNKNOWN --report=all --namespace ${{ matrix.namespaces }} --timeout=1h all -o reports/unknown-vulnerabilities.txt | |
| - name: Checking for Empty Vulnerability Reports | |
| shell: bash | |
| run: bash .github/check_empty_reports.sh | |
| - name: Run Trivy Summary Scan | |
| run: trivy k8s --no-progress --report=summary --namespace ${{ matrix.namespaces }} --timeout=1h all -o reports/trivy-summary.txt | |
| - name: Upload Report Artifact | |
| uses: actions/upload-artifact@v3 | |
| with: | |
| name: ${{ matrix.namespaces }} | |
| path: reports/ | |
| upload-report: | |
| runs-on: ubuntu-latest | |
| name: Upload Report | |
| needs: [ trivy-namespace-scan, trivy-cluster-summary-scan ] | |
| steps: | |
| - name: Checkout security-private repo | |
| uses: actions/checkout@v3 | |
| with: | |
| repository: BahmniIndiaDistro/security-private | |
| token: ${{ secrets.BAHMNI_PAT }} | |
| - name: Download Reports | |
| uses: actions/download-artifact@v3 | |
| with: | |
| path: trivy-reports/ | |
| - name: Update report timestamp | |
| run: | | |
| sed -i.bak "s|Report Generated at:.*</p>|Report Generated at: $(TZ=Asia/Kolkata date) </p>|" trivy-reports/index.html && rm trivy-reports/index.html.bak | |
| - name: Publish Report | |
| run: | | |
| git config user.name 'github-actions[bot]' | |
| git config user.email 'github-actions[bot]@users.noreply.github.com' | |
| git add . | |
| git commit -m "Updating trivy-report" | |
| git push | |
| save-scan-summary: | |
| name: Save Scan Summary | |
| needs: upload-report | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout security-private repo | |
| uses: actions/checkout@v3 | |
| with: | |
| repository: BahmniIndiaDistro/security-private | |
| token: ${{ secrets.BAHMNI_PAT }} | |
| - name: Download Cluster Summary | |
| uses: actions/download-artifact@v3 | |
| with: | |
| name: cluster-summary | |
| - name: Rename Scan Summary with current date | |
| run: mv cluster-summary.txt scan-summary-history/cluster-summary-"$(date +"%m-%d-%y")".txt | |
| - name: Publish Report | |
| run: | | |
| git config user.name 'github-actions[bot]' | |
| git config user.email 'github-actions[bot]@users.noreply.github.com' | |
| git add . | |
| git commit -m "Saving Cluster Scan Summary for "$(date +"%m-%d-%y")"" | |
| git push | |
| notification: | |
| name: Slack notification | |
| needs: [upload-report] | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Post message | |
| run: | | |
| curl -X POST -H 'Content-type: application/json' --data '{"text":"🔎 Trivy Security Scan completed for ${{ env.CLUSTER_NAME }}. \n> <https://github.com/BahmniIndiaDistro/security-private/|View Report [Private Repository]>"}' ${{ secrets.SLACK_WEBHOOK_URL }} |