Security Scan #866
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Security Scan | |
| on: | |
| push: | |
| branches: | |
| - 'main' | |
| schedule: | |
| - cron: '15 10 * * *' # each day at 10:15 UTC | |
| jobs: | |
| security-scan: | |
| name: Security Scan | |
| runs-on: ubuntu-latest | |
| continue-on-error: false | |
| strategy: | |
| matrix: | |
| branch-name: | |
| - 'release/8.0' | |
| - 'release/8.1' | |
| - 'release/8.1-ubuntu' | |
| - 'release/8.2' | |
| - 'release/8.2-zts' | |
| - 'release/8.2-ubuntu' | |
| - 'release/8.3' | |
| - 'release/8.3-zts' | |
| - 'release/8.3-ubuntu' | |
| - 'release/8.4' | |
| steps: | |
| - name: "Checkout code" | |
| uses: actions/checkout@v3 | |
| with: | |
| ref: ${{ matrix.branch-name }} | |
| - name: "ZTS_SUFFIX Env" | |
| run: echo "ZTS_SUFFIX=`echo '${{ matrix.branch-name }}' | grep zts > /dev/null && echo '-zts' || echo ''`" > $GITHUB_ENV | |
| - name: "UBUNTU_SUFFIX Env" | |
| run: echo "UBUNTU_SUFFIX=`echo '${{ matrix.branch-name }}' | grep ubuntu > /dev/null && echo '-ubuntu' || echo ''`" > $GITHUB_ENV | |
| - name: "PHP_VERSION Env" | |
| run: echo "PHP_VERSION=`grep "ARG PHP_VERSION" Dockerfile | cut -f 2 -d '"' | tr -d '_'`${{ env.ZTS_SUFFIX }}${{ env.UBUNTU_SUFFIX }}" > $GITHUB_ENV | |
| - name: "BRANCH_SHA Env" | |
| run: echo "BRANCH_SHA=`git rev-parse HEAD`" >> $GITHUB_ENV | |
| - name: Pull the image | |
| run: docker pull ghcr.io/endava/docker-php:${{ env.PHP_VERSION }} | |
| - name: Tag also with php:${{ env.PHP_VERSION }} | |
| run: docker tag ghcr.io/endava/docker-php:${{ env.PHP_VERSION }} php-${{ env.PHP_VERSION }} | |
| - name: "IMAGE_SIZE Env" | |
| run: echo "IMAGE_SIZE=`docker image save php-${{ env.PHP_VERSION }} | gzip | wc -c | numfmt --to=si`" > $GITHUB_ENV | |
| - run: wget "https://img.shields.io/static/v1.png?label=${{ env.PHP_VERSION }}&message=${{ env.IMAGE_SIZE }}&color=blue" -O size-status.png | |
| - name: Run Alpine Trivy vulnerability scanner | |
| uses: aquasecurity/trivy-action@0.24.0 | |
| env: | |
| TRIVY_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-db:2 | |
| with: | |
| image-ref: php-${{ env.PHP_VERSION }} | |
| format: 'table' | |
| exit-code: '0' # we don't break the build if vulnerabilities are included! | |
| ignore-unfixed: true | |
| vuln-type: 'os,library' | |
| severity: 'CRITICAL,HIGH' | |
| - name: Run Alpine Trivy vulnerability scanner and create html file | |
| uses: aquasecurity/trivy-action@0.24.0 | |
| env: | |
| TRIVY_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-db:2 | |
| with: | |
| image-ref: php-${{ env.PHP_VERSION }} | |
| format: 'template' | |
| template: '@/contrib/html.tpl' | |
| output: 'vulnerability-report.html' | |
| - name: Run Alpine Trivy vulnerability scanner and create html file | |
| uses: aquasecurity/trivy-action@0.24.0 | |
| env: | |
| TRIVY_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-db:2 | |
| with: | |
| image-ref: php-${{ env.PHP_VERSION }} | |
| format: 'json' | |
| ignore-unfixed: true | |
| output: 'vulnerability-report.json' | |
| - name: "FIXED_VULNERABILITIES Env" | |
| run: echo "FIXED_VULNERABILITIES=`cat vulnerability-report.json | jq '.Results[0].Vulnerabilities | length'`" > $GITHUB_ENV | |
| - if: ${{ env.FIXED_VULNERABILITIES == '0' }} | |
| run: wget "https://img.shields.io/static/v1.png?label=vulnerabilites&message=0&color=green" -O vulnerability-status.png | |
| - if: ${{ env.FIXED_VULNERABILITIES != '0' }} | |
| run: wget "https://img.shields.io/static/v1.png?label=vulnerabilites&message=${{ env.FIXED_VULNERABILITIES }}&color=red" -O vulnerability-status.png | |
| - name: Run Alpine Trivy vulnerability scanner and upload to github security tab | |
| uses: aquasecurity/trivy-action@0.24.0 | |
| env: | |
| TRIVY_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-db:2 | |
| with: | |
| image-ref: php-${{ env.PHP_VERSION }} | |
| format: 'sarif' | |
| output: 'trivy-results.sarif' | |
| - if: contains(github.ref, 'refs/heads/main') | |
| name: Upload Alpine Trivy scan results to GitHub Security tab | |
| uses: github/codeql-action/upload-sarif@v2 | |
| with: | |
| ref: refs/heads/${{ matrix.branch-name }} | |
| sha: ${{ env.BRANCH_SHA }} | |
| sarif_file: 'trivy-results.sarif' | |
| - if: contains(github.ref, 'refs/heads/main') | |
| name: Run Snyk to check Docker images for vulnerabilities | |
| uses: snyk/actions/docker@master | |
| continue-on-error: true | |
| env: | |
| SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} | |
| with: | |
| image: ghcr.io/endava/docker-php:${{ env.PHP_VERSION }} | |
| args: "--org=${{ secrets.SNYK_ORG }} --fail-on=upgradable --project-name=docker-php:${{ env.PHP_VERSION }} --target-reference=${{ env.PHP_VERSION }}" | |
| command: monitor | |
| - if: contains(github.ref, 'refs/heads/main') | |
| name: Upload vulnerability Report to Github Release Artifacts | |
| uses: softprops/action-gh-release@v1 | |
| with: | |
| tag_name: ${{ env.PHP_VERSION }} | |
| append_body: true | |
| body: "" | |
| files: | | |
| vulnerability-report.html | |
| vulnerability-status.png | |
| size-status.png |