
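---
# Scheduled workflow: scans every ghcr.io/networkservicemesh/ci image referenced
# under the apps folder with Docker Scout, merges the per-image SARIF output
# into one file and uploads it to GitHub code scanning.
name: Check CVEs
on:  # yamllint disable-line rule:truthy
  schedule:
    # Daily at 00:00 (GitHub schedules run in UTC)
    - cron: '0 0 * * *'

# Least privilege for the automatic GITHUB_TOKEN: upload-sarif needs
# security-events: write; nothing here writes repository contents.
# NOTE(review): private repositories additionally need `actions: read` for
# the SARIF upload — confirm against the codeql-action documentation.
permissions:
  contents: read
  security-events: write

env:
  # Exposed to every step; presumably consumed by the Scout / ghcr tooling
  # in the "Check CVEs" step — confirm it is actually needed there.
  GH_TOKEN: ${{ github.token }}

jobs:
  check-images:
    name: Check & Upload CVEs
    runs-on: ubuntu-latest
    steps:
      # NOTE(review): the three actions below are pinned to mutable tags;
      # pinning each `uses:` to a full commit SHA (with the tag in a trailing
      # comment) protects the workflow against a retagged or compromised action.
      - name: Check out the code
        uses: actions/checkout@v4

      - name: Setup jq
        uses: dcarbone/install-jq-action@v2.1.0
        with:
          version: '1.7'
          force: true

      - name: Check CVEs
        # Secrets are handed to the script through the environment rather than
        # being interpolated into the `run:` text with ${{ }}, so they never
        # become part of the shell source.
        env:
          DOCKER_LOGIN: ${{ secrets.DOCKER_LOGIN }}
          DOCKER_PASSWORD: ${{ secrets.DOCKER_PASSWORD }}
        run: |
          # Fail fast on any error, unset variable or failing pipeline stage
          # (the default runner shell only sets -e).
          set -euo pipefail

          # Log in without putting the password on the command line, where it
          # would be visible in the process list and in shell traces.
          printf '%s\n' "$DOCKER_PASSWORD" | docker login -u "$DOCKER_LOGIN" --password-stdin

          # NOTE(review): the installer is fetched unpinned from the main branch
          # of scout-cli and piped straight into sh; pin it to a tagged release
          # and verify its checksum so an upstream change cannot silently alter
          # what runs here.
          curl -sSfL https://raw.githubusercontent.com/docker/scout-cli/main/install.sh | sh -s --

          # Collect CVEs from every matching image reference under apps/, one
          # SARIF file per image name. The tag is dropped from the file name,
          # so two references that differ only by tag share a file (last wins).
          mkdir -p cves
          grep -roh -e "ghcr\.io\/networkservicemesh\/ci\/.*:.*" apps | while read -r image; do
            filename=${image##*/}      # drop registry and path, keep name:tag
            filename=${filename%%:*}   # drop the tag
            out="cves/$filename.json"
            docker scout cves "$image" --format sarif --output "$out"
            # Point every result location at the image and keep only the first
            # location per result (the others carry nothing useful). Rewritten
            # through a temp file: passing the JSON through an unquoted
            # `echo $(jq ...)` would word-split it and glob-expand any '*'.
            jq --arg img "$image" \
              '.runs[].results[].locations[].physicalLocation.artifactLocation.uri = $img
               | .runs[0].results[].locations |= [.[0]]' \
              "$out" > "$out.tmp" && mv "$out.tmp" "$out"
          done

          # Merge all per-image files into one SARIF document: the first file
          # is `.`, the remaining ones arrive through `inputs`. Results are
          # concatenated, then the rule tables are unioned and deduplicated
          # by rule id.
          jq '.runs[].results += [inputs.runs[].results[]]' cves/*.json > temp.json
          jq '.runs[].tool.driver.rules += [inputs.runs[].tool.driver.rules[]]
              | .runs[].tool.driver.rules |= unique_by(.id)' temp.json cves/*.json > results.json

      - name: Upload CVEs
        uses: github/codeql-action/upload-sarif@v2
        with:
          sarif_file: results.json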