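---
# Nightly CVE scan of every ghcr.io/networkservicemesh/ci image referenced under
# the apps folder. Docker Scout writes one SARIF report per image; the reports are
# merged into a single file and uploaded to the repository's code-scanning view.
name: Check CVEs

on:
  schedule:
    # Daily at 00:00 (UTC)
    - cron: '0 0 * * *'

# Least privilege for GITHUB_TOKEN: checkout needs contents:read, the SARIF upload
# needs security-events:write (actions:read is only needed in private repositories).
permissions:
  contents: read
  security-events: write
  actions: read

env:
  GH_TOKEN: ${{ github.token }}

jobs:
  check-images:
    name: Check & Upload CVEs
    runs-on: ubuntu-latest
    steps:
      - name: Check out the code
        # TODO(review): consider pinning third-party actions to a commit SHA rather than a tag.
        uses: actions/checkout@v4

      - name: Setup jq
        uses: dcarbone/install-jq-action@v2.1.0
        with:
          # jq 1.7 is required for the `.runs.[]` path syntax used in the scan step.
          version: '1.7'
          force: true

      - name: Check CVEs
        # Explicit bash gives `-o pipefail`, so a failing curl/grep/docker inside a
        # pipeline fails the step instead of being silently ignored.
        shell: bash
        env:
          # Credentials are passed through the environment so they never appear on a
          # command line (process list, shell trace) of the runner.
          DOCKER_LOGIN: ${{ secrets.DOCKER_LOGIN }}
          DOCKER_PASSWORD: ${{ secrets.DOCKER_PASSWORD }}
        run: |
          set -euo pipefail

          # login: the password is read from stdin instead of being an argument
          printf '%s' "$DOCKER_PASSWORD" | docker login -u "$DOCKER_LOGIN" --password-stdin

          # install docker scout
          # NOTE(review): this fetches and runs an unpinned script from the default branch;
          # pinning a release and verifying its checksum would make the job reproducible.
          curl -sSfL https://raw.githubusercontent.com/docker/scout-cli/main/install.sh | sh -s --

          # collect CVEs from all images in apps folder
          mkdir -p cves
          # Each distinct image reference is scanned once. If no reference is found,
          # grep exits 1 and (via pipefail) the step fails: there is nothing to scan.
          # NOTE(review): `.*:.*` is greedy and keeps anything that follows the tag on the
          # same line; tighten the pattern if image references are ever followed by text.
          grep -roh -e "ghcr\.io\/networkservicemesh\/ci\/.*:.*" apps | sort -u | while read -r image ; do
            # The report name keeps the tag so two tags of one image do not overwrite each other.
            filename=$(basename "$image" | tr ':' '_')
            report="cves/${filename}.json"
            docker scout cves "$image" --format sarif --output "$report"
            # Point every result at the image it came from and keep only that first location
            # (the others are useless anyway). The rewrite goes through a temp file instead of
            # `echo $(jq ...)` so the JSON is never word-split or glob-expanded by the shell.
            jq --arg img "$image" \
              '.runs.[].results.[].locations.[].physicalLocation.artifactLocation.uri = $img
               | .runs[0].results.[].locations |= [.[0]]' \
              "$report" > "$report.tmp"
            mv "$report.tmp" "$report"
          done

          # merge all files with CVEs
          shopt -s nullglob
          files=(cves/*.json)
          if [ "${#files[@]}" -eq 0 ]; then
            echo "no CVE reports were produced under cves/" >&2
            exit 1
          fi
          # Results of every report are appended to the first one ...
          jq '.runs.[].results += [inputs.runs.[].results.[]]' "${files[@]}" > temp.json
          # ... and the rule catalogue is unioned over all reports and de-duplicated by rule id.
          jq '.runs.[].tool.driver.rules += [inputs.runs.[].tool.driver.rules.[]] | .runs.[].tool.driver.rules |= unique_by(.id)' temp.json "${files[@]}" > results.json

      - name: Upload CVEs
        # codeql-action v2 is deprecated (Node 16 runtime); v3 is the supported line.
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: results.json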