Set Trivy container image scan to output to Code Scanning

simao-silva · Nov 7, 2023 · 0c614b0 · 0c614b0
1 parent 339fe4f
commit 0c614b0
Show file tree

Hide file tree

Showing 5 changed files with 85 additions and 37 deletions.
diff --git a/.github/workflows/docker-build-alpine.yml b/.github/workflows/docker-build-alpine.yml
@@ -18,12 +18,6 @@ jobs:
   build_alpine:
     runs-on: ubuntu-latest
     steps:
-      - name: Set up QEMU
-        uses: docker/setup-qemu-action@v3.0.0
-
-      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3.0.0
-
       - name: Checkout
         uses: actions/checkout@v4.1.1
 
@@ -46,13 +40,30 @@ jobs:
         uses: aquasecurity/trivy-action@master
         with:
           image-ref: ${{ env.IMAGE_NAME }}:test-alpine
-          format: "table"
+          format: "sarif"
+          output: "trivy-alpine-image-scan.sarif"
           exit-code: "1"
           ignore-unfixed: true
           vuln-type: "os,library"
           severity: "MEDIUM,HIGH,CRITICAL"
           skip-files: "/usr/bin/geckodriver,/usr/local/bin/geckodriver"
 
+      - name: Upload Trivy scan results to GitHub Security
+        uses: github/codeql-action/upload-sarif@v2
+        if: always()
+        with:
+          # Path to SARIF file relative to the root of the repository
+          sarif_file: trivy-alpine-image-scan.sarif
+          # Optional category for the results
+          # Used to differentiate multiple results for one commit
+          category: alpine-image-scan
+
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v3.0.0
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3.0.0
+
       - name: Login to DockerHub
         uses: docker/login-action@v3.0.0
         with:

diff --git a/.github/workflows/docker-build-debian.yml b/.github/workflows/docker-build-debian.yml
@@ -19,12 +19,6 @@ jobs:
   build_debian:
     runs-on: ubuntu-latest
     steps:
-      - name: Set up QEMU
-        uses: docker/setup-qemu-action@v3.0.0
-
-      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3.0.0
-
       - name: Checkout
         uses: actions/checkout@v4.1.1
 
@@ -48,12 +42,29 @@ jobs:
         uses: aquasecurity/trivy-action@master
         with:
           image-ref: ${{ env.IMAGE_NAME }}:test-debian
-          format: "table"
+          format: "sarif"
+          output: "trivy-debian-image-scan.sarif"
           exit-code: "1"
           ignore-unfixed: true
           vuln-type: "os,library"
           severity: "MEDIUM,CRITICAL,HIGH"
 
+      - name: Upload Trivy scan results to GitHub Security
+        uses: github/codeql-action/upload-sarif@v2
+        if: always()
+        with:
+          # Path to SARIF file relative to the root of the repository
+          sarif_file: trivy-debian-image-scan.sarif
+          # Optional category for the results
+          # Used to differentiate multiple results for one commit
+          category: debian-image-scan
+
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v3.0.0
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3.0.0
+
       - name: Login to DockerHub
         uses: docker/login-action@v3.0.0
         with:

diff --git a/.github/workflows/isort.yml b/.github/workflows/isort.yml
@@ -1,7 +1,9 @@
 name: Isort
 
 on:
-  - push
+  push:
+    paths:
+      - renew.py
 
 jobs:
   isort:

diff --git a/.github/workflows/pr-alpine.yml b/.github/workflows/pr-alpine.yml
@@ -4,13 +4,25 @@ on:
   push:
     branches-ignore:
       - "master"
+    paths:
+      - Dockerfile
+      - renew*.py
+      - requirements.txt
+      - .github/workflows/pr-alpine.yml
 
 env:
   IMAGE_NAME: "simaofsilva/noip-renewer"
   PIP_VERSION: "23.3.1" # renovate: datasource=pypi depName=pip versioning=pep440
 
+permissions:
+  contents: read
+
 jobs:
   build_alpine:
+    permissions:
+      contents: read # for actions/checkout to fetch code
+      security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
+      actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
     runs-on: ubuntu-latest
     steps:
       - name: Set up QEMU
@@ -37,20 +49,20 @@ jobs:
         uses: aquasecurity/trivy-action@master
         with:
           image-ref: ${{ env.IMAGE_NAME }}:test-alpine
-          format: "table"
+          format: "sarif"
+          output: "trivy-alpine-image-scan.sarif"
           exit-code: "1"
           ignore-unfixed: true
           vuln-type: "os,library"
           severity: "MEDIUM,HIGH,CRITICAL"
           skip-files: "/usr/bin/geckodriver,/usr/local/bin/geckodriver"
 
-      # On hold until https://github.com/aquasecurity/trivy-action/issues/228 is fixed
-      # - name: Upload Trivy scan results to GitHub Security
-      #   uses: github/codeql-action/upload-sarif@v2
-      #   if: always()
-      #   with:
-      #     # Path to SARIF file relative to the root of the repository
-      #     sarif_file: trivy-alpine-image-scan.sarif
-      #     # Optional category for the results
-      #     # Used to differentiate multiple results for one commit
-      #     category: alpine-image-scan
+      - name: Upload Trivy scan results to GitHub Security
+        uses: github/codeql-action/upload-sarif@v2
+        if: always()
+        with:
+          # Path to SARIF file relative to the root of the repository
+          sarif_file: trivy-alpine-image-scan.sarif
+          # Optional category for the results
+          # Used to differentiate multiple results for one commit
+          category: alpine-image-scan
diff --git a/.github/workflows/pr-debian.yml b/.github/workflows/pr-debian.yml
@@ -4,14 +4,26 @@ on:
   push:
     branches-ignore:
       - "master"
+    paths:
+      - Dockerfile.debian
+      - renew*.py
+      - requirements.txt
+      - .github/workflows/pr-debian.yml
 
 env:
   IMAGE_NAME: "simaofsilva/noip-renewer"
   PIP_VERSION: "23.3.1" # renovate: datasource=pypi depName=pip versioning=pep440
   GECKODRIVER_VERSION: "0.33.0" # renovate: datasource=github-tags depName=mozilla/geckodriver
 
+permissions:
+  contents: read
+
 jobs:
   build_debian:
+    permissions:
+      contents: read # for actions/checkout to fetch code
+      security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
+      actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
     runs-on: ubuntu-latest
     steps:
       - name: Set up QEMU
@@ -39,19 +51,19 @@ jobs:
         uses: aquasecurity/trivy-action@master
         with:
           image-ref: ${{ env.IMAGE_NAME }}:test-debian
-          format: "table"
+          format: "sarif"
+          output: "trivy-debian-image-scan.sarif"
           exit-code: "1"
           ignore-unfixed: true
           vuln-type: "os,library"
           severity: "MEDIUM,CRITICAL,HIGH"
 
-      # On hold until https://github.com/aquasecurity/trivy-action/issues/228 is fixed
-      # - name: Upload Trivy scan results to GitHub Security
-      #   uses: github/codeql-action/upload-sarif@v2
-      #   if: always()
-      #   with:
-      #     # Path to SARIF file relative to the root of the repository
-      #     sarif_file: trivy-debian-image-scan.sarif
-      #     # Optional category for the results
-      #     # Used to differentiate multiple results for one commit
-      #     category: debian-image-scan
+      - name: Upload Trivy scan results to GitHub Security
+        uses: github/codeql-action/upload-sarif@v2
+        if: always()
+        with:
+          # Path to SARIF file relative to the root of the repository
+          sarif_file: trivy-debian-image-scan.sarif
+          # Optional category for the results
+          # Used to differentiate multiple results for one commit
+          category: debian-image-scan