From 0c614b0b6cefa7f3db5d649c019a8ffa48e54893 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Sim=C3=A3o=20Silva?= Date: Tue, 7 Nov 2023 21:02:02 +0000 Subject: [PATCH] Set Trivy container image scan to output to Code Scanning --- .github/workflows/docker-build-alpine.yml | 25 ++++++++++++----- .github/workflows/docker-build-debian.yml | 25 ++++++++++++----- .github/workflows/isort.yml | 4 ++- .github/workflows/pr-alpine.yml | 34 +++++++++++++++-------- .github/workflows/pr-debian.yml | 34 +++++++++++++++-------- 5 files changed, 85 insertions(+), 37 deletions(-)
diff --git a/.github/workflows/docker-build-alpine.yml b/.github/workflows/docker-build-alpine.yml
index a5b60997..8b72966b 100644
--- a/.github/workflows/docker-build-alpine.yml
+++ b/.github/workflows/docker-build-alpine.yml
@@ -18,12 +18,6 @@ jobs: build_alpine: runs-on: ubuntu-latest steps: - - name: Set up QEMU - uses: docker/setup-qemu-action@v3.0.0 - - - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3.0.0 - - name: Checkout uses: actions/checkout@v4.1.1
@@ -46,13 +40,30 @@ jobs: uses: aquasecurity/trivy-action@master with: image-ref: ${{ env.IMAGE_NAME }}:test-alpine - format: "table" + format: "sarif" + output: "trivy-alpine-image-scan.sarif" exit-code: "1" ignore-unfixed: true vuln-type: "os,library" severity: "MEDIUM,HIGH,CRITICAL" skip-files: "/usr/bin/geckodriver,/usr/local/bin/geckodriver" + - name: Upload Trivy scan results to GitHub Security + uses: github/codeql-action/upload-sarif@v2 + if: always() + with: + # Path to SARIF file relative to the root of the repository + sarif_file: trivy-alpine-image-scan.sarif + # Optional category for the results + # Used to differentiate multiple results for one commit + category: alpine-image-scan + + - name: Set up QEMU + uses: docker/setup-qemu-action@v3.0.0 + + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@v3.0.0 + - name: Login to DockerHub uses: docker/login-action@v3.0.0 with: 
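Review bot: The upload-sarif step added in the `@@ -46,13 +40,30 @@` hunk needs the job token to carry `security-events: write`, but the context at the top of this file's first hunk goes straight from `build_alpine:` to `runs-on: ubuntu-latest` and no `permissions:` block is added here, unlike the pr-alpine.yml and pr-debian.yml hunks in this same commit. Unless a workflow-level `permissions:` grant exists above line 18 (not visible in the hunk), the upload is expected to fail on a repository whose default GITHUB_TOKEN is read-only, so the scan results would never reach Code Scanning even though the step is `if: always()`. Mirror pr-alpine.yml by adding to the job `permissions:` / `contents: read` / `security-events: write` (with `actions: read` only if the repository is private). The same gap applies to the docker-build-debian.yml hunk at `@@ -48,12 +42,29 @@`.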
diff --git a/.github/workflows/docker-build-debian.yml b/.github/workflows/docker-build-debian.yml
index 4ba40e95..1c70eae0 100644
--- a/.github/workflows/docker-build-debian.yml
+++ b/.github/workflows/docker-build-debian.yml
@@ -19,12 +19,6 @@ jobs: build_debian: runs-on: ubuntu-latest steps: - - name: Set up QEMU - uses: docker/setup-qemu-action@v3.0.0 - - - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3.0.0 - - name: Checkout uses: actions/checkout@v4.1.1
@@ -48,12 +42,29 @@ jobs: uses: aquasecurity/trivy-action@master with: image-ref: ${{ env.IMAGE_NAME }}:test-debian - format: "table" + format: "sarif" + output: "trivy-debian-image-scan.sarif" exit-code: "1" ignore-unfixed: true vuln-type: "os,library" severity: "MEDIUM,CRITICAL,HIGH" + - name: Upload Trivy scan results to GitHub Security + uses: github/codeql-action/upload-sarif@v2 + if: always() + with: + # Path to SARIF file relative to the root of the repository + sarif_file: trivy-debian-image-scan.sarif + # Optional category for the results + # Used to differentiate multiple results for one commit + category: debian-image-scan + + - name: Set up QEMU + uses: docker/setup-qemu-action@v3.0.0 + + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@v3.0.0 + - name: Login to DockerHub uses: docker/login-action@v3.0.0 with:
diff --git a/.github/workflows/isort.yml b/.github/workflows/isort.yml
index 45cb9d31..f9327c41 100644
--- a/.github/workflows/isort.yml
+++ b/.github/workflows/isort.yml
@@ -1,7 +1,9 @@ name: Isort on: - - push + push: + paths: + - renew.py jobs: isort:
diff --git a/.github/workflows/pr-alpine.yml b/.github/workflows/pr-alpine.yml
index a946cee1..c6a79f67 100644
--- a/.github/workflows/pr-alpine.yml
+++ b/.github/workflows/pr-alpine.yml 
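Review bot: The new `paths:` filter in the isort.yml hunk at `@@ -1,7 +1,9 @@` narrows the workflow to the single file `renew.py`, while the pr-alpine.yml and pr-debian.yml hunks in this same commit filter on `renew*.py`, which suggests more than one such module exists; any sibling matched by that glob would no longer be import-sorted on push. Consider `- renew*.py` here as well, and listing `- .github/workflows/isort.yml` so that edits to the workflow itself re-run it, as the other two workflows do. The `jobs:` block that follows the filter continues outside the hunk.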
@@ -4,13 +4,25 @@ on: push: branches-ignore: - "master" + paths: + - Dockerfile + - renew*.py + - requirements.txt + - .github/workflows/pr-alpine.yml env: IMAGE_NAME: "simaofsilva/noip-renewer" PIP_VERSION: "23.3.1" # renovate: datasource=pypi depName=pip versioning=pep440 +permissions: + contents: read + jobs: build_alpine: + permissions: + contents: read # for actions/checkout to fetch code + security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status runs-on: ubuntu-latest steps: - name: Set up QEMU
@@ -37,20 +49,20 @@ jobs: uses: aquasecurity/trivy-action@master with: image-ref: ${{ env.IMAGE_NAME }}:test-alpine - format: "table" + format: "sarif" + output: "trivy-alpine-image-scan.sarif" exit-code: "1" ignore-unfixed: true vuln-type: "os,library" severity: "MEDIUM,HIGH,CRITICAL" skip-files: "/usr/bin/geckodriver,/usr/local/bin/geckodriver" - # On hold until https://github.com/aquasecurity/trivy-action/issues/228 is fixed - # - name: Upload Trivy scan results to GitHub Security - # uses: github/codeql-action/upload-sarif@v2 - # if: always() - # with: - # # Path to SARIF file relative to the root of the repository - # sarif_file: trivy-alpine-image-scan.sarif - # # Optional category for the results - # # Used to differentiate multiple results for one commit - # category: alpine-image-scan + - name: Upload Trivy scan results to GitHub Security + uses: github/codeql-action/upload-sarif@v2 + if: always() + with: + # Path to SARIF file relative to the root of the repository + sarif_file: trivy-alpine-image-scan.sarif + # Optional category for the results + # Used to differentiate multiple results for one commit + category: alpine-image-scan
diff --git a/.github/workflows/pr-debian.yml b/.github/workflows/pr-debian.yml
index 31abb953..de8c32a5 100644
--- a/.github/workflows/pr-debian.yml 
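Review bot: With the `paths:` filter added in `@@ -4,13 +4,25 @@` the Trivy scan in this workflow runs only when the Dockerfile, `renew*.py`, requirements.txt or the workflow file change, so advisories published after the last build against an otherwise unchanged image are not re-scanned on other pushes to a branch. If no `schedule:` trigger or other recurring scan covers that drift (none is visible in this patch), consider adding a scheduled run so the gate is not purely change-driven. The permissions split, workflow-level `contents: read` with job-level `security-events: write`, is the right least-privilege shape and could usefully be repeated in the docker-build-*.yml workflows. The same filter is added to pr-debian.yml at `@@ -4,14 +4,26 @@`.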
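Review bot: The `category: alpine-image-scan` in the upload step at `@@ -37,20 +49,20 @@` is the same category used by docker-build-alpine.yml in this commit; GitHub treats a later SARIF upload with the same category for the same commit and ref as replacing the earlier one, so if both workflows can run for one commit the results would overwrite each other rather than appear side by side. If that overlap is possible, give this workflow its own value, e.g. `category: pr-alpine-image-scan`; the same holds for `debian-image-scan` in pr-debian.yml at `@@ -39,19 +51,19 @@`. As a point of style, `sarif_file: trivy-alpine-image-scan.sarif` is unquoted while the matching `output:` on the Trivy step is quoted; quoting both keeps the file consistent. `aquasecurity/trivy-action@master` remains a floating branch ref feeding Code Scanning data (pre-existing, not introduced here), which is worth pinning to a tagged release when the referenced upstream issue is resolved.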
+++ b/.github/workflows/pr-debian.yml
@@ -4,14 +4,26 @@ on: push: branches-ignore: - "master" + paths: + - Dockerfile.debian + - renew*.py + - requirements.txt + - .github/workflows/pr-debian.yml env: IMAGE_NAME: "simaofsilva/noip-renewer" PIP_VERSION: "23.3.1" # renovate: datasource=pypi depName=pip versioning=pep440 GECKODRIVER_VERSION: "0.33.0" # renovate: datasource=github-tags depName=mozilla/geckodriver +permissions: + contents: read + jobs: build_debian: + permissions: + contents: read # for actions/checkout to fetch code + security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status runs-on: ubuntu-latest steps: - name: Set up QEMU
@@ -39,19 +51,19 @@ jobs: uses: aquasecurity/trivy-action@master with: image-ref: ${{ env.IMAGE_NAME }}:test-debian - format: "table" + format: "sarif" + output: "trivy-debian-image-scan.sarif" exit-code: "1" ignore-unfixed: true vuln-type: "os,library" severity: "MEDIUM,CRITICAL,HIGH" - # On hold until https://github.com/aquasecurity/trivy-action/issues/228 is fixed - # - name: Upload Trivy scan results to GitHub Security - # uses: github/codeql-action/upload-sarif@v2 - # if: always() - # with: - # # Path to SARIF file relative to the root of the repository - # sarif_file: trivy-debian-image-scan.sarif - # # Optional category for the results - # # Used to differentiate multiple results for one commit - # category: debian-image-scan + - name: Upload Trivy scan results to GitHub Security + uses: github/codeql-action/upload-sarif@v2 + if: always() + with: + # Path to SARIF file relative to the root of the repository + sarif_file: trivy-debian-image-scan.sarif + # Optional category for the results + # Used to differentiate multiple results for one commit + category: debian-image-scan