feat: Add Trivy scanner to the pipeline

hubert.siwik · hubert.siwik · commit 5bdbf7ba53a6 · 2024-10-16T08:10:52.000+02:00
diff --git a/.github/workflows/cron.yaml b/.github/workflows/cron.yaml
@@ -0,0 +1,35 @@
+# In your scan workflow, set TRIVY_SKIP_DB_UPDATE=true.
+name: Update the trivy cache
+
+on:
+  schedule:
+    - cron: '0 0 * * *'  # Run daily at midnight UTC
+  workflow_dispatch:  # Allow manual triggering
+
+jobs:
+  update-trivy-db:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Get current date
+        id: date
+        run: echo "date=$(date +'%Y-%m-%d')" >> $GITHUB_OUTPUT
+
+      - name: Download and extract the vulnerability DB
+        run: |
+          mkdir -p $GITHUB_WORKSPACE/.cache/trivy/db
+          oras pull ghcr.io/aquasecurity/trivy-db:2
+          tar -xzf db.tar.gz -C $GITHUB_WORKSPACE/.cache/trivy/db
+          rm db.tar.gz
+          
+      - name: Download and extract the Java DB
+        run: |
+          mkdir -p $GITHUB_WORKSPACE/.cache/trivy/java-db
+          oras pull ghcr.io/aquasecurity/trivy-java-db:1
+          tar -xzf javadb.tar.gz -C $GITHUB_WORKSPACE/.cache/trivy/java-db
+          rm javadb.tar.gz          
+
+      - name: Cache DBs
+        uses: actions/cache/save@v4
+        with:
+          path: ${{ github.workspace }}/.cache/trivy
+          key: cache-trivy-${{ steps.date.outputs.date }}
diff --git a/.github/workflows/verifyimage.yml b/.github/workflows/verifyimage.yml
@@ -14,6 +14,7 @@ jobs:
     runs-on: ubuntu-latest
     outputs:
       targets: ${{ steps.generate.outputs.targets }}
+      repo: ${{ steps.metadata.outputs.repo }}
     steps:
       - name: Checkout
         uses: actions/checkout@v4
@@ -25,6 +26,10 @@ jobs:
           curl -sSL https://raw.githubusercontent.com/owasp-modsecurity/ModSecurity/v3/master/modsecurity.conf-recommended -o modsecurity.conf-recommended
           echo '${{ env.MODSECURITY_RECOMMENDED }}' > sha256sum.txt
           sha256sum -c sha256sum.txt
+      # The environment variable is not accessible in the context of "with" section
+      - name: Set a repo output
+        id: metadata
+        run: echo "repo=${REPO}" >> "$GITHUB_OUTPUT"
 
   build:
     runs-on: ubuntu-latest
@@ -60,6 +65,20 @@ jobs:
           load: true
           push: false
 
+      - name: Scan ${{ matrix.target }}
+        uses: aquasecurity/trivy-action@0.27.0
+        with:
+          image-ref: ${{ needs.prepare.outputs.repo }}:${{ matrix.target }}
+          format: 'table'
+          exit-code: '1'
+          ignore-unfixed: true
+          vuln-type: 'os,library'
+          severity: 'CRITICAL,HIGH'
+          scanners: 'vuln,secret'
+        env:
+          TRIVY_SKIP_DB_UPDATE: true
+#          TRIVY_SKIP_JAVA_DB_UPDATE: true
+
       - name: Run ${{ matrix.target }}
         run: |
           echo "Starting container ${{ matrix.target }}"
