@@ -2,128 +2,21 @@ name: Docker Publish (Security Updates)
22
33on :
44 workflow_dispatch :
5- inputs :
6- force_build :
7- description : ' Force build even if no vulnerabilities found'
8- type : boolean
9- default : false
10- skip_scan :
11- description : ' Skip vulnerability scanning (for testing)'
12- type : boolean
13- default : false
145 schedule :
156 - cron : ' 0 0 * * *' # Daily at midnight UTC
167
17- permissions :
18- contents : write
19- packages : write
20-
218jobs :
229 scan-vulnerabilities :
2310 runs-on : ubuntu-24.04
2411 outputs :
2512 has_vulnerabilities : ${{ steps.parse.outputs.has_vulnerabilities || inputs.force_build }}
2613 steps :
27- # Single scan for both vulnerabilities and dependencies
28- - id : scan
29- if : inputs.skip_scan != true
30- uses : aquasecurity/trivy-action@0.29.0
14+ - uses : aquasecurity/trivy-action@0.29.0
3115 with :
3216 image-ref : ' ghcr.io/serversideup/docker-ssh'
33- format : ' json'
34- output : ' trivy-results.json'
17+ format : ' table'
3518 github-pat : ${{ secrets.GITHUB_TOKEN }}
3619 ignore-unfixed : true
20+ exit-code : 1
3721 severity : ' CRITICAL,HIGH'
38- hide-progress : true
39-
40- - name : Upload trivy report as a Github artifact
41- uses : actions/upload-artifact@v4
42- with :
43- name : trivy-results-json
44- path : ' ${{ github.workspace }}/trivy-results.json'
45- retention-days : 20
46-
47- # Parse results and create advisory if needed
48- - if : inputs.skip_scan != true
49- id : parse
50- env :
51- GH_TOKEN : ${{ secrets.GHA_SECURITY_ADVISORY_PAT }}
52- shell : bash
53- run : |
54- if [ -f trivy-results.json ]; then
55- # Count both vulnerabilities and secrets
56- VULN_COUNT=$(jq -r '[.Results[] | (.Vulnerabilities, .Secrets) | select(. != null) | length] | add // 0' trivy-results.json)
57-
58- echo "Found ${VULN_COUNT} security findings"
59-
60- if [ "${VULN_COUNT:-0}" -gt 0 ]; then
61- echo "has_vulnerabilities=true" >> "$GITHUB_OUTPUT"
62- CURRENT_DATE=$(date +%Y-%m-%d)
63-
64- # Create step summary and advisory content
65- echo "# Security Findings Found" >> $GITHUB_STEP_SUMMARY
66-
67- SUMMARY="## Security Scan Results ($CURRENT_DATE)\n\n### Summary\n- Total Findings: ${VULN_COUNT}"
68-
69- # Handle OS/Package Vulnerabilities
70- if jq -e '.Results[] | select(.Vulnerabilities != null)' trivy-results.json > /dev/null; then
71- echo "## Package Vulnerabilities" >> $GITHUB_STEP_SUMMARY
72- echo "| Severity | Package | Installed Version | Fixed Version | Vulnerability ID |" >> $GITHUB_STEP_SUMMARY
73- echo "|----------|---------|-------------------|---------------|-----------------|" >> $GITHUB_STEP_SUMMARY
74- jq -r '.Results[] | select(.Vulnerabilities != null) | .Vulnerabilities[] | "| \(.Severity) | \(.PkgName) | \(.InstalledVersion) | \(.FixedVersion) | \(.VulnerabilityID) |"' trivy-results.json >> $GITHUB_STEP_SUMMARY
75-
76- VULNS_SECTION=$(jq -r '.Results[] | select(.Vulnerabilities != null) | .Vulnerabilities[] | "### Vulnerability: \(.VulnerabilityID)\n- Package: \(.PkgName)\n- Severity: \(.Severity)\n- Current Version: \(.InstalledVersion)\n- Fixed Version: \(.FixedVersion)\n"' trivy-results.json)
77- fi
78-
79- # Handle Secrets
80- if jq -e '.Results[] | select(.Secrets != null)' trivy-results.json > /dev/null; then
81- echo "## Secrets" >> $GITHUB_STEP_SUMMARY
82- echo "| Severity | Category | Title | Target | Rule ID |" >> $GITHUB_STEP_SUMMARY
83- echo "|----------|-----------|--------|---------|----------|" >> $GITHUB_STEP_SUMMARY
84- jq -r '.Results[] | select(.Secrets != null) | .Secrets[] | "| \(.Severity) | \(.Category) | \(.Title) | \(.Target) | \(.RuleID) |"' trivy-results.json >> $GITHUB_STEP_SUMMARY
85-
86- SECRETS_SECTION=$(jq -r '.Results[] | select(.Secrets != null) | .Secrets[] | "### Secret Finding: \(.Title)\n- Severity: \(.Severity)\n- Category: \(.Category)\n- Location: \(.Target)\n- Rule ID: \(.RuleID)\n"' trivy-results.json)
87- fi
88-
89- # Create the security advisory
90- FULL_DESCRIPTION="${SUMMARY}\n\n${SECRETS_SECTION}\n${VULNS_SECTION}"
91-
92- gh api \
93- --method POST \
94- /repos/${{ github.repository }}/security-advisories \
95- -f summary="🚨 Security Scan Report ($CURRENT_DATE): Found ${VULN_COUNT} findings" \
96- -f description="${FULL_DESCRIPTION}" \
97- -f severity="critical"
98-
99- echo "::notice::Found ${VULN_COUNT} security findings that need to be addressed."
100- else
101- echo "has_vulnerabilities=false" >> "$GITHUB_OUTPUT"
102- echo "No security findings found." >> $GITHUB_STEP_SUMMARY
103- fi
104- else
105- echo "has_vulnerabilities=false" >> "$GITHUB_OUTPUT"
106- echo "::error::trivy-results.json not found"
107- exit 1
108- fi
109-
110- get-latest-release :
111- runs-on : ubuntu-24.04
112- outputs :
113- release_version : ${{ steps.get-version.outputs.release_version }}
114- steps :
115- - name : Get Latest Release
116- id : get-version
117- run : |
118- LATEST_RELEASE=$(curl -s https://api.github.com/repos/${{ github.repository }}/releases/latest | jq -r .tag_name)
119- echo "release_version=${LATEST_RELEASE}" >> "$GITHUB_OUTPUT"
120-
121- build-security-updates :
122- needs : [scan-vulnerabilities, get-latest-release]
123- if : needs.scan-vulnerabilities.outputs.has_vulnerabilities == 'true' || inputs.force_build == true
124- uses : ./.github/workflows/service_docker-build-and-publish.yml
125- secrets : inherit
126- with :
127- release_type : ' security'
128- ref_type : ' tag'
129- version : " ${{ needs.get-latest-release.outputs.release_version }}"
22+ hide-progress : true
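Review bot: The `has_vulnerabilities` job output on the context line above `steps:` still reads `${{ steps.parse.outputs.has_vulnerabilities || inputs.force_build }}`, but this hunk deletes both the `parse` step and the `force_build` input, so the expression now always evaluates to empty, and nothing consumes it since `build-security-updates` is gone as well; drop the `outputs:` block or point it at the trivy step's outcome. The top-level `permissions:` block is removed without a replacement, so the job falls back to the repository's default `GITHUB_TOKEN` grant, which can still be read-write; the remaining step only passes the token as `github-pat`, so a workflow-level `permissions:` / `  contents: read` keeps it at least privilege. The new step at line 14 has no `name:`, and the workflow title still says "Docker Publish" although the job now only fails the run on unfixed CRITICAL/HIGH findings and never builds or publishes; `- name: Scan image for unfixed CRITICAL/HIGH vulnerabilities` would make the run log and the title match. Pinning `aquasecurity/trivy-action@0.29.0` to a full commit SHA rather than a mutable tag would additionally harden the supply chain, since whatever the tag resolves to runs with the token.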