From 2f9b0265342bd6b57c8f38ed05ef1cff2167d2de Mon Sep 17 00:00:00 2001 From: Benjamin Nelson Date: Wed, 22 May 2024 19:42:19 -0500 Subject: [PATCH] Upload trivy results to Github (#755) * Upload trivy results to Github * change format of trivy results * add category to sarif upload * Add scheduled job and revert pr scan changes --- .github/workflows/trivy.yml | 2 +- .github/workflows/trivy_scheduled_master.yml | 166 +++++++++++++++++++ 2 files changed, 167 insertions(+), 1 deletion(-) create mode 100644 .github/workflows/trivy_scheduled_master.yml diff --git a/.github/workflows/trivy.yml b/.github/workflows/trivy.yml index 40c4ba6f..58ff9c58 100644 --- a/.github/workflows/trivy.yml +++ b/.github/workflows/trivy.yml @@ -119,4 +119,4 @@ jobs: with: image-ref: 'pulsar-functions-pulsarctl-go-runner:latest' format: 'table' - exit-code: '0' + exit-code: '0' \ No newline at end of file diff --git a/.github/workflows/trivy_scheduled_master.yml b/.github/workflows/trivy_scheduled_master.yml new file mode 100644 index 00000000..284e23a4 --- /dev/null +++ b/.github/workflows/trivy_scheduled_master.yml @@ -0,0 +1,166 @@ +name: Scheduled master branch scan security vulnerabilities +on: + pull_request: + branches: + - 'master' + paths-ignore: + - 'docs/**' + - 'README.md' + - 'CHANGELOG.md' + - 'PROJECT' + - 'LICENSE' + - 'mesh-worker-service/README.md' + - 'tools/README.md' + schedule: + - cron: '0 0 * * *' + +permissions: + pull-requests: write + issues: write + # For Trivy uploads to Github Security tab + # required for all workflows + security-events: write + # only required for workflows in private repositories + actions: read + contents: read + +jobs: + build: + name: Scan + permissions: + pull-requests: write + issues: write + runs-on: ubuntu-latest + steps: + - name: Checkout + uses: actions/checkout@v3 + with: + fetch-depth: 0 + repository: ${{github.event.pull_request.head.repo.full_name}} + ref: ${{ github.event.pull_request.head.sha }} + + - name: Set up GO 1.22.3 + uses: actions/setup-go@v1 + with: + go-version: 1.22.3 + id: go + + - name: InstallKubebuilder + run: | + curl -L https://github.com/kubernetes-sigs/kubebuilder/releases/download/v2.3.1/kubebuilder_2.3.1_linux_amd64.tar.gz | tar -xz -C /tmp/ + sudo mv /tmp/kubebuilder_2.3.1_linux_amd64 /usr/local/kubebuilder + export PATH=$PATH:/usr/local/kubebuilder/bin + + - name: Install operator-sdk + run: | + RELEASE_VERSION=v1.14.0 + curl -LO "https://github.com/operator-framework/operator-sdk/releases/download/${RELEASE_VERSION}/operator-sdk_linux_amd64" + chmod +x operator-sdk_linux_amd64 && sudo mkdir -p /usr/local/bin/ && sudo mv operator-sdk_linux_amd64 /usr/local/bin/operator-sdk + + - name: Set up yq + run: | + sudo wget https://github.com/mikefarah/yq/releases/download/v4.30.4/yq_linux_amd64 -O /usr/bin/yq + sudo chmod +x /usr/bin/yq + yq --help + + - name: Build operator image + run: | + make generate + make helm-crds + image="function-mesh-operator:latest" + IMG=${image} make docker-build-skip-test + + - name: Run Trivy vulnerability scanner + uses: aquasecurity/trivy-action@master + with: + image-ref: 'function-mesh-operator:latest' + format: 'table' + exit-code: '1' + + - name: Build runner images + run: | + PULSAR_IMAGE_TAG=3.2.2.6 PULSAR_IMAGE=streamnative/sn-platform KIND_PUSH=false images/build.sh + + - name: Run Trivy vulnerability scanner for java + id: scan-java-runner + uses: aquasecurity/trivy-action@master + with: + image-ref: 'pulsar-functions-java-runner:latest' + format: 'table' + exit-code: '0' + + - name: Run Trivy vulnerability scanner for python + id: scan-python-runner + uses: aquasecurity/trivy-action@master + with: + image-ref: 'pulsar-functions-python-runner:latest' + format: 'table' + exit-code: '0' + + - name: Run Trivy vulnerability scanner for go + id: scan-go-runner + uses: aquasecurity/trivy-action@master + with: + image-ref: 'pulsar-functions-go-runner:latest' + format: 'template' + template: '@/contrib/sarif.tpl' + output: 'trivy-results-go.sarif' + severity: 'LOW,MEDIUM,HIGH,CRITICAL' + exit-code: '0' + + - name: Run Trivy vulnerability scanner for java with pulsarctl + id: scan-java-pulsarctl-runner + uses: aquasecurity/trivy-action@master + with: + image-ref: 'pulsar-functions-pulsarctl-java-runner:latest' + format: 'template' + template: '@/contrib/sarif.tpl' + output: 'trivy-results.sarif' + severity: 'LOW,MEDIUM,HIGH,CRITICAL' + exit-code: '0' + + - name: Run Trivy vulnerability scanner for python with pulsarctl + id: scan-python-pulsarctl-runner + uses: aquasecurity/trivy-action@master + with: + image-ref: 'pulsar-functions-pulsarctl-python-runner:latest' + format: 'template' + template: '@/contrib/sarif.tpl' + output: 'trivy-results-python.sarif' + severity: 'LOW,MEDIUM,HIGH,CRITICAL' + exit-code: '0' + + - name: Run Trivy vulnerability scanner for go with pulsarctl + id: scan-go-pulsarctl-runner + uses: aquasecurity/trivy-action@master + with: + image-ref: 'pulsar-functions-pulsarctl-go-runner:latest' + format: 'template' + exit-code: '0' + template: '@/contrib/sarif.tpl' + output: 'trivy-results-pulsarctl.sarif' + severity: 'LOW,MEDIUM,HIGH,CRITICAL' + + - name: Upload Trivy scan results to GitHub Security tab + uses: github/codeql-action/upload-sarif@v2 + with: + sarif_file: 'trivy-results.sarif' + category: 'Default' + + - name: Upload Trivy go scan results to GitHub Security tab + uses: github/codeql-action/upload-sarif@v2 + with: + sarif_file: 'trivy-results-go.sarif' + category: 'Golang' + + - name: Upload Trivy pulsarctl scan results to GitHub Security tab + uses: github/codeql-action/upload-sarif@v2 + with: + sarif_file: 'trivy-results-pulsarctl.sarif' + category: 'Pulsarctl' + + - name: Upload Trivy python scan results to GitHub Security tab + uses: github/codeql-action/upload-sarif@v2 + with: + sarif_file: 'trivy-results-python.sarif' + category: 'Python' \ No newline at end of file