Skip to content

Trivy

Trivy #470

Workflow file for this run

---
#
# Copyright (c) 2021,2024 Contributors to the Eclipse Foundation
#
# See the NOTICE file(s) distributed with this work for additional
# information regarding copyright ownership.
#
# This program and the accompanying materials are made available under the
# terms of the Apache License, Version 2.0 which is available at
# https://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
# SPDX-License-Identifier: Apache-2.0
#
name: "Trivy"
on:
schedule:
- cron: "0 0 * * *"
workflow_dispatch:
workflow_run:
workflows: ["Build"]
branches:
- main
tags:
- 'v*.*.*'
- 'v*.*.*-*'
types:
- completed
jobs:
git-sha7:
name: Determine short git sha
runs-on: ubuntu-latest
outputs:
value: ${{ steps.git-sha7.outputs.SHA7 }}
steps:
- name: Resolve git 7-chars sha
id: git-sha7
run: |
echo "SHA7=sha-${GITHUB_SHA::7}" >> $GITHUB_OUTPUT
trivy-analyze-config:
runs-on: ubuntu-latest
permissions:
actions: read
contents: read
security-events: write
steps:
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- name: Run Trivy vulnerability scanner in repo mode
uses: aquasecurity/trivy-action@6e7b7d1fd3e4fef0c5fa8cce1229c54b2c9bd0d8 # v0.24.0
with:
scan-type: "config"
# ignore-unfixed: true
exit-code: "0"
hide-progress: false
format: "sarif"
output: "trivy-results-config.sarif"
severity: "CRITICAL,HIGH"
- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@b611370bb5703a7efb587f9d136a52ea24c5c38c # v3.25.11
if: always()
with:
sarif_file: "trivy-results-config.sarif"
trivy:
needs: [git-sha7]
permissions:
actions: read
contents: read
security-events: write
runs-on: ubuntu-latest
strategy:
# continue scanning other images although if the other has been vulnerable
fail-fast: false
matrix:
image:
- provisioning-agent
- remoting-agent
- conforming-agent
- matchmaking-agent
steps:
# Determine the right target docker repo
- name: Check github repository and set docker repo
id: set-docker-repo
run: |
echo "REGISTRY=docker.io" >> $GITHUB_OUTPUT;
echo "REPO=tractusx" >> $GITHUB_OUTPUT;
if [ "${{ github.repository }}" != "eclipse-tractusx/knowledge-agents" ];
then
echo "REGISTRY=ghcr.io" >> $GITHUB_OUTPUT
echo "REPO=ghcr.io/${{ github.repository }}" >> $GITHUB_OUTPUT
fi
exit 0
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
# Enable repository access (on main branch and version tags only)
- name: Login to GitHub Container Registry
if: ${{ ( github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/tags/v') ) }}
uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
with:
registry: ${{ steps.set-docker-repo.outputs.REGISTRY }}
# Use existing DockerHub credentials present as secrets
username: ${{ secrets.DOCKER_HUB_USER || github.actor }}
password: ${{ secrets.DOCKER_HUB_TOKEN || secrets.GITHUB_TOKEN }}
# This step will fail if the docker images is not found
- name: "Check if image exists"
id: imageCheck
run: |
docker manifest inspect ${{ steps.set-docker-repo.outputs.REPO }}/${{ matrix.image }}:${{ needs.git-sha7.outputs.value }}
continue-on-error: true
# the next two steps will only execute if the image exists check was successful
- name: Run Trivy vulnerability scanner
if: success() && steps.imageCheck.outcome != 'failure'
uses: aquasecurity/trivy-action@6e7b7d1fd3e4fef0c5fa8cce1229c54b2c9bd0d8 # v0.24.0
with:
image-ref: "${{ steps.set-docker-repo.outputs.REPO }}/${{ matrix.image }}:${{ needs.git-sha7.outputs.value }}"
format: "sarif"
output: "trivy-results-${{ matrix.image }}.sarif"
exit-code: "0"
severity: "CRITICAL,HIGH"
timeout: "10m0s"
- name: Upload Trivy scan results to GitHub Security tab
if: success() && steps.imageCheck.outcome != 'failure'
uses: github/codeql-action/upload-sarif@b611370bb5703a7efb587f9d136a52ea24c5c38c # v3.25.11
with:
sarif_file: "trivy-results-${{ matrix.image }}.sarif"