feat: add trivy image scanning (#1030)

Enable trivy image scan on PRs For now, do not fail the build if there are any vulnerabilities reported. The vulnerabilities will appear in the code scanning page in the repo security tab, and github will warn when introducing new vulnerabilities. Later, we could choose to fail on any critical vulnerabilities, as in this workflow: https://raw.githubusercontent.com/ministryofjustice/analytical-platform-ingestion-notify/refs/heads/main/.github/workflows/scan-image.yml .trivyignore.yaml can optionally be used if we want to ignore vulnerabilities until a certain date.
ministryofjustice · Nov 13, 2024 · 4bff2de · 4bff2de
1 parent 9d5b111
commit 4bff2de
Show file tree

Hide file tree

Showing 2 changed files with 52 additions and 0 deletions.
diff --git a/.github/workflows/scan-image.yml b/.github/workflows/scan-image.yml
@@ -0,0 +1,48 @@
+---
+name: Scan Image
+
+on:
+  pull_request:
+    branches:
+      - main
+
+permissions: {}
+
+jobs:
+  scan-image:
+    name: Scan Image
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      security-events: write
+    steps:
+      - name: Checkout
+        id: checkout
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+
+      - name: Build Image
+        id: build_image
+        uses: docker/build-push-action@4f58ea79222b3b9dc2c8bbdd6debcef730109a75 # v6.9.0
+        with:
+          push: false
+          load: true
+          tags: ingestion-notify
+
+      - name: Scan Image (Produce SARIF)
+        id: scan_image
+        uses: aquasecurity/trivy-action@915b19bbe73b92a6cf82a1bc12b087c9a19a5fe2 # v0.28.0
+        env:
+          TRIVY_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-db:2
+          TRIVY_JAVA_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-java-db:1
+        with:
+          image-ref: ingestion-notify
+          format: sarif
+          output: trivy-results.sarif
+          trivyignores: .trivyignore.yaml
+
+      - name: Upload SARIF
+        if: always()
+        id: upload_sarif
+        uses: github/codeql-action/upload-sarif@662472033e021d55d94146f66f6058822b0b39fd # v2.2.7
+        with:
+          sarif_file: trivy-results.sarif
diff --git a/.trivyignore.yaml b/.trivyignore.yaml
@@ -0,0 +1,4 @@
+# vulnerabilities:
+#   - id: CVE-2023-XXXXX
+#     statement: Bla bla bla
+#     expired_at: 2023-09-01