Add Docker Scout

wallarm · Feb 20, 2024 · 63248a7 · 63248a7
1 parent 4091a6f
commit 63248a7
Show file tree

Hide file tree

Showing 2 changed files with 52 additions and 19 deletions.
diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
@@ -186,21 +186,37 @@ jobs:
 
   scan:
     name: Vulnerability scanner
-    if: needs.build.outputs.release_type == 'production'
     runs-on: self-hosted-amd64-1cpu
     needs: build
     steps:
-      - name: Run Trivy vulnerability scanner
-        uses: aquasecurity/trivy-action@master
+      - name: Import secrets
+        uses: hashicorp/vault-action@9f522b85981b491eab9a52c144d15aedbd0bf371 # v2.8.0
+        id: secrets
         with:
-          image-ref: docker.io/wallarm/node:${{ github.ref_name }}
-          severity: 'CRITICAL,HIGH'
-          scanners: vuln
-          format: sarif
-          output: trivy-results.sarif
+          exportEnv: false
+          url: ${{ secrets.VAULT_URL }}
+          role: ${{ secrets.VAULT_ROLE }}
+          method: kubernetes
+          path: kubernetes-ci
+          secrets: |
+            kv-gitlab-ci/data/github/shared/dockerhub-creds user | DOCKERHUB_USER ;
+            kv-gitlab-ci/data/github/shared/dockerhub-creds password | DOCKERHUB_PASSWORD ;
+
+      - name: Docker Scout
+        uses: docker/scout-action@v1
+        with:
+          command: cves
+          image: docker.io/wallarm/node:${{ github.ref_name }}
+          to: docker.io/wallarm/node:latest
+          only-severities: critical,high
+          sarif-file: sarif.output.json
+          dockerhub-user: ${{ steps.secrets.outputs.DOCKERHUB_USER }}
+          dockerhub-password: ${{ steps.secrets.outputs.DOCKERHUB_PASSWORD }}
+
 
-      - name: Upload Trivy scan results to GitHub Security tab
+      - name: Upload scan results to GitHub Security tab
         uses: github/codeql-action/upload-sarif@v3
+        if: needs.build.outputs.release_type == 'production'
         with:
-          sarif_file: trivy-results.sarif
+          sarif_file: sarif.output.json
           token: ${{ github.token }}
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
@@ -115,6 +115,8 @@ jobs:
   scan:
     name: Vulnerability scanner
     runs-on: self-hosted-amd64-1cpu
+    permissions:
+      pull-requests: write
     needs:
       - build
     env:
@@ -125,13 +127,28 @@ jobs:
         with:
           name: node-${{ env.ARCH }}.tar
 
-      - name: Run Trivy vulnerability scanner
-        uses: aquasecurity/trivy-action@master
+      - name: Import secrets
+        uses: hashicorp/vault-action@9f522b85981b491eab9a52c144d15aedbd0bf371 # v2.8.0
+        id: secrets
+        with:
+          exportEnv: false
+          url: ${{ secrets.VAULT_URL }}
+          role: ${{ secrets.VAULT_ROLE }}
+          method: kubernetes
+          path: kubernetes-ci
+          secrets: |
+            kv-gitlab-ci/data/github/shared/dockerhub-creds user | DOCKERHUB_USER ;
+            kv-gitlab-ci/data/github/shared/dockerhub-creds password | DOCKERHUB_PASSWORD ;
+
+      - name: Docker Scout
+        uses: docker/scout-action@v1
         with:
-          input: /github/workspace/node-${{ env.ARCH }}.tar
-          severity: 'CRITICAL,HIGH'
-          format: table
-          scanners: vuln
-          hide-progress: true
-          exit-code: 1
-        continue-on-error: true
+          command: compare,cves
+          image: archive://node-${{ env.ARCH }}.tar
+          to: docker.io/wallarm/node:latest
+          ignore-unchanged: false
+          only-severities: critical,high
+          write-comment: true
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          dockerhub-user: ${{ steps.secrets.outputs.DOCKERHUB_USER }}
+          dockerhub-password: ${{ steps.secrets.outputs.DOCKERHUB_PASSWORD }}