Skip to content

feat: Add Trivy scanner to the pipeline #456

feat: Add Trivy scanner to the pipeline

feat: Add Trivy scanner to the pipeline #456

Workflow file for this run

---
name: Verify Images
on:
pull_request:
branches:
- main
env:
REPO: "owasp/modsecurity-crs"
# sha256sum format: <hash><space><format (space for text)><file name>
MODSECURITY_RECOMMENDED: "ccff8ba1f12428b34ff41960d8bf773dd9f62b9a7c77755247a027cb01896d4f modsecurity.conf-recommended"
jobs:
prepare:
runs-on: ubuntu-latest
outputs:
targets: ${{ steps.generate.outputs.targets }}
repo: ${{ steps.metadata.outputs.repo }}
steps:
- name: Checkout
uses: actions/checkout@v4
- name: List targets
id: generate
uses: docker/bake-action/subaction/list-targets@v4
- name: Check modsecurity recommended
run: |
curl -sSL https://raw.githubusercontent.com/owasp-modsecurity/ModSecurity/v3/master/modsecurity.conf-recommended -o modsecurity.conf-recommended
echo '${{ env.MODSECURITY_RECOMMENDED }}' > sha256sum.txt
sha256sum -c sha256sum.txt
# The environment variable is not accessible in the context of "with" section
- name: Set a repo output
id: metadata
run: echo "repo=${REPO}" >> "$GITHUB_OUTPUT"
build:
runs-on: ubuntu-latest
needs:
- prepare
strategy:
matrix:
target: ${{ fromJson(needs.prepare.outputs.targets) }}
steps:
- name: Checkout
uses: actions/checkout@v4
with:
fetch-depth: 1
# https://github.com/docker/setup-qemu-action
- name: Set up QEMU
uses: docker/setup-qemu-action@v3
# https://github.com/docker/setup-buildx-action
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
with:
driver-opts: image=moby/buildkit:master
- name: Build images
uses: docker/[email protected]
with:
files: |
./docker-bake.hcl
targets: ${{ matrix.target }}
set: |
*.platform=linux/amd64
load: true
push: false
- name: Scan ${{ matrix.target }}
uses: aquasecurity/[email protected]
with:
image-ref: ${{ needs.prepare.outputs.repo }}:${{ matrix.target }}
format: 'table'
exit-code: '1'
ignore-unfixed: true
vuln-type: 'os,library'
severity: 'CRITICAL,HIGH'
scanners: 'vuln,secret'
- name: Run ${{ matrix.target }}
run: |
echo "Starting container ${{ matrix.target }}"
docker run --pull "never" -d --name ${{ matrix.target }}-test "${REPO}:${{ matrix.target }}"
docker logs ${{ matrix.target }}-test
- name: Verify ${{ matrix.target }}
run: |
[ $(docker inspect ${{ matrix.target }}-test --format='{{.State.Running}}') = 'true' ]