Vulnerability Scanning #527

Workflow file for this run

	# This workflow uses actions that are not certified by GitHub.
	# They are provided by a third-party and are governed by
	# separate terms of service, privacy policy, and support
	# documentation.

	name: Vulnerability Scanning

	on:
	workflow_dispatch:
	push:
	branches: [ "main" ]
	pull_request:
	# The branches below must be a subset of the branches above
	branches: [ "main" ]
	schedule:
	- cron: '0 7 * * 1-5' # Run every weekday at 7am UTC

	permissions:
	contents: read

	jobs:
	trivy:
	strategy:
	fail-fast: false
	matrix:
	image: [
	{dockerfile: Dockerfile, name: liquibase/liquibase, suffix: ""},
	{dockerfile: Dockerfile.alpine, name: liquibase/liquibase, suffix: "-alpine"},
	]
	permissions:
	contents: read # for actions/checkout to fetch code
	security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
	actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
	name: Trivy
	runs-on: "ubuntu-22.04"
	steps:
	- name: Checkout code
	uses: actions/checkout@v4

	- name: Build ${{ matrix.image.name }}${{ matrix.image.suffix }} from Dockerfile
	run: \|
	docker build -f ${{ matrix.image.dockerfile }} -t ${{ matrix.image.name }}${{ matrix.image.suffix }}:${{ github.sha }} .

	- name: Run Trivy vulnerability scanner
	uses: aquasecurity/[email protected]
	with:
	image-ref: '${{ matrix.image.name }}${{ matrix.image.suffix }}:${{ github.sha }}'
	vuln-type: 'os,library'
	format: 'sarif'
	output: 'trivy-results.sarif'
	severity: 'HIGH,CRITICAL'
	exit-code: '1'
	limit-severities-for-sarif: true

	- name: Notify Slack on Build Failure
	if: failure()
	uses: rtCamp/action-slack-notify@v2
	env:
	SLACK_COLOR: 'failure'
	SLACK_MESSAGE: "View details on GitHub Actions: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}. Triggered by repository: ${{ github.repository }} and job: ${{ github.job }}"
	SLACK_TITLE: "❌ ${{ github.repository }} ❌ Trivy failed on branch ${{ github.ref_name }} for commit ${{ github.sha }} in repository ${{ github.repository }}"
	SLACK_USERNAME: liquibot
	SLACK_WEBHOOK: ${{ secrets.DOCKER_SLACK_WEBHOOK_URL }}
	SLACK_ICON_EMOJI: ":whale:"
	SLACK_FOOTER: "${{ github.repository }} - ${{ matrix.image.name }}${{ matrix.image.suffix }}:${{ github.sha }}"
	SLACK_LINK_NAMES: true

	- name: Upload Trivy scan results to GitHub Security tab
	if: always()
	uses: github/codeql-action/upload-sarif@v3
	with:
	sarif_file: 'trivy-results.sarif'
	category: '${{ matrix.image.name }}${{ matrix.image.suffix }}'

	- name: Generate Security Report
	if: always()
	uses: rsdmike/[email protected]
	with:
	token: ${{ secrets.GITHUB_TOKEN }}
	outputDir: ./reports/
	sarifReportDir: .

	- name: Upload Security Report
	if: always()
	uses: actions/upload-artifact@v3
	with:
	name: security-report-trivy
	path: ./reports/summary.pdf


	scout:
	strategy:
	fail-fast: false
	matrix:
	image: [
	{dockerfile: Dockerfile, name: liquibase/liquibase, suffix: ""},
	{dockerfile: Dockerfile.alpine, name: liquibase/liquibase, suffix: "-alpine"},
	]
	permissions:
	contents: read # for actions/checkout to fetch code
	security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
	actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
	pull-requests: write # for docker/scout-action to write comments on pull requests
	name: Scout
	runs-on: "ubuntu-22.04"
	steps:
	- name: Checkout code
	uses: actions/checkout@v4

	- name: Build ${{ matrix.image.name }}${{ matrix.image.suffix }} from Dockerfile
	run: \|
	docker build -f ${{ matrix.image.dockerfile }} -t ${{ matrix.image.name }}${{ matrix.image.suffix }}:${{ github.sha }} .

	- uses: docker/login-action@v3
	with:
	username: ${{ secrets.DOCKERHUB_USERNAME }}
	password: ${{ secrets.DOCKERHUB_TOKEN }}

	- name: Docker Scout
	uses: docker/[email protected]
	with:
	command: cves
	image: '${{ matrix.image.name }}${{ matrix.image.suffix }}:${{ github.sha }}'
	github-token: ${{ secrets.GITHUB_TOKEN }}
	write-comment: true
	sarif-file: 'scout-results.sarif'
	summary: true
	exit-code: true
	only-severities: "critical,high"

	- name: Notify Slack on Build Failure
	if: failure()
	uses: rtCamp/action-slack-notify@v2
	env:
	SLACK_COLOR: 'failure'
	SLACK_MESSAGE: "View details on GitHub Actions: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}. Triggered by repository: ${{ github.repository }} and job: ${{ github.job }}"
	SLACK_TITLE: "❌ ${{ github.repository }} ❌ Docker Scout failed on branch ${{ github.ref_name }} for commit ${{ github.sha }} in repository ${{ github.repository }}"
	SLACK_USERNAME: liquibot
	SLACK_WEBHOOK: ${{ secrets.DOCKER_SLACK_WEBHOOK_URL }}
	SLACK_ICON_EMOJI: ":whale:"
	SLACK_FOOTER: "${{ github.repository }} - ${{ matrix.image.name }}${{ matrix.image.suffix }}:${{ github.sha }}"
	SLACK_LINK_NAMES: true

	- name: Upload Scout scan results to GitHub Security tab
	if: always()
	uses: github/codeql-action/upload-sarif@v3
	with:
	sarif_file: 'scout-results.sarif'
	category: '${{ matrix.image.name }}${{ matrix.image.suffix }}'

	- name: Generate Security Report
	if: always()
	uses: rsdmike/[email protected]
	with:
	token: ${{ secrets.GITHUB_TOKEN }}
	outputDir: ./reports/
	sarifReportDir: .

	- name: Upload Security Report
	if: always()
	uses: actions/upload-artifact@v3
	with:
	name: security-report-scout
	path: ./reports/summary.pdf

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Vulnerability Scanning #527

Workflow file

Vulnerability Scanning #527

Jobs

Run details

Workflow file for this run