DAT-18039 DevOps :: Docker Vulnerability Scanning Enhancements #426
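# This workflow uses actions that are not certified by GitHub.
# They are provided by a third-party and are governed by
# separate terms of service, privacy policy, and support
# documentation.
#
# Builds the liquibase/liquibase image from each Dockerfile in the matrix and
# scans the result with two independent scanners (Trivy and Docker Scout).
# Each scanner uploads SARIF to the Security tab and a PDF summary as an
# artifact.
#
# NOTE(review): for pull_request runs from forks GITHUB_TOKEN is read-only and
# repository secrets are not exposed, so the steps below that need
# `security-events: write`, `pull-requests: write` or the Docker Hub secrets
# will fail or be skipped on such runs.
name: Vulnerability Scanning

on:
  workflow_dispatch:
  push:
    branches:
      - "main"
  pull_request:
    # The branches below must be a subset of the branches above
    branches:
      - "main"
  schedule:
    # Weekdays (Mon-Fri) at 07:00 UTC
    - cron: '0 7 * * 1-5'

# Least privilege by default; each job widens only the scopes it needs.
permissions:
  contents: read

jobs:
  trivy:
    name: Trivy
    runs-on: "ubuntu-22.04"
    strategy:
      fail-fast: false
      matrix:
        # Both Dockerfiles produce an image with the same name, so anything
        # that must be unique per leg (SARIF category, artifact name) keys on
        # `dockerfile`, not on `name`.
        image:
          - dockerfile: Dockerfile
            name: liquibase/liquibase
          - dockerfile: Dockerfile.alpine
            name: liquibase/liquibase
    permissions:
      contents: read         # for actions/checkout to fetch code
      security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
      actions: read          # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Build ${{ matrix.image.name }} from ${{ matrix.image.dockerfile }}
        run: |
          docker build -f ${{ matrix.image.dockerfile }} -t ${{ matrix.image.name }}:${{ github.sha }} .

      # NOTE(review): third-party action; the ref as rendered here is not a
      # full commit SHA. Pin to a 40-character SHA so a moved or re-pushed tag
      # cannot change the code that runs against the freshly built image.
      - name: Run Trivy vulnerability scanner
        uses: aquasecurity/[email protected]
        with:
          image-ref: '${{ matrix.image.name }}:${{ github.sha }}'
          vuln-type: 'os,library'
          # Fail the job on any CRITICAL/HIGH finding. The upload steps below
          # are guarded with `if: always()` so results are still published.
          exit-code: '1'
          severity: 'CRITICAL,HIGH'
          format: 'sarif'
          output: 'trivy-results.sarif'

      # NOTE(review): the Slack step below is disabled. If it is re-enabled,
      # `github.event.client_payload.*` is only populated for
      # `repository_dispatch` events, which this workflow does not declare;
      # use `github.server_url`, `github.repository`, `github.run_id`,
      # `github.ref_name` and `github.sha` instead.
      # - name: Notify Slack on Build Failure
      #   if: failure()
      #   uses: rtCamp/action-slack-notify@v2
      #   env:
      #     SLACK_COLOR: 'failure'
      #     SLACK_MESSAGE: "View details on GitHub Actions: ${{ github.event.client_payload.server_url }}/${{ github.event.client_payload.repository }}/actions/runs/${{ github.event.client_payload.run_id }}. Triggered by repository: ${{ github.event.client_payload.repository }} and job: ${{ github.job }}"
      #     SLACK_TITLE: "❌ ${{ github.event.client_payload.repository }} ❌ Trivy failed on branch ${{ github.event.client_payload.branch }} for commit ${{ github.event.client_payload.sha }} in repository ${{ github.event.client_payload.repository }}"
      #     SLACK_USERNAME: liquibot
      #     SLACK_WEBHOOK: ${{ secrets.NIGHTLY_BUILDS_SLACK_WEBHOOK }}
      #     SLACK_ICON_EMOJI: ":whale:"
      #     SLACK_FOOTER: "${{ github.event.client_payload.repository }}"
      #     SLACK_LINK_NAMES: true

      - name: Upload Trivy scan results to GitHub Security tab
        if: always()
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: 'trivy-results.sarif'
          # The category must be unique per scanner AND per matrix leg: SARIF
          # uploads for the same commit that share a category replace each
          # other, and both legs (and the Scout job) previously used the bare
          # image name, so only the last upload survived.
          category: 'trivy-${{ matrix.image.name }}-${{ matrix.image.dockerfile }}'

      # NOTE(review): third-party action that receives GITHUB_TOKEN and reads
      # every SARIF file under the checkout root; pin it to a full commit SHA.
      - name: Generate Security Report
        if: always()
        uses: rsdmike/[email protected]
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
          outputDir: ./reports/
          sarifReportDir: .

      - name: Upload Security Report
        if: always()
        uses: actions/upload-artifact@v4
        with:
          # Unique per scanner and matrix leg: upload-artifact v4 rejects a
          # second upload with the same name in one run (v3, used before, is
          # deprecated), and the legs would otherwise overwrite each other.
          name: trivy-security-report-${{ matrix.image.dockerfile }}
          path: ./reports/trivy-summary.pdf

  scout:
    name: Scout
    runs-on: "ubuntu-22.04"
    strategy:
      fail-fast: false
      matrix:
        # Same shape as the Trivy matrix; see the note there about `name`
        # being identical for both legs.
        image:
          - dockerfile: Dockerfile
            name: liquibase/liquibase
          - dockerfile: Dockerfile.alpine
            name: liquibase/liquibase
    permissions:
      contents: read         # for actions/checkout to fetch code
      security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
      actions: read          # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
      # `write-comment: true` below posts a PR comment with GITHUB_TOKEN, which
      # needs this scope; without it the comment step fails with 403. (It is
      # still not posted on fork PRs, where the token is read-only.)
      pull-requests: write
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Build ${{ matrix.image.name }} from ${{ matrix.image.dockerfile }}
        run: |
          docker build -f ${{ matrix.image.dockerfile }} -t ${{ matrix.image.name }}:${{ github.sha }} .

      # Docker Scout requires a Docker Hub login. NOTE(review): these are
      # repository secrets, which are empty on pull_request runs from forks;
      # there the login fails and the job aborts before any SARIF is produced.
      - name: Log in to Docker Hub
        uses: docker/login-action@v3
        with:
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}

      # NOTE(review): third-party action; pin to a full commit SHA (the ref as
      # rendered here is not one). Unlike the Trivy job this step never fails
      # the build — add `only-severities: critical,high` and `exit-code: true`
      # if Scout findings are meant to gate merges as well.
      - name: Docker Scout
        uses: docker/[email protected]
        with:
          command: cves
          image: '${{ matrix.image.name }}:${{ github.sha }}'
          github-token: ${{ secrets.GITHUB_TOKEN }}
          write-comment: true
          sarif-file: 'scout-results.sarif'
          summary: true

      # NOTE(review): see the Trivy job — `client_payload` is only set on
      # `repository_dispatch`, which this workflow does not trigger on.
      # - name: Notify Slack on Build Failure
      #   if: failure()
      #   uses: rtCamp/action-slack-notify@v2
      #   env:
      #     SLACK_COLOR: 'failure'
      #     SLACK_MESSAGE: "View details on GitHub Actions: ${{ github.event.client_payload.server_url }}/${{ github.event.client_payload.repository }}/actions/runs/${{ github.event.client_payload.run_id }}. Triggered by repository: ${{ github.event.client_payload.repository }} and job: ${{ github.job }}"
      #     SLACK_TITLE: "❌ ${{ github.event.client_payload.repository }} ❌ Docker Scout failed on branch ${{ github.event.client_payload.branch }} for commit ${{ github.event.client_payload.sha }} in repository ${{ github.event.client_payload.repository }}"
      #     SLACK_USERNAME: liquibot
      #     SLACK_WEBHOOK: ${{ secrets.NIGHTLY_BUILDS_SLACK_WEBHOOK }}
      #     SLACK_ICON_EMOJI: ":whale:"
      #     SLACK_FOOTER: "${{ github.event.client_payload.repository }}"
      #     SLACK_LINK_NAMES: true

      - name: Upload Scout scan results to GitHub Security tab
        if: always()
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: 'scout-results.sarif'
          # Unique per scanner and matrix leg so this upload does not replace
          # the Trivy results or the other Dockerfile's results.
          category: 'scout-${{ matrix.image.name }}-${{ matrix.image.dockerfile }}'

      # NOTE(review): third-party action that receives GITHUB_TOKEN; pin it to
      # a full commit SHA.
      - name: Generate Security Report
        if: always()
        uses: rsdmike/[email protected]
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
          outputDir: ./reports/
          sarifReportDir: .

      - name: Upload Security Report
        if: always()
        uses: actions/upload-artifact@v4
        with:
          # Unique per scanner and matrix leg (see the Trivy job).
          name: scout-security-report-${{ matrix.image.dockerfile }}
          path: ./reports/scout-summary.pdf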