feat(2692): scan images for vulnerabilties and show output

bcgov · Oct 23, 2024 · f81e1a6 · f81e1a6
2 parents 4eae401 + 6e4fc5b
commit f81e1a6
Show file tree

Hide file tree

Showing 5 changed files with 115 additions and 2 deletions.
diff --git a/.github/actions/scan-docker-image/action.yml b/.github/actions/scan-docker-image/action.yml
@@ -0,0 +1,27 @@
+name: Trivy Scan Action
+description: Scan Docker images using Trivy and upload results.
+inputs:
+  image:
+    description: A docker image
+    required: true
+  category:
+    description: Unique category for the SARIF upload
+    required: true
+
+runs:
+  using: composite
+  steps:
+  - name: Run Trivy vulnerability scanner
+    uses: aquasecurity/trivy-action@0.28.0
+    with:
+      image-ref: ${{ inputs.image }}
+      format: sarif
+      output: trivy-results-${{ inputs.image }}.sarif
+      vuln-type: os,library
+      severity: CRITICAL,HIGH
+
+  - name: Upload Trivy scan results to GitHub Security tab
+    uses: github/codeql-action/upload-sarif@v3
+    with:
+      sarif_file: trivy-results-${{ inputs.image }}.sarif
+      category: ${{ inputs.category }}
diff --git a/.github/workflows/deploy-dev.yml b/.github/workflows/deploy-dev.yml
@@ -218,3 +218,52 @@ jobs:
           {
             "text": ":warning: Deployment to Prod failed! [Investigate here](https://github.com/bcgov/platform-services-registry/)"
           }
+
+  scan-images-for-vulnerabilities:
+    needs: [deploy]
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      packages: write
+      actions: read
+      security-events: write
+
+    steps:
+    - name: Log in to ghcr
+      run: echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u ${{ github.actor }} --password-stdin
+
+    - name: App
+      uses: ./.github/actions/scan-docker-image
+      with:
+        image: ${{ env.GITHUB_REGISTRY }}/bcgov/pltsvc:${{ github.sha }}
+        category: bcgov/pltsvc-scan
+
+    - name: Pre-prisma
+      uses: ./.github/actions/scan-docker-image
+      with:
+        image: ${{ env.GITHUB_REGISTRY }}/bcgov/pltsvc-pre-prisma:${{ github.sha }}
+        category: bcgov/pltsvc-pre-prisma-scan
+
+    - name: Pre-data-migrations
+      uses: ./.github/actions/scan-docker-image
+      with:
+        image: ${{ env.GITHUB_REGISTRY }}/bcgov/pltsvc-pre-data-migrations:${{ github.sha }}
+        category: bcgov/pltsvc-pre-data-migrations-scan
+
+    - name: Email
+      uses: ./.github/actions/scan-docker-image
+      with:
+        image: ${{ env.GITHUB_REGISTRY }}/bcgov/pltsvc-email:${{ github.sha }}
+        category: bcgov/pltsvc-email-scan
+
+    - name: M365proxy
+      uses: ./.github/actions/scan-docker-image
+      with:
+        image: ${{ env.GITHUB_REGISTRY }}/bcgov/pltsvc-localdev-m365proxy:${{ github.sha }}
+        category: bcgov/pltsvc-localdev-m365proxy-scan
+
+    - name: Nats-provision
+      uses: ./.github/actions/scan-docker-image
+      with:
+        image: ${{ env.GITHUB_REGISTRY }}/bcgov/pltsvc-localdev-nats-provision:${{ github.sha }}
+        category: bcgov/pltsvc-localdev-nats-provision-scan
diff --git a/.github/workflows/deploy-test.yml b/.github/workflows/deploy-test.yml
@@ -176,3 +176,40 @@ jobs:
           {
             "text": ":warning: Deployment to Test failed! [Investigate here](https://github.com/bcgov/platform-services-registry/)"
           }
+
+  scan-images-for-vulnerabilities:
+    needs: [deploy]
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      packages: write
+      actions: read
+      security-events: write
+
+    steps:
+    - name: Log in to ghcr
+      run: echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u ${{ github.actor }} --password-stdin
+
+    - name: App
+      uses: ./.github/actions/scan-docker-image
+      with:
+        image: ${{ env.GITHUB_REGISTRY }}/bcgov/pltsvc:${{ github.sha }}
+        category: bcgov/pltsvc-scan
+
+    - name: Pre-prisma
+      uses: ./.github/actions/scan-docker-image
+      with:
+        image: ${{ env.GITHUB_REGISTRY }}/bcgov/pltsvc-pre-prisma:${{ github.sha }}
+        category: bcgov/pltsvc-pre-prisma-scan
+
+    - name: Pre-data-migrations
+      uses: ./.github/actions/scan-docker-image
+      with:
+        image: ${{ env.GITHUB_REGISTRY }}/bcgov/pltsvc-pre-data-migrations:${{ github.sha }}
+        category: bcgov/pltsvc-pre-data-migrations-scan
+
+    - name: Email
+      uses: ./.github/actions/scan-docker-image
+      with:
+        image: ${{ env.GITHUB_REGISTRY }}/bcgov/pltsvc-email:${{ github.sha }}
+        category: bcgov/pltsvc-email-scan
diff --git a/.github/workflows/terraform-keycloak.yml b/.github/workflows/terraform-keycloak.yml
@@ -26,7 +26,7 @@ jobs:
     - uses: actions/checkout@163217dfcd28294438ea1c1c149cfaf66eec283e
 
     - name: Setup Terraform
-      uses: hashicorp/setup-terraform@4b8e29db070e511fc9f67a42cf566d74cfc83c24
+      uses: hashicorp/setup-terraform@273780a33501d0a4096ef3dc6faca1456be1cb83
       with:
         terraform_version: ${{ env.TF_VERSION }}
 

diff --git a/.github/workflows/terraform-sysdig.yml b/.github/workflows/terraform-sysdig.yml
@@ -26,7 +26,7 @@ jobs:
     - uses: actions/checkout@163217dfcd28294438ea1c1c149cfaf66eec283e
 
     - name: Setup Terraform
-      uses: hashicorp/setup-terraform@4b8e29db070e511fc9f67a42cf566d74cfc83c24
+      uses: hashicorp/setup-terraform@273780a33501d0a4096ef3dc6faca1456be1cb83
       with:
         terraform_version: ${{ env.TF_VERSION }}