From bb1fc3034f874fc3fc4a311de29394bc3f048183 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Juan=20Pablo=20Castrill=C3=B3n?= Date: Wed, 24 Sep 2025 21:20:52 -0400 Subject: [PATCH 1/8] Add job trivy --- .github/workflows/main.yml | 32 +++++++++++++++++++++++++++++++- 1 file changed, 31 insertions(+), 1 deletion(-) diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index bbe4fc0..c3dea17 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -96,4 +96,34 @@ jobs: with: image: demo-app:local artifact-name: sbom.spdx.json # queda como artefacto del job - \ No newline at end of file + # ────────────────────────────────────────────────────────────────────────────── + # Trivy + Firma/Verify (cosign) + # ────────────────────────────────────────────────────────────────────────────── + container_scan: + name: Container & deps scan (Trivy) + runs-on: self-hosted + needs: [build] + steps: + - name: Trivy image (CRITICAL,HIGH) + uses: aquasecurity/trivy-action@0.28.0 + with: + scan-type: image + image-ref: ${IMAGE_NAME}:${IMAGE_TAG} + format: sarif + output: trivy-image.sarif + ignore-unfixed: true + severity: CRITICAL,HIGH + - uses: github/codeql-action/upload-sarif@v3 + with: { sarif_file: trivy-image.sarif } + + # - name: Trivy fs (SCA sobre el repo) + # uses: aquasecurity/trivy-action@0.28.0 + # with: + # scan-type: fs + # scan-ref: . + # format: sarif + # output: trivy-fs.sarif + # ignore-unfixed: true + # severity: CRITICAL,HIGH + # - uses: github/codeql-action/upload-sarif@v3 + # with: { sarif_file: trivy-fs.sarif } \ No newline at end of file From bac9f2f0ed2caff18ffecd0d0205c9b946a0fcc7 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Juan=20Pablo=20Castrill=C3=B3n?= Date: Wed, 24 Sep 2025 21:24:24 -0400 Subject: [PATCH 2/8] Add job trivy --- .github/workflows/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index c3dea17..41179ff 100644 
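Review bot: The new `container_scan` job in this hunk scans but does not gate — the Trivy step sets `severity: CRITICAL,HIGH` but no `exit-code`, and trivy-action's default exit code is 0 as far as I recall, so findings only land in code scanning and never fail the pipeline; if this is meant to block, add `exit-code: '1'` next to `severity`, and consider a comment explaining that `ignore-unfixed: true` deliberately hides CRITICALs with no vendor fix yet. The upload step `github/codeql-action/upload-sarif@v3` needs `security-events: write`; no `permissions:` block is visible in this hunk, so either it is set at workflow level above the hunk or the upload will be rejected — worth confirming. The action is pinned by tag (`aquasecurity/trivy-action@0.28.0`); tags are mutable, so a third-party scanner that runs on a self-hosted runner should be pinned to a commit SHA with the version in a trailing comment. The enclosing `jobs:` map starts above the hunk.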
--- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -108,7 +108,7 @@ jobs: uses: aquasecurity/trivy-action@0.28.0 with: scan-type: image - image-ref: ${IMAGE_NAME}:${IMAGE_TAG} + image-ref: demo-app:local format: sarif output: trivy-image.sarif ignore-unfixed: true From 6cfbc96c5ccd501e07f01814c8901161ccdb6a67 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Juan=20Pablo=20Castrill=C3=B3n?= Date: Wed, 24 Sep 2025 21:28:04 -0400 Subject: [PATCH 3/8] Add job trivy --- .github/workflows/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index 41179ff..5e4842e 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -108,7 +108,7 @@ jobs: uses: aquasecurity/trivy-action@0.28.0 with: scan-type: image - image-ref: demo-app:local + image-ref: localhost/demo-app:local format: sarif output: trivy-image.sarif ignore-unfixed: true From a04427322461c5b8557113835167b93e27ae60fa Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Juan=20Pablo=20Castrill=C3=B3n?= Date: Wed, 24 Sep 2025 21:33:34 -0400 Subject: [PATCH 4/8] Add job trivy --- .github/workflows/main.yml | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index 5e4842e..961fbc1 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -89,12 +89,10 @@ jobs: run: | cd "${APP_DIR}" docker build -t ${IMAGE_NAME}:${IMAGE_TAG} . - echo ${IMAGE_NAME} - echo ${IMAGE_TAG} - name: SBOM (Syft) uses: anchore/sbom-action@v0 with: - image: demo-app:local + image: localhost/demo-app:local artifact-name: sbom.spdx.json # queda como artefacto del job # ────────────────────────────────────────────────────────────────────────────── # Trivy + Firma/Verify (cosign) From 1a252e9ce0bb563e0132d01b6e11286f294cc70d Mon Sep 17 00:00:00 2001 
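Review bot: In the `@@ -89,12 +89,10 @@` hunk the image is built as `${IMAGE_NAME}:${IMAGE_TAG}` but the Syft step now points at the hard-coded `image: localhost/demo-app:local`, so the SBOM is only correct while those env values happen to match and silently describes the wrong (or no) image when they drift; assuming `IMAGE_NAME`/`IMAGE_TAG` are workflow or job `env` values set above the hunk, use `image: ${{ env.IMAGE_NAME }}:${{ env.IMAGE_TAG }}` so build and SBOM always name the same artifact. Note also that `docker build` leaves the image only in the local daemon of whichever `self-hosted` runner ran the `build` job, so the downstream scan job only finds it if it is scheduled onto that same runner — a comment stating that assumption (or a `docker save`/artifact hand-off) would make this explicit. The `build` job begins above the hunk.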
From: =?UTF-8?q?Juan=20Pablo=20Castrill=C3=B3n?= Date: Wed, 24 Sep 2025 21:36:44 -0400 Subject: [PATCH 5/8] Add job trivy --- .github/workflows/main.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index 961fbc1..3681d09 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -92,7 +92,7 @@ jobs: - name: SBOM (Syft) uses: anchore/sbom-action@v0 with: - image: localhost/demo-app:local + image: demo-app:local artifact-name: sbom.spdx.json # queda como artefacto del job # ────────────────────────────────────────────────────────────────────────────── # Trivy + Firma/Verify (cosign) @@ -106,7 +106,7 @@ jobs: uses: aquasecurity/trivy-action@0.28.0 with: scan-type: image - image-ref: localhost/demo-app:local + image-ref: demo-app:local format: sarif output: trivy-image.sarif ignore-unfixed: true From aba73dfa48adcb6671df742bc2ef3552668ba9fe Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Juan=20Pablo=20Castrill=C3=B3n?= Date: Wed, 24 Sep 2025 21:42:36 -0400 Subject: [PATCH 6/8] Add job trivy --- .github/workflows/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index 3681d09..817331e 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -105,7 +105,7 @@ jobs: - name: Trivy image (CRITICAL,HIGH) uses: aquasecurity/trivy-action@0.28.0 with: - scan-type: image + scan-type: fs image-ref: demo-app:local format: sarif output: trivy-image.sarif From 11476d48bed395fc5ab791ad4932ef507def605c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Juan=20Pablo=20Castrill=C3=B3n?= Date: Wed, 24 Sep 2025 21:43:51 -0400 Subject: [PATCH 7/8] Add job trivy --- .github/workflows/main.yml | 32 ++++++++++++++++---------------- 1 file changed, 16 insertions(+), 16 deletions(-) diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index 817331e..1598316 100644 --- a/.github/workflows/main.yml 
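Review bot: In the `@@ -105,7 +105,7 @@` hunk, switching to `scan-type: fs` while keeping `image-ref: demo-app:local` changes what is scanned without changing the step's name or output: as far as I recall of trivy-action's input handling, an fs scan uses `scan-ref` (defaulting to `.`) and ignores `image-ref`, so the step still titled "Trivy image (CRITICAL,HIGH)" now scans the runner workspace, not the built image, and uploads that result as `trivy-image.sarif`. If the image is meant to be scanned, keep `scan-type: image`; if the repo is, set `scan-ref: .` explicitly and rename the step and output so the SARIF in code scanning is not mislabelled. The `container_scan` job begins above the hunk.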
+++ b/.github/workflows/main.yml @@ -102,26 +102,26 @@ jobs: runs-on: self-hosted needs: [build] steps: - - name: Trivy image (CRITICAL,HIGH) - uses: aquasecurity/trivy-action@0.28.0 - with: - scan-type: fs - image-ref: demo-app:local - format: sarif - output: trivy-image.sarif - ignore-unfixed: true - severity: CRITICAL,HIGH - - uses: github/codeql-action/upload-sarif@v3 - with: { sarif_file: trivy-image.sarif } - - # - name: Trivy fs (SCA sobre el repo) + # - name: Trivy image (CRITICAL,HIGH) # uses: aquasecurity/trivy-action@0.28.0 # with: # scan-type: fs - # scan-ref: . + # image-ref: demo-app:local # format: sarif - # output: trivy-fs.sarif + # output: trivy-image.sarif # ignore-unfixed: true # severity: CRITICAL,HIGH # - uses: github/codeql-action/upload-sarif@v3 - # with: { sarif_file: trivy-fs.sarif } \ No newline at end of file + # with: { sarif_file: trivy-image.sarif } + + - name: Trivy fs (SCA sobre el repo) + uses: aquasecurity/trivy-action@0.28.0 + with: + scan-type: fs + scan-ref: . + format: sarif + output: trivy-fs.sarif + ignore-unfixed: true + severity: CRITICAL,HIGH + - uses: github/codeql-action/upload-sarif@v3 + with: { sarif_file: trivy-fs.sarif } \ No newline at end of file From d3ccf77cfcd280754f0d355cd9f79e8396c4038b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Juan=20Pablo=20Castrill=C3=B3n?= Date: Wed, 24 Sep 2025 21:51:34 -0400 Subject: [PATCH 8/8] Add job trivy --- .github/workflows/main.yml | 41 +++++++++++++++++++++++++++++++++++++- 1 file changed, 40 insertions(+), 1 deletion(-) diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index 1598316..3996bcb 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml 
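Review bot: The now-active "Trivy fs" step runs `scan-ref: .` in a job whose `steps:` (visible in this hunk) start directly with Trivy and contain no `actions/checkout`, so on the `self-hosted` runner it scans whatever is left in the workspace from an earlier job or run — possibly stale, possibly empty — rather than the commit under test; add `- uses: actions/checkout@v4` as the first step. Commenting out the image scan also means the base image's OS packages are no longer covered, since an fs scan only sees the repository's lockfiles and sources, so the SBOM and scan now describe different things; a comment saying why the image scan is disabled would help the next reader. As in the original job, no `exit-code` is set, so HIGH/CRITICAL findings are reported but do not fail the job. The `container_scan:` job key sits just above the hunk.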
@@ -124,4 +124,43 @@ jobs: ignore-unfixed: true severity: CRITICAL,HIGH - uses: github/codeql-action/upload-sarif@v3 - with: { sarif_file: trivy-fs.sarif } \ No newline at end of file + with: { sarif_file: trivy-fs.sarif } + + # sign: + # name: Supply chain gate (cosign sobre SBOM) + # runs-on: self-hosted + # needs: [container_scan] + # env: + # COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }} + # steps: + # - uses: actions/checkout@v4 + # - name: Instalar cosign + # run: | + # COSIGN_URL="https://github.com/sigstore/cosign/releases/latest/download/cosign-linux-amd64" + # curl -sSLf "$COSIGN_URL" -o /usr/local/bin/cosign + # chmod +x /usr/local/bin/cosign + # - name: Generar claves (si no existen) + # run: | + # test -f cosign.key || cosign generate-key-pair + # - name: Descargar SBOM del job anterior + # uses: actions/download-artifact@v4 + # with: + # name: sbom.spdx.json + # path: . + # - name: Firmar SBOM (sign-blob) + # run: cosign sign-blob --yes --key cosign.key sbom.spdx.json <<< "$COSIGN_PASSWORD" + # - name: Verificar firma del SBOM (gate) + # run: cosign verify-blob --key cosign.pub --signature sbom.spdx.json.sig sbom.spdx.json + + # ── Alternativa (comentada) si publicas la imagen en GHCR y quieres firmar la imagen: + # - name: Login GHCR + # run: echo ${{ secrets.GITHUB_TOKEN }} | docker login ghcr.io -u ${{ github.actor }} --password-stdin + # - name: Push a GHCR + # run: | + # export IMG="ghcr.io/${{ github.repository_owner }}/${{ github.event.repository.name }}:${{ github.sha }}" + # docker tag ${IMAGE_NAME}:${IMAGE_TAG} "$IMG" + # docker push "$IMG" + # - name: Sign imagen en GHCR + # run: cosign sign --yes --key cosign.key "ghcr.io/${{ github.repository_owner }}/${{ github.event.repository.name }}:${{ github.sha }}" <<< "$COSIGN_PASSWORD" + # - name: Verify imagen (gate) + # run: cosign verify --key cosign.pub "ghcr.io/${{ github.repository_owner }}/${{ github.event.repository.name }}:${{ github.sha }}" \ No newline at end of file
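Review bot: The sketched (commented-out) `sign` job runs `test -f cosign.key || cosign generate-key-pair` and then verifies with that same freshly generated `cosign.pub`, so the "gate" only proves the job signed what it just signed and would pass for any tampered SBOM; the private key needs to be a long-lived secret (`cosign sign-blob --key env://COSIGN_PRIVATE_KEY ...` with `COSIGN_PRIVATE_KEY` from `secrets`) or keyless signing should be used, and `verify-blob` should run against a trusted public key that is committed or fetched from a trusted location, not one produced in the same run. Unless I misremember, `cosign sign-blob` writes the signature to stdout rather than to a file, so the verify step's `--signature sbom.spdx.json.sig` would not find anything; add `--output-signature sbom.spdx.json.sig` to the sign command. Fetching cosign from `releases/latest/download/cosign-linux-amd64` with no version pin and no checksum or signature check on a self-hosted runner is itself an unverified supply-chain step — pin a release and verify it, or use the `sigstore/cosign-installer` action pinned to a SHA. The `docker login` to GHCR would also leave credentials in the runner's `~/.docker/config.json` after the job, so a logout (or running it on an ephemeral runner) is worth a note when this block is enabled.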