From 4c734a56cb3d68fad47eb3207fce5c376cf1f9d0 Mon Sep 17 00:00:00 2001
From: Chuck McAndrew <6248903+dcmcand@users.noreply.github.com>
Date: Thu, 9 May 2024 13:32:29 -0400
Subject: [PATCH 01/16] Create trivy.yml
---
 .github/workflows/trivy.yml | 48 +++++++++++++++++++++++++++++++++++++ 1 file changed, 48 insertions(+) create mode 100644 .github/workflows/trivy.yml
diff --git a/.github/workflows/trivy.yml b/.github/workflows/trivy.yml
new file mode 100644
index 0000000000..b3ff938b8e
--- /dev/null
+++ b/.github/workflows/trivy.yml
@@ -0,0 +1,48 @@
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+
+name: trivy
+
+on:
+ push:
+ branches: [ "develop", "main-DEPRECATED", "release/*" ]
+ pull_request:
+ # The branches below must be a subset of the branches above
+ branches: [ "develop" ]
+ schedule:
+ - cron: '19 23 * * 6'
+
+permissions:
+ contents: read
+
+jobs:
+ build:
+ permissions:
+ contents: read # for actions/checkout to fetch code
+ security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
+ actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
+ name: Build
+ runs-on: "ubuntu-20.04"
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v4
+
+ - name: Build an image from Dockerfile
+ run: |
+ docker build -t docker.io/my-organization/my-app:${{ github.sha }} .
+
+ - name: Run Trivy vulnerability scanner
+ uses: aquasecurity/trivy-action@7b7aa264d83dc58691451798b4d117d53d21edfe
+ with:
+ image-ref: 'docker.io/my-organization/my-app:${{ github.sha }}'
+ format: 'template'
+ template: '@/contrib/sarif.tpl'
+ output: 'trivy-results.sarif'
+ severity: 'CRITICAL,HIGH'
+
+ - name: Upload Trivy scan results to GitHub Security tab
+ uses: github/codeql-action/upload-sarif@v2
+ with:
+ sarif_file: 'trivy-results.sarif'
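Review bot: The `pull_request` trigger on `branches: [ "develop" ]` will also run this job for pull requests opened from forks, and on those runs GITHUB_TOKEN is read-only regardless of the job-level `security-events: write`, so the final `upload-sarif` step fails with a permissions error exactly where external contributions are scanned. Either gate the upload on same-repository runs, e.g. `if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository`, or document that fork PRs only get the scanner's log output. The commit-SHA pin on `aquasecurity/trivy-action` is the right choice; add the release it corresponds to as a trailing comment (`# <release tag>`) so reviewers and Dependabot can read which version it is.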
From 8843a56c0b10f09db22ce01f79949750ec88b9e3 Mon Sep 17 00:00:00 2001 From: Chuck McAndrew <6248903+dcmcand@users.noreply.github.com> Date: Thu, 9 May 2024 13:43:01 -0400 Subject: [PATCH 02/16] update trivy --- .github/workflows/trivy.yml | 15 +++++++-------- 1 file changed, 7 insertions(+), 8 deletions(-) diff --git a/.github/workflows/trivy.yml b/.github/workflows/trivy.yml index b3ff938b8e..919402305b 100644 --- a/.github/workflows/trivy.yml +++ b/.github/workflows/trivy.yml @@ -29,18 +29,17 @@ jobs: - name: Checkout code uses: actions/checkout@v4 - - name: Build an image from Dockerfile - run: | - docker build -t docker.io/my-organization/my-app:${{ github.sha }} . - - - name: Run Trivy vulnerability scanner - uses: aquasecurity/trivy-action@7b7aa264d83dc58691451798b4d117d53d21edfe + - name: Run Trivy vulnerability scanner in fs mode + uses: aquasecurity/trivy-action@master with: - image-ref: 'docker.io/my-organization/my-app:${{ github.sha }}' + scan-type: 'fs' + scan-ref: '.' + severity: 'CRITICAL,HIGH' format: 'template' template: '@/contrib/sarif.tpl' output: 'trivy-results.sarif' - severity: 'CRITICAL,HIGH' + scanners: 'vuln, config, secrets' + - name: Upload Trivy scan results to GitHub Security tab uses: github/codeql-action/upload-sarif@v2 From 3be457237856c6f176caa002577765d550786b01 Mon Sep 17 00:00:00 2001 From: Chuck McAndrew <6248903+dcmcand@users.noreply.github.com> Date: Thu, 9 May 2024 13:45:52 -0400 Subject: [PATCH 03/16] update format --- .github/workflows/trivy.yml | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/.github/workflows/trivy.yml b/.github/workflows/trivy.yml index 919402305b..a9dae85df8 100644 --- a/.github/workflows/trivy.yml +++ b/.github/workflows/trivy.yml 
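Review bot: `uses: aquasecurity/trivy-action@master` replaces the commit-SHA pin from the previous patch with a mutable branch ref, so each run executes whatever that branch holds at the time, inside a job that has a checkout of the repository and `security-events: write`; none of the later patches in this series re-pins it. Pin to a release commit and record the tag, `uses: aquasecurity/trivy-action@<release-sha> # <release tag>`, and let Dependabot move it. The new `scanners: 'vuln, config, secrets'` value also looks off: as far as I know Trivy's scanner names are `vuln`, `secret` and `config`, comma-separated without spaces (patch 09 later rewrites it as `vuln,secret,config`, which suggests this form did not behave as intended). The upload step's `with:` and `sarif_file:` lines lie beyond the end of this hunk.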
@@ -35,13 +35,12 @@ jobs: scan-type: 'fs' scan-ref: '.' severity: 'CRITICAL,HIGH' - format: 'template' - template: '@/contrib/sarif.tpl' + format: 'sarif' output: 'trivy-results.sarif' scanners: 'vuln, config, secrets' - name: Upload Trivy scan results to GitHub Security tab - uses: github/codeql-action/upload-sarif@v2 + uses: github/codeql-action/upload-sarif@v3 with: sarif_file: 'trivy-results.sarif' From abfdd6ffbf0c4d73dbc3d0654822172558de05d1 Mon Sep 17 00:00:00 2001 From: Chuck McAndrew <6248903+dcmcand@users.noreply.github.com> Date: Thu, 9 May 2024 13:47:04 -0400 Subject: [PATCH 04/16] update job name --- .github/workflows/trivy.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/trivy.yml b/.github/workflows/trivy.yml index a9dae85df8..6c284137bf 100644 --- a/.github/workflows/trivy.yml +++ b/.github/workflows/trivy.yml @@ -18,12 +18,12 @@ permissions: contents: read jobs: - build: + SAST: permissions: contents: read # for actions/checkout to fetch code security-events: write # for github/codeql-action/upload-sarif to upload SARIF results actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status - name: Build + name: SAST runs-on: "ubuntu-20.04" steps: - name: Checkout code From f22108905f0ee94c750a79680dc8bfd1bdc7c9ee Mon Sep 17 00:00:00 2001 From: Chuck McAndrew <6248903+dcmcand@users.noreply.github.com> Date: Thu, 9 May 2024 13:51:45 -0400 Subject: [PATCH 05/16] update trivy config --- .github/workflows/trivy.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/trivy.yml b/.github/workflows/trivy.yml index 6c284137bf..57e23d866b 100644 --- a/.github/workflows/trivy.yml +++ b/.github/workflows/trivy.yml 
@@ -33,8 +33,8 @@ jobs: uses: aquasecurity/trivy-action@master with: scan-type: 'fs' - scan-ref: '.' severity: 'CRITICAL,HIGH' + ignore-unfixed: true format: 'sarif' output: 'trivy-results.sarif' scanners: 'vuln, config, secrets' From 8e2a7dbe88d303450ccb7ee709c923936bfc262e Mon Sep 17 00:00:00 2001 From: Chuck McAndrew <6248903+dcmcand@users.noreply.github.com> Date: Thu, 9 May 2024 13:54:39 -0400 Subject: [PATCH 06/16] add my branch --- .github/workflows/trivy.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/trivy.yml b/.github/workflows/trivy.yml index 57e23d866b..45d3c7837a 100644 --- a/.github/workflows/trivy.yml +++ b/.github/workflows/trivy.yml @@ -7,7 +7,7 @@ name: trivy on: push: - branches: [ "develop", "main-DEPRECATED", "release/*" ] + branches: [ "add-trivy-to-ci", "develop", "main-DEPRECATED", "release/*" ] pull_request: # The branches below must be a subset of the branches above branches: [ "develop" ] From e55a3e6eb39e5aad6b7015f6d1caa7e79ea76061 Mon Sep 17 00:00:00 2001 From: Chuck McAndrew <6248903+dcmcand@users.noreply.github.com> Date: Thu, 9 May 2024 13:58:56 -0400 Subject: [PATCH 07/16] try output as table --- .github/workflows/trivy.yml | 13 +++++++------ 1 file changed, 7 insertions(+), 6 deletions(-) diff --git a/.github/workflows/trivy.yml b/.github/workflows/trivy.yml index 45d3c7837a..54da987eef 100644 --- a/.github/workflows/trivy.yml +++ b/.github/workflows/trivy.yml @@ -7,7 +7,7 @@ name: trivy on: push: - branches: [ "add-trivy-to-ci", "develop", "main-DEPRECATED", "release/*" ] + branches: [ "develop", "main-DEPRECATED", "release/*" ] pull_request: # The branches below must be a subset of the branches above branches: [ "develop" ] 
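Review bot: `ignore-unfixed: true` silently drops every vulnerability that has no upstream fix yet; that is a suppression decision rather than a scanner default, and nothing in the hunk records why it was made. Add a comment above it, e.g. `# ignore-unfixed: hide findings with no available fix so the report stays actionable; revisit periodically`. Dropping `scan-ref: '.'` presumably relies on the action's default scan root being the workspace — if so, say that in the commit or keep the explicit value, since the job name promises a repository-wide scan.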
@@ -36,11 +36,12 @@ jobs: severity: 'CRITICAL,HIGH' ignore-unfixed: true format: 'sarif' - output: 'trivy-results.sarif' + # output: 'trivy-results.sarif' + output: 'table' scanners: 'vuln, config, secrets' - - name: Upload Trivy scan results to GitHub Security tab - uses: github/codeql-action/upload-sarif@v3 - with: - sarif_file: 'trivy-results.sarif' + # - name: Upload Trivy scan results to GitHub Security tab + # uses: github/codeql-action/upload-sarif@v3 + # with: + # sarif_file: 'trivy-results.sarif' From b7e23720ff683e578701543b4fff8ec343de7969 Mon Sep 17 00:00:00 2001 From: Chuck McAndrew <6248903+dcmcand@users.noreply.github.com> Date: Thu, 9 May 2024 14:00:49 -0400 Subject: [PATCH 08/16] change output to table --- .github/workflows/trivy.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/trivy.yml b/.github/workflows/trivy.yml index 54da987eef..7f4538441e 100644 --- a/.github/workflows/trivy.yml +++ b/.github/workflows/trivy.yml @@ -3,7 +3,7 @@ # separate terms of service, privacy policy, and support # documentation. -name: trivy +name: Code Scanning on: push: @@ -23,7 +23,7 @@ jobs: contents: read # for actions/checkout to fetch code security-events: write # for github/codeql-action/upload-sarif to upload SARIF results actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status - name: SAST + name: Trivy SAST Scan runs-on: "ubuntu-20.04" steps: - name: Checkout code @@ -34,8 +34,8 @@ jobs: with: scan-type: 'fs' severity: 'CRITICAL,HIGH' - ignore-unfixed: true - format: 'sarif' + # ignore-unfixed: true + # format: 'sarif' # output: 'trivy-results.sarif' output: 'table' scanners: 'vuln, config, secrets' From e78bb48e2a6f87fbb24d7d188ba0dd0f57116429 Mon Sep 17 00:00:00 2001 
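Review bot: `output: 'table'` does not switch the report format: as I read the action's inputs, `output` is the file the report is written to and `format` selects table versus SARIF, so this hunk writes a SARIF report to a file literally named `table` and prints nothing to the job log; the same holds after patch 08 comments out `format:`, the default table report still lands in that file. To see a table in the log, drop `output:` and set `format: 'table'`. Commenting out the upload step and its inputs instead of deleting them leaves dead configuration in a security workflow; if the upload is meant to return, say so in a comment, otherwise remove the lines.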
From: Chuck McAndrew <6248903+dcmcand@users.noreply.github.com> Date: Thu, 9 May 2024 14:02:48 -0400 Subject: [PATCH 09/16] update scanners --- .github/workflows/trivy.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/trivy.yml b/.github/workflows/trivy.yml index 7f4538441e..422c87ebe4 100644 --- a/.github/workflows/trivy.yml +++ b/.github/workflows/trivy.yml @@ -38,7 +38,7 @@ jobs: # format: 'sarif' # output: 'trivy-results.sarif' output: 'table' - scanners: 'vuln, config, secrets' + scanners: 'vuln,secret,config' # - name: Upload Trivy scan results to GitHub Security tab From 59009fe98dd910a6404bec96b043a41f728bacd6 Mon Sep 17 00:00:00 2001 From: Chuck McAndrew <6248903+dcmcand@users.noreply.github.com> Date: Thu, 9 May 2024 14:05:42 -0400 Subject: [PATCH 10/16] change to config scan --- .github/workflows/trivy.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/trivy.yml b/.github/workflows/trivy.yml index 422c87ebe4..138b2f46c2 100644 --- a/.github/workflows/trivy.yml +++ b/.github/workflows/trivy.yml @@ -32,13 +32,13 @@ jobs: - name: Run Trivy vulnerability scanner in fs mode uses: aquasecurity/trivy-action@master with: - scan-type: 'fs' + scan-type: 'config' severity: 'CRITICAL,HIGH' # ignore-unfixed: true # format: 'sarif' # output: 'trivy-results.sarif' output: 'table' - scanners: 'vuln,secret,config' + # scanners: 'vuln,secret,config' # - name: Upload Trivy scan results to GitHub Security tab From c6ccd9ea198f9f3d11be4be88ac49a3d35624035 Mon Sep 17 00:00:00 2001 From: Chuck McAndrew <6248903+dcmcand@users.noreply.github.com> Date: Thu, 9 May 2024 14:11:28 -0400 Subject: [PATCH 11/16] use example values --- .github/workflows/trivy.yml | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/.github/workflows/trivy.yml b/.github/workflows/trivy.yml index 138b2f46c2..4f0ac49c1e 100644 --- a/.github/workflows/trivy.yml +++ b/.github/workflows/trivy.yml 
@@ -23,7 +23,7 @@ jobs: contents: read # for actions/checkout to fetch code security-events: write # for github/codeql-action/upload-sarif to upload SARIF results actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status - name: Trivy SAST Scan + name: Trivy config Scan runs-on: "ubuntu-20.04" steps: - name: Checkout code @@ -33,15 +33,15 @@ jobs: uses: aquasecurity/trivy-action@master with: scan-type: 'config' + hide-progress: true + format: 'sarif' + output: 'trivy-results.sarif' + exit-code: '1' + ignore-unfixed: true severity: 'CRITICAL,HIGH' - # ignore-unfixed: true - # format: 'sarif' - # output: 'trivy-results.sarif' - output: 'table' - # scanners: 'vuln,secret,config' - # - name: Upload Trivy scan results to GitHub Security tab - # uses: github/codeql-action/upload-sarif@v3 - # with: - # sarif_file: 'trivy-results.sarif' + - name: Upload Trivy scan results to GitHub Security tab + uses: github/codeql-action/upload-sarif@v3 + with: + sarif_file: 'trivy-results.sarif' From efaacbee367bbbb8728574f1637c9d51887fe0ec Mon Sep 17 00:00:00 2001 From: Chuck McAndrew <6248903+dcmcand@users.noreply.github.com> Date: Thu, 9 May 2024 14:14:08 -0400 Subject: [PATCH 12/16] upload even on non zero exit --- .github/workflows/trivy.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/trivy.yml b/.github/workflows/trivy.yml index 4f0ac49c1e..9423b38ada 100644 --- a/.github/workflows/trivy.yml +++ b/.github/workflows/trivy.yml @@ -43,5 +43,6 @@ jobs: - name: Upload Trivy scan results to GitHub Security tab uses: github/codeql-action/upload-sarif@v3 + if: always() with: sarif_file: 'trivy-results.sarif' From 34e9660cae6e742eb4d2456fc8cda4902352005a Mon Sep 17 00:00:00 2001 From: Chuck McAndrew <6248903+dcmcand@users.noreply.github.com> Date: Thu, 9 May 2024 15:09:46 -0400 Subject: [PATCH 13/16] remove exit code --- .github/workflows/trivy.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
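Review bot: `if: always()` on the upload step also fires when the job is cancelled, which is rarely wanted and then runs the step with no `trivy-results.sarif` present; `if: ${{ !cancelled() }}` keeps the intended behaviour (upload even when the scanner exits non-zero because of `exit-code: '1'`) without that case. In patch 11's hunk, `ignore-unfixed: true` has no effect on a `scan-type: 'config'` run — it filters package vulnerabilities by fix availability — so it reads as a leftover from the fs scan; drop it or comment why it stays. Both points apply to the same step, whose `with:` block ends outside patch 12's hunk.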
diff --git a/.github/workflows/trivy.yml b/.github/workflows/trivy.yml index 9423b38ada..070fb0b3f7 100644 --- a/.github/workflows/trivy.yml +++ b/.github/workflows/trivy.yml @@ -32,13 +32,13 @@ jobs: - name: Run Trivy vulnerability scanner in fs mode uses: aquasecurity/trivy-action@master with: - scan-type: 'config' + scan-type: 'fs' hide-progress: true format: 'sarif' output: 'trivy-results.sarif' - exit-code: '1' ignore-unfixed: true severity: 'CRITICAL,HIGH' + scanners: 'config' - name: Upload Trivy scan results to GitHub Security tab From 5d892881fd2d6aaeee3584ef9f8d6cd6bd3f9caf Mon Sep 17 00:00:00 2001 From: Chuck McAndrew <6248903+dcmcand@users.noreply.github.com> Date: Thu, 9 May 2024 15:16:01 -0400 Subject: [PATCH 14/16] try full scan --- .github/workflows/trivy.yml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/.github/workflows/trivy.yml b/.github/workflows/trivy.yml index 070fb0b3f7..d122dba0e0 100644 --- a/.github/workflows/trivy.yml +++ b/.github/workflows/trivy.yml @@ -38,8 +38,7 @@ jobs: output: 'trivy-results.sarif' ignore-unfixed: true severity: 'CRITICAL,HIGH' - scanners: 'config' - + scanners: 'vuln,secret,config' - name: Upload Trivy scan results to GitHub Security tab uses: github/codeql-action/upload-sarif@v3 From 3a5f48655c9c3d032a51a12bc94fe061c3123039 Mon Sep 17 00:00:00 2001 From: Chuck McAndrew <6248903+dcmcand@users.noreply.github.com> Date: Thu, 9 May 2024 15:42:22 -0400 Subject: [PATCH 15/16] go back to config scan --- .github/workflows/trivy.yml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/.github/workflows/trivy.yml b/.github/workflows/trivy.yml index d122dba0e0..28e0551688 100644 --- a/.github/workflows/trivy.yml +++ b/.github/workflows/trivy.yml 
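Review bot: Removing `exit-code: '1'` turns the job from a gate into a report: CRITICAL and HIGH findings are still uploaded to the Security tab but no longer fail the check, so a pull request can merge with them. If that is the intent, record it next to the inputs, e.g. `# exit-code intentionally unset: findings are reported to the Security tab, not enforced on PRs`; if not, keep `exit-code: '1'` together with the `if: always()` upload added in patch 12. Patch 14's hunk on this line then widens `scanners:` again, so the enforcement question should be settled once rather than per experiment.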
@@ -32,13 +32,12 @@ jobs: - name: Run Trivy vulnerability scanner in fs mode uses: aquasecurity/trivy-action@master with: - scan-type: 'fs' + scan-type: 'config' hide-progress: true format: 'sarif' output: 'trivy-results.sarif' ignore-unfixed: true severity: 'CRITICAL,HIGH' - scanners: 'vuln,secret,config' - name: Upload Trivy scan results to GitHub Security tab uses: github/codeql-action/upload-sarif@v3 From 1d8e3ec9daa2496da37ed6942d037582aead81b6 Mon Sep 17 00:00:00 2001 From: Chuck McAndrew <6248903+dcmcand@users.noreply.github.com> Date: Thu, 23 May 2024 12:44:33 -0500 Subject: [PATCH 16/16] Update .github/workflows/trivy.yml Co-authored-by: Vinicius D. Cerutti <51954708+viniciusdc@users.noreply.github.com> --- .github/workflows/trivy.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/trivy.yml b/.github/workflows/trivy.yml index 28e0551688..2a8bf120fa 100644 --- a/.github/workflows/trivy.yml +++ b/.github/workflows/trivy.yml @@ -7,7 +7,7 @@ name: Code Scanning on: push: - branches: [ "develop", "main-DEPRECATED", "release/*" ] + branches: [ "develop", "release/*" ] pull_request: # The branches below must be a subset of the branches above branches: [ "develop" ]
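Review bot: With `scan-type: 'config'` and the `scanners:` line removed, this job now checks only IaC/config misconfigurations — no dependency vulnerabilities and no secret detection — yet the step is still named `Run Trivy vulnerability scanner in fs mode` and the job-level comments still describe a vulnerability SARIF upload. Rename the step, e.g. `- name: Run Trivy misconfiguration scan`, and add a comment stating that vuln and secret scanning are deliberately out of scope, including why the `vuln,secret,config` attempt from patch 14 was reverted here (too noisy, too slow, or blocked on something else), so the next person does not repeat the same cycle. The step's `uses: aquasecurity/trivy-action@master` context line shows the unpinned ref raised at patch 02 survives to the end of the series.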