Merge pull request AOT-Technologies#2480 from sethu-aot/develop

Added Trivy Action File: Container and Repository Vulnerability Scanning
Bonymol-aot · Jan 6, 2025 · dbc9ed6 · dbc9ed6
2 parents 19eb3e1 + f6596b5
commit dbc9ed6
Showing 1 changed file with 74 additions and 0 deletions.
diff --git a/.github/workflows/trivy-scan.yml b/.github/workflows/trivy-scan.yml
@@ -0,0 +1,74 @@
+name: trivy-scanning
+
+on:
+  push:
+    branches:
+      - develop
+  workflow_dispatch:
+
+permissions: write-all
+
+jobs:
+  repo-scan:
+    name: Trivy Repo Scan
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+
+      - name: Run Trivy vulnerability scanner in repo mode
+        uses: aquasecurity/[email protected]
+        with:
+          scan-type: 'fs'
+          ignore-unfixed: true
+          format: 'sarif'
+          output: 'trivy-results.sarif'
+          severity: 'HIGH,CRITICAL'
+
+      - name: Upload Trivy scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: 'trivy-results.sarif'
+
+  image-scans:
+    name: Trivy Image Scans
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        service:
+          - { name: "forms-flow-bpm", tag: "latest" }
+          - { name: "forms-flow-forms", tag: "latest" }
+          - { name: "forms-flow-webapi", tag: "latest" }
+          - { name: "forms-flow-web", tag: "latest" }
+          - { name: "redash", tag: "24.04.0" }
+          - { name: "forms-flow-data-analysis-api", tag: "latest" }
+          - { name: "forms-flow-documents-api", tag: "latest" }
+    steps:
+      - name: Install Trivy
+        run: |
+          sudo apt-get update
+          sudo apt-get install -y wget apt-transport-https gnupg
+          wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key | sudo apt-key add -
+          echo deb https://aquasecurity.github.io/trivy-repo/deb $(lsb_release -cs) main | sudo tee -a /etc/apt/sources.list.d/trivy.list
+          sudo apt-get update
+          sudo apt-get install -y trivy
+
+      - name: Download Trivy HTML Template
+        run: wget https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/html.tpl -O html.tpl
+
+      - name: Run Trivy Vulnerability Scanner
+        run: |
+          trivy image \
+          --template @html.tpl \
+          --format template \
+          --vuln-type os,library \
+          --severity CRITICAL,HIGH,MEDIUM \
+          --scanners vuln,secret,misconfig,license \
+          --output trivy-${{ matrix.service.name }}-results.html \
+          docker.io/formsflow/${{ matrix.service.name }}:${{ matrix.service.tag }}
+
+      - name: Upload Trivy Image Scan Results
+        uses: actions/upload-artifact@v3
+        with:
+          name: trivy-${{ matrix.service.name }}-results
+          path: trivy-${{ matrix.service.name }}-results.html