From 3197e975143b3982d5ce214996e3595f6f12bab3 Mon Sep 17 00:00:00 2001
From: Pat
Date: Mon, 6 Dec 2021 08:33:07 +0000
Subject: [PATCH] Regular CVE scans using Trivy of the container. (#4393)

Use the Trivy action to scan the container images for each architecture and upload the results to the code-scanning security tab in Github. It will run weekly, on push to master and can also be triggered asynchronously. It will use the latest container images at the time it is run and pulls each architecture explicitly using a local tagged alias to then scan.

Signed-off-by: Patrick Stephens
---
 .github/workflows/cron-trivy.yaml | 87 +++++++++++++++++++++++++++++++
 1 file changed, 87 insertions(+)
 create mode 100644 .github/workflows/cron-trivy.yaml

diff --git a/.github/workflows/cron-trivy.yaml b/.github/workflows/cron-trivy.yaml
new file mode 100644
index 00000000000..27c8ca722c2
--- /dev/null
+++ b/.github/workflows/cron-trivy.yaml
@@ -0,0 +1,87 @@
+---
+# Separate action to allow us to initiate manually and run regularly
+name: Trivy security analysis of latest containers
+
+# Run on every push to master, or weekly.
+# Allow users to trigger an asynchronous run anytime too.
+on:
+ push:
+ branches: [master]
+ schedule:
+ # 13:44 on Thursday
+ - cron: 44 13 * * 4
+ workflow_dispatch:
+
+jobs:
+ # Run Trivy on the latest container and update the security code scanning results tab.
+ trivy-latest:
+ # Matrix job that pulls the latest image for each supported architecture via the multi-arch latest manifest.
+ # We then re-tag it locally to ensure that when Trivy runs it does not pull the latest for the wrong architecture.
+ name: ${{ matrix.arch }} container scan
+ runs-on: [ ubuntu-latest ]
+ continue-on-error: true
+ strategy:
+ fail-fast: false
+ # Matrix of architectures to test along with their local tags for special character substitution
+ matrix:
+ # The architecture for the container runtime to pull.
+ arch: [ linux/amd64, linux/arm64, linux/arm/v7 ]
+ # In a few cases we need the arch without slashes so provide a descriptive extra field for that.
+ # We could also extract or modify this via a regex but this seemed simpler and easier to follow.
+ include:
+ - arch: linux/amd64
+ local_tag: x86_64
+ - arch: linux/arm64
+ local_tag: arm64
+ - arch: linux/arm/v7
+ local_tag: arm32
+ steps:
+ - name: Log in to the Container registry
+ uses: docker/login-action@v1
+ with:
+ username: ${{ secrets.DOCKERHUB_USERNAME }}
+ password: ${{ secrets.DOCKERHUB_TOKEN }}
+
+ - name: Pull the image for the architecture we're testing
+ run: |
+ docker pull --platform ${{ matrix.arch }} fluent/fluent-bit:latest
+
+ - name: Tag locally to ensure we do not pull wrong architecture
+ run: |
+ docker tag fluent/fluent-bit:latest local/fluent-bit:${{ matrix.local_tag }}
+
+ # Deliberately chosen master here to keep up-to-date.
+ - name: Run Trivy vulnerability scanner for any major issues
+ uses: aquasecurity/trivy-action@master
+ with:
+ image-ref: local/fluent-bit:${{ matrix.local_tag }}
+ # Filter out any that have no current fix.
+ ignore-unfixed: true
+ # Only include major issues.
+ severity: CRITICAL,HIGH
+ format: template
+ template: '@/contrib/sarif.tpl'
+ output: trivy-results-${{ matrix.local_tag }}.sarif
+
+ # Show all detected issues.
+ # Note this will show a lot more, including major un-fixed ones.
+ - name: Run Trivy vulnerability scanner for local output
+ uses: aquasecurity/trivy-action@master
+ with:
+ image-ref: local/fluent-bit:${{ matrix.local_tag }}
+ format: table
+
+ - name: Upload Trivy scan results to GitHub Security tab
+ uses: github/codeql-action/upload-sarif@v1
+ with:
+ sarif_file: trivy-results-${{ matrix.local_tag }}.sarif
+ category: ${{ matrix.arch }} container
+ wait-for-processing: true
+
+ # In case we need to analyse the uploaded files for some reason.
+ - name: Detain results for debug if needed
+ uses: actions/upload-artifact@v2
+ with:
+ name: trivy-results-${{ matrix.local_tag }}.sarif
+ path: trivy-results-${{ matrix.local_tag }}.sarif
+ if-no-files-found: error
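Review bot: Both `uses: aquasecurity/trivy-action@master` lines resolve a mutable branch at run time, so whatever that branch contains on the day of the scan executes on a runner that has just authenticated to Docker Hub with `secrets.DOCKERHUB_TOKEN` via `docker/login-action` and that later writes to the repository's Security tab; the "Deliberately chosen master" comment records the intent but not this supply-chain exposure. Pin both steps to a full-length commit SHA and let Dependabot or Renovate bump it, e.g. `uses: aquasecurity/trivy-action@<full-commit-sha>  # <release tag>` (placeholders, to be taken from the action's releases), which keeps the scanner current without trusting the branch head. The workflow also declares no `permissions:` block, so `GITHUB_TOKEN` inherits the repository default; a top-level `permissions:` block with `contents: read` and `security-events: write` (the latter is what `upload-sarif` needs) limits the token to least privilege. Separately, job-level `continue-on-error: true` means a scan that never ran (a failed pull, for instance) still yields a green workflow run, which is presumably not the signal wanted from a scheduled security check and deserves either a comment or a failure notification.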