forked from wiremock/wiremock
-
Notifications
You must be signed in to change notification settings - Fork 33
80 lines (76 loc) · 2.73 KB
/
docker-image-scan.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
name: docker-image-scan
on:
workflow_dispatch:
jobs:
scan:
name: Build
runs-on: ubuntu-latest
outputs:
result: ${{ steps.trivy-result.outputs.result }}
version: ${{ steps.last_release.outputs.version }}
steps:
- name: Checkout code
uses: actions/checkout@v3
- name: Extract latest release
id: last_release
uses: pozetroninc/github-action-get-latest-release@master
with:
token: ${{ github.token }}
repository: ${{ github.repository }}
- name: Extract version
run: |
tag=${{ steps.last_release.outputs.release }}
version=${tag%-*}
echo "version=${version}" >> $GITHUB_OUTPUT
- id: trivy-db
name: Check trivy db sha
env:
GH_TOKEN: ${{ github.token }}
run: |
endpoint='/orgs/aquasecurity/packages/container/trivy-db/versions'
headers='Accept: application/vnd.github+json'
jqFilter='.[] | select(.metadata.container.tags[] | contains("latest")) | .name | sub("sha256:";"")'
sha=$(gh api -H "${headers}" "${endpoint}" | jq --raw-output "${jqFilter}")
echo "Trivy DB sha256:${sha}"
echo "sha=${sha}" >> $GITHUB_OUTPUT
- id: ignore-policies
name: Ignore some policies
run: |
cat > .trivyignore << EOL
# Ignore gosu issue. They say they are not affected. Issue will be removed as soon
# as wiremock image updates to a newer gosu version, which removed runc.
#CVE-2023-27561
EOL
- uses: actions/cache@v3
with:
path: .trivy
key: ${{ runner.os }}-trivy-db-${{ steps.trivy-db.outputs.sha }}
- name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@master
with:
image-ref: 'docker.io/holomekc/wiremock-gui'
format: 'json'
exit-code: '0'
output: result.json
ignore-unfixed: true
vuln-type: 'os,library'
severity: 'CRITICAL,HIGH'
hide-progress: true
cache-dir: .trivy
- name: Fix .trivy permissions
run: sudo chown -R $(stat . -c %u:%g) .trivy
- name: Check result
id: trivy-result
run: |
jq -e 'select((.Results[].Vulnerabilities | length) > 0)' result.json && code=$? || code=$?
echo "result=${code}" >> $GITHUB_OUTPUT
docker:
needs: [scan]
# Looks strange, but 0=Vulnerabilities found
if: ${{ needs.scan.outputs.result == 0 }}
uses: ./.github/workflows/docker-release.yml
with:
version: ${{ needs.scan.outputs.version == 0 }}
secrets:
dockerUsername: ${{ secrets.DOCKERHUB_USERNAME }}
dockerToken: ${{ secrets.DOCKERHUB_TOKEN }}