From e401cabadee7cbfa279be9548370f6159fb97579 Mon Sep 17 00:00:00 2001
From: holomekc <30546982+holomekc@users.noreply.github.com>
Date: Mon, 1 Apr 2024 06:09:17 +0200
Subject: [PATCH] docker-image-scan.yml aktualisieren

---
 .github/workflows/docker-image-scan.yml | 57 +++++++++++++++++++++++--
 1 file changed, 53 insertions(+), 4 deletions(-)

diff --git a/.github/workflows/docker-image-scan.yml b/.github/workflows/docker-image-scan.yml
index e2323a9ef6..910cee3c74 100644
--- a/.github/workflows/docker-image-scan.yml
+++ b/.github/workflows/docker-image-scan.yml
@@ -10,6 +10,7 @@ jobs:
 runs-on: ubuntu-latest
 outputs:
 result: ${{ steps.trivy-result.outputs.result }}
+ result-alpine: ${{ steps.trivy-result-alpine.outputs.result }}
 version: ${{ steps.extract-version.outputs.version }}
 steps:
 - name: Checkout code
@@ -59,7 +60,7 @@ jobs:
 - name: Run Trivy json result
 uses: aquasecurity/trivy-action@0.19.0
 with:
- image-ref: 'docker.io/holomekc/wiremock-gui'
+ image-ref: 'docker.io/holomekc/wiremock-gui:${{ needs.scan.outputs.version }}'
 format: 'json'
 exit-code: '0'
 output: trivy-result.json
@@ -71,7 +72,7 @@ jobs:
 - name: Run Trivy sarif result
 uses: aquasecurity/trivy-action@0.19.0
 with:
- image-ref: 'docker.io/holomekc/wiremock-gui'
+ image-ref: 'docker.io/holomekc/wiremock-gui:${{ needs.scan.outputs.version }}'
 format: 'sarif'
 exit-code: '0'
 output: trivy-result.sarif
@@ -84,7 +85,7 @@ jobs:
 - name: Run Trivy sbom result
 uses: aquasecurity/trivy-action@0.19.0
 with:
- image-ref: 'docker.io/holomekc/wiremock-gui'
+ image-ref: 'docker.io/holomekc/wiremock-gui:${{ needs.scan.outputs.version }}'
 format: 'github'
 exit-code: '0'
 output: dependency-results.sbom.json
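Review bot: `needs.scan.outputs.version` in the new `image-ref` of the `-59,7` hunk (and the identical line in the `-71,7` and `-84,7` hunks) appears to be evaluated inside the `scan` job itself: the `outputs:` block edited in the first hunk maps `result`/`result-alpine` to the `trivy-result`/`trivy-result-alpine` step ids that the `Check result` steps further down this file define, and those steps read the files the Trivy steps write, which suggests all of them are one job. A job cannot `needs` itself, so the expression would likely expand to an empty string and the scanned reference would become `docker.io/holomekc/wiremock-gui:` (`:-alpine` for the new steps), which is not a valid reference and would fail the pull instead of scanning the released version. If that is the layout, the value the job already computes is the right one: `image-ref: 'docker.io/holomekc/wiremock-gui:${{ steps.extract-version.outputs.version }}'`. If the Trivy steps do live in a separate job that needs `scan`, disregard this, but then the `result-alpine` output added in the first hunk points at a step id from another job.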
@@ -94,6 +95,44 @@ jobs:
 hide-progress: true
 cache-dir: .trivy
 github-pat: ${{ secrets.GITHUB_TOKEN }}
+ - name: Run Trivy json result
+ uses: aquasecurity/trivy-action@0.19.0
+ with:
+ image-ref: 'docker.io/holomekc/wiremock-gui:${{ needs.scan.outputs.version }}-alpine'
+ format: 'json'
+ exit-code: '0'
+ output: trivy-result-alpine.json
+ ignore-unfixed: true
+ vuln-type: 'os,library'
+ severity: 'CRITICAL,HIGH'
+ hide-progress: true
+ cache-dir: .trivy
+ - name: Run Trivy sarif result
+ uses: aquasecurity/trivy-action@0.19.0
+ with:
+ image-ref: 'docker.io/holomekc/wiremock-gui:${{ needs.scan.outputs.version }}-alpine'
+ format: 'sarif'
+ exit-code: '0'
+ output: trivy-result-alpine.sarif
+ ignore-unfixed: true
+ vuln-type: 'os,library'
+ severity: 'CRITICAL,HIGH'
+ limit-severities-for-sarif: true
+ hide-progress: true
+ cache-dir: .trivy
+ - name: Run Trivy sbom result
+ uses: aquasecurity/trivy-action@0.19.0
+ with:
+ image-ref: 'docker.io/holomekc/wiremock-gui:${{ needs.scan.outputs.version }}-alpine'
+ format: 'github'
+ exit-code: '0'
+ output: dependency-results-alpine.sbom.json
+ ignore-unfixed: true
+ vuln-type: 'os,library'
+ severity: 'CRITICAL,HIGH'
+ hide-progress: true
+ cache-dir: .trivy
+ github-pat: ${{ secrets.GITHUB_TOKEN }}
 - name: Fix .trivy permissions
 run: sudo chown -R $(stat . -c %u:%g) .trivy
@@ -107,6 +146,16 @@ jobs:
 echo "result=${code}" >> $GITHUB_OUTPUT
 cat trivy-result.sarif
+ - name: Check result
+ id: trivy-result-alpine
+ shell: bash
+ run: |
+ #!/bin/bash
+ cat trivy-result-alpine.json
+ jq -e 'select((.Results[].Vulnerabilities | length) > 0)' trivy-result-alpine.json && code=$? || code=$?
+ echo "result=${code}" >> $GITHUB_OUTPUT
+ cat trivy-result-alpine.sarif
+
 - name: Upload Trivy scan results to GitHub Security tab
 uses: github/codeql-action/upload-sarif@v3
 with:
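Review bot: The three new steps in the `-94,6` hunk reuse the names `Run Trivy json result`, `Run Trivy sarif result` and `Run Trivy sbom result` of the steps directly above them, so the run log shows two identically named steps per format and a failing alpine scan cannot be told apart from the default one without opening the step; name them for the variant, e.g. `- name: Run Trivy json result (alpine)`. They are otherwise line-for-line copies of the existing steps with only `image-ref` and `output` changed, so the shared `severity`, `vuln-type` and `ignore-unfixed` settings now exist in six places and will drift the next time a scan setting is adjusted; keeping them in one place (a job-level matrix over the tag suffix would be one option, though the job's `outputs:` mapping would need adapting) is worth considering.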
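Review bot: The new `Check result` step in the `-107,6` hunk records whatever exit status `jq` returns as the `result` output, so a `jq` runtime error (for example an iteration over a missing `.Results`, which jq reports with a non-zero code distinct from 0 and 4) is written out as a value that the downstream `if:` treats exactly like "no vulnerabilities found", and a broken scan quietly stops triggering rebuilds without failing the workflow; the existing `trivy-result` step, whose tail is the context at the top of this hunk, has the same behaviour. Only 0 (a result with findings) and 4 (`select` produced no output) are expected from `jq -e` here, so failing on anything else keeps the output meaningful: `[ "$code" -eq 0 ] || [ "$code" -eq 4 ] || exit "$code"` after the `jq` line. The `#!/bin/bash` line inside the `run:` block is inert given `shell: bash` and reads as a comment; it can be dropped. The Trivy JSON shape is inferred from the filter, not visible here.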
@@ -115,7 +164,7 @@ jobs:
 docker:
 needs: [scan]
 # Looks strange, but 0=Vulnerabilities found
- if: ${{ needs.scan.outputs.result == 0 }}
+ if: ${{ needs.scan.outputs.result == 0 || needs.scan.outputs.result-alpine == 0 }}
 uses: ./.github/workflows/docker-release.yml
 with:
 version: ${{ needs.scan.outputs.version }}
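Review bot: `needs.scan.outputs.result-alpine == 0` is also true when the output is empty, because GitHub expressions coerce both sides to numbers when the types differ and an empty string becomes 0; if the `trivy-result-alpine` step never writes its output (the mapping in the first hunk points at a step id that does not run in that job, or the `echo "result=..."` line is not reached), this condition fires and `docker-release.yml` runs without any finding. Comparing against the string closes that gap: `if: ${{ needs.scan.outputs.result == '0' || needs.scan.outputs.result-alpine == '0' }}` (job outputs are always strings, so the existing comparison only changes meaning for the empty case). The comment above should also reflect that either image now triggers the rebuild, e.g. `# Looks strange, but 0=Vulnerabilities found in either image`.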