Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Added trivy scan on production image #33

Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

Added trivy scan on production image #33

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
76 changes: 76 additions & 0 deletions .github/workflows/security_trivy_prod_image_scan.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,76 @@
name: Security trivy dependency check

on:
workflow_call:
inputs:
channel_id:
description: 'The slack channel ID to send a message on failure. If this is not provided then no message is sent.'
required: false
default: 'NO_SLACK'
type: string
subproject:
description: 'For gradle multi module projects, leave blank for single module projects'
required: false
default: ''
type: string
secrets:
HMPPS_SRE_SLACK_BOT_TOKEN:
description: 'Slack bot token'
required: false

permissions:
contents: read

jobs:
get_production_image_details:
name: Get production image details from Service Catalogue
runs-on: [self-hosted, hmpps-github-actions-runner]
steps:
- name: Get Json data from curl
id: json_data
run:
OUTPUT=$(curl -X GET \
-g "https://service-catalogue-dev.hmpps.service.justice.gov.uk/v1/components?populate=environment&filters[name][$contains]=hmpps-developer-portal")
echo "::set-output name=receipt_handle::$OUTPUT"
- name: Print output
run:
echo "id= ${{ steps.request.outputs.id }}"
echo "name= ${{ steps.request.outputs.name }}""



# security-trivy-check:
# name: Security trivy dependency check
# runs-on: ubuntu-latest
# permissions:
# security-events: write
# steps:
# - uses: actions/checkout@v4
# - name: Trivy Image Vulnerability Scanner
# id: trivy-analyse
# uses: aquasecurity/trivy-action@b5f4977b78f81fa3d48865ff0efcc6e279210235 # v0.50.2
# with:
# image-ref: "quay.io/hmpps/${{ inputs.subproject == '' && github.event.repository.name || inputs.subproject}}:latest"
# severity: 'HIGH,CRITICAL'
# ignore-unfixed: true
# skip-files: /app/agent.jar
# format: 'sarif'
# output: 'trivy-results.sarif'
# exit-code: 1
# limit-severities-for-sarif: true
# continue-on-error: true
# - name: Trivy upload sarif
# id: trivy-upload
# uses: github/codeql-action/upload-sarif@v3
# with:
# sarif_file: 'trivy-results.sarif'
# category: trivy-dependency-check
# - name: Trivy slack notification
# uses: ministryofjustice/hmpps-github-actions/.github/actions/slack_codescan_notification@v1 # WORKFLOW_VERSION
# if: (failure() || steps.trivy-analyse.outcome == 'failure') && inputs.channel_id != 'NO_SLACK'
# with:
# title: "Trivy"
# warningOnly: ${{ steps.trivy-upload.outcome == 'success' }}
# channel_id: ${{ inputs.channel_id}}
# SLACK_BOT_TOKEN: ${{ secrets.HMPPS_SRE_SLACK_BOT_TOKEN }}
# subproject: ${{ inputs.subproject }}