-
Notifications
You must be signed in to change notification settings - Fork 35
71 lines (57 loc) · 2.66 KB
/
check-cves.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
---
name: Check CVEs
on:
schedule:
# At 00:00
- cron: '0 0 * * *'
env:
GH_TOKEN: ${{ github.token }}
jobs:
check-images:
name: Check & Upload CVEs
runs-on: ubuntu-latest
steps:
- name: Check out the code
uses: actions/checkout@v4
- name: Setup jq
uses: dcarbone/[email protected]
with:
version: '1.7'
force: true
- name: Check CVEs
run: |
# login
docker login -u ${{ secrets.DOCKER_LOGIN }} -p ${{ secrets.DOCKER_PASSWORD }}
# install docker scout
curl -sSfL https://raw.githubusercontent.com/docker/scout-cli/main/install.sh | sh -s --
# collect CVEs from all images in apps folder
mkdir cves
grep -roh 'apps' -e "ghcr\.io\/networkservicemesh\/ci\/.*:.*" | while read -r image ; do
filename=$(echo $image | awk -F/ '{print $NF}' | awk -F: '{print $1F}')
docker scout cves $image --format sarif --output cves/$filename.json
# set the location of the CVE
echo $(jq --arg img "$image" '.runs.[].results.[].locations.[].physicalLocation.artifactLocation.uri = $img' \
cves/$filename.json) > cves/$filename.json
# clear all other locations (they are useless anyway)
echo $(jq '.runs[0].results.[].locations |= [.[0]]' cves/$filename.json) > cves/$filename.json
done
# collect all CVEs files
files=""
for file in cves/*; do
files="${files} $file"
done
jq '.runs[].results += [inputs.runs[].results.[]]' $files > temp.json
jq '.runs[].tool.driver.rules += [inputs.runs[].tool.driver.rules[]]' temp.json $files > merged.json
jq '.runs[].tool.driver.rules |= unique_by(.id)' merged.json > unique.json
jq '.runs[].results | group_by(.ruleId)' unique.json > group_by.json
jq 'map(.[0].message.text =
reduce .[] as $cve (""; . += $cve.locations[0].physicalLocation.artifactLocation.uri + "\n") +
.[0].message.text) | [.[][0]]' group_by.json > reduced.json
jq '.runs[].results = input' unique.json reduced.json > final.json
jq 'reduce .runs[].results[] as $cve ({}; .[$cve.ruleId] += 1) ' final.json > count.json
jq --arg sha ${GITHUB_SHA} '.runs[].results[].locations[].physicalLocation.artifactLocation.uri
= "github.com/networkservicemesh/deployments-k8s:" + $sha' final.json > results.json
- name: Upload CVEs
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: results.json