diff --git a/.github/workflows/cve-scan.yaml b/.github/workflows/cve-scan.yaml index ea1fe8df7..c65756004 100644 --- a/.github/workflows/cve-scan.yaml +++ b/.github/workflows/cve-scan.yaml @@ -1,5 +1,6 @@ name: Docker Image Scanners on: + workflow_dispatch: push: branches: - "master" @@ -8,32 +9,70 @@ on: pull_request: branches: - "master" - merge_group: + +permissions: + contents: read + security-events: write jobs: scanners: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@v3 + uses: actions/checkout@v4 - name: Setup Env id: vars shell: bash run: | - echo "SHA_SHORT=$(git rev-parse --short HEAD)" >> "${GITHUB_ENV}" + # Store values in local variables + SHA_SHORT=$(git rev-parse --short HEAD) + REPO_NAME=${{ github.event.repository.name }} + + # Append -sqlite to SHA_SHORT if repo is hydra + if [ "${REPO_NAME}" = "hydra" ]; then + echo "Repo is hydra, appending -sqlite to SHA_SHORT" + IMAGE_NAME="oryd/${REPO_NAME}:${SHA_SHORT}-sqlite" + else + echo "Repo is not hydra, using default IMAGE_NAME" + IMAGE_NAME="oryd/${REPO_NAME}:${SHA_SHORT}" + fi + + # Output values for debugging + echo "Values to be set:" + echo "SHA_SHORT: ${SHA_SHORT}" + echo "REPO_NAME: ${REPO_NAME}" + echo "IMAGE_NAME: ${IMAGE_NAME}" + + # Set GitHub Environment variables + echo "SHA_SHORT=${SHA_SHORT}" >> "${GITHUB_ENV}" + echo "IMAGE_NAME=${IMAGE_NAME}" >> "${GITHUB_ENV}" - name: Set up QEMU - uses: docker/setup-qemu-action@v2 + uses: docker/setup-qemu-action@v3 - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v2 + uses: docker/setup-buildx-action@v3 - name: Build images shell: bash run: | IMAGE_TAG="${{ env.SHA_SHORT }}" make docker + + - name: Login to GitHub Container Registry + uses: docker/login-action@v3 + with: + registry: ghcr.io + username: ${{ github.actor }} + password: ${{ secrets.GITHUB_TOKEN }} + + - name: Configure Trivy + run: | + mkdir -p $HOME/.cache/trivy + echo "TRIVY_USERNAME=${{ github.actor }}" >> $GITHUB_ENV + echo "TRIVY_PASSWORD=${{ secrets.GITHUB_TOKEN }}" >> $GITHUB_ENV + - name: Anchore Scanner - uses: anchore/scan-action@v3 + uses: anchore/scan-action@v5 id: grype-scan with: - image: oryd/keto:${{ env.SHA_SHORT }} + image: ${{ env.IMAGE_NAME }} fail-build: true severity-cutoff: high add-cpes-if-none: true @@ -46,34 +85,41 @@ jobs: echo "::endgroup::" - name: Anchore upload scan SARIF report if: always() - uses: github/codeql-action/upload-sarif@v2 + uses: github/codeql-action/upload-sarif@v3 with: sarif_file: ${{ steps.grype-scan.outputs.sarif }} - # - name: Kubescape scanner - # uses: kubescape/github-action@main - # id: kubescape - # with: - # image: oryd/keto:${{ env.SHA_SHORT }} - # verbose: true - # format: pretty-printer - # # can't whitelist CVE yet: https://github.com/kubescape/kubescape/pull/1568 - # severityThreshold: critical + - name: Kubescape scanner + uses: kubescape/github-action@main + id: kubescape + with: + image: ${{ env.IMAGE_NAME }} + verbose: true + format: pretty-printer + # can't whitelist CVE yet: https://github.com/kubescape/kubescape/pull/1568 + severityThreshold: critical - name: Trivy Scanner uses: aquasecurity/trivy-action@master if: ${{ always() }} with: - image-ref: oryd/keto:${{ env.SHA_SHORT }} + image-ref: ${{ env.IMAGE_NAME }} format: "table" exit-code: "42" ignore-unfixed: true vuln-type: "os,library" severity: "CRITICAL,HIGH" - scanners: "vuln,secret,config" + scanners: "vuln,secret,misconfig" + env: + TRIVY_SKIP_JAVA_DB_UPDATE: "true" + TRIVY_DISABLE_VEX_NOTICE: "true" + TRIVY_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-db,public.ecr.aws/aquasecurity/trivy-db + + + - name: Dockle Linter - uses: erzz/dockle-action@v1.3.2 + uses: erzz/dockle-action@v1 if: ${{ always() }} with: - image: oryd/keto:${{ env.SHA_SHORT }} + image: ${{ env.IMAGE_NAME }} exit-code: 42 failure-threshold: high - name: Hadolint @@ -90,5 +136,5 @@ jobs: shell: bash run: | echo "::group::Hadolint Scan Details" - echo "${HADOLINT_RESULTS}" | jq '.' + echo "${HADOLINT_RESULTS}" | jq '.' echo "::endgroup::"