Vulnerability and Misconfiguration Scan #239
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# Copyright (c) 2022 Contributors to the Eclipse Foundation | |
# | |
# See the NOTICE file(s) distributed with this work for additional | |
# information regarding copyright ownership. | |
# | |
# This program and the accompanying materials are made available under the | |
# terms of the Eclipse Public License 2.0 which is available at | |
# http://www.eclipse.org/legal/epl-2.0 | |
# | |
# SPDX-License-Identifier: EPL-2.0 | |
# | |
# Scan repository and containers for security vulnerabilities, secrets and | |
# misconfigurations. | |
name: Vulnerability and Misconfiguration Scan | |
on: | |
schedule: | |
# run every night at 4:11 AM (UTC) | |
- cron: '11 4 * * *' | |
# enable running the workflow manually | |
workflow_dispatch: | |
jobs: | |
scan: | |
runs-on: ubuntu-latest | |
steps: | |
- name: Checkout code | |
uses: actions/checkout@v3 | |
- name: Set up Maven | |
uses: stCarolas/[email protected] | |
with: | |
maven-version: 3.8.8 | |
- name: Set up JDK | |
uses: actions/setup-java@v3 | |
with: | |
distribution: "temurin" | |
java-version: "17" | |
cache: "maven" | |
- name: Create Hono container images | |
run: | | |
mvn clean install -B -e -DCI=$CI -DskipTests -Pbuild-docker-image,metrics-prometheus | |
- name: Determine most recent Trivy version | |
run: | | |
echo "TRIVY_VERSION=$(wget -qO - 'https://api.github.com/repos/aquasecurity/trivy/releases/latest' | \ | |
grep '\"tag_name\":' | sed -E 's/.*\"v([^\"]+)\".*/\1/')" >> $GITHUB_ENV | |
- name: Install Trivy | |
run: | | |
wget --no-verbose https://github.com/aquasecurity/trivy/releases/download/v${{ env.TRIVY_VERSION }}/trivy_${{ env.TRIVY_VERSION }}_Linux-64bit.tar.gz -O - | tar -zxvf - | |
- name: Scan Docker images | |
run: | | |
mkdir -p scans/eclipse | |
for IMAGE in $(docker image ls --format "{{.Repository}}:{{.Tag}}" "eclipse/hono-*"); do | |
echo "Scanning image ${IMAGE} ..." | |
./trivy image "${IMAGE}" --timeout 15m0s --ignore-unfixed --severity HIGH,CRITICAL --output "scans/$IMAGE.sarif" --format sarif | |
done | |
- name: Upload Docker image scan results to GitHub Security tab | |
uses: github/codeql-action/upload-sarif@v2 | |
with: | |
sarif_file: 'scans/eclipse' | |
category: "Container Images" |