From 44a4f40e075ebbddc2678258ec3f4a99bdca2dce Mon Sep 17 00:00:00 2001 From: Gabriel Omar Cotelli Date: Thu, 18 Apr 2024 17:59:31 -0300 Subject: [PATCH 1/5] Add vulnerability scanning --- .github/workflows/scheduled-security-scan.yml | 27 +++++++++++++ .github/workflows/security-scan.yml | 39 +++++++++++++++++++ source/Dockerfile | 1 + 3 files changed, 67 insertions(+) create mode 100644 .github/workflows/scheduled-security-scan.yml create mode 100644 .github/workflows/security-scan.yml diff --git a/.github/workflows/scheduled-security-scan.yml b/.github/workflows/scheduled-security-scan.yml new file mode 100644 index 0000000..260bc03 --- /dev/null +++ b/.github/workflows/scheduled-security-scan.yml @@ -0,0 +1,27 @@ +name: Scheduled vulnerability scanning +on: + schedule: + - cron: '35 6 * * 2' + workflow_dispatch: +jobs: + vulnerability-scan: + permissions: + contents: read + security-events: write + name: Scheduled scan for vulnerabilities + runs-on: ubuntu-latest + steps: + - name: Run Trivy vulnerability scanner + uses: aquasecurity/trivy-action@master + with: + image-ref: ghcr.io/${{ github.repository_owner }}/gs64:latest + format: 'sarif' + output: 'trivy-results.sarif' + severity: 'CRITICAL,HIGH' + limit-severities-for-sarif: true + ignore-unfixed: true + + - name: Upload Trivy scan results to GitHub Security tab + uses: github/codeql-action/upload-sarif@v3 + with: + sarif_file: 'trivy-results.sarif' diff --git a/.github/workflows/security-scan.yml b/.github/workflows/security-scan.yml new file mode 100644 index 0000000..746f678 --- /dev/null +++ b/.github/workflows/security-scan.yml @@ -0,0 +1,39 @@ +name: Vulnerability scan +on: + push: + branches: + - release-candidate + pull_request: + # The branches below must be a subset of the branches above + branches: + - release-candidate + workflow_dispatch: +jobs: + vulnerability-scan: + permissions: + contents: read + security-events: write + name: Scan for vulnerabilities + runs-on: ubuntu-latest + steps: + - name: Checkout code + uses: actions/checkout@v4 + + - name: Build an image from Dockerfile + run: | + docker build -t ghcr.io/${{ github.repository_owner }}/gs64:${{ github.sha }} ./source/ + + - name: Run Trivy vulnerability scanner + uses: aquasecurity/trivy-action@master + with: + image-ref: ghcr.io/${{ github.repository_owner }}/gs64:${{ github.sha }} + format: 'sarif' + output: 'trivy-results.sarif' + severity: 'CRITICAL,HIGH' + limit-severities-for-sarif: true + ignore-unfixed: true + + - name: Upload Trivy scan results to GitHub Security tab + uses: github/codeql-action/upload-sarif@v3 + with: + sarif_file: 'trivy-results.sarif' diff --git a/source/Dockerfile b/source/Dockerfile index d79680e..9b76e81 100644 --- a/source/Dockerfile +++ b/source/Dockerfile @@ -15,6 +15,7 @@ ENV GS_UID=1001 ENV GS_GID=100 RUN apt-get update \ + && apt-get upgrade -y; \ && apt-get install --assume-yes --no-install-recommends \ ca-certificates \ gosu \ From 2a755bed2402cfeaa20496b522295a0f157b9184 Mon Sep 17 00:00:00 2001 From: Gabriel Omar Cotelli Date: Thu, 18 Apr 2024 18:00:45 -0300 Subject: [PATCH 2/5] Fix typo in dockerfile --- source/Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/source/Dockerfile b/source/Dockerfile index 9b76e81..669f3c5 100644 --- a/source/Dockerfile +++ b/source/Dockerfile @@ -15,7 +15,7 @@ ENV GS_UID=1001 ENV GS_GID=100 RUN apt-get update \ - && apt-get upgrade -y; \ + && apt-get upgrade -y \ && apt-get install --assume-yes --no-install-recommends \ ca-certificates \ gosu \ From 2c6a6bfc181c4d98ef1228e2889e986705934679 Mon Sep 17 00:00:00 2001 From: Gabriel Omar Cotelli Date: Thu, 18 Apr 2024 18:06:07 -0300 Subject: [PATCH 3/5] Include vulnerability scan in the docker build step --- .github/workflows/docker-build.yml | 19 ++++++++++++++ .github/workflows/security-scan.yml | 39 ----------------------------- 2 files changed, 19 insertions(+), 39 deletions(-) delete mode 100644 .github/workflows/security-scan.yml diff --git a/.github/workflows/docker-build.yml b/.github/workflows/docker-build.yml index 579b5ef..cdabe6c 100644 --- a/.github/workflows/docker-build.yml +++ b/.github/workflows/docker-build.yml @@ -12,6 +12,9 @@ on: jobs: build_and_publish: name: Build and Publish Docker images + permissions: + contents: read + security-events: write runs-on: ubuntu-latest strategy: matrix: @@ -108,3 +111,19 @@ jobs: tags: ${{ steps.docker_meta_runtime_gem.outputs.tags }} labels: ${{ steps.docker_meta_runtime_gem.outputs.labels }} secrets: GIT_AUTH_TOKEN=${{ secrets.DOCKER_REGISTRY_TOKEN }} + + # Scan for vulnerabilities + - name: Run Trivy vulnerability scanner + uses: aquasecurity/trivy-action@master + with: + image-ref: ghcr.io/${{ github.repository_owner }}/gs64:${{ github.sha }} + format: 'sarif' + output: 'trivy-results.sarif' + severity: 'CRITICAL,HIGH' + limit-severities-for-sarif: true + ignore-unfixed: true + + - name: Upload Trivy scan results to GitHub Security tab + uses: github/codeql-action/upload-sarif@v3 + with: + sarif_file: 'trivy-results.sarif' \ No newline at end of file diff --git a/.github/workflows/security-scan.yml b/.github/workflows/security-scan.yml deleted file mode 100644 index 746f678..0000000 --- a/.github/workflows/security-scan.yml +++ /dev/null @@ -1,39 +0,0 @@ -name: Vulnerability scan -on: - push: - branches: - - release-candidate - pull_request: - # The branches below must be a subset of the branches above - branches: - - release-candidate - workflow_dispatch: -jobs: - vulnerability-scan: - permissions: - contents: read - security-events: write - name: Scan for vulnerabilities - runs-on: ubuntu-latest - steps: - - name: Checkout code - uses: actions/checkout@v4 - - - name: Build an image from Dockerfile - run: | - docker build -t ghcr.io/${{ github.repository_owner }}/gs64:${{ github.sha }} ./source/ - - - name: Run Trivy vulnerability scanner - uses: aquasecurity/trivy-action@master - with: - image-ref: ghcr.io/${{ github.repository_owner }}/gs64:${{ github.sha }} - format: 'sarif' - output: 'trivy-results.sarif' - severity: 'CRITICAL,HIGH' - limit-severities-for-sarif: true - ignore-unfixed: true - - - name: Upload Trivy scan results to GitHub Security tab - uses: github/codeql-action/upload-sarif@v3 - with: - sarif_file: 'trivy-results.sarif' From 563f0688e67489b2a525cfe8c7c6f59133cd5f5c Mon Sep 17 00:00:00 2001 From: Gabriel Omar Cotelli Date: Thu, 18 Apr 2024 18:19:36 -0300 Subject: [PATCH 4/5] Fix vuln scan --- .github/workflows/docker-build.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/.github/workflows/docker-build.yml b/.github/workflows/docker-build.yml index cdabe6c..f012604 100644 --- a/.github/workflows/docker-build.yml +++ b/.github/workflows/docker-build.yml @@ -115,8 +115,9 @@ jobs: # Scan for vulnerabilities - name: Run Trivy vulnerability scanner uses: aquasecurity/trivy-action@master + if: ${{ github.event_name != 'pull_request' }} with: - image-ref: ghcr.io/${{ github.repository_owner }}/gs64:${{ github.sha }} + image-ref: ghcr.io/${{ github.repository_owner }}/gs64:${{ github.ref_name }} format: 'sarif' output: 'trivy-results.sarif' severity: 'CRITICAL,HIGH' @@ -125,5 +126,6 @@ jobs: - name: Upload Trivy scan results to GitHub Security tab uses: github/codeql-action/upload-sarif@v3 + if: ${{ github.event_name != 'pull_request' }} with: sarif_file: 'trivy-results.sarif' \ No newline at end of file From 54de1d604c6f5224248952755d520dfe5c40aab0 Mon Sep 17 00:00:00 2001 From: Gabriel Omar Cotelli Date: Thu, 18 Apr 2024 18:24:48 -0300 Subject: [PATCH 5/5] Add missing EOL --- .github/workflows/docker-build.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/docker-build.yml b/.github/workflows/docker-build.yml index f012604..8fcdbbc 100644 --- a/.github/workflows/docker-build.yml +++ b/.github/workflows/docker-build.yml @@ -128,4 +128,4 @@ jobs: uses: github/codeql-action/upload-sarif@v3 if: ${{ github.event_name != 'pull_request' }} with: - sarif_file: 'trivy-results.sarif' \ No newline at end of file + sarif_file: 'trivy-results.sarif'