Merge pull request #1 from k-s-dean/feat/trivy-image-scanning

Trivy scanning
k-s-dean · Mar 2, 2023 · f323753 · f323753
2 parents b482ffb + 75c2a7d
commit f323753
Showing 1 changed file with 36 additions and 0 deletions.
diff --git a/.github/workflows/stackhpc-container-image-build.yml b/.github/workflows/stackhpc-container-image-build.yml
@@ -18,6 +18,11 @@ on:
         type: boolean
         required: false
         default: false
+      scan_images:
+        description: Scan images?
+        type: boolean
+        required: false
+        default: false
       distro:
         description: Container image OS distribution
         type: choice
@@ -52,6 +57,10 @@ jobs:
         run: |
           sudo dnf -y install python3-virtualenv
 
+      - name: Install Trivy
+        run: |
+          curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin v0.18.3
+
       - name: Setup networking
         run: |
           if ! ip l show breth1 >/dev/null 2>&1; then
@@ -117,6 +126,33 @@ jobs:
           sudo docker image ls --filter "reference=ark.stackhpc.com/stackhpc-dev/*:$(cat ~/kolla_tag)" > overcloud-container-images
         if: github.event.inputs.overcloud == 'true'
 
+      - name: Generate the images to scan
+        run: |
+          sudo docker image ls --filter "reference=ark.stackhpc.com/stackhpc-dev/*:$(cat ~/kolla_tag)" --format "{{.Repository}}:{{.Tag}}" > images-to-scan.txt
+        if: ${{ (github.event.inputs.overcloud == 'true') && (github.event.inputs.scan == 'true') }}
+
+      - name: Scan built overcloud container images
+        run: |
+          cat /home/images-to-scan.txt | while read i; do
+          echo $i
+          trivy image --format sarif --severity HIGH,CRITICAL $i >> trivy-results.sarif
+          done
+        if: ${{ (github.event.inputs.overcloud == 'true') && (github.event.inputs.scan == 'true') }}
+
+      - name: Upload Trivy scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@v2
+        with:
+          sarif_file: 'trivy-results.sarif'
+        if: ${{ (github.event.inputs.overcloud == 'true') && (github.event.inputs.scan == 'true') }}
+
+      # - name: Upload scan output artefact
+      #   uses: actions/upload-artifact@v3
+      #   with:
+      #     name: Trivy Scan txt
+      #     path: scan.txt
+      #     retention-days: 7
+      #   if: ${{ (github.event.inputs.overcloud == 'true') && (github.event.inputs.scan == 'true') }}
+
       - name: Upload overcloud-container-images artifact
         uses: actions/upload-artifact@v3
         with: