Trivy Security Scan on repository #41
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Trivy Security Scan on repository | |
on: | |
push: | |
branches: | |
- main | |
pull_request: | |
schedule: | |
- cron: '0 3 * * 1,3' # CodeQL Scan every Monday and Wednesday at 3 AM UTC | |
# Below is for manual scanning | |
workflow_dispatch: | |
env: | |
FULL_SUMMARY: "" | |
PATCH_SUMMARY: "" | |
jobs: | |
build: | |
name: Build | |
runs-on: ubuntu-20.04 | |
steps: | |
- name: Cancel previous workflow runs | |
uses: styfle/[email protected] | |
with: | |
access_token: ${{ github.token }} | |
- name: Checkout code | |
uses: actions/checkout@v3 | |
- name: Run Trivy vulnerability scanner in repo mode - SARIF | |
uses: aquasecurity/trivy-action@master | |
with: | |
scan-type: 'fs' | |
ignore-unfixed: true | |
format: 'sarif' | |
output: 'trivy-repo-results.sarif' | |
- name: Upload Trivy scan results to GitHub Security tab | |
uses: github/codeql-action/upload-sarif@v2 | |
with: | |
sarif_file: 'trivy-repo-results.sarif' | |
- name: Run Trivy vulnerability scanner in repo mode - JSON (Full) | |
uses: aquasecurity/trivy-action@master | |
with: | |
scan-type: 'fs' | |
format: 'json' | |
output: 'trivy-repo-full-results.json' | |
- name: Create summary of trivy issues on Repository Full scan | |
run: | | |
summary=$(jq -r '.Results[] | select(.Vulnerabilities) | .Vulnerabilities | group_by(.Severity) | map({Severity: .[0].Severity, Count: length}) | .[] | [.Severity, .Count] | join(": ")' trivy-repo-full-results.json | awk 'NR > 1 { printf(" | ") } {printf "%s",$0}') | |
if [ -z $summary ] | |
then | |
summary="No vulnerabilities found" | |
fi | |
echo "FULL_SUMMARY=$summary" >> $GITHUB_ENV | |
- name: Run Trivy vulnerability scanner in repo mode - JSON (with Patches) | |
uses: aquasecurity/trivy-action@master | |
with: | |
scan-type: 'fs' | |
ignore-unfixed: true | |
format: 'json' | |
output: 'trivy-repo-fixable-results.json' | |
- name: Create summary of trivy issues on Repository scan | |
run: | | |
summary=$(jq -r '.Results[] | select(.Vulnerabilities) | .Vulnerabilities | group_by(.Severity) | map({Severity: .[0].Severity, Count: length}) | .[] | [.Severity, .Count] | join(": ")' trivy-repo-fixable-results.json | awk 'NR > 1 { printf(" | ") } {printf "%s",$0}') | |
if [ -z $summary ] | |
then | |
summary="No issues or vulnerability fixes available" | |
fi | |
echo "PATCH_SUMMARY=$summary" >> $GITHUB_ENV | |
- name: Generate trivy HTML report on Repository for download | |
uses: aquasecurity/trivy-action@master | |
with: | |
scan-type: 'fs' | |
format: 'template' | |
template: '@/contrib/html.tpl' | |
output: 'trivy-repo-report.html' | |
- name: Upload Trivy results as an artifact | |
uses: actions/upload-artifact@v3 | |
with: | |
name: "trivy-repo-report.html" | |
path: './trivy-repo-report.html' | |
retention-days: 30 | |
- name: Send Slack Notification | |
uses: slackapi/[email protected] | |
with: | |
payload: | | |
{ | |
"text": "Trivy scan results for ${{ github.repository }} repository", | |
"blocks": [ | |
{ | |
"type": "section", | |
"text": { | |
"type": "mrkdwn", | |
"text": "TRIVY REPO SCAN RESULTS FOR ${{ github.repository }} REPOSITORY" | |
} | |
}, | |
{ | |
"type": "section", | |
"text": { | |
"type": "mrkdwn", | |
"text": " Total Vulnerabilities: ${{ env.FULL_SUMMARY }}" | |
} | |
}, | |
{ | |
"type": "section", | |
"text": { | |
"type": "mrkdwn", | |
"text": " Vulnerabilities with fixes: ${{ env.PATCH_SUMMARY }}" | |
} | |
}, | |
{ | |
"type": "section", | |
"text": { | |
"type": "mrkdwn", | |
"text": " View HTML result artifact: https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}. Artifact is only valid for 30 days." | |
} | |
} | |
] | |
} | |
env: | |
SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }} | |
SLACK_WEBHOOK_TYPE: INCOMING_WEBHOOK |