Enable repository scanning and Dockerfile validation (#56)

simao-silva · Nov 6, 2023 · 339fe4f · 339fe4f
1 parent a418078
commit 339fe4f
Show file tree

Hide file tree

Showing 8 changed files with 112 additions and 3 deletions.
diff --git a/.github/workflows/docker-build-alpine.yml b/.github/workflows/docker-build-alpine.yml
@@ -50,7 +50,8 @@ jobs:
           exit-code: "1"
           ignore-unfixed: true
           vuln-type: "os,library"
-          severity: "HIGH,CRITICAL"
+          severity: "MEDIUM,HIGH,CRITICAL"
+          skip-files: "/usr/bin/geckodriver,/usr/local/bin/geckodriver"
 
       - name: Login to DockerHub
         uses: docker/[email protected]

diff --git a/.github/workflows/hadolint.yml b/.github/workflows/hadolint.yml
@@ -0,0 +1,42 @@
+name: Hadolint
+
+on:
+  push:
+    paths:
+      - Dockerfile
+      - Dockerfile.debian
+
+permissions:
+  contents: read
+
+jobs:
+  hadolint:
+    permissions:
+      contents: read # for actions/checkout to fetch code
+      security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
+      actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
+    strategy:
+      matrix:
+        file: [Dockerfile, Dockerfile.debian]
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/[email protected]
+
+      - name: Validate ${{ matrix.file }}
+        uses: hadolint/[email protected]
+        with:
+          dockerfile: ${{ matrix.file }}
+          no-fail: true
+          verbose: true
+          format: sarif
+          output-file: ${{ matrix.file }}.sarif
+
+      - name: Upload Hadolint results of ${{ matrix.file }}
+        uses: github/codeql-action/[email protected]
+        with:
+          # Path to SARIF file relative to the root of the repository
+          sarif_file: ${{ matrix.file }}.sarif
+          # Optional category for the results
+          # Used to differentiate multiple results for one commit
+          category: hadolint-${{ matrix.file }}-validation
diff --git a/.github/workflows/isort.yml b/.github/workflows/isort.yml
@@ -1,4 +1,4 @@
-name: Run isort
+name: Isort
 
 on:
   - push

diff --git a/.github/workflows/pr-alpine.yml b/.github/workflows/pr-alpine.yml
@@ -41,4 +41,16 @@ jobs:
           exit-code: "1"
           ignore-unfixed: true
           vuln-type: "os,library"
-          severity: "HIGH,CRITICAL"
+          severity: "MEDIUM,HIGH,CRITICAL"
+          skip-files: "/usr/bin/geckodriver,/usr/local/bin/geckodriver"
+
+      # On hold until https://github.com/aquasecurity/trivy-action/issues/228 is fixed
+      # - name: Upload Trivy scan results to GitHub Security
+      #   uses: github/codeql-action/upload-sarif@v2
+      #   if: always()
+      #   with:
+      #     # Path to SARIF file relative to the root of the repository
+      #     sarif_file: trivy-alpine-image-scan.sarif
+      #     # Optional category for the results
+      #     # Used to differentiate multiple results for one commit
+      #     category: alpine-image-scan
diff --git a/.github/workflows/pr-debian.yml b/.github/workflows/pr-debian.yml
@@ -44,3 +44,14 @@ jobs:
           ignore-unfixed: true
           vuln-type: "os,library"
           severity: "MEDIUM,CRITICAL,HIGH"
+
+      # On hold until https://github.com/aquasecurity/trivy-action/issues/228 is fixed
+      # - name: Upload Trivy scan results to GitHub Security
+      #   uses: github/codeql-action/upload-sarif@v2
+      #   if: always()
+      #   with:
+      #     # Path to SARIF file relative to the root of the repository
+      #     sarif_file: trivy-debian-image-scan.sarif
+      #     # Optional category for the results
+      #     # Used to differentiate multiple results for one commit
+      #     category: debian-image-scan
diff --git a/.github/workflows/trivy.yml b/.github/workflows/trivy.yml
@@ -0,0 +1,37 @@
+name: Trivy scanner
+
+on:
+  - push
+
+permissions:
+  contents: read
+
+jobs:
+  trivy:
+    permissions:
+      contents: read # for actions/checkout to fetch code
+      security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
+      actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/[email protected]
+
+      - name: Run Trivy scanner on repository
+        uses: aquasecurity/trivy-action@master
+        with:
+          scan-type: repo
+          ignore-unfixed: true
+          vuln-type: "os,library"
+          severity: "MEDIUM,HIGH,CRITICAL"
+          format: "sarif"
+          output: "trivy-repository-scan.sarif"
+
+      - name: Upload Trivy scan results to GitHub Security
+        uses: github/codeql-action/[email protected]
+        with:
+          # Path to SARIF file relative to the root of the repository
+          sarif_file: trivy-repository-scan.sarif
+          # Optional category for the results
+          # Used to differentiate multiple results for one commit
+          category: repository-scan
diff --git a/.gitignore b/.gitignore
@@ -114,3 +114,4 @@ deprecated/
 .idea
 debug
 test.sh
+*.sarif
diff --git a/Dockerfile b/Dockerfile
@@ -29,6 +29,11 @@ RUN apk add --no-cache firefox && \
     ln -s /usr/bin/geckodriver /usr/local/bin/geckodriver && \
     rm -rf /var/cache/apk/* /tmp/*
 
+# Fix vulnerabilities reported by Trivy
+ARG PIP_VERSION
+RUN apk upgrade --no-cache libcrypto3 libssl3 && \
+    /usr/local/bin/pip install --upgrade pip=="${PIP_VERSION}"
+
 # Enable custom virtual environment
 ENV VIRTUAL_ENV=/opt/venv
 ENV PATH="$VIRTUAL_ENV/bin:$PATH"
-Original file line number
+Diff line change
@@ Expand Up / @@ -114,3 +114,4 @@ deprecated/ @@
     .idea
     debug
     test.sh
+    *.sarif