-
Notifications
You must be signed in to change notification settings - Fork 1
/
action.yml
231 lines (211 loc) · 9.35 KB
/
action.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
name: 'Vulnerability scan'
description: 'Perform vulnerability scan and report using trivy'
branding:
icon: search
color: blue
inputs:
image-ref:
description: Image to scan (if not specified an fs scan is done)
required: false
default: ''
scan-ref:
description: Existing SBOM to use, if set image-ref is ignored
required: false
default: ''
junit-test-output:
description: Location to write JUnit test report to
required: false
default: ''
create-test-report:
description: If a JUnit test report should be created by the action (otherwise it is assumed to report is handled outside of the action)
required: false
default: 'false' # Note: Action inputs are always of type string
fail-for:
description: Issue types for fail for if they are present (added to JUnit report)
default: CRITICAL
report-retention-days:
description: Number of days to retain the HTML report
default: 30
report-tag:
description: Custom tag for report file, discern multiple reports created in the same run. By the default the job ID is used
default: ''
check-image-user:
description: If the user of the Docker image should be checked to be non-root
default: 'true' # Note: Action inputs are always of type string
create-summary:
description: If a summary should be created
default: 'true'
runs:
using: "composite"
steps:
- name: Determine valid report slug and file name
shell: bash
run: |
# Use report tag or job ID
INPUT_STRING="${{ inputs.report-tag != '' && inputs.report-tag || github.job }}"
# Replace invalid characters with underscores
VALID_SLUG=$(echo "$INPUT_STRING" | sed 's/[^A-Za-z0-9_.-]/_/g')
# Set the processed value as an environment variable
echo "REPORT_SLUG=$VALID_SLUG" >> $GITHUB_ENV
echo "REPORT_FILENAME=${VALID_SLUG}-trivy.html" >> $GITHUB_ENV
- name: Install CycloneDX CLI # https://github.com/CycloneDX/cyclonedx-cli
uses: jaxxstorm/action-install-gh-release@cd6b2b78ad38bdd294341cda064ec0692b06215b # v1.14.0
with:
repo: CycloneDX/cyclonedx-cli
tag: v0.27.1 # optional, otherwise use latest
# extension-matching: disable # disable extension matching because artifacts are binaries
# work around action picking wrong artifact (with `musl`) - open issue on specifying artifact manually see https://github.com/jaxxstorm/action-install-gh-release/issues/84
extension: -linux-x64
platform: cyclone
arch: dx
rename-to: cyclonedx-cli
chmod: 0755
cache: enable # only works if using specific tag
- name: Verify CycloneDX CLI install
shell: bash
run: cyclonedx-cli --version
#
# Check Docker image user
#
- name: Check Docker image user
uses: wetransform/gha-docker-nonroot@0809574ec961694bfc203d12ec9c4c94bd2d46e8 # v1.0.3
if: "${{ inputs.check-image-user == 'true' && inputs.image-ref != '' && (inputs.junit-test-output != '' || inputs.create-test-report) }}"
with:
image-ref: ${{ inputs.image-ref }}
fail-for-root: false # rather use JUnit report
# XXX disable check until we clarified how to deal with root users in images
create-junit-output: false
junit-test-output: "${{ inputs.junit-test-output != '' && inputs.junit-test-output || 'trivy.xml' }}-user-check.xml"
#
# Scan for security vulnerabilities
#
- name: Restore trivy cache
id: cache-trivy-restore
uses: actions/cache/restore@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
with:
path: .trivy
key: ${{ runner.os }}-trivy-${{ github.job }}-${{ github.run_id }}
restore-keys: |
${{ runner.os }}-trivy-
# https://github.com/aquasecurity/trivy-action
# Approach based on https://github.com/aquasecurity/trivy-action/issues/173#issuecomment-1497774518
- name: Create SBOM
if: "${{ inputs.scan-ref == '' }}"
uses: aquasecurity/trivy-action@18f2510ee396bbf400402947b394f2dd8c87dbb0 # 0.29.0
with:
image-ref: '${{ inputs.image-ref }}'
scan-type: "${{ inputs.image-ref != '' && 'image' || 'fs' }}"
format: 'cyclonedx' # spdx-json
output: "${{ env.REPORT_SLUG }}-sbom.json"
cache-dir: .trivy
cache: 'false' # use our own cache handling
- name: Use existing SBOM
if: "${{ inputs.scan-ref != '' }}"
shell: bash
run: |
cp ${{ inputs.scan-ref }} ${{ env.REPORT_SLUG }}-sbom.json
- name: Create CSV representation
if: "${{ inputs.scan-ref == '' }}"
shell: bash
run: |
cyclonedx-cli convert --input-file ${{ env.REPORT_SLUG }}-sbom.json --output-file ${{ env.REPORT_SLUG }}-sbom.csv --output-format csv
- name: Upload SBOM
if: "${{ inputs.scan-ref == '' }}"
uses: actions/upload-artifact@6f51ac03b9356f520e9adb1b1b7802705f340c2b # v4.5.0
with:
name: SBOM (CycloneDX) [${{ env.REPORT_SLUG }}]
path: |
${{ env.REPORT_SLUG }}-sbom.json
${{ env.REPORT_SLUG }}-sbom.csv
retention-days: ${{ inputs.report-retention-days }}
# https://github.com/aquasecurity/trivy-action
- name: Scan for critical vulnerabilities (create JUnit report)
uses: aquasecurity/trivy-action@18f2510ee396bbf400402947b394f2dd8c87dbb0 # 0.29.0
if: "${{ inputs.junit-test-output != '' || inputs.create-test-report }}"
with:
scan-ref: "${{ env.REPORT_SLUG }}-sbom.json"
scan-type: sbom
format: 'template'
template: '@$HOME/.local/bin/trivy-bin/contrib/junit.tpl'
output: "${{ inputs.junit-test-output != '' && inputs.junit-test-output || 'trivy.xml' }}"
ignore-unfixed: true
vuln-type: 'os,library'
severity: ${{ inputs.fail-for }}
cache-dir: .trivy
cache: 'false' # use our own cache handling
- name: Create vulnerability report as HTML
uses: aquasecurity/trivy-action@18f2510ee396bbf400402947b394f2dd8c87dbb0 # 0.29.0
env:
# workaround for trivy action not setting env variables if they use the default value
# we need to set the environment manually to the defaults to override previous settings
TRIVY_SEVERITY: UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL
TRIVY_IGNORE_UNFIXED: "false"
with:
scan-ref: "${{ env.REPORT_SLUG }}-sbom.json"
scan-type: sbom
format: 'template'
template: '@$HOME/.local/bin/trivy-bin/contrib/html.tpl'
output: ${{ env.REPORT_FILENAME }}
cache-dir: .trivy
cache: 'false' # use our own cache handling
- name: Upload vulnerability report
uses: actions/upload-artifact@6f51ac03b9356f520e9adb1b1b7802705f340c2b # v4.5.0
if: always()
with:
name: Vulnerability report (HTML) [${{ env.REPORT_SLUG }}]
path: ${{ env.REPORT_FILENAME }}
retention-days: ${{ inputs.report-retention-days }}
- name: Copy vulnerability summary template
if: ${{ inputs.create-summary == 'true' }}
shell: bash
run: |
cp ${GITHUB_ACTION_PATH}/summary.tpl ./trivy-summary.tpl
- name: Create summary on vulnerabilities
if: ${{ inputs.create-summary == 'true' }}
uses: aquasecurity/trivy-action@18f2510ee396bbf400402947b394f2dd8c87dbb0 # 0.29.0
env:
# workaround for trivy action not setting env variables if they use the default value
# we need to set the environment manually to the defaults to override previous settings
TRIVY_SEVERITY: UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL
TRIVY_IGNORE_UNFIXED: "false"
with:
scan-ref: "${{ env.REPORT_SLUG }}-sbom.json"
scan-type: sbom
format: 'template'
template: '@trivy-summary.tpl'
output: 'trivy.md'
cache-dir: .trivy
cache: 'false' # use our own cache handling
- name: Add to job summary
if: ${{ inputs.create-summary == 'true' }}
shell: bash
run: |
echo "### Vulnerability summary (${{ inputs.image-ref != '' && inputs.image-ref || 'fs' }})" >> $GITHUB_STEP_SUMMARY
cat trivy.md >> $GITHUB_STEP_SUMMARY
# Save trivy cache
- name: Fix .trivy permissions
shell: bash
run: sudo chown -R $(stat . -c %u:%g) .trivy
- name: Save trivy cache
continue-on-error: true # ignore error (e.g. if cached was already saved in same workflow run)
if: always() # always save
id: cache-trivy-save
uses: actions/cache/save@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
with:
path: .trivy
key: ${{ steps.cache-trivy-restore.outputs.cache-primary-key }}
#
# Report on unit tests and critical vulnerabilities
#
# https://github.com/marketplace/actions/junit-report-action
- name: Publish Test Report
uses: mikepenz/action-junit-report@62516aa379bff6370c95fd5894d5a27fb6619d9b # v5.2.0
if: ${{ always() && inputs.create-test-report == 'true' }} # always run even if the previous step fails
with:
report_paths: "${{ inputs.junit-test-output != '' && inputs.junit-test-output || 'trivy.xml' }}*"
fail_on_failure: true
# Workaround for check that is additionally created being associated
# to the wrong workflow/run. Instead not additional check is created.
# See https://github.com/mikepenz/action-junit-report/issues/40
annotate_only: true
detailed_summary: true