-
-
Notifications
You must be signed in to change notification settings - Fork 1.5k
141 lines (131 loc) · 4.34 KB
/
cve-scan.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
# AUTO-GENERATED, DO NOT EDIT!
# Please edit the original at https://github.com/ory/meta/blob/master/templates/repository/server/.github/workflows/cve-scan.yaml
name: Docker Image Scanners
on:
workflow_dispatch:
push:
branches:
- "master"
tags:
- "v*.*.*"
pull_request:
branches:
- "master"
permissions:
contents: read
security-events: write
jobs:
scanners:
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Setup Env
id: vars
shell: bash
run: |
# Store values in local variables
SHA_SHORT=$(git rev-parse --short HEAD)
REPO_NAME=${{ github.event.repository.name }}
# Append -sqlite to SHA_SHORT if repo is hydra
if [ "${REPO_NAME}" = "hydra" ]; then
echo "Repo is hydra, appending -sqlite to SHA_SHORT"
IMAGE_NAME="oryd/${REPO_NAME}:${SHA_SHORT}-sqlite"
else
echo "Repo is not hydra, using default IMAGE_NAME"
IMAGE_NAME="oryd/${REPO_NAME}:${SHA_SHORT}"
fi
# Output values for debugging
echo "Values to be set:"
echo "SHA_SHORT: ${SHA_SHORT}"
echo "REPO_NAME: ${REPO_NAME}"
echo "IMAGE_NAME: ${IMAGE_NAME}"
# Set GitHub Environment variables
echo "SHA_SHORT=${SHA_SHORT}" >> "${GITHUB_ENV}"
echo "IMAGE_NAME=${IMAGE_NAME}" >> "${GITHUB_ENV}"
- name: Set up QEMU
uses: docker/setup-qemu-action@v3
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
- name: Build images
shell: bash
run: |
IMAGE_TAG="${{ env.SHA_SHORT }}" make docker
- name: Login to GitHub Container Registry
uses: docker/login-action@v3
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Configure Trivy
run: |
mkdir -p $HOME/.cache/trivy
echo "TRIVY_USERNAME=${{ github.actor }}" >> $GITHUB_ENV
echo "TRIVY_PASSWORD=${{ secrets.GITHUB_TOKEN }}" >> $GITHUB_ENV
- name: Anchore Scanner
uses: anchore/scan-action@v5
id: grype-scan
with:
image: ${{ env.IMAGE_NAME }}
fail-build: true
severity-cutoff: high
add-cpes-if-none: true
- name: Inspect action SARIF report
shell: bash
if: ${{ always() }}
run: |
echo "::group::Anchore Scan Details"
jq '.runs[0].results' ${{ steps.grype-scan.outputs.sarif }}
echo "::endgroup::"
- name: Anchore upload scan SARIF report
if: always()
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: ${{ steps.grype-scan.outputs.sarif }}
- name: Kubescape scanner
uses: kubescape/github-action@main
id: kubescape
with:
image: ${{ env.IMAGE_NAME }}
verbose: true
format: pretty-printer
# can't whitelist CVE yet: https://github.com/kubescape/kubescape/pull/1568
severityThreshold: critical
- name: Trivy Scanner
uses: aquasecurity/trivy-action@master
if: ${{ always() }}
with:
image-ref: ${{ env.IMAGE_NAME }}
format: "table"
exit-code: "42"
ignore-unfixed: true
vuln-type: "os,library"
severity: "CRITICAL,HIGH"
scanners: "vuln,secret,misconfig"
env:
TRIVY_SKIP_JAVA_DB_UPDATE: "true"
TRIVY_DISABLE_VEX_NOTICE: "true"
TRIVY_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-db,public.ecr.aws/aquasecurity/trivy-db
- name: Dockle Linter
uses: erzz/dockle-action@v1
if: ${{ always() }}
with:
image: ${{ env.IMAGE_NAME }}
exit-code: 42
failure-threshold: high
- name: Hadolint
uses: hadolint/[email protected]
id: hadolint
if: ${{ always() }}
with:
dockerfile: .docker/Dockerfile-build
verbose: true
format: "json"
failure-threshold: "error"
- name: View Hadolint results
if: ${{ always() }}
shell: bash
run: |
echo "::group::Hadolint Scan Details"
echo "${HADOLINT_RESULTS}" | jq '.'
echo "::endgroup::"