Enhance GitHub Actions workflow for security updates: improved parsing of Trivy scan results to generate detailed security advisories, including summaries for vulnerabilities and secrets. Added logic to create a security advisory via GitHub API if vulnerabilities are found, and refined output formatting for better clarity in reporting findings.
jaydrogers committed Dec 11, 2024
1 parent 8edefa5 commit a760584
Showing 1 changed file with 22 additions and 25 deletions.
47 changes: 22 additions & 25 deletions .github/workflows/action_publish-images-security-updates.yml
@@ -45,9 +45,11 @@ jobs:
path: '${{ github.workspace }}/trivy-results.json'
retention-days: 20

# Parse results to set has_vulnerabilities (for workflow control)
# Parse results and create advisory if needed
- if: inputs.skip_scan != true
id: parse
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
shell: bash
run: |
if [ -f trivy-results.json ]; then
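Review bot: exporting `GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}` on its own does not give the step the rights it needs for the advisory creation the new comment promises. The hunk adds no `permissions:` block, and the workflow `permissions` keyword has no scope covering repository security advisories, so the default `GITHUB_TOKEN` is likely to be refused by that endpoint. Either verify on a test repository that this token can `POST /repos/{owner}/{repo}/security-advisories`, or supply a fine-grained PAT or GitHub App token with write access to repository security advisories, and document that requirement next to this `env:` block so the next maintainer does not have to rediscover it from a 403.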
@@ -58,15 +60,21 @@ jobs:
if [ "${VULN_COUNT:-0}" -gt 0 ]; then
echo "has_vulnerabilities=true" >> "$GITHUB_OUTPUT"
CURRENT_DATE=$(date +%Y-%m-%d)
# Create step summary and advisory content
echo "# Security Findings Found" >> $GITHUB_STEP_SUMMARY
SUMMARY="## Security Scan Results ($CURRENT_DATE)\n\n### Summary\n- Total Findings: ${VULN_COUNT}"
# Handle OS/Package Vulnerabilities
if jq -e '.Results[] | select(.Vulnerabilities != null)' trivy-results.json > /dev/null; then
echo "## Package Vulnerabilities" >> $GITHUB_STEP_SUMMARY
echo "| Severity | Package | Installed Version | Fixed Version | Vulnerability ID |" >> $GITHUB_STEP_SUMMARY
echo "|----------|---------|-------------------|---------------|-----------------|" >> $GITHUB_STEP_SUMMARY
jq -r '.Results[] | select(.Vulnerabilities != null) | .Vulnerabilities[] | "| \(.Severity) | \(.PkgName) | \(.InstalledVersion) | \(.FixedVersion) | \(.VulnerabilityID) |"' trivy-results.json >> $GITHUB_STEP_SUMMARY
VULNS_SECTION=$(jq -r '.Results[] | select(.Vulnerabilities != null) | .Vulnerabilities[] | "### Vulnerability: \(.VulnerabilityID)\n- Package: \(.PkgName)\n- Severity: \(.Severity)\n- Current Version: \(.InstalledVersion)\n- Fixed Version: \(.FixedVersion)\n"' trivy-results.json)
fi
# Handle Secrets
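Review bot: the `\n` sequences in `SUMMARY="## Security Scan Results ($CURRENT_DATE)\n\n### Summary\n- Total Findings: ${VULN_COUNT}"` are not escapes inside a bash double-quoted string, so the variable holds literal backslash-n characters; only the `jq -r` format strings (where `\n` is a real jq escape) yield newlines. Build it with `printf -v SUMMARY '...'` or a `$'...'` quoted string so the advisory body does not show `\n` verbatim. Two smaller points in the same block: `\(.FixedVersion)` prints `null` for findings Trivy has no fix for, so `\(.FixedVersion // "none")` reads better in both the step-summary table and `VULNS_SECTION`; and the new `echo ... >> $GITHUB_STEP_SUMMARY` lines leave the variable unquoted while `"$GITHUB_OUTPUT"` a few lines up is quoted.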
@@ -75,8 +83,20 @@ jobs:
echo "| Severity | Category | Title | Target | Rule ID |" >> $GITHUB_STEP_SUMMARY
echo "|----------|-----------|--------|---------|----------|" >> $GITHUB_STEP_SUMMARY
jq -r '.Results[] | select(.Secrets != null) | .Secrets[] | "| \(.Severity) | \(.Category) | \(.Title) | \(.Target) | \(.RuleID) |"' trivy-results.json >> $GITHUB_STEP_SUMMARY
SECRETS_SECTION=$(jq -r '.Results[] | select(.Secrets != null) | .Secrets[] | "### Secret Finding: \(.Title)\n- Severity: \(.Severity)\n- Category: \(.Category)\n- Location: \(.Target)\n- Rule ID: \(.RuleID)\n"' trivy-results.json)
fi
# Create the security advisory
FULL_DESCRIPTION="${SUMMARY}\n\n${SECRETS_SECTION}\n${VULNS_SECTION}"
gh api \
--method POST \
/repos/${{ github.repository }}/security-advisories \
-f summary="🚨 Security Scan Report ($CURRENT_DATE): Found ${VULN_COUNT} findings" \
-f description="${FULL_DESCRIPTION}" \
-f severity="critical"
echo "::notice::Found ${VULN_COUNT} security findings that need to be addressed."
else
echo "has_vulnerabilities=false" >> "$GITHUB_OUTPUT"
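Review bot: `-f severity="critical"` hard-codes the advisory severity regardless of what Trivy reported, so a run whose only findings are low-severity package updates still files a critical advisory; derive it from the scan instead, e.g. take the highest `.Severity` across `.Vulnerabilities[]` and `.Secrets[]` with jq and map it onto the API's `low`, `medium`, `high`, `critical` values. Also, `FULL_DESCRIPTION="${SUMMARY}\n\n${SECRETS_SECTION}\n${VULNS_SECTION}"` carries the same literal `\n` problem as `SUMMARY`, and nothing checks for an existing draft, so every scheduled run that finds something will create one more advisory draft; query `/repos/${{ github.repository }}/security-advisories` for a draft whose `summary` already carries `$CURRENT_DATE` before POSTing. Finally, `shell: bash` runs with `-e`, so a failed POST (wrong token permissions, for instance) aborts the step and the job after `has_vulnerabilities=true` has already been written; if failing closed here is intended, say so in a comment, otherwise guard the `gh api` call and emit a `::warning::`.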
@@ -107,27 +127,4 @@ jobs:
with:
release_type: 'security'
ref_type: 'tag'
version: "${{ needs.get-latest-release.outputs.release_version }}"

notify:
needs: [build-security-updates]
runs-on: ubuntu-24.04
if: always()
steps:
- name: Notify maintainers privately
if: needs.build-security-updates.result == 'success'
uses: actions/github-script@v7
with:
script: |
await github.rest.securityAdvisories.createPrivateVulnerabilityReport({
owner: context.repo.owner,
repo: context.repo.name,
title: 'Automated Security Updates Applied',
description: `Security updates were automatically applied.\n\nAction Run: ${context.serverUrl}/${context.repo.owner}/${context.repo.name}/actions/runs/${context.runId}`,
state: 'closed',
severity: 'low',
identifiers: [{
type: 'GHSA',
value: `GHSA-auto-${context.runId}`
}]
});
version: "${{ needs.get-latest-release.outputs.release_version }}"
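Review bot: `version: "${{ needs.get-latest-release.outputs.release_version }}"` is removed and re-added unchanged as the last line of the file, which usually means a trailing-whitespace or final-newline difference rather than a content change; normalising that keeps this hunk a pure deletion of the `notify` job. Dropping `notify` also drops the only `if: always()` job, and with it any signal when `build-security-updates` fails, so confirm that is intended. Removing the old `createPrivateVulnerabilityReport` call itself is the right move: it filed a report with `state: 'closed'` and a fabricated `GHSA-auto-${context.runId}` identifier, which misuses the private-report endpoint as a notification channel and should not be ported into the new `gh api` step.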
