add github workflows
0GiS0 committed Sep 23, 2023
1 parent c20f2ae commit 9eed86a
Showing 5 changed files with 210 additions and 0 deletions.
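--- a/.github/workflows/checkov.yaml
+++ b/.github/workflows/checkov.yaml
@@ -0,0 +1,46 @@
+name: Checkov Scan
+
+on:
+workflow_call:
+inputs:
+image_name:
+description: 'The name of the docker image to build'
+type: string
+required: false
+default: 'apache'
+
+dockerfile_path:
+description: 'The path of the Dockerfile'
+type: string
+required: false
+default: './Dockerfile'
+
+jobs:
+scan:
+permissions:
+contents: read
+security-events: write
+runs-on: ubuntu-latest
+steps:
+- uses: actions/checkout@v3
+- name: Build the image
+run: docker build -t ${{ env.IMAGE_NAME }} ${{ env.IMAGE_PATH }}
+- name: Run Checkov action
+id: checkov
+uses: bridgecrewio/checkov-action@master
+with:
+quiet: true # optional: display only failed checks
+soft_fail: true # optional: do not return an error code if there are failed checks
+log_level: DEBUG # optional: set log level. Default WARNING
+docker_image: ${{ inputs.image_name }} # define the name of the image to scan
+dockerfile_path: ${{ inputs.dockerfile_path }} # path to the Dockerfile
+container_user: 1000 # optional: Define what UID and / or what GID to run the container under to prevent permission issues
+output_format: cli,sarif
+output_file_path: console,results.sarif
+# api-key: ${{ secrets.BC_API_KEY }} # Bridgecrew API key stored as a GitHub secret
+
+- name: Upload SARIF file
+uses: github/codeql-action/upload-sarif@v2
+if: success() || failure()
+with:
+sarif_file: results.sarif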
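Review bot: The build step `run: docker build -t ${{ env.IMAGE_NAME }} ${{ env.IMAGE_PATH }}` reads `env.IMAGE_NAME` and `env.IMAGE_PATH`, but no `env:` block in this workflow defines either, so both expand to empty strings and the build fails before Checkov ever runs; the sibling workflows in this commit use the declared `inputs.*` values instead. Because `dockerfile_path` defaults to `./Dockerfile` (a file, not a build context), the corrected line is `run: docker build -t ${{ inputs.image_name }} -f ${{ inputs.dockerfile_path }} .`. `bridgecrewio/checkov-action@master` is a mutable ref running in a job that holds `security-events: write`; pinning it to a full commit SHA, as snyk.yaml already does for `snyk/actions/setup`, removes that supply-chain exposure.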
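--- a/.github/workflows/docker-scans.yaml
+++ b/.github/workflows/docker-scans.yaml
@@ -0,0 +1,37 @@
+name: Docker scans
+
+on:
+push:
+branches:
+- main
+paths-ignore:
+- ".ado/**"
+- "README.md"
+pull_request:
+branches:
+- main
+workflow_dispatch:
+
+jobs:
+checkov:
+permissions:
+contents: read
+security-events: write
+uses: 0GiS0/scan-docker-vulnerabilities/.github/workflows/checkov.yaml@main
+trivy:
+permissions:
+contents: read
+security-events: write
+uses: 0GiS0/scan-docker-vulnerabilities/.github/workflows/trivy.yaml@main
+terrascan:
+permissions:
+contents: read
+security-events: write
+uses: 0GiS0/scan-docker-vulnerabilities/.github/workflows/grype.yaml@main
+snyk:
+permissions:
+contents: read
+security-events: write
+uses: 0GiS0/scan-docker-vulnerabilities/.github/workflows/snyk.yaml@main
+secrets:
+SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}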
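Review bot: The job named `terrascan` calls `grype.yaml`, so the job name in the Actions UI and in the Security-tab attribution will mislead readers; rename it to `grype:` (or point it at a terrascan workflow if that was the intent). All four `uses:` references pin the reusable workflows to `@main`, which means a pull request that edits one of these workflow files is validated against main's copy rather than its own; for same-repo workflows a relative reference such as `uses: ./.github/workflows/checkov.yaml` runs the version at the triggering commit. No `with:` inputs are passed, so every scan runs against the `apache` / `./Dockerfile` defaults declared in the called workflows — fine if intended, but a one-line comment saying so would help the next maintainer.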
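--- a/.github/workflows/grype.yaml
+++ b/.github/workflows/grype.yaml
@@ -0,0 +1,40 @@
+name: Grype Scan
+
+on:
+workflow_call:
+inputs:
+image_name:
+description: 'The name of the docker image to build'
+type: string
+required: false
+default: 'apache'
+
+dockerfile_path:
+description: 'The path of the Dockerfile'
+type: string
+required: false
+default: './Dockerfile'
+
+jobs:
+
+scan:
+permissions:
+contents: read
+security-events: write
+runs-on: ubuntu-latest
+steps:
+- name: Checkout code
+uses: actions/checkout@v3
+- name: Build the Container image
+run: docker build . --file ${{ inputs.dockerfile_path }} --tag ${{ inputs.image_name }}
+- uses: anchore/scan-action@v3
+id: scan
+with:
+image: ${{ inputs.image_name }}
+- name: Inspect action SARIF report
+run: cat ${{ steps.scan.outputs.sarif }}
+- name: Upload Trivy scan results to GitHub Security tab
+uses: github/codeql-action/upload-sarif@v2
+if: success() || failure()
+with:
+sarif_file: ${{ steps.scan.outputs.sarif }}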
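Review bot: The upload step is titled `Upload Trivy scan results to GitHub Security tab` inside the Grype workflow; rename it to `- name: Upload Grype scan results to GitHub Security tab` so the run log does not misattribute findings. The `anchore/scan-action` step has no `fail-build` setting, and if it fails the job on findings (its documented default, as far as I recall — worth confirming), the `if: success() || failure()` guard on the upload is the only thing that still gets the SARIF into the Security tab; a comment such as `# scan step may fail on findings; upload the report regardless` would make that dependency explicit. The `cat ${{ steps.scan.outputs.sarif }}` step prints the whole report into the job log, which duplicates what the Security tab shows and is usually dropped once the pipeline is stable.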
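--- a/.github/workflows/snyk.yaml
+++ b/.github/workflows/snyk.yaml
@@ -0,0 +1,44 @@
+name: Snyk Scan
+
+on:
+workflow_call:
+secrets:
+SNYK_TOKEN:
+required: true
+inputs:
+image_name:
+description: 'The name of the docker image to build'
+type: string
+required: false
+default: 'apache'
+
+dockerfile_path:
+description: 'The path of the Dockerfile'
+type: string
+required: false
+default: './Dockerfile'
+
+jobs:
+snyk:
+env:
+SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+runs-on: ubuntu-latest
+steps:
+- uses: actions/checkout@v3
+- name: Set up Snyk CLI to check for security issues
+uses: snyk/actions/setup@806182742461562b67788a64410098c9d9b96adb
+
+- name: Build the Container image
+run: docker build . --file ${{ inputs.dockerfile_path }} --tag ${{ inputs.image_name }}
+- name: Snyk IaC test and report
+continue-on-error: true
+run: |
+snyk container test ${{ inputs.image_name }} --sarif
+snyk container test ${{ inputs.image_name }} --sarif > snyk-docker.sarif
+# Push the Snyk Code results into GitHub Code Scanning tab
+- name: Upload result to GitHub Code Scanning
+uses: github/codeql-action/upload-sarif@v2
+if: success() || failure()
+with:
+sarif_file: snyk-docker.sarif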
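Review bot: The `run: |` block calls `snyk container test ${{ inputs.image_name }} --sarif` twice, with the first invocation's output discarded on stdout, so the image is scanned twice for one report; keep only `snyk container test ${{ inputs.image_name }} --sarif > snyk-docker.sarif`. This is also the only reusable workflow in the commit whose job has no `permissions:` block, so `upload-sarif` works only because the caller in docker-scans.yaml grants `security-events: write` at the job level; declaring `permissions:` with `contents: read` and `security-events: write` on the `snyk` job matches the other workflows and documents the requirement where the upload actually happens. The step name `Snyk IaC test and report` and the comment `# Push the Snyk Code results into GitHub Code Scanning tab` both name other Snyk products; this step runs a container scan, so `- name: Snyk container test and report` fits what the command does.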
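--- a/.github/workflows/trivy.yaml
+++ b/.github/workflows/trivy.yaml
@@ -0,0 +1,43 @@
+name: Trivy Scan
+
+on:
+workflow_call:
+inputs:
+image_name:
+description: 'The name of the docker image to build'
+type: string
+required: false
+default: 'apache'
+
+dockerfile_path:
+description: 'The path of the Dockerfile'
+type: string
+required: false
+default: './Dockerfile'
+
+jobs:
+
+scan:
+permissions:
+contents: read
+security-events: write
+runs-on: ubuntu-latest
+steps:
+- name: Checkout code
+uses: actions/checkout@v3
+
+- name: Build an image from Dockerfile
+run: |
+docker build -t ${{ inputs.image_name }} ${{ inputs.dockerfile_path }} .
+- name: Run Trivy vulnerability scanner
+uses: aquasecurity/trivy-action@master
+with:
+image-ref: ${{ inputs.image_name }}
+format: 'sarif'
+output: 'trivy-results.sarif'
+
+- name: Upload Trivy scan results to GitHub Security tab
+uses: github/codeql-action/upload-sarif@v2
+with:
+sarif_file: 'trivy-results.sarif'
+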
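Review bot: The build line `docker build -t ${{ inputs.image_name }} ${{ inputs.dockerfile_path }} .` passes the Dockerfile path as a positional argument, so with the `./Dockerfile` default docker receives two build contexts and exits with an argument error before Trivy runs; it should be `docker build -t ${{ inputs.image_name }} --file ${{ inputs.dockerfile_path }} .`, matching grype.yaml and snyk.yaml in this commit. The upload step lacks the `if: success() || failure()` guard the other workflows use, so if the Trivy step is later configured to exit non-zero on findings, the SARIF is never uploaded. `aquasecurity/trivy-action@master` is a mutable ref running with `security-events: write`; pin it to a full commit SHA as snyk.yaml does for its setup action.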