@@ -0,0 +1,46 @@ | ||
name: Checkov Scan | ||
|
||
on: | ||
workflow_call: | ||
inputs: | ||
image_name: | ||
description: 'The name of the docker image to build' | ||
type: string | ||
required: false | ||
default: 'apache' | ||
|
||
dockerfile_path: | ||
description: 'The path of the Dockerfile' | ||
type: string | ||
required: false | ||
default: './Dockerfile' | ||
|
||
jobs: | ||
scan: | ||
permissions: | ||
contents: read | ||
security-events: write | ||
runs-on: ubuntu-latest | ||
steps: | ||
- uses: actions/checkout@v3 | ||
- name: Build the image | ||
run: docker build -t ${{ env.IMAGE_NAME }} ${{ env.IMAGE_PATH }} | ||
- name: Run Checkov action | ||
id: checkov | ||
uses: bridgecrewio/checkov-action@master | ||
with: | ||
quiet: true # optional: display only failed checks | ||
soft_fail: true # optional: do not return an error code if there are failed checks | ||
log_level: DEBUG # optional: set log level. Default WARNING | ||
docker_image: ${{ inputs.image_name }} # define the name of the image to scan | ||
dockerfile_path: ${{ inputs.dockerfile_path }} # path to the Dockerfile | ||
container_user: 1000 # optional: Define what UID and / or what GID to run the container under to prevent permission issues | ||
output_format: cli,sarif | ||
output_file_path: console,results.sarif | ||
# api-key: ${{ secrets.BC_API_KEY }} # Bridgecrew API key stored as a GitHub secret | ||
|
||
- name: Upload SARIF file | ||
uses: github/codeql-action/upload-sarif@v2 | ||
if: success() || failure() | ||
with: | ||
sarif_file: results.sarif |
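Review bot: The build step's `${{ env.IMAGE_NAME }}` and `${{ env.IMAGE_PATH }}` reference variables this workflow never defines (the hunk is the whole file and has no `env:` block), so the command expands to `docker build -t` with empty arguments and the job fails before Checkov runs; the declared inputs are `image_name` and `dockerfile_path`, which the Checkov step itself already uses. The line should read `run: docker build . --file ${{ inputs.dockerfile_path }} --tag ${{ inputs.image_name }}`, matching the Grype and Snyk workflows in this commit. `bridgecrewio/checkov-action@master` is a mutable third-party ref; pinning it to a release tag or commit SHA, as the Snyk workflow does for `snyk/actions/setup`, keeps the scanner from changing underneath the caller, which is the usual supply-chain guidance for action references. Since `inputs.image_name` is expanded directly into a shell command, routing it through an `env:` variable and quoting it in the script (`"$IMAGE_NAME"`) avoids expression injection should a caller ever pass an untrusted value.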
@@ -0,0 +1,37 @@ | ||
name: Docker scans | ||
|
||
on: | ||
push: | ||
branches: | ||
- main | ||
paths-ignore: | ||
- ".ado/**" | ||
- "README.md" | ||
pull_request: | ||
branches: | ||
- main | ||
workflow_dispatch: | ||
|
||
jobs: | ||
checkov: | ||
permissions: | ||
contents: read | ||
security-events: write | ||
uses: 0GiS0/scan-docker-vulnerabilities/.github/workflows/checkov.yaml@main | ||
trivy: | ||
permissions: | ||
contents: read | ||
security-events: write | ||
uses: 0GiS0/scan-docker-vulnerabilities/.github/workflows/trivy.yaml@main | ||
terrascan: | ||
permissions: | ||
contents: read | ||
security-events: write | ||
uses: 0GiS0/scan-docker-vulnerabilities/.github/workflows/grype.yaml@main | ||
snyk: | ||
permissions: | ||
contents: read | ||
security-events: write | ||
uses: 0GiS0/scan-docker-vulnerabilities/.github/workflows/snyk.yaml@main | ||
secrets: | ||
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} |
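Review bot: The job keyed `terrascan` calls `grype.yaml`, so job logs and check names will report Grype findings under a Terrascan heading; either rename the job to `grype` or point it at a Terrascan workflow, whichever was intended. All four `uses:` lines reference this same repository's reusable workflows at `@main`, which means a push to any other branch or a pull request always runs the `main` version of the scanners rather than the version checked out with it; for same-repository reusable workflows the local form `uses: ./.github/workflows/checkov.yaml` resolves to the calling commit and, as I understand it, also lets changes to the scanner workflows be exercised from a pull request. The `pull_request` trigger combined with `security-events: write` will not upload SARIF for pull requests from forks, where the token is read-only; that limitation deserves a comment next to `pull_request:` so a failing upload on a fork PR is not mistaken for a scanner bug.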
@@ -0,0 +1,40 @@ | ||
name: Grype Scan | ||
|
||
on: | ||
workflow_call: | ||
inputs: | ||
image_name: | ||
description: 'The name of the docker image to build' | ||
type: string | ||
required: false | ||
default: 'apache' | ||
|
||
dockerfile_path: | ||
description: 'The path of the Dockerfile' | ||
type: string | ||
required: false | ||
default: './Dockerfile' | ||
|
||
jobs: | ||
|
||
scan: | ||
permissions: | ||
contents: read | ||
security-events: write | ||
runs-on: ubuntu-latest | ||
steps: | ||
- name: Checkout code | ||
uses: actions/checkout@v3 | ||
- name: Build the Container image | ||
run: docker build . --file ${{ inputs.dockerfile_path }} --tag ${{ inputs.image_name }} | ||
- uses: anchore/scan-action@v3 | ||
id: scan | ||
with: | ||
image: ${{ inputs.image_name }} | ||
- name: Inspect action SARIF report | ||
run: cat ${{ steps.scan.outputs.sarif }} | ||
- name: Upload Trivy scan results to GitHub Security tab | ||
uses: github/codeql-action/upload-sarif@v2 | ||
if: success() || failure() | ||
with: | ||
sarif_file: ${{ steps.scan.outputs.sarif }} |
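Review bot: The `Inspect action SARIF report` step has no `if:` condition, so whenever `anchore/scan-action` fails the job on findings above its severity cutoff (its default `fail-build` behaviour, as far as I recall) the `cat` is skipped while the upload on the next step still runs, leaving the inspection step useless in exactly the case it was added for; give it the same `if: success() || failure()` as the upload, or set `fail-build: false` on the scan step and rely on the SARIF upload to surface results, which mirrors the `soft_fail: true` approach in the Checkov workflow. The upload step name `Upload Trivy scan results to GitHub Security tab` is copied from the Trivy workflow and should say Grype, since that is what appears in the Actions log when triaging.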
@@ -0,0 +1,44 @@ | ||
name: Snyk Scan | ||
|
||
on: | ||
workflow_call: | ||
secrets: | ||
SNYK_TOKEN: | ||
required: true | ||
inputs: | ||
image_name: | ||
description: 'The name of the docker image to build' | ||
type: string | ||
required: false | ||
default: 'apache' | ||
|
||
dockerfile_path: | ||
description: 'The path of the Dockerfile' | ||
type: string | ||
required: false | ||
default: './Dockerfile' | ||
|
||
jobs: | ||
snyk: | ||
env: | ||
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} | ||
runs-on: ubuntu-latest | ||
steps: | ||
- uses: actions/checkout@v3 | ||
- name: Set up Snyk CLI to check for security issues | ||
uses: snyk/actions/setup@806182742461562b67788a64410098c9d9b96adb | ||
|
||
- name: Build the Container image | ||
run: docker build . --file ${{ inputs.dockerfile_path }} --tag ${{ inputs.image_name }} | ||
- name: Snyk IaC test and report | ||
continue-on-error: true | ||
run: | | ||
snyk container test ${{ inputs.image_name }} --sarif | ||
snyk container test ${{ inputs.image_name }} --sarif > snyk-docker.sarif | ||
# Push the Snyk Code results into GitHub Code Scanning tab | ||
- name: Upload result to GitHub Code Scanning | ||
uses: github/codeql-action/upload-sarif@v2 | ||
if: success() || failure() | ||
with: | ||
sarif_file: snyk-docker.sarif |
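Review bot: The two-line `run:` block invokes `snyk container test` twice, and because the default `run` shell on ubuntu runners is bash with `-e`, a non-zero exit from the first invocation (which Snyk returns whenever it finds vulnerabilities) aborts the script before the second line writes `snyk-docker.sarif`; `continue-on-error: true` then masks that, and the upload step fails on a missing file precisely when there are findings to report. Keep a single invocation that writes the file, `snyk container test ${{ inputs.image_name }} --sarif-file-output=snyk-docker.sarif`, which also leaves the human-readable report in the log (or, minimally, delete the first line). The step name `Snyk IaC test and report` and the comment `Push the Snyk Code results into GitHub Code Scanning tab` describe other Snyk products; this is a container test and the wording should say so. Adding `--file=${{ inputs.dockerfile_path }}` to the test would also let Snyk use the Dockerfile for base-image recommendations, since that input is otherwise only used by the build step.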
@@ -0,0 +1,43 @@ | ||
name: Trivy Scan | ||
|
||
on: | ||
workflow_call: | ||
inputs: | ||
image_name: | ||
description: 'The name of the docker image to build' | ||
type: string | ||
required: false | ||
default: 'apache' | ||
|
||
dockerfile_path: | ||
description: 'The path of the Dockerfile' | ||
type: string | ||
required: false | ||
default: './Dockerfile' | ||
|
||
jobs: | ||
|
||
scan: | ||
permissions: | ||
contents: read | ||
security-events: write | ||
runs-on: ubuntu-latest | ||
steps: | ||
- name: Checkout code | ||
uses: actions/checkout@v3 | ||
|
||
- name: Build an image from Dockerfile | ||
run: | | ||
docker build -t ${{ inputs.image_name }} ${{ inputs.dockerfile_path }} . | ||
- name: Run Trivy vulnerability scanner | ||
uses: aquasecurity/trivy-action@master | ||
with: | ||
image-ref: ${{ inputs.image_name }} | ||
format: 'sarif' | ||
output: 'trivy-results.sarif' | ||
|
||
- name: Upload Trivy scan results to GitHub Security tab | ||
uses: github/codeql-action/upload-sarif@v2 | ||
with: | ||
sarif_file: 'trivy-results.sarif' |
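Review bot: The build command `docker build -t ${{ inputs.image_name }} ${{ inputs.dockerfile_path }} .` passes the Dockerfile path as a second positional argument, and with the default `./Dockerfile` Docker rejects two build contexts (`requires exactly 1 argument`), so the Trivy scan never runs; it should be `docker build . --file ${{ inputs.dockerfile_path }} --tag ${{ inputs.image_name }}` as in the Grype and Snyk workflows. The upload step is the only one in this commit without `if: success() || failure()`; trivy-action exits 0 by default so it currently works, but adding the condition keeps results reaching the Security tab if someone later sets `exit-code: '1'` on the scan step. `aquasecurity/trivy-action@master` is a mutable ref and should be pinned to a release tag or commit SHA like the other third-party actions.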