Add vulnerability scanning to docker build step and schedule scanning

ba-st · Apr 18, 2024 · e484ba2 · e484ba2
1 parent 93b5bfd
commit e484ba2
Show file tree

Hide file tree

Showing 4 changed files with 49 additions and 1 deletion.
diff --git a/.github/workflows/docker-build.yml b/.github/workflows/docker-build.yml
@@ -11,6 +11,9 @@ jobs:
    build_and_publish:
     runs-on: ubuntu-latest
     name: Build and Publish Docker images
+    permissions:
+      contents: read
+      security-events: write
     steps:
       - name: Checkout
         uses: actions/checkout@v4
@@ -36,3 +39,20 @@ jobs:
           tags: ${{ steps.docker_meta.outputs.tags }}
           labels: ${{ steps.docker_meta.outputs.labels }}
           secrets: GIT_AUTH_TOKEN=${{ secrets.DOCKER_REGISTRY_TOKEN }}
+      # Scan for vulnerabilities
+      - name: Run Trivy vulnerability scanner
+        uses: aquasecurity/trivy-action@master
+        if: ${{ github.event_name != 'pull_request' }}
+        with:
+          image-ref: ghcr.io/${{ github.repository_owner }}/launchpad:${{ github.ref_name }}
+          format: 'sarif'
+          output: 'trivy-results.sarif'
+          severity: 'CRITICAL,HIGH'
+          limit-severities-for-sarif: true
+          ignore-unfixed: true
+
+      - name: Upload Trivy scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@v3
+        if: ${{ github.event_name != 'pull_request' }}
+        with:
+          sarif_file: 'trivy-results.sarif'
diff --git a/.github/workflows/scheduled-security-scan.yml b/.github/workflows/scheduled-security-scan.yml
@@ -0,0 +1,27 @@
+name: Scheduled vulnerability scanning
+on:
+  schedule:
+    - cron: '35 6 * * 2'
+  workflow_dispatch:
+jobs:
+  vulnerability-scan:
+    permissions:
+      contents: read
+      security-events: write
+    name: Scheduled scan for vulnerabilities
+    runs-on: ubuntu-latest
+    steps:
+      - name: Run Trivy vulnerability scanner
+        uses: aquasecurity/trivy-action@master
+        with:
+          image-ref: ghcr.io/${{ github.repository_owner }}/launchpad:latest
+          format: 'sarif'
+          output: 'trivy-results.sarif'
+          severity: 'CRITICAL,HIGH'
+          limit-severities-for-sarif: true
+          ignore-unfixed: true
+
+      - name: Upload Trivy scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: 'trivy-results.sarif'
diff --git a/docker/pharo/Dockerfile b/docker/pharo/Dockerfile
@@ -4,6 +4,7 @@ COPY --chown=pharo:users ./launchpad* ./
 USER root
 RUN set -eu; \
   apt-get update; \
+  apt-get upgrade; \
   apt-get install --assume-yes --no-install-recommends netcat-openbsd; \
   apt-get clean; \
   rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/*; \

diff --git a/docker/pharo/launchpad-healthcheck b/docker/pharo/launchpad-healthcheck
@@ -4,4 +4,4 @@ if [[ -z $LAUNCHPAD__COMMAND_SERVER_PORT ]]; then
   LAUNCHPAD__COMMAND_SERVER_PORT=22222
 fi
 
-echo "HEALTHCHECK" | nc localhost $LAUNCHPAD__COMMAND_SERVER_PORT
+echo "HEALTHCHECK" | nc localhost "$LAUNCHPAD__COMMAND_SERVER_PORT"