Trivy CVE Dependency Scanner #874

Workflow file for this run

.github/workflows/trivy-scan.yml at 0dc3c44

	name: Trivy CVE Dependency Scanner

	on:
	schedule:
	- cron: '0 0 * * *'
	workflow_dispatch:

	jobs:
	scan-latest-release:
	runs-on: ubuntu-latest
	steps:
	- name: Get Latest Release Docker Image Sha
	id: latest-sha
	run: \|
	# Get the latest released docker image sha
	curl -sL https://api.github.com/repos/carvel-dev/secretgen-controller/releases/latest \| jq -r '.assets[].browser_download_url' \| wget -i -

	echo ::set-output name=image::$(yq eval '.spec.template.spec.containers[0].image' release.yml -N -j \| jq 'select(. != null)' -r)
	echo ::set-output name=tag::$(curl -sL https://api.github.com/repos/carvel-dev/secretgen-controller/releases/latest \| jq -r '.tag_name')
	- name: Install Trivy
	run: \|
	# https://aquasecurity.github.io/trivy/v0.18.3/installation/
	sudo apt-get install wget apt-transport-https gnupg lsb-release
	wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key \| sudo apt-key add -
	echo deb https://aquasecurity.github.io/trivy-repo/deb $(lsb_release -sc) main \| sudo tee -a /etc/apt/sources.list.d/trivy.list
	sudo apt-get update
	sudo apt-get install trivy
	- name: Run Trivy
	run: \|
	trivy image ${{ steps.latest-sha.outputs.image }}
	trivy image --format json --output trivy-results-image-latest.json ${{ steps.latest-sha.outputs.image }}
	- name: Check for new Vulnerabilities
	run: \|
	set -o pipefail

	summary="Trivy scan has found new vulnerabilities in ${{steps.latest-sha.outputs.tag}} check https://github.com/${{github.repository}}/actions/runs/${{github.run_id}}"

	vulnCount=$(jq '[ .Results[]? \| select(.Vulnerabilities) \| .Vulnerabilities ] \| length' trivy-results-image-latest.json)
	if [[ $vulnCount -eq 0 ]]; then
	summary="Trivy Scan has not found any new Security Issues in ${{steps.latest-sha.outputs.tag}}"
	fi

	echo "SUMMARY=$summary" >> $GITHUB_ENV
	- name: Send Slack Notification
	if: success()
	uses: slackapi/slack-github-action@v1.15.0
	env:
	SLACK_BOT_TOKEN: ${{ secrets.SLACK_BOT_TOKEN }}
	with:
	channel-id: C010XR15VHU
	slack-message: "${{ env.SUMMARY }}"
	- name: Send Failure notification
	if: failure()
	uses: slackapi/slack-github-action@v1.15.0
	env:
	SLACK_BOT_TOKEN: ${{ secrets.SLACK_BOT_TOKEN }}
	with:
	channel-id: C010XR15VHU
	slack-message: "Trivy scan workflow [${{steps.latest-sha.outputs.tag}}] failed. Please check the latest github action run for trivy scanner."
	scan-develop-branch:
	runs-on: ubuntu-latest
	permissions:
	security-events: write
	steps:
	- name: Checkout
	uses: actions/checkout@v2
	with:
	fetch-depth: 0
	- name: Set up Go 1.x
	uses: actions/setup-go@v3
	with:
	go-version: 1.22.2
	- name: Build the secretgen-controller artifacts
	run: \|
	curl -L https://carvel.dev/install.sh \| bash
	./hack/build.sh

	# docker image
	docker buildx build -t docker.io/carvel/secretgen-controller:${{ github.sha }} .
	- name: Install Trivy
	run: \|
	# https://aquasecurity.github.io/trivy/v0.18.3/installation/
	sudo apt-get install wget apt-transport-https gnupg lsb-release
	wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key \| sudo apt-key add -
	echo deb https://aquasecurity.github.io/trivy-repo/deb $(lsb_release -sc) main \| sudo tee -a /etc/apt/sources.list.d/trivy.list
	sudo apt-get update
	sudo apt-get install trivy

	# download the sarif format template
	git clone --depth 1 https://github.com/aquasecurity/trivy
	- name: Run Trivy Reports
	run: \|
	export TRIVY_IGNORE_UNFIXED=true
	export TRIVY_SEVERITY="MEDIUM,HIGH,CRITICAL"
	export TRIVY_TEMPLATE="@trivy/contrib/sarif.tpl"

	# secretgen-controller binary - output in sarif and json
	trivy rootfs --format template --output trivy-results-binary.sarif "controller"
	trivy rootfs --format json --output trivy-results-binary.json "controller"

	# secretgen-controller docker image - output in sarif and json
	trivy image --format template --output trivy-results-image.sarif "docker.io/carvel/secretgen-controller:${{ github.sha }}"
	trivy image --format json --output trivy-results-image.json "docker.io/carvel/secretgen-controller:${{ github.sha }}"
	- name: Upload Trivy scan results to GitHub Security tab
	uses: github/codeql-action/upload-sarif@v2
	with:
	sarif_file: '.'
	- name: Check for new Vulnerabilities
	run: \|
	set -o pipefail

	summary="Trivy scan has found new vulnerabilities - check https://github.com/carvel-dev/secretgen-controller/security/code-scanning for more"

	vulnCountBinary=$(jq '[ .Results[]? \| select(.Vulnerabilities) \| .Vulnerabilities ] \| length' trivy-results-binary.json)
	vulnCountImage=$(jq '[ .Results[]? \| select(.Vulnerabilities) \| .Vulnerabilities ] \| length' trivy-results-image.json)
	if [[ $vulnCountImage -eq 0 && $vulnCountBinary -eq 0 ]]
	then
	summary="Trivy Scan has not found any new Security Issues"
	fi

	echo "SUMMARY=$summary" >> $GITHUB_ENV
	- name: Send Slack Notification
	if: success()
	uses: slackapi/slack-github-action@v1.15.0
	env:
	SLACK_BOT_TOKEN: ${{ secrets.SLACK_BOT_TOKEN }}
	with:
	channel-id: C010XR15VHU
	slack-message: "${{ env.SUMMARY }}"
	- name: Send Failure notification
	if: failure()
	uses: slackapi/slack-github-action@v1.15.0
	env:
	SLACK_BOT_TOKEN: ${{ secrets.SLACK_BOT_TOKEN }}
	with:
	channel-id: C010XR15VHU
	slack-message: "Trivy scan workflow failed. Please check the latest github action run for trivy scanner."

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Trivy CVE Dependency Scanner #874

Workflow file

Trivy CVE Dependency Scanner #874

Jobs

Run details

Workflow file for this run