This repository has been archived by the owner on Oct 18, 2023. It is now read-only.
Run scheduled Trivy scan #242
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Run scheduled Trivy scan | |
on: | |
workflow_dispatch: | |
schedule: | |
- cron: '0 3 * * *' | |
jobs: | |
validate-lep: | |
strategy: | |
matrix: | |
include: | |
- module: lambdas | |
scanref: ./lambdas | |
trivyignore: lambdas/.trivyignore | |
- module: lib | |
scanref: ./lib | |
trivyignore: lib/.trivyignore | |
fail-fast: false | |
name: Validate lep | |
runs-on: ubuntu-latest | |
timeout-minutes: 15 | |
outputs: | |
lep-lambdas-outcome: ${{ steps.output.outputs.lep-lambdas-outcome || '' }} | |
lep-lambdas-json: ${{ steps.output.outputs.lep-lambdas-json || '' }} | |
lep-lib-outcome: ${{ steps.output.outputs.lep-lib-outcome || '' }} | |
lep-lib-json: ${{ steps.output.outputs.lep-lib-json || '' }} | |
steps: | |
- name: Checkout code | |
uses: actions/checkout@v4 | |
- name: Copy gradle for lep lambdas | |
run: | | |
cp -r gradle ${{ matrix.module }}/gradle | |
cp gradlew ${{ matrix.module }}/gradlew | |
cp gradlew.bat ${{ matrix.module }}/gradlew.bat | |
- id: trivy | |
name: Run Trivy vulnerability scanner | |
uses: aquasecurity/trivy-action@0.12.0 | |
continue-on-error: true | |
with: | |
scan-type: fs | |
scan-ref: ${{ matrix.scanref }} | |
trivyignores: ${{ matrix.trivyignore }} | |
exit-code: 1 | |
format: json | |
output: ${{ matrix.module }}.json | |
- id: output | |
name: Setup output | |
run: | | |
echo "${{ matrix.module }}-outcome=${{ steps.trivy.outcome }}" >> $GITHUB_OUTPUT | |
EOF=$(dd if=/dev/urandom bs=15 count=1 status=none | base64) | |
echo "${{ matrix.module }}-json<<$EOF" >> $GITHUB_OUTPUT | |
jq '.Results[] | |
| select(.Vulnerabilities != null) | |
| .Vulnerabilities | |
| map({ Vulnerability: ("<"+.PrimaryURL+"|"+.VulnerabilityID+">"), Severity: .Severity, Order: ( | |
if .Severity == "CRITICAL" then 0 else | |
if .Severity == "HIGH" then 1 else | |
if .Severity == "MEDIUM" then 2 else | |
if .Severity == "LOW" then 3 else 4 end end end end) }) | |
| .[]' ${{ matrix.module }}.json \ | |
| jq -s 'sort_by(.Order, .Vulnerability) | reduce .[] as $x ([]; .[0] += [$x.Vulnerability] | .[1] += [$x.Severity]) | |
| map(join("\n")) | |
| [{ type: "mrkdwn", text: .[0]}, { type: "mrkdwn", text: .[1] }]' >> $GITHUB_OUTPUT | |
echo "$EOF" >> $GITHUB_OUTPUT | |
notify-slack: | |
name: Notify Slack | |
needs: [ validate-lep ] | |
runs-on: ubuntu-latest | |
timeout-minutes: 15 | |
steps: | |
- id: payload | |
name: Construct payload | |
run: | | |
payload='{ | |
"text": "Trivy dependency scan failed\n${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}", | |
"blocks": [ | |
{ | |
"type": "section", | |
"text": { | |
"type": "mrkdwn", | |
"text": "Trivy dependency scan failed\n${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}" | |
}, | |
"fields": [ | |
{ | |
"type": "mrkdwn", | |
"text": "*Scan*" | |
}, | |
{ | |
"type": "mrkdwn", | |
"text": "*Outcome*" | |
}, | |
{ | |
"type": "plain_text", | |
"text": "LEP Lambdas" | |
}, | |
{ | |
"type": "plain_text", | |
"text": "${{ needs.validate.outputs.lambdas-outcome }}" | |
}, | |
{ | |
"type": "plain_text", | |
"text": "LEP Lib" | |
}, | |
{ | |
"type": "plain_text", | |
"text": "${{ needs.validate.outputs.lib-outcome }}" | |
} | |
] | |
} | |
] | |
}' | |
base_vulnerability_fields='[ | |
{ | |
"type": "mrkdwn", | |
"text": "*Vulnerabilitiy*" | |
}, | |
{ | |
"type": "mrkdwn", | |
"text": "*Severity*" | |
} | |
]' | |
if [ "${{ needs.validate.outputs.lambdas-outcome }}" = "failure" ] | |
then | |
fields=$(jq '. += ${{ needs.validate.outputs.lambdas-json }}' <<< $base_vulnerability_fields) | |
payload=$(jq --argjson fields "$fields" '.blocks += [ | |
{ | |
"type": "divider" | |
}, | |
{ | |
"type": "section", | |
"text": { | |
"type": "mrkdwn", | |
"text": "*LEP Lambdas*" | |
}, | |
"fields": $fields | |
} | |
]' <<< $payload) | |
fi | |
if [ "${{ needs.validate.outputs.lib-outcome }}" = "failure" ] | |
then | |
fields=$(jq '. += ${{ needs.validate.outputs.lib-json }}' <<< $base_vulnerability_fields) | |
payload=$(jq --argjson fields "$fields" '.blocks += [ | |
{ | |
"type": "divider" | |
}, | |
{ | |
"type": "section", | |
"text": { | |
"type": "mrkdwn", | |
"text": "*LEP Lib*" | |
}, | |
"fields": $fields | |
} | |
]' <<< $payload) | |
fi | |
EOF=$(dd if=/dev/urandom bs=15 count=1 status=none | base64) | |
echo "payload<<$EOF" >> $GITHUB_OUTPUT | |
echo $payload >> $GITHUB_OUTPUT | |
echo "$EOF" >> $GITHUB_OUTPUT | |
- name: Send failure message to Slack | |
if: | | |
needs.validate.outputs.lambdas-outcome != 'success' || | |
needs.validate.outputs.lib-outcome != 'success' | |
uses: slackapi/slack-github-action@v1.24.0 | |
with: | |
channel-id: ${{ secrets.SLACK_CHANNEL_ID }} | |
payload: ${{ steps.payload.outputs.payload }} | |
env: | |
SLACK_BOT_TOKEN: ${{ secrets.SLACK_BOT_TOKEN }} |