From 00ee8768bf25e3542ba067c5f367f1e4cc82635e Mon Sep 17 00:00:00 2001 From: dreggh Date: Fri, 5 Jul 2024 03:39:23 +0000 Subject: [PATCH 1/8] modify image scane --- .github/workflows/image-scan.yaml | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/.github/workflows/image-scan.yaml b/.github/workflows/image-scan.yaml index dd9a342..f8a7cb2 100644 --- a/.github/workflows/image-scan.yaml +++ b/.github/workflows/image-scan.yaml @@ -9,7 +9,8 @@ on: jobs: scan: name: Scan Docker Image - runs-on: [runner-2, self-hosted] + #runs-on: [runner-2, self-hosted] + runs-on: ubuntu-latest steps: - name: Checkout code uses: actions/checkout@v3 @@ -18,9 +19,9 @@ jobs: - name: Run Trivy vulnerability scanner uses: aquasecurity/trivy-action@master with: - image-ref: 'ubuntu:impish-20210711' + image-ref: 'mysql:oracle' format: 'table' exit-code: '1' ignore-unfixed: true vuln-type: 'os,library' - severity: 'CRITICAL,HIGH' \ No newline at end of file + severity: 'CRITICAL,HIGH' From 976a23d020c40be0566058dad57de333247ba18c Mon Sep 17 00:00:00 2001 From: dreggh Date: Fri, 5 Jul 2024 05:16:45 +0000 Subject: [PATCH 2/8] add images to be scanned --- .github/workflows/image-scan.yaml | 20 +++++++++++++++++++- 1 file changed, 19 insertions(+), 1 deletion(-) diff --git a/.github/workflows/image-scan.yaml b/.github/workflows/image-scan.yaml index f8a7cb2..4e25703 100644 --- a/.github/workflows/image-scan.yaml +++ b/.github/workflows/image-scan.yaml @@ -19,9 +19,27 @@ jobs: - name: Run Trivy vulnerability scanner uses: aquasecurity/trivy-action@master with: - image-ref: 'mysql:oracle' + image-ref: 'ngix:latest' format: 'table' exit-code: '1' ignore-unfixed: true vuln-type: 'os,library' severity: 'CRITICAL,HIGH' + - name: Run Trivy vulnerability scanner + uses: aquasecurity/trivy-action@master + with: + image-ref: 'wordpress:latest' + format: 'table' + exit-code: '1' + ignore-unfixed: true + vuln-type: 'os,library' + severity: 'CRITICAL,HIGH' + - name: Run Trivy vulnerability scanner + uses: aquasecurity/trivy-action@master + with: + image-ref: 'mysql:8' + format: 'table' + exit-code: '1' + ignore-unfixed: true + vuln-type: 'os,library' + severity: 'CRITICAL,HIGH' From 51b78360dc60f3a6058c97e3d04f62713f1a73b4 Mon Sep 17 00:00:00 2001 From: dreggh Date: Fri, 5 Jul 2024 05:20:30 +0000 Subject: [PATCH 3/8] fix typo for image scann --- .github/workflows/image-scan.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/image-scan.yaml b/.github/workflows/image-scan.yaml index 4e25703..a041c11 100644 --- a/.github/workflows/image-scan.yaml +++ b/.github/workflows/image-scan.yaml @@ -19,7 +19,7 @@ jobs: - name: Run Trivy vulnerability scanner uses: aquasecurity/trivy-action@master with: - image-ref: 'ngix:latest' + image-ref: 'nginx:latest' format: 'table' exit-code: '1' ignore-unfixed: true From bb91d2dab1b8363cdb4641cc4d3444b10f909d9f Mon Sep 17 00:00:00 2001 From: dreggh Date: Fri, 5 Jul 2024 05:34:40 +0000 Subject: [PATCH 4/8] revise mysql scan --- .github/workflows/image-scan.yaml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/image-scan.yaml b/.github/workflows/image-scan.yaml index a041c11..8d6ff99 100644 --- a/.github/workflows/image-scan.yaml +++ b/.github/workflows/image-scan.yaml @@ -16,7 +16,7 @@ jobs: uses: actions/checkout@v3 # https://github.com/aquasecurity/trivy-action?tab=readme-ov-file#inputs - - name: Run Trivy vulnerability scanner + - name: Nginx uses: aquasecurity/trivy-action@master with: image-ref: 'nginx:latest' @@ -25,7 +25,7 @@ jobs: ignore-unfixed: true vuln-type: 'os,library' severity: 'CRITICAL,HIGH' - - name: Run Trivy vulnerability scanner + - name: Wordpress uses: aquasecurity/trivy-action@master with: image-ref: 'wordpress:latest' @@ -34,12 +34,12 @@ jobs: ignore-unfixed: true vuln-type: 'os,library' severity: 'CRITICAL,HIGH' - - name: Run Trivy vulnerability scanner + - name: MySQL uses: aquasecurity/trivy-action@master with: image-ref: 'mysql:8' format: 'table' - exit-code: '1' + exit-code: '0' ignore-unfixed: true vuln-type: 'os,library' severity: 'CRITICAL,HIGH' From efe997f85ce47b56dce6104de4f78458357dc704 Mon Sep 17 00:00:00 2001 From: dreggh Date: Fri, 5 Jul 2024 05:55:44 +0000 Subject: [PATCH 5/8] add run commands --- .github/workflows/image-scan.yaml | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/.github/workflows/image-scan.yaml b/.github/workflows/image-scan.yaml index 8d6ff99..22d4d56 100644 --- a/.github/workflows/image-scan.yaml +++ b/.github/workflows/image-scan.yaml @@ -9,8 +9,8 @@ on: jobs: scan: name: Scan Docker Image - #runs-on: [runner-2, self-hosted] - runs-on: ubuntu-latest + runs-on: [runner-1, self-hosted] + #runs-on: ubuntu-latest steps: - name: Checkout code uses: actions/checkout@v3 @@ -42,4 +42,8 @@ jobs: exit-code: '0' ignore-unfixed: true vuln-type: 'os,library' - severity: 'CRITICAL,HIGH' + severity: 'CRITICAL,HIGH' + - name: Test + run: | + docker ps + shell: bash From 1f49bce84180729898154db0e9018d5a01184e94 Mon Sep 17 00:00:00 2001 From: dreggh Date: Fri, 5 Jul 2024 06:00:06 +0000 Subject: [PATCH 6/8] change exit-code to 0 --- .github/workflows/image-scan.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/image-scan.yaml b/.github/workflows/image-scan.yaml index 22d4d56..246f856 100644 --- a/.github/workflows/image-scan.yaml +++ b/.github/workflows/image-scan.yaml @@ -21,7 +21,7 @@ jobs: with: image-ref: 'nginx:latest' format: 'table' - exit-code: '1' + exit-code: '0' ignore-unfixed: true vuln-type: 'os,library' severity: 'CRITICAL,HIGH' @@ -30,7 +30,7 @@ jobs: with: image-ref: 'wordpress:latest' format: 'table' - exit-code: '1' + exit-code: '0' ignore-unfixed: true vuln-type: 'os,library' severity: 'CRITICAL,HIGH' From 9609f64b096be69adc17921e9f6525660d56979e Mon Sep 17 00:00:00 2001 From: dreggh Date: Fri, 5 Jul 2024 06:21:14 +0000 Subject: [PATCH 7/8] skl-cicd-test1 --- .cache/ans/single/compose.yaml | 6 +++--- .github/workflows/image-scan.yaml | 3 ++- 2 files changed, 5 insertions(+), 4 deletions(-) diff --git a/.cache/ans/single/compose.yaml b/.cache/ans/single/compose.yaml index babe355..50fe48a 100644 --- a/.cache/ans/single/compose.yaml +++ b/.cache/ans/single/compose.yaml @@ -1,7 +1,7 @@ services: nginx: image: nginx:latest - container_name: nginx + container_name: user-17-nginx volumes: - ./nginx.conf:/etc/nginx/nginx.conf:ro ports: @@ -21,7 +21,7 @@ services: wordpress: image: wordpress:latest - container_name: wordpress + container_name: user-17-wordpress environment: WORDPRESS_DB_HOST: db WORDPRESS_DB_USER: exampleuser @@ -43,7 +43,7 @@ services: db: image: mysql:8 - container_name: db + container_name: user-17-db environment: MYSQL_ROOT_PASSWORD: examplepass MYSQL_DATABASE: exampledb diff --git a/.github/workflows/image-scan.yaml b/.github/workflows/image-scan.yaml index 246f856..73bafc8 100644 --- a/.github/workflows/image-scan.yaml +++ b/.github/workflows/image-scan.yaml @@ -45,5 +45,6 @@ jobs: severity: 'CRITICAL,HIGH' - name: Test run: | - docker ps + cd .cash/ans/single + docker compose up -d shell: bash From 2fae1d348bd0e85ab30c8d2a10a96ce661cb6da8 Mon Sep 17 00:00:00 2001 From: dreggh Date: Fri, 5 Jul 2024 06:24:30 +0000 Subject: [PATCH 8/8] fix dir name --- .github/workflows/image-scan.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/image-scan.yaml b/.github/workflows/image-scan.yaml index 73bafc8..1bf3976 100644 --- a/.github/workflows/image-scan.yaml +++ b/.github/workflows/image-scan.yaml @@ -45,6 +45,6 @@ jobs: severity: 'CRITICAL,HIGH' - name: Test run: | - cd .cash/ans/single + cd .cache/ans/single docker compose up -d shell: bash