From 288575fd69eba25aa4ca7175b7f090a11e7b4d97 Mon Sep 17 00:00:00 2001
From: AndyTsai
Date: Fri, 5 Jul 2024 03:34:29 +0000
Subject: [PATCH 01/18] wip
---
 .github/workflows/image-scan.yaml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/image-scan.yaml b/.github/workflows/image-scan.yaml
index dd9a342..68d4386 100644
--- a/.github/workflows/image-scan.yaml
+++ b/.github/workflows/image-scan.yaml
@@ -18,9 +18,9 @@ jobs: - name: Run Trivy vulnerability scanner uses: aquasecurity/trivy-action@master with: - image-ref: 'ubuntu:impish-20210711' + image-ref: 'mysql:oracle' format: 'table' exit-code: '1' ignore-unfixed: true vuln-type: 'os,library' - severity: 'CRITICAL,HIGH' \ No newline at end of file + severity: 'CRITICAL,HIGH'
From b460f30b70d637038a829d16a7502d5e0ac30ad0 Mon Sep 17 00:00:00 2001
From: AndyTsai
Date: Fri, 5 Jul 2024 05:10:17 +0000
Subject: [PATCH 02/18] wrok
---
 .github/workflows/image-scan.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/image-scan.yaml b/.github/workflows/image-scan.yaml
index 68d4386..25a4d6b 100644
--- a/.github/workflows/image-scan.yaml
+++ b/.github/workflows/image-scan.yaml
@@ -14,7 +14,7 @@ jobs: - name: Checkout code uses: actions/checkout@v3 - # https://github.com/aquasecurity/trivy-action?tab=readme-ov-file#inputs + ##https://github.com/aquasecurity/trivy-action?tab=readme-ov-file#inputs - name: Run Trivy vulnerability scanner uses: aquasecurity/trivy-action@master with:
From 8347e5f74826ba99926ad91482097df143ecc392 Mon Sep 17 00:00:00 2001
From: AndyTsai
Date: Fri, 5 Jul 2024 05:24:45 +0000
Subject: [PATCH 03/18] blog
---
 .cache/ans/single/compose.yaml | 37 ++++++++++++++++++++++++++++++++++
 1 file changed, 37 insertions(+)
diff --git a/.cache/ans/single/compose.yaml b/.cache/ans/single/compose.yaml
index babe355..dc6564a 100644
--- a/.cache/ans/single/compose.yaml
+++ b/.cache/ans/single/compose.yaml
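Review bot: `image-ref: 'mysql:oracle'` is a floating tag, so each run scans whatever the registry currently serves under that tag rather than a fixed artifact; the verdict can change between runs with no change in this repository, which makes a green scan hard to interpret. If the intent is to gate an image the repository actually deploys, pass the same reference the deployment uses, or pin it by digest so the scanned image and the running image are provably the same. The trailing-newline fix on the `severity` line is fine.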
@@ -68,3 +68,40 @@ services: volumes: db_data:
+
+ jobs:
+ scan:
+ name: Scan Docker Image
+ runs-on: [runner-2, self-hosted]
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v3
+
+ ##https://github.com/aquasecurity/trivy-action?tab=readme-ov-file#inputs
+ - name: Run Trivy vulnerability scanner
+ uses: aquasecurity/trivy-action@master
+ with:
+ image-ref: 'nginx:latest'
+ format: 'table'
+ exit-code: '1'
+ ignore-unfixed: true
+ vuln-type: 'os,library'
+ severity: 'CRITICAL,HIGH'
+ - name: Run Trivy vulnerability scanner
+ uses: aquasecurity/trivy-action@master
+ with:
+ image-ref: ' wordpress:latest'
+ format: 'table'
+ exit-code: '1'
+ ignore-unfixed: true
+ vuln-type: 'os,library'
+ severity: 'CRITICAL,HIGH'
+ - name: Run Trivy vulnerability scanner
+ uses: aquasecurity/trivy-action@master
+ with:
+ image-ref: 'mysql:8'
+ format: 'table'
+ exit-code: '1'
+ ignore-unfixed: true
+ vuln-type: 'os,library'
+ severity: 'CRITICAL,HIGH'
From 4c0ae44b9aa5650a7db54a982d7f3984c80c6337 Mon Sep 17 00:00:00 2001
From: AndyTsai
Date: Fri, 5 Jul 2024 05:29:28 +0000
Subject: [PATCH 04/18] fix
---
 .cache/ans/single/compose.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.cache/ans/single/compose.yaml b/.cache/ans/single/compose.yaml
index dc6564a..ac73b8d 100644
--- a/.cache/ans/single/compose.yaml
+++ b/.cache/ans/single/compose.yaml
@@ -77,7 +77,7 @@ volumes: - name: Checkout code uses: actions/checkout@v3 - ##https://github.com/aquasecurity/trivy-action?tab=readme-ov-file#inputs + ### https://github.com/aquasecurity/trivy-action?tab=readme-ov-file#inputs - name: Run Trivy vulnerability scanner uses: aquasecurity/trivy-action@master with:
From d9b1bc460c3bd20a5a77e03b23ea32e3f4090803 Mon Sep 17 00:00:00 2001
From: AndyTsai
Date: Fri, 5 Jul 2024 05:31:57 +0000
Subject: [PATCH 05/18] fix
---
 .cache/ans/single/compose.yaml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
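Review bot: `image-ref: ' wordpress:latest'` carries a leading space inside the quotes; that string is presumably handed to Trivy verbatim, so the reference is likely to fail to resolve rather than scan `wordpress:latest`, and in a scanner step such a failure is easy to mistake for a clean result — it should read `image-ref: 'wordpress:latest'`. The whole `jobs:` block is also being added to `.cache/ans/single/compose.yaml`, which is a Docker Compose file: `jobs` is not a Compose top-level key and GitHub Actions only reads workflows from `.github/workflows/`, so this copy of the scan job is executed by neither tool (PATCH 07 at L4 later adds it to the workflow file). Separately, all three new steps use `aquasecurity/trivy-action@master`, a mutable branch of a third-party action that runs with the job's token; pin it to a release tag or, preferably, a full commit SHA, and do the same for the matching lines in PATCH 07 (L4) and PATCH 09 (L5).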
diff --git a/.cache/ans/single/compose.yaml b/.cache/ans/single/compose.yaml
index ac73b8d..e4f1564 100644
--- a/.cache/ans/single/compose.yaml
+++ b/.cache/ans/single/compose.yaml
@@ -72,7 +72,8 @@ volumes: jobs: scan: name: Scan Docker Image - runs-on: [runner-2, self-hosted] + #runs-on: [runner-2, self-hosted] + runs-on: ubuntu-latest steps: - name: Checkout code uses: actions/checkout@v3
From aba91b70dde3e72461866399d42fc74a6a1eccee Mon Sep 17 00:00:00 2001
From: AndyTsai
Date: Fri, 5 Jul 2024 05:34:15 +0000
Subject: [PATCH 06/18] fix
---
 .cache/ans/single/compose.yaml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/.cache/ans/single/compose.yaml b/.cache/ans/single/compose.yaml
index e4f1564..92e09b9 100644
--- a/.cache/ans/single/compose.yaml
+++ b/.cache/ans/single/compose.yaml
@@ -84,7 +84,7 @@ volumes: with: image-ref: 'nginx:latest' format: 'table' - exit-code: '1' + exit-code: '0' ignore-unfixed: true vuln-type: 'os,library' severity: 'CRITICAL,HIGH'
@@ -93,7 +93,7 @@ volumes: with: image-ref: ' wordpress:latest' format: 'table' - exit-code: '1' + exit-code: '0' ignore-unfixed: true vuln-type: 'os,library' severity: 'CRITICAL,HIGH'
@@ -102,7 +102,7 @@ volumes: with: image-ref: 'mysql:8' format: 'table' - exit-code: '1' + exit-code: '0' ignore-unfixed: true vuln-type: 'os,library' severity: 'CRITICAL,HIGH'
From a6c781a9c5eaf021c952642cdf5a006ee8b91bfc Mon Sep 17 00:00:00 2001
From: AndyTsai
Date: Fri, 5 Jul 2024 05:36:54 +0000
Subject: [PATCH 07/18] fix
---
 .github/workflows/image-scan.yaml | 28 +++++++++++++++++++++++-----
 1 file changed, 23 insertions(+), 5 deletions(-)
diff --git a/.github/workflows/image-scan.yaml b/.github/workflows/image-scan.yaml
index 25a4d6b..d5a26c9 100644
--- a/.github/workflows/image-scan.yaml
+++ b/.github/workflows/image-scan.yaml
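Review bot: Changing `exit-code` from `'1'` to `'0'` in all three scanner steps means a CRITICAL or HIGH finding no longer fails the job, so the scan stops gating anything and only prints a table that nothing forces anyone to read; PATCH 07 at L4 copies the same `exit-code: '0'` into `.github/workflows/image-scan.yaml`. If the goal is to keep the pipeline green while the baseline is cleaned up, record that next to the value with a comment and a condition for restoring `exit-code: '1'`, or keep `'1'` and narrow `severity` to `'CRITICAL'` so only the most serious findings block. The PATCH 05 hunk also leaves `#runs-on: [runner-2, self-hosted]` behind as commented-out code; git history already records that value, so drop the comment line.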
@@ -5,22 +5,40 @@ on: branches: [ main ] pull_request: branches: [ main ] - jobs: scan: name: Scan Docker Image - runs-on: [runner-2, self-hosted] + #runs-on: [runner-2, self-hosted] + runs-on: ubuntu-latest steps: - name: Checkout code uses: actions/checkout@v3 - ##https://github.com/aquasecurity/trivy-action?tab=readme-ov-file#inputs + ### https://github.com/aquasecurity/trivy-action?tab=readme-ov-file#inputs - name: Run Trivy vulnerability scanner uses: aquasecurity/trivy-action@master with: - image-ref: 'mysql:oracle' + image-ref: 'nginx:latest' + format: 'table' + exit-code: '0' + ignore-unfixed: true + vuln-type: 'os,library' + severity: 'CRITICAL,HIGH' + - name: Run Trivy vulnerability scanner + uses: aquasecurity/trivy-action@master + with: + image-ref: ' wordpress:latest' format: 'table' - exit-code: '1' + exit-code: '0' ignore-unfixed: true vuln-type: 'os,library' severity: 'CRITICAL,HIGH' + - name: Run Trivy vulnerability scanner + uses: aquasecurity/trivy-action@master + with: + image-ref: 'mysql:8' + format: 'table' + exit-code: '0' + ignore-unfixed: true + vuln-type: 'os,library' + severity: 'CRITICAL,HIGH'
From 597758bba7a408c037ab3c02ccfa669fd6c63eb3 Mon Sep 17 00:00:00 2001
From: AndyTsai
Date: Fri, 5 Jul 2024 05:39:55 +0000
Subject: [PATCH 08/18] fix
---
 .github/workflows/image-scan.yaml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/.github/workflows/image-scan.yaml b/.github/workflows/image-scan.yaml
index d5a26c9..5cf30cb 100644
--- a/.github/workflows/image-scan.yaml
+++ b/.github/workflows/image-scan.yaml
@@ -5,6 +5,7 @@ on: branches: [ main ] pull_request: branches: [ main ] + jobs: scan: name: Scan Docker Image
From 5c6ed40afc2fc548da3b2bc5c37bd91fd8dcc1bf Mon Sep 17 00:00:00 2001
From: AndyTsai
Date: Fri, 5 Jul 2024 05:42:45 +0000
Subject: [PATCH 09/18] fix
---
 .github/workflows/image-scan.yaml | 26 ++++++++++++--------------
 1 file changed, 12 insertions(+), 14 deletions(-)
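Review bot: The three scanner steps added to the workflow here are identical apart from `image-ref`, and all three are named `Run Trivy vulnerability scanner`, so the job log and any failure annotation cannot say which image a finding belongs to; `' wordpress:latest'` also keeps its leading space when copied over. A `strategy.matrix` over the image list removes the duplication, gives every run a distinct name, and with `fail-fast: false` still scans the remaining images when one of them fails. The workflow's `name:` and the top of the `on:` block sit above this hunk.
```yaml
  scan:
    name: Scan Docker Image
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false
      matrix:
        image: ['nginx:latest', 'wordpress:latest', 'mysql:8']
    steps:
      - name: Checkout code
        uses: actions/checkout@v3
      - name: Run Trivy vulnerability scanner (${{ matrix.image }})
        uses: aquasecurity/trivy-action@master
        with:
          image-ref: '${{ matrix.image }}'
          # … unchanged: format, exit-code, ignore-unfixed, vuln-type, severity …
```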
diff --git a/.github/workflows/image-scan.yaml b/.github/workflows/image-scan.yaml
index 5cf30cb..fddfab5 100644
--- a/.github/workflows/image-scan.yaml
+++ b/.github/workflows/image-scan.yaml
@@ -1,45 +1,43 @@ name: Docker Image Scan - -on: +'on': push: - branches: [ main ] + branches: + - main pull_request: - branches: [ main ] - + branches: + - main jobs: scan: name: Scan Docker Image - #runs-on: [runner-2, self-hosted] runs-on: ubuntu-latest steps: - name: Checkout code uses: actions/checkout@v3 - - ### https://github.com/aquasecurity/trivy-action?tab=readme-ov-file#inputs - name: Run Trivy vulnerability scanner uses: aquasecurity/trivy-action@master with: image-ref: 'nginx:latest' - format: 'table' + format: table exit-code: '0' ignore-unfixed: true vuln-type: 'os,library' severity: 'CRITICAL,HIGH' - - name: Run Trivy vulnerability scanner + - name: Run Trivy vulnerability scanner uses: aquasecurity/trivy-action@master with: image-ref: ' wordpress:latest' - format: 'table' + format: table exit-code: '0' ignore-unfixed: true vuln-type: 'os,library' severity: 'CRITICAL,HIGH' - - name: Run Trivy vulnerability scanner + - name: Run Trivy vulnerability scanner uses: aquasecurity/trivy-action@master with: image-ref: 'mysql:8' - format: 'table' + format: table exit-code: '0' ignore-unfixed: true vuln-type: 'os,library' - severity: 'CRITICAL,HIGH' + severity: 'CRITICAL,HIGH' +
From 02964a4397ff7e64035d036131410a2b112c98a9 Mon Sep 17 00:00:00 2001
From: AndyTsai
Date: Fri, 5 Jul 2024 05:55:15 +0000
Subject: [PATCH 10/18] flow
---
 .github/workflows/image-scan.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/image-scan.yaml b/.github/workflows/image-scan.yaml
index fddfab5..c8dd40d 100644
--- a/.github/workflows/image-scan.yaml
+++ b/.github/workflows/image-scan.yaml
@@ -9,7 +9,7 @@ name: Docker Image Scan jobs: scan: name: Scan Docker Image - runs-on: ubuntu-latest + runs-on: [runner-1, self-hosted] steps: - name: Checkout code uses: actions/checkout@v3
From cc25b2a5d8a2f314a6a3c7899f3e34e5b0e243d9 Mon Sep 17 00:00:00 2001
From: AndyTsai
Date: Fri, 5 Jul 2024 06:05:12 +0000
Subject: [PATCH 11/18] flow
---
 .github/workflows/image-scan.yaml | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/image-scan.yaml b/.github/workflows/image-scan.yaml
index c8dd40d..70527e7 100644
--- a/.github/workflows/image-scan.yaml
+++ b/.github/workflows/image-scan.yaml
@@ -9,7 +9,9 @@ name: Docker Image Scan jobs: scan: name: Scan Docker Image - runs-on: [runner-1, self-hosted] + runs-on: + - runner-1 + - self-hosted steps: - name: Checkout code uses: actions/checkout@v3
@@ -40,4 +42,7 @@ jobs: ignore-unfixed: true vuln-type: 'os,library' severity: 'CRITICAL,HIGH' + - name: Test + run: docker run + shell: bash
From fb0bf3776a01ec567e132a2438545b8fe55a20ba Mon Sep 17 00:00:00 2001
From: AndyTsai
Date: Fri, 5 Jul 2024 06:13:02 +0000
Subject: [PATCH 12/18] flow
---
 .github/workflows/image-scan.yaml | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/image-scan.yaml b/.github/workflows/image-scan.yaml
index 70527e7..7573a7e 100644
--- a/.github/workflows/image-scan.yaml
+++ b/.github/workflows/image-scan.yaml
@@ -42,7 +42,8 @@ jobs: ignore-unfixed: true vuln-type: 'os,library' severity: 'CRITICAL,HIGH' - - name: Test - run: docker run + + -name: Test + run: + docker run ps shell: bash -
From a6686da2a66ac4d3101a93a1304f49f268bfeaf0 Mon Sep 17 00:00:00 2001
From: AndyTsai
Date: Fri, 5 Jul 2024 06:16:15 +0000
Subject: [PATCH 13/18] flow
---
 .github/workflows/image-scan.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/image-scan.yaml b/.github/workflows/image-scan.yaml
index 7573a7e..70b89d2 100644
--- a/.github/workflows/image-scan.yaml
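Review bot: `runs-on` moves the job from `ubuntu-latest` to the `runner-1`/`self-hosted` labels (PATCH 10 and the first PATCH 11 hunk), and the new `Test` step in the second PATCH 11 hunk runs Docker commands on that machine; with the `pull_request` trigger shown in the PATCH 07 hunk at L4, a pull request that edits this workflow or the files it runs can execute commands on the self-hosted host with whatever Docker access the runner account has. Whether that is reachable by outside contributors depends on repository visibility and the fork-approval settings, which this page does not show, but the usual mitigations are to run `pull_request` jobs on hosted runners, keep self-hosted runners ephemeral and unprivileged, and require approval for runs from first-time or external contributors. If a self-hosted runner is required here, say why in a comment above `runs-on:` so the exposure is a recorded decision rather than an accident of the `flow` commits.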
+++ b/.github/workflows/image-scan.yaml
@@ -45,5 +45,5 @@ jobs: -name: Test run: - docker run ps + docker ps shell: bash
From 6edbdbb5d9f0e9762ab99bde562f688050f91d8d Mon Sep 17 00:00:00 2001
From: AndyTsai
Date: Fri, 5 Jul 2024 06:17:55 +0000
Subject: [PATCH 14/18] flow
---
 .github/workflows/image-scan.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/image-scan.yaml b/.github/workflows/image-scan.yaml
index 70b89d2..2a2955d 100644
--- a/.github/workflows/image-scan.yaml
+++ b/.github/workflows/image-scan.yaml
@@ -43,7 +43,7 @@ jobs: vuln-type: 'os,library' severity: 'CRITICAL,HIGH' - -name: Test + - name: Test run: docker ps shell: bash
From 41a2a76be046ba667a6d44bb4f0d8a4690098780 Mon Sep 17 00:00:00 2001
From: AndyTsai
Date: Fri, 5 Jul 2024 06:23:11 +0000
Subject: [PATCH 15/18] final
---
 .cache/ans/single/compose.yaml | 44 +++---------------------------
 .github/workflows/image-scan.yaml | 3 ++-
 2 files changed, 5 insertions(+), 42 deletions(-)
diff --git a/.cache/ans/single/compose.yaml b/.cache/ans/single/compose.yaml
index 92e09b9..8346bfd 100644
--- a/.cache/ans/single/compose.yaml
+++ b/.cache/ans/single/compose.yaml
@@ -1,7 +1,7 @@ services: nginx: image: nginx:latest - container_name: nginx + container_name: user-6-host-1-nginx volumes: - ./nginx.conf:/etc/nginx/nginx.conf:ro ports:
@@ -21,7 +21,7 @@ services: wordpress: image: wordpress:latest - container_name: wordpress + container_name: user-6-host-1-wordpress environment: WORDPRESS_DB_HOST: db WORDPRESS_DB_USER: exampleuser
@@ -43,7 +43,7 @@ services: db: image: mysql:8 - container_name: db + container_name: user-6-host-1-db environment: MYSQL_ROOT_PASSWORD: examplepass MYSQL_DATABASE: exampledb
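Review bot: The renamed `container_name` values (`user-6-host-1-nginx`, `user-6-host-1-wordpress`, `user-6-host-1-db`) are fixed strings, and the workflow hunk of this same commit (L8) starts this file with `docker compose up -d` on a self-hosted runner; Docker requires container names to be unique per daemon, so a run that starts while a previous run's containers still exist is likely to fail on the name conflict, and two users of that runner cannot share the file at all. Drop `container_name` and let Compose derive names from the project, or pass a per-run project name with `docker compose -p`, so names are scoped to the run rather than to `user-6-host-1`. Not introduced by this hunk, but the context lines show `MYSQL_ROOT_PASSWORD: examplepass` and `WORDPRESS_DB_USER: exampleuser` committed in the file; if CI is going to start these services on a shared host, the credentials should come from an env file or a secret store rather than the repository.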
@@ -68,41 +68,3 @@ services: volumes: db_data: - - jobs: - scan: - name: Scan Docker Image - #runs-on: [runner-2, self-hosted] - runs-on: ubuntu-latest - steps: - - name: Checkout code - uses: actions/checkout@v3 - - ### https://github.com/aquasecurity/trivy-action?tab=readme-ov-file#inputs - - name: Run Trivy vulnerability scanner - uses: aquasecurity/trivy-action@master - with: - image-ref: 'nginx:latest' - format: 'table' - exit-code: '0' - ignore-unfixed: true - vuln-type: 'os,library' - severity: 'CRITICAL,HIGH' - - name: Run Trivy vulnerability scanner - uses: aquasecurity/trivy-action@master - with: - image-ref: ' wordpress:latest' - format: 'table' - exit-code: '0' - ignore-unfixed: true - vuln-type: 'os,library' - severity: 'CRITICAL,HIGH' - - name: Run Trivy vulnerability scanner - uses: aquasecurity/trivy-action@master - with: - image-ref: 'mysql:8' - format: 'table' - exit-code: '0' - ignore-unfixed: true - vuln-type: 'os,library' - severity: 'CRITICAL,HIGH'
diff --git a/.github/workflows/image-scan.yaml b/.github/workflows/image-scan.yaml
index 2a2955d..b78b9e9 100644
--- a/.github/workflows/image-scan.yaml
+++ b/.github/workflows/image-scan.yaml
@@ -45,5 +45,6 @@ jobs: - name: Test run: - docker ps + cd .cache/ans/single + docker compose up-d shell: bash
From fd9aafb3aab3316037ef555a74a49ac559da8468 Mon Sep 17 00:00:00 2001
From: AndyTsai
Date: Fri, 5 Jul 2024 06:26:32 +0000
Subject: [PATCH 16/18] final
---
 .github/workflows/image-scan.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/image-scan.yaml b/.github/workflows/image-scan.yaml
index b78b9e9..e427dd0 100644
--- a/.github/workflows/image-scan.yaml
+++ b/.github/workflows/image-scan.yaml
@@ -45,6 +45,6 @@ jobs: - name: Test run: - cd .cache/ans/single + cd .cache/ans/single/ docker compose up-d shell: bash
From 1ef0fef8c3c2178ea005e363ab76a51a51e12701 Mon Sep 17 00:00:00 2001
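Review bot: The new `run:` value in the PATCH 15 workflow hunk is a plain multi-line scalar, so YAML folds `cd .cache/ans/single` and `docker compose up-d` into the single line `cd .cache/ans/single docker compose up-d`; bash's `cd` takes one argument, so the step errors out before `docker compose` is ever invoked (the PATCH 16 hunk on this line and PATCH 17 on L9 keep the same shape, and PATCH 18 on L9 writes the single line out explicitly). Use a literal block, `run: |` followed by the two commands on separate lines, or replace the `cd` with `working-directory: .cache/ans/single` and keep `run: docker compose up -d`. `up-d` is a typo for `up -d`, which PATCH 17 corrects.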
From: AndyTsai
Date: Fri, 5 Jul 2024 06:28:52 +0000
Subject: [PATCH 17/18] final
---
 .github/workflows/image-scan.yaml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/image-scan.yaml b/.github/workflows/image-scan.yaml
index e427dd0..52c6dea 100644
--- a/.github/workflows/image-scan.yaml
+++ b/.github/workflows/image-scan.yaml
@@ -45,6 +45,6 @@ jobs: - name: Test run: - cd .cache/ans/single/ - docker compose up-d + cd .cache/ans/single + docker compose up -d shell: bash
From 399499baa032517cd709d7bb0bd2ca562121ac23 Mon Sep 17 00:00:00 2001
From: AndyTsai
Date: Fri, 5 Jul 2024 06:32:05 +0000
Subject: [PATCH 18/18] final
---
 .github/workflows/image-scan.yaml | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)
diff --git a/.github/workflows/image-scan.yaml b/.github/workflows/image-scan.yaml
index 52c6dea..a1cc28f 100644
--- a/.github/workflows/image-scan.yaml
+++ b/.github/workflows/image-scan.yaml
@@ -42,9 +42,7 @@ jobs: ignore-unfixed: true vuln-type: 'os,library' severity: 'CRITICAL,HIGH' - - name: Test - run: - cd .cache/ans/single - docker compose up -d + run: cd .cache/ans/single docker compose up -d shell: bash +
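Review bot: PATCH 18 removes `- name: Test`, so the step that starts the compose stack has no name in the job log, and its single-line `run: cd .cache/ans/single docker compose up -d` still passes all the remaining words to `cd` (the same defect as the PATCH 15 workflow hunk at L8). Nothing stops the containers afterwards: on a self-hosted runner `docker compose up -d` leaves nginx, wordpress and mysql running after the job ends, so they accumulate across runs and keep the committed example credentials reachable on that host. Give the step a name such as `- name: Start compose stack`, and add a final step, `- name: Tear down` with `if: always()` and `run: docker compose down -v` in the same directory, so each run cleans up regardless of outcome.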