From 2c048620de223f7051f362cfa0105c193338c814 Mon Sep 17 00:00:00 2001 From: chunsus Date: Fri, 5 Jul 2024 05:28:15 +0000 Subject: [PATCH 1/6] update image-scan.yaml --- .github/workflows/image-scan.yaml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/image-scan.yaml b/.github/workflows/image-scan.yaml index dd9a342..798482d 100644 --- a/.github/workflows/image-scan.yaml +++ b/.github/workflows/image-scan.yaml @@ -9,7 +9,7 @@ on: jobs: scan: name: Scan Docker Image - runs-on: [runner-2, self-hosted] + #runs-on: [runner-2, self-hosted] steps: - name: Checkout code uses: actions/checkout@v3 @@ -18,9 +18,9 @@ jobs: - name: Run Trivy vulnerability scanner uses: aquasecurity/trivy-action@master with: - image-ref: 'ubuntu:impish-20210711' + image-ref: 'mysql:oracle' format: 'table' exit-code: '1' ignore-unfixed: true vuln-type: 'os,library' - severity: 'CRITICAL,HIGH' \ No newline at end of file + severity: 'CRITICAL,HIGH' From a83076c88c76eade5a13923e887e36166a3f26e0 Mon Sep 17 00:00:00 2001 From: chunsus Date: Fri, 5 Jul 2024 05:50:55 +0000 Subject: [PATCH 2/6] update image-scan --- .github/workflows/image-scan.yaml | 39 +++++++++++++++++++++++++++---- 1 file changed, 35 insertions(+), 4 deletions(-) diff --git a/.github/workflows/image-scan.yaml b/.github/workflows/image-scan.yaml index 798482d..42c5003 100644 --- a/.github/workflows/image-scan.yaml +++ b/.github/workflows/image-scan.yaml @@ -9,18 +9,49 @@ on: jobs: scan: name: Scan Docker Image - #runs-on: [runner-2, self-hosted] + #runs-on: [runner-2, self-hosted + runs-on: ubuntu-last steps: + - name : Test + run | +  ls + - name: Checkout code uses: actions/checkout@v3 - # https://github.com/aquasecurity/trivy-action?tab=readme-ov-file#inputs - - name: Run Trivy vulnerability scanner + - name: Nginx uses: aquasecurity/trivy-action@master with: - image-ref: 'mysql:oracle' + image-ref: 'nginx:latest' + format: 'table' + exit-code: '1' + ignore-unfixed: ture + vuln-type: 'os,library' + serverity: ' CRITICAL,HIGH' + uses: aquasecurity/trivy-action@master + with: + image-ref: 'wordpress:latest' format: 'table' exit-code: '1' ignore-unfixed: true vuln-type: 'os,library' severity: 'CRITICAL,HIGH' + -name: MySQL + uses: aquasecurity/trivy-action@master + with: + image-ref: 'mysql:8' + format: 'table' + exit-code: '0' + vuln-type: 'CRITICAL,HIGH' + + + # https://github.com/aquasecurity/trivy-action?tab=readme-ov-file#inputs + #- name: Run Trivy vulnerability scanner + # uses: aquasecurity/trivy-action@master + # with: + # image-ref: 'mysql:oracle' + # format: 'table' + # exit-code: '1' + # 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ignore-unfixed: true + # vuln-type: 'os,library' + #: severity: 'CRITICAL,HIGH' From f0b584fb988b3ca95f6bfd67d6a0012082c22a36 Mon Sep 17 00:00:00 2001 From: chunsu-tw <70503737+chunsu-tw@users.noreply.github.com> Date: Fri, 5 Jul 2024 14:01:37 +0800 Subject: [PATCH 3/6] Update image-scan.yaml --- .github/workflows/image-scan.yaml | 54 +++++++++++++++---------------- 1 file changed, 26 insertions(+), 28 deletions(-) diff --git a/.github/workflows/image-scan.yaml b/.github/workflows/image-scan.yaml index 42c5003..1a2dfd2 100644 --- a/.github/workflows/image-scan.yaml +++ b/.github/workflows/image-scan.yaml @@ -9,26 +9,23 @@ on: jobs: scan: name: Scan Docker Image - #runs-on: [runner-2, self-hosted - runs-on: ubuntu-last + runs-on: [runner-1, self-hosted] steps: - - name : Test - run | -  ls - - name: Checkout code uses: actions/checkout@v3 + ### https://github.com/aquasecurity/trivy-action?tab=readme-ov-file#inputs - name: Nginx uses: aquasecurity/trivy-action@master with: image-ref: 'nginx:latest' format: 'table' exit-code: '1' - ignore-unfixed: ture + ignore-unfixed: true vuln-type: 'os,library' - serverity: ' CRITICAL,HIGH' - uses: aquasecurity/trivy-action@master + severity: 'CRITICAL,HIGH' + - name: Wordpress + uses: aquasecurity/trivy-action@master with: image-ref: 'wordpress:latest' format: 'table' @@ -36,22 +33,23 @@ jobs: ignore-unfixed: true vuln-type: 'os,library' severity: 'CRITICAL,HIGH' - -name: MySQL - uses: aquasecurity/trivy-action@master - with: - image-ref: 'mysql:8' - format: 'table' - exit-code: '0' - vuln-type: 'CRITICAL,HIGH' - - - # https://github.com/aquasecurity/trivy-action?tab=readme-ov-file#inputs - #- name: Run Trivy vulnerability scanner - # uses: aquasecurity/trivy-action@master - # with: - # image-ref: 'mysql:oracle' - # format: 'table' - # exit-code: '1' - # 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ignore-unfixed: true - # vuln-type: 'os,library' - #: severity: 'CRITICAL,HIGH' + - name: MySQL + uses: aquasecurity/trivy-action@master + with: + image-ref: 'mysql:8' + format: 'table' + exit-code: '0' + ignore-unfixed: true + vuln-type: 'os,library' + severity: 'CRITICAL,HIGH' + + - name: Test + run: | + docker ps + shell: bash + + + + + + From dd3d08a65a283bbf40a6b749162c3e741707bf98 Mon Sep 17 00:00:00 2001 From: chunsu-tw <70503737+chunsu-tw@users.noreply.github.com> Date: Fri, 5 Jul 2024 14:08:50 +0800 Subject: [PATCH 4/6] Update image-scan.yaml --- .github/workflows/image-scan.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/image-scan.yaml b/.github/workflows/image-scan.yaml index 1a2dfd2..b49e374 100644 --- a/.github/workflows/image-scan.yaml +++ b/.github/workflows/image-scan.yaml @@ -20,7 +20,7 @@ jobs: with: image-ref: 'nginx:latest' format: 'table' - exit-code: '1' + exit-code: '0' ignore-unfixed: true vuln-type: 'os,library' severity: 'CRITICAL,HIGH' @@ -29,7 +29,7 @@ jobs: with: image-ref: 'wordpress:latest' format: 'table' - exit-code: '1' + exit-code: '0' ignore-unfixed: true vuln-type: 'os,library' severity: 'CRITICAL,HIGH' From f9ccb8783be6e7a5d26878cdc7ad4afc1fdf9efe Mon Sep 17 00:00:00 2001 From: chunsus Date: Fri, 5 Jul 2024 06:22:31 +0000 Subject: [PATCH 5/6] use cache compose.yaml --- .github/workflows/image-scan.yaml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.github/workflows/image-scan.yaml b/.github/workflows/image-scan.yaml index b49e374..0b01e83 100644 --- a/.github/workflows/image-scan.yaml +++ b/.github/workflows/image-scan.yaml @@ -45,7 +45,8 @@ jobs: - name: Test run: | - docker ps + cd .cache/ans/single/ + docker compose up -d shell: bash From b6fec041205557a8c687ba9ca57cdfa24e7b51a3 Mon Sep 17 00:00:00 2001 From: chunsu-tw <70503737+chunsu-tw@users.noreply.github.com> Date: Fri, 5 Jul 2024 14:28:19 +0800 Subject: [PATCH 6/6] Update image-scan.yaml --- .github/workflows/image-scan.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/image-scan.yaml b/.github/workflows/image-scan.yaml index 0b01e83..cf114db 100644 --- a/.github/workflows/image-scan.yaml +++ b/.github/workflows/image-scan.yaml @@ -45,7 +45,7 @@ jobs: - name: Test run: | - cd .cache/ans/single/ + cd .cache/ans/single docker compose up -d shell: bash