forked from openebs/rawfile-localpv
-
Notifications
You must be signed in to change notification settings - Fork 1
118 lines (115 loc) · 3.96 KB
/
trivy.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
name: Trivy
on:
pull_request: # todo remove before merge
schedule:
- cron: '0 10 * * *'
jobs:
# list-branches-to-scan:
# runs-on: ubuntu-latest
# outputs:
# branches: ${{ steps.branches.outputs.branches }}
# steps:
# - name: Checking out repo
# uses: actions/checkout@v4
# with:
# fetch-depth: 0
# - name: List branches to scan
# id: branches
# run: |
# # regex matches branches like
# # origin/1.28
# # origin/v1.1
# # origin/release-1.30
# # origin/master
# # origin/main
# BRANCHES=$(git branch -r | grep -E '^ origin\/(((v|release-)?[0-9]+.[0-9]+)|(master|main))$' | \
# sed -e 's#^ origin/##' | jq -R -s -c 'split("\n")[:-1]')
# echo "branches=$(echo $BRANCHES)" >> $GITHUB_OUTPUT
# scan-fs:
# runs-on: ubuntu-latest
# needs: list-branches-to-scan
# strategy:
# matrix:
# branch: ${{ fromJson(needs.list-branches-to-scan.outputs.branches) }}
# permissions:
# security-events: write
# steps:
# - name: Checking out repo
# uses: actions/checkout@v4
# with:
# ref: ${{ matrix.branch }}
# fetch-depth: 0
# - name: Run Trivy vulnerability scanner in repo mode
# uses: aquasecurity/[email protected]
# with:
# scan-type: "fs"
# ignore-unfixed: true
# format: "sarif"
# output: "output.sarif"
# severity: "MEDIUM,HIGH,CRITICAL"
# env:
# TRIVY_DB_REPOSITORY: "public.ecr.aws/aquasecurity/trivy-db"
# - name: Get commit sha
# run: |
# SHA="$(git rev-parse HEAD)"
# echo "head_sha=$SHA" >> "$GITHUB_ENV"
# - name: Upload Trivy scan results to GitHub Security tab
# uses: github/codeql-action/upload-sarif@v3
# with:
# sarif_file: "output.sarif"
# sha: ${{ env.head_sha }}
# ref: refs/heads/${{ matrix.branch }}
scan-container:
runs-on: ubuntu-latest
# needs: list-branches-to-scan
# strategy:
# matrix:
# branch: ${{ fromJson(needs.list-branches-to-scan.outputs.branches) }}
permissions:
security-events: write
steps:
- uses: actions/github-script@v7
id: read-tag
with:
script: |
let package_type = "container"
let org = context.repo.owner
let package_name = context.repo.repo
const { data: packages } = await github.request('GET /orgs/{org}/packages/{package_type}/{package_name}/versions', {
package_type: package_type,
package_name: package_name,
org: org,
headers: {
'X-GitHub-Api-Version': '2022-11-28'
}
})
let container_tag = packages[0].metadata.container.tags[0]
return packages[0]
# result-encoding: string
- uses: actions/github-script@v7
with:
script: |
console.log(context.steps.read-tag.outputs.result)
# - name: Get commit sha
# run: |
# echo "${{ steps.read-tag.outputs.result.metadata.container.tags[0] }}"
# - name: Checking out repo
# uses: actions/checkout@v4
# with:
# # ref: ${{ matrix.branch }} #todo checkout to container sha
# fetch-depth: 0
# - name: Run Trivy vulnerability scanner in image mode
# uses: aquasecurity/[email protected]
# with:
# image-ref: "ghcr.io/${{ github.repository }}:${{steps.read-tag.outputs.result}}"
# ignore-unfixed: true
# format: 'template'
# template: '@/contrib/sarif.tpl'
# output: "output.sarif"
# severity: "MEDIUM,HIGH,CRITICAL"
# env:
# TRIVY_DB_REPOSITORY: "public.ecr.aws/aquasecurity/trivy-db"
# - name: Upload Trivy scan results to GitHub Security tab
# uses: github/codeql-action/upload-sarif@v3
# with:
# sarif_file: "output.sarif"