-
Notifications
You must be signed in to change notification settings - Fork 0
129 lines (117 loc) · 4.47 KB
/
trivy-repo-scan.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
name: Trivy Security Scan on repository
on:
push:
branches:
- main
pull_request:
schedule:
- cron: '0 3 * * 1,3' # CodeQL Scan every Monday and Wednesday at 3 AM UTC
# Below is for manual scanning
workflow_dispatch:
env:
FULL_SUMMARY: ""
PATCH_SUMMARY: ""
jobs:
build:
name: Build
runs-on: ubuntu-20.04
steps:
- name: Cancel previous workflow runs
uses: styfle/[email protected]
with:
access_token: ${{ github.token }}
- name: Checkout code
uses: actions/checkout@v3
- name: Run Trivy vulnerability scanner in repo mode - SARIF
uses: aquasecurity/trivy-action@master
with:
scan-type: 'fs'
ignore-unfixed: true
format: 'sarif'
output: 'trivy-repo-results.sarif'
- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: 'trivy-repo-results.sarif'
- name: Run Trivy vulnerability scanner in repo mode - JSON (Full)
uses: aquasecurity/trivy-action@master
with:
scan-type: 'fs'
format: 'json'
output: 'trivy-repo-full-results.json'
- name: Create summary of trivy issues on Repository Full scan
run: |
summary=$(jq -r '.Results[] | select(.Vulnerabilities) | .Vulnerabilities | group_by(.Severity) | map({Severity: .[0].Severity, Count: length}) | .[] | [.Severity, .Count] | join(": ")' trivy-repo-full-results.json | awk 'NR > 1 { printf(" | ") } {printf "%s",$0}')
if [ -z $summary ]
then
summary="No vulnerabilities found"
fi
echo "FULL_SUMMARY=$summary" >> $GITHUB_ENV
- name: Run Trivy vulnerability scanner in repo mode - JSON (with Patches)
uses: aquasecurity/trivy-action@master
with:
scan-type: 'fs'
ignore-unfixed: true
format: 'json'
output: 'trivy-repo-fixable-results.json'
- name: Create summary of trivy issues on Repository scan
run: |
summary=$(jq -r '.Results[] | select(.Vulnerabilities) | .Vulnerabilities | group_by(.Severity) | map({Severity: .[0].Severity, Count: length}) | .[] | [.Severity, .Count] | join(": ")' trivy-repo-fixable-results.json | awk 'NR > 1 { printf(" | ") } {printf "%s",$0}')
if [ -z $summary ]
then
summary="No issues or vulnerability fixes available"
fi
echo "PATCH_SUMMARY=$summary" >> $GITHUB_ENV
- name: Generate trivy HTML report on Repository for download
uses: aquasecurity/trivy-action@master
with:
scan-type: 'fs'
format: 'template'
template: '@/contrib/html.tpl'
output: 'trivy-repo-report.html'
- name: Upload Trivy results as an artifact
uses: actions/upload-artifact@v3
with:
name: "trivy-repo-report.html"
path: './trivy-repo-report.html'
retention-days: 30
- name: Send Slack Notification
uses: slackapi/[email protected]
with:
payload: |
{
"text": "Trivy scan results for ${{ github.repository }} repository",
"blocks": [
{
"type": "section",
"text": {
"type": "mrkdwn",
"text": "TRIVY REPO SCAN RESULTS FOR ${{ github.repository }} REPOSITORY"
}
},
{
"type": "section",
"text": {
"type": "mrkdwn",
"text": " Total Vulnerabilities: ${{ env.FULL_SUMMARY }}"
}
},
{
"type": "section",
"text": {
"type": "mrkdwn",
"text": " Vulnerabilities with fixes: ${{ env.PATCH_SUMMARY }}"
}
},
{
"type": "section",
"text": {
"type": "mrkdwn",
"text": " View HTML result artifact: https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}. Artifact is only valid for 30 days."
}
}
]
}
env:
SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
SLACK_WEBHOOK_TYPE: INCOMING_WEBHOOK