Skip to content

Security Scan

Security Scan #901

Workflow file for this run

name: Security Scan
on:
push:
branches:
- 'main'
schedule:
- cron: '15 10 * * *' # each day at 10:15 UTC
jobs:
security-scan:
name: Security Scan
runs-on: ubuntu-latest
continue-on-error: false
strategy:
matrix:
branch-name:
- 'release/8.0'
- 'release/8.1'
- 'release/8.1-ubuntu'
- 'release/8.2'
- 'release/8.2-zts'
- 'release/8.2-ubuntu'
- 'release/8.3'
- 'release/8.3-zts'
- 'release/8.3-ubuntu'
- 'release/8.4'
steps:
- name: "Checkout code"
uses: actions/checkout@v3
with:
ref: ${{ matrix.branch-name }}
- name: "ZTS_SUFFIX Env"
run: echo "ZTS_SUFFIX=`echo '${{ matrix.branch-name }}' | grep zts > /dev/null && echo '-zts' || echo ''`" > $GITHUB_ENV
- name: "UBUNTU_SUFFIX Env"
run: echo "UBUNTU_SUFFIX=`echo '${{ matrix.branch-name }}' | grep ubuntu > /dev/null && echo '-ubuntu' || echo ''`" > $GITHUB_ENV
- name: "PHP_VERSION Env"
run: echo "PHP_VERSION=`grep "ARG PHP_VERSION" Dockerfile | cut -f 2 -d '"' | tr -d '_'`${{ env.ZTS_SUFFIX }}${{ env.UBUNTU_SUFFIX }}" > $GITHUB_ENV
- name: "BRANCH_SHA Env"
run: echo "BRANCH_SHA=`git rev-parse HEAD`" >> $GITHUB_ENV
- name: Pull the image
run: docker pull ghcr.io/endava/docker-php:${{ env.PHP_VERSION }}
- name: Tag also with php:${{ env.PHP_VERSION }}
run: docker tag ghcr.io/endava/docker-php:${{ env.PHP_VERSION }} php-${{ env.PHP_VERSION }}
- name: "IMAGE_SIZE Env"
run: echo "IMAGE_SIZE=`docker image save php-${{ env.PHP_VERSION }} | gzip | wc -c | numfmt --to=si`" > $GITHUB_ENV
- run: wget "https://img.shields.io/static/v1.png?label=${{ env.PHP_VERSION }}&message=${{ env.IMAGE_SIZE }}&color=blue" -O size-status.png
- name: Run Alpine Trivy vulnerability scanner
uses: aquasecurity/[email protected]
env:
TRIVY_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-db:2
with:
image-ref: php-${{ env.PHP_VERSION }}
format: 'table'
exit-code: '0' # we don't break the build if vulnerabilities are included!
ignore-unfixed: true
vuln-type: 'os,library'
severity: 'CRITICAL,HIGH'
- name: Run Alpine Trivy vulnerability scanner and create html file
uses: aquasecurity/[email protected]
env:
TRIVY_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-db:2
with:
image-ref: php-${{ env.PHP_VERSION }}
format: 'template'
template: '@/contrib/html.tpl'
output: 'vulnerability-report.html'
- name: Run Alpine Trivy vulnerability scanner and create html file
uses: aquasecurity/[email protected]
env:
TRIVY_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-db:2
with:
image-ref: php-${{ env.PHP_VERSION }}
format: 'json'
ignore-unfixed: true
output: 'vulnerability-report.json'
- name: "FIXED_VULNERABILITIES Env"
run: echo "FIXED_VULNERABILITIES=`cat vulnerability-report.json | jq '.Results[0].Vulnerabilities | length'`" > $GITHUB_ENV
- if: ${{ env.FIXED_VULNERABILITIES == '0' }}
run: wget "https://img.shields.io/static/v1.png?label=vulnerabilites&message=0&color=green" -O vulnerability-status.png
- if: ${{ env.FIXED_VULNERABILITIES != '0' }}
run: wget "https://img.shields.io/static/v1.png?label=vulnerabilites&message=${{ env.FIXED_VULNERABILITIES }}&color=red" -O vulnerability-status.png
- name: Run Alpine Trivy vulnerability scanner and upload to github security tab
uses: aquasecurity/[email protected]
env:
TRIVY_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-db:2
with:
image-ref: php-${{ env.PHP_VERSION }}
format: 'sarif'
output: 'trivy-results.sarif'
- if: contains(github.ref, 'refs/heads/main')
name: Upload Alpine Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v2
with:
ref: refs/heads/${{ matrix.branch-name }}
sha: ${{ env.BRANCH_SHA }}
sarif_file: 'trivy-results.sarif'
- if: contains(github.ref, 'refs/heads/main')
name: Run Snyk to check Docker images for vulnerabilities
uses: snyk/actions/docker@master
continue-on-error: true
env:
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
with:
image: ghcr.io/endava/docker-php:${{ env.PHP_VERSION }}
args: "--org=${{ secrets.SNYK_ORG }} --fail-on=upgradable --project-name=docker-php:${{ env.PHP_VERSION }} --target-reference=${{ env.PHP_VERSION }}"
command: monitor
- if: contains(github.ref, 'refs/heads/main')
name: Upload vulnerability Report to Github Release Artifacts
uses: softprops/action-gh-release@v1
with:
tag_name: ${{ env.PHP_VERSION }}
append_body: true
body: ""
files: |
vulnerability-report.html
vulnerability-status.png
size-status.png