From e484ba2f0fe991da34ba9ac2e546e5fd8de238c8 Mon Sep 17 00:00:00 2001 From: Gabriel Omar Cotelli Date: Thu, 18 Apr 2024 19:16:00 -0300 Subject: [PATCH] Add vulnerability scanning to docker build step and schedule scanning --- .github/workflows/docker-build.yml | 20 ++++++++++++++ .github/workflows/scheduled-security-scan.yml | 27 +++++++++++++++++++ docker/pharo/Dockerfile | 1 + docker/pharo/launchpad-healthcheck | 2 +- 4 files changed, 49 insertions(+), 1 deletion(-) create mode 100644 .github/workflows/scheduled-security-scan.yml diff --git a/.github/workflows/docker-build.yml b/.github/workflows/docker-build.yml index 84c72d2..1c6bcc6 100644 --- a/.github/workflows/docker-build.yml +++ b/.github/workflows/docker-build.yml @@ -11,6 +11,9 @@ jobs: build_and_publish: runs-on: ubuntu-latest name: Build and Publish Docker images + permissions: + contents: read + security-events: write steps: - name: Checkout uses: actions/checkout@v4 @@ -36,3 +39,20 @@ jobs: tags: ${{ steps.docker_meta.outputs.tags }} labels: ${{ steps.docker_meta.outputs.labels }} secrets: GIT_AUTH_TOKEN=${{ secrets.DOCKER_REGISTRY_TOKEN }} + # Scan for vulnerabilities + - name: Run Trivy vulnerability scanner + uses: aquasecurity/trivy-action@master + if: ${{ github.event_name != 'pull_request' }} + with: + image-ref: ghcr.io/${{ github.repository_owner }}/launchpad:${{ github.ref_name }} + format: 'sarif' + output: 'trivy-results.sarif' + severity: 'CRITICAL,HIGH' + limit-severities-for-sarif: true + ignore-unfixed: true + + - name: Upload Trivy scan results to GitHub Security tab + uses: github/codeql-action/upload-sarif@v3 + if: ${{ github.event_name != 'pull_request' }} + with: + sarif_file: 'trivy-results.sarif' diff --git a/.github/workflows/scheduled-security-scan.yml b/.github/workflows/scheduled-security-scan.yml new file mode 100644 index 0000000..033d9d2 --- /dev/null +++ b/.github/workflows/scheduled-security-scan.yml @@ -0,0 +1,27 @@ +name: Scheduled vulnerability scanning +on: + schedule: + - cron: '35 6 * * 2' + workflow_dispatch: +jobs: + vulnerability-scan: + permissions: + contents: read + security-events: write + name: Scheduled scan for vulnerabilities + runs-on: ubuntu-latest + steps: + - name: Run Trivy vulnerability scanner + uses: aquasecurity/trivy-action@master + with: + image-ref: ghcr.io/${{ github.repository_owner }}/launchpad:latest + format: 'sarif' + output: 'trivy-results.sarif' + severity: 'CRITICAL,HIGH' + limit-severities-for-sarif: true + ignore-unfixed: true + + - name: Upload Trivy scan results to GitHub Security tab + uses: github/codeql-action/upload-sarif@v3 + with: + sarif_file: 'trivy-results.sarif' diff --git a/docker/pharo/Dockerfile b/docker/pharo/Dockerfile index 277a977..d19d5b1 100644 --- a/docker/pharo/Dockerfile +++ b/docker/pharo/Dockerfile @@ -4,6 +4,7 @@ COPY --chown=pharo:users ./launchpad* ./ USER root RUN set -eu; \ apt-get update; \ + apt-get upgrade; \ apt-get install --assume-yes --no-install-recommends netcat-openbsd; \ apt-get clean; \ rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/*; \ diff --git a/docker/pharo/launchpad-healthcheck b/docker/pharo/launchpad-healthcheck index 47c29b2..a010fc4 100755 --- a/docker/pharo/launchpad-healthcheck +++ b/docker/pharo/launchpad-healthcheck @@ -4,4 +4,4 @@ if [[ -z $LAUNCHPAD__COMMAND_SERVER_PORT ]]; then LAUNCHPAD__COMMAND_SERVER_PORT=22222 fi -echo "HEALTHCHECK" | nc localhost $LAUNCHPAD__COMMAND_SERVER_PORT +echo "HEALTHCHECK" | nc localhost "$LAUNCHPAD__COMMAND_SERVER_PORT"