Skip to content

Commit

Permalink
Add vulnerability scanning to docker build step and schedule scanning
Browse files Browse the repository at this point in the history
  • Loading branch information
gcotelli committed Apr 18, 2024
1 parent 93b5bfd commit e484ba2
Show file tree
Hide file tree
Showing 4 changed files with 49 additions and 1 deletion.
20 changes: 20 additions & 0 deletions .github/workflows/docker-build.yml
Original file line number Diff line number Diff line change
Expand Up @@ -11,6 +11,9 @@ jobs:
build_and_publish:
runs-on: ubuntu-latest
name: Build and Publish Docker images
permissions:
contents: read
security-events: write
steps:
- name: Checkout
uses: actions/checkout@v4
Expand All @@ -36,3 +39,20 @@ jobs:
tags: ${{ steps.docker_meta.outputs.tags }}
labels: ${{ steps.docker_meta.outputs.labels }}
secrets: GIT_AUTH_TOKEN=${{ secrets.DOCKER_REGISTRY_TOKEN }}
# Scan for vulnerabilities
- name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@master
if: ${{ github.event_name != 'pull_request' }}
with:
image-ref: ghcr.io/${{ github.repository_owner }}/launchpad:${{ github.ref_name }}
format: 'sarif'
output: 'trivy-results.sarif'
severity: 'CRITICAL,HIGH'
limit-severities-for-sarif: true
ignore-unfixed: true

- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v3
if: ${{ github.event_name != 'pull_request' }}
with:
sarif_file: 'trivy-results.sarif'
27 changes: 27 additions & 0 deletions .github/workflows/scheduled-security-scan.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,27 @@
name: Scheduled vulnerability scanning
on:
schedule:
- cron: '35 6 * * 2'
workflow_dispatch:
jobs:
vulnerability-scan:
permissions:
contents: read
security-events: write
name: Scheduled scan for vulnerabilities
runs-on: ubuntu-latest
steps:
- name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@master
with:
image-ref: ghcr.io/${{ github.repository_owner }}/launchpad:latest
format: 'sarif'
output: 'trivy-results.sarif'
severity: 'CRITICAL,HIGH'
limit-severities-for-sarif: true
ignore-unfixed: true

- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: 'trivy-results.sarif'
1 change: 1 addition & 0 deletions docker/pharo/Dockerfile
Original file line number Diff line number Diff line change
Expand Up @@ -4,6 +4,7 @@ COPY --chown=pharo:users ./launchpad* ./
USER root
RUN set -eu; \
apt-get update; \
apt-get upgrade; \
apt-get install --assume-yes --no-install-recommends netcat-openbsd; \
apt-get clean; \
rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/*; \
Expand Down
2 changes: 1 addition & 1 deletion docker/pharo/launchpad-healthcheck
Original file line number Diff line number Diff line change
Expand Up @@ -4,4 +4,4 @@ if [[ -z $LAUNCHPAD__COMMAND_SERVER_PORT ]]; then
LAUNCHPAD__COMMAND_SERVER_PORT=22222
fi

echo "HEALTHCHECK" | nc localhost $LAUNCHPAD__COMMAND_SERVER_PORT
echo "HEALTHCHECK" | nc localhost "$LAUNCHPAD__COMMAND_SERVER_PORT"

0 comments on commit e484ba2

Please sign in to comment.