Periodic Security Scan #60
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Periodic Security Scan | |
# Periodically scan production images for security vulnerabilities | |
on: | |
schedule: | |
# Once a day at midnight | |
- cron: '0 0 * * *' | |
# Once an hour | |
# - cron: '0 * * * *' | |
env: | |
# Name of image | |
IMAGE_NAME: foo-api | |
# Name of org in GHCR Docker repository (must be lowercase) | |
IMAGE_OWNER: ${{ github.repository_owner }} | |
# ECR Docker repo org name (may be blank, otherwise must have trailing slash) | |
ECR_IMAGE_OWNER: cogini/ | |
# Tag for release images | |
# IMAGE_TAG: ${{ (github.ref == 'refs/heads/main' && 'staging') || (github.ref == 'refs/heads/qa' && 'qa') }} | |
IMAGE_TAG: latest | |
IMAGE_VER: ${{ github.sha }} | |
# Variant if test matrix is not used | |
# See https://hub.docker.com/r/hexpm/elixir/tags | |
VAR: '1.16.1-erlang-26.2.1-debian-bullseye-20231009-slim' | |
# Variant that is deployed | |
PROD_VAR: '1.16.1-erlang-26.2.1-debian-bullseye-20231009-slim' | |
DOCKER_FILE: deploy/debian.Dockerfile | |
jobs: | |
scan: | |
name: Security scan prod image | |
permissions: | |
# Interact with GitHub OIDC Token endpoint for AWS | |
id-token: write | |
contents: read | |
# Read from ghcr.io repository | |
packages: read | |
# Upload JUnit report files | |
# https://github.com/EnricoMi/publish-unit-test-result-action#permissions | |
checks: write | |
pull-requests: write | |
issues: read | |
# Upload SARIF report files | |
security-events: write | |
runs-on: ubuntu-latest | |
strategy: | |
fail-fast: false | |
matrix: | |
include: | |
- elixir: 1.15.7 | |
otp: 26.1.2 | |
build_os_ver: bullseye-20230612-slim | |
prod_os_ver: bullseye-slim | |
snapshot_ver: 20230612 | |
os: debian | |
- elixir: 1.16.1 | |
otp: 26.2.1 | |
build_os_ver: bullseye-20231009-slim | |
prod_os_ver: bullseye-slim | |
os: debian | |
- elixir: 1.16.1 | |
otp: 26.2.1 | |
build_os_ver: bullseye-20231009-slim | |
prod_os_ver: bullseye-slim | |
os: distroless | |
# - elixir: 1.14.5 | |
# otp: 26.1.1 | |
# build_os_ver: bullseye-20230612-slim | |
# prod_os_ver: bullseye-slim | |
# snapshot_ver: 20230612 | |
# os: debian | |
# - elixir: 1.14.1 | |
# otp: 24.3.4 | |
# build_os_ver: bullseye-20210902-slim | |
# prod_os_ver: bullseye-slim | |
# snapshot_ver: 20210902 | |
# os: debian | |
env: | |
DOCKER_FILE: deploy/${{ matrix.os }}.Dockerfile | |
VAR: ${{ matrix.elixir }}-erlang-${{ matrix.otp }}-${{ matrix.os }}-${{ matrix.build_os_ver }} | |
steps: | |
- name: Log in to GHCR | |
uses: docker/login-action@v3 | |
with: | |
registry: ghcr.io | |
username: ${{ github.actor }} | |
password: ${{ secrets.GITHUB_TOKEN }} | |
- name: Pull image | |
run: docker pull ghcr.io/${{env.IMAGE_OWNER}}/${{env.IMAGE_NAME}}:${{ env.VAR }}${{ env.IMAGE_VER }} | |
- name: Scan image with Trivy | |
uses: aquasecurity/trivy-action@master | |
# https://github.com/aquasecurity/trivy-action | |
# https://github.com/marketplace/actions/aqua-security-trivy#inputs | |
with: | |
image-ref: ghcr.io/${{env.IMAGE_OWNER}}/${{env.IMAGE_NAME}}:${{ env.VAR }}${{ env.IMAGE_VER }} | |
# exit-code: '1' # fail build | |
# ignore-unfixed: true | |
# vuln-type: 'os,library' | |
# severity: 'CRITICAL,HIGH' | |
# cache-dir: /var/cache | |
format: 'sarif' | |
output: 'trivy.sarif' | |
- name: Display scan results | |
run: cat trivy.sarif | jq . | |
- name: Upload Trivy scan results to GitHub Security tab | |
if: ${{ always() && env.GITHUB_ADVANCED_SECURITY == 1 }} | |
uses: github/codeql-action/upload-sarif@v2 | |
# Requires GitHub Advanced Security | |
# https://docs.github.com/en/get-started/learning-about-github/about-github-advanced-security | |
# https://docs.github.com/en/code-security/code-scanning/integrating-with-code-scanning/sarif-support-for-code-scanning | |
# https://docs.github.com/en/code-security/code-scanning/integrating-with-code-scanning/uploading-a-sarif-file-to-github | |
with: | |
sarif_file: 'trivy.sarif' | |
category: trivy | |
- name: Scan image with Grype | |
uses: anchore/scan-action@v3 | |
# https://github.com/marketplace/actions/anchore-container-scan | |
id: scan-grype | |
with: | |
image: ghcr.io/${{env.IMAGE_OWNER}}/${{env.IMAGE_NAME}}:${{ env.VAR }}${{ env.IMAGE_VER }} | |
# severity-cutoff: critical | |
fail-build: false | |
output-format: 'sarif' | |
# output-format: table | |
- name: Display scan results | |
run: cat ${{ steps.scan-grype.outputs.sarif }} | jq . | |
- name: Upload Grype scan results to GitHub Security tab | |
if: ${{ always() && env.GITHUB_ADVANCED_SECURITY == 1 }} | |
uses: github/codeql-action/upload-sarif@v2 | |
with: | |
sarif_file: ${{ steps.scan-grype.outputs.sarif }} | |
category: grype | |
# - name: Scan image with snyk | |
# # if: github.event_name != 'pull_request' | |
# uses: snyk/actions/docker@master | |
# continue-on-error: true | |
# env: | |
# SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} | |
# with: | |
# command: test | |
# image: ghcr.io/${{ env.IMAGE_OWNER }}/${{ env.IMAGE_NAME }}:${{ env.VAR }}${{ env.IMAGE_VER }} | |
# args: --file=${{ env.DOCKER_FILE }} --project-name=api | |