Skip to content

[BE][FE][SECURITY] Trivy #2391

[BE][FE][SECURITY] Trivy

[BE][FE][SECURITY] Trivy #2391

Workflow file for this run

# Copyright (c) 2023 Contributors to the Eclipse Foundation
#
# See the NOTICE file(s) distributed with this work for additional
# information regarding copyright ownership.
#
# This program and the accompanying materials are made available under the
# terms of the Apache License, Version 2.0 which is available at
# https://www.apache.org/licenses/LICENSE-2.0.
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
# SPDX-License-Identifier: Apache-2.0
# This workflow uses actions that are not certified by GitHub.
# They are provided by a third-party and are governed by
# separate terms of service, privacy policy, and support
# documentation.
name: "[BE][FE][SECURITY] Trivy"
on:
pull_request:
branches: main
paths-ignore:
- '**/*.md'
- '**/*.txt'
push:
branches: [ "main" ]
paths-ignore:
- '**/*.md'
- '**/*.txt'
schedule:
- cron: "0 0 * * *"
workflow_dispatch:
workflow_run:
workflows: ["Pull request Backend"]
types: ["completed"]
permissions:
contents: read
env:
JAVA_VERSION: 17
COMMIT_SHA: ${{ github.sha }}
jobs:
build-frontend:
permissions:
actions: read
contents: read # for actions/checkout to fetch code
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
services:
registry:
image: registry:2
ports:
- 5000:5000
name: Build frontend
runs-on: ubuntu-latest
defaults:
run:
working-directory: .
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: Build an image from Dockerfile
run: docker build -t localhost:5000/traceability-foss:fe_${{ github.sha }} -f ./frontend/Dockerfile .
- name: Run Trivy vulnerability scanner
uses: aquasecurity/[email protected]
with:
trivyignores: "./.github/workflows/.trivyignore"
image-ref: 'localhost:5000/traceability-foss:fe_${{ github.sha }}'
format: "sarif"
limit-severities-for-sarif: true
output: 'trivy-results.sarif'
severity: 'CRITICAL,HIGH'
- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: 'trivy-results.sarif'
prepare-env-backend:
runs-on: ubuntu-latest
defaults:
run:
working-directory: tx-backend
outputs:
check_sha: ${{ steps.step1.outputs.check_sha }}
steps:
- name: Checkout repository
uses: actions/checkout@v4
with:
ref: ${{needs.prepare-env.outputs.check_sha}}
- name: Set commit SHA to check
id: step1
run: |
if [ -z "${{ github.event.workflow_run.head_sha }}" ]; then
# use the value that is set when triggering the workflow manually
echo "check_sha=$GITHUB_SHA" >> $GITHUB_OUTPUT
else
echo "check_sha=${{ github.event.workflow_run.head_sha }}" >> $GITHUB_OUTPUT
fi
analyze-config-backend:
runs-on: ubuntu-latest
defaults:
run:
working-directory: tx-backend
if: always()
needs: [prepare-env-backend]
permissions:
actions: read
contents: read
security-events: write
services:
registry:
image: registry:2
ports:
- 5000:5000
steps:
- name: Checkout repository
uses: actions/checkout@v4
with:
ref: ${{needs.prepare-env.outputs.check_sha}}
- name: Run Trivy vulnerability scanner in repo mode
uses: aquasecurity/[email protected]
with:
trivyignores: "./.github/workflows/.trivyignore"
scan-type: "config"
hide-progress: false
format: "sarif"
output: "trivy-results1.sarif"
severity: "CRITICAL,HIGH"
timeout: "10m0s"
- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v3
if: always()
with:
sarif_file: "trivy-results1.sarif"
analyze-traceability-foss-backend:
runs-on: ubuntu-latest
defaults:
run:
working-directory: tx-backend
if: always()
needs: ["prepare-env-backend"]
permissions:
actions: read
contents: read
security-events: write
steps:
- name: Checkout repository
uses: actions/checkout@v4
- uses: actions/setup-java@v4
with:
java-version: '${{ env.JAVA_VERSION }}'
distribution: 'temurin'
cache: 'maven'
- name: Locally build docker image
uses: docker/build-push-action@v6
with:
context: .
push: false
tags: localhost:5000/traceability-foss:trivy
- name: Run Trivy vulnerability scanner
uses: aquasecurity/[email protected]
with:
image-ref: localhost:5000/traceability-foss:trivy
trivyignores: "./.github/workflows/.trivyignore"
format: "sarif"
limit-severities-for-sarif: true
output: "trivy-results2.sarif"
severity: "CRITICAL,HIGH"
timeout: "10m0s"
- name: Upload Trivy scan results to GitHub Security tab
if: always()
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: "trivy-results2.sarif"