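# Copyright (c) 2023 Contributors to the Eclipse Foundation
#
# See the NOTICE file(s) distributed with this work for additional
# information regarding copyright ownership.
#
# This program and the accompanying materials are made available under the
# terms of the Apache License, Version 2.0 which is available at
# https://www.apache.org/licenses/LICENSE-2.0.
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
# SPDX-License-Identifier: Apache-2.0

# This workflow uses actions that are not certified by GitHub.
# They are provided by a third-party and are governed by
# separate terms of service, privacy policy, and support
# documentation.
#
# Trivy scans for the frontend image, the backend configuration files and the
# backend image. Findings are uploaded as SARIF to the GitHub Security tab.
#
# The third-party actions below are pinned to version tags. A tag can be moved
# by the action's maintainer; pinning to the full commit SHA instead
# (e.g. `uses: aquasecurity/trivy-action@<full-commit-sha>  # 0.23.0`) makes
# the supply chain tamper-evident and is the recommended hardening.
---
name: "[BE][FE][SECURITY] Trivy"

on:
  pull_request:
    branches:
      - main
    paths-ignore:
      - '**/*.md'
      - '**/*.txt'
  push:
    branches:
      - main
    paths-ignore:
      - '**/*.md'
      - '**/*.txt'
  schedule:
    - cron: "0 0 * * *"
  workflow_dispatch:
  # Re-scan the backend once the "Pull request Backend" workflow has finished.
  # A workflow_run run executes in the context of the default branch; only the
  # commit resolved in prepare-env-backend comes from the triggering run.
  workflow_run:
    workflows: ["Pull request Backend"]
    types: ["completed"]

permissions:
  contents: read

env:
  JAVA_VERSION: 17
  # Not referenced by any step in this file.
  COMMIT_SHA: ${{ github.sha }}

jobs:
  build-frontend:
    name: Build frontend
    runs-on: ubuntu-latest
    permissions:
      actions: read
      contents: read  # for actions/checkout to fetch code
      security-events: write  # for github/codeql-action/upload-sarif to upload SARIF results
    services:
      # NOTE(review): no step in this job pushes to or pulls from this
      # registry; the image is built and scanned on the runner's local daemon.
      registry:
        image: registry:2
        ports:
          - "5000:5000"
    defaults:
      run:
        working-directory: .
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
      - name: Build an image from Dockerfile
        run: docker build -t localhost:5000/traceability-foss:fe_${{ github.sha }} -f ./frontend/Dockerfile .
      - name: Run Trivy vulnerability scanner
        uses: aquasecurity/trivy-action@0.23.0
        with:
          trivyignores: "./.github/workflows/.trivyignore"
          image-ref: 'localhost:5000/traceability-foss:fe_${{ github.sha }}'
          format: "sarif"
          limit-severities-for-sarif: true
          output: 'trivy-results.sarif'
          severity: 'CRITICAL,HIGH'
      - name: Upload Trivy scan results to GitHub Security tab
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: 'trivy-results.sarif'

  # Resolves the commit the backend scan jobs should look at and exposes it as
  # the check_sha output.
  prepare-env-backend:
    runs-on: ubuntu-latest
    defaults:
      run:
        working-directory: tx-backend
    outputs:
      check_sha: ${{ steps.step1.outputs.check_sha }}
    steps:
      # The checkout only has to provide the tx-backend working directory for
      # the run step below. A job cannot use its own output as the ref, so the
      # default ref of the triggering event is checked out.
      - name: Checkout repository
        uses: actions/checkout@v4
      - name: Set commit SHA to check
        id: step1
        # workflow_run: use the head commit of the run that triggered us.
        # push / schedule / workflow_dispatch: head_sha is empty, use GITHUB_SHA.
        run: |
          if [ -z "${{ github.event.workflow_run.head_sha }}" ]; then
            # use the value that is set when triggering the workflow manually
            echo "check_sha=$GITHUB_SHA" >> "$GITHUB_OUTPUT"
          else
            echo "check_sha=${{ github.event.workflow_run.head_sha }}" >> "$GITHUB_OUTPUT"
          fi

  analyze-config-backend:
    runs-on: ubuntu-latest
    needs:
      - prepare-env-backend
    # Run even when prepare-env-backend failed; check_sha is then empty and
    # the checkout falls back to the default ref.
    if: always()
    defaults:
      run:
        working-directory: tx-backend
    permissions:
      actions: read
      contents: read
      security-events: write
    services:
      # NOTE(review): no step in this job uses the registry (config scan only).
      registry:
        image: registry:2
        ports:
          - "5000:5000"
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4
        with:
          # The job id listed in `needs` is prepare-env-backend; the expression
          # must use that exact id or it resolves to an empty ref and the
          # resolved commit is silently ignored.
          # On a workflow_run trigger this commit comes from the triggering
          # run and must be treated as untrusted input: this job only parses
          # the tree (scan-type config) and never builds or executes it.
          ref: ${{ needs.prepare-env-backend.outputs.check_sha }}
      - name: Run Trivy vulnerability scanner in repo mode
        uses: aquasecurity/trivy-action@0.23.0
        with:
          trivyignores: "./.github/workflows/.trivyignore"
          scan-type: "config"
          hide-progress: false
          format: "sarif"
          output: "trivy-results1.sarif"
          severity: "CRITICAL,HIGH"
          timeout: "10m0s"
      - name: Upload Trivy scan results to GitHub Security tab
        uses: github/codeql-action/upload-sarif@v3
        if: always()
        with:
          sarif_file: "trivy-results1.sarif"

  analyze-traceability-foss-backend:
    runs-on: ubuntu-latest
    needs:
      - prepare-env-backend
    if: always()
    defaults:
      run:
        working-directory: tx-backend
    permissions:
      actions: read
      contents: read
      security-events: write
    steps:
      # Deliberately no `ref` here: the image is built from the default
      # checkout of the triggering event, not from check_sha. A docker build
      # runs the Dockerfile's instructions on the runner, so it must not be
      # pointed at a commit whose origin is not trusted.
      - name: Checkout repository
        uses: actions/checkout@v4
      - uses: actions/setup-java@v4
        with:
          java-version: '${{ env.JAVA_VERSION }}'
          distribution: 'temurin'
          cache: 'maven'
      - name: Locally build docker image
        uses: docker/build-push-action@v6
        with:
          # defaults.run.working-directory applies to `run` steps only; this
          # context is resolved against the workspace root.
          context: .
          push: false
          tags: localhost:5000/traceability-foss:trivy
      - name: Run Trivy vulnerability scanner
        uses: aquasecurity/trivy-action@0.23.0
        with:
          image-ref: localhost:5000/traceability-foss:trivy
          trivyignores: "./.github/workflows/.trivyignore"
          format: "sarif"
          limit-severities-for-sarif: true
          output: "trivy-results2.sarif"
          severity: "CRITICAL,HIGH"
          timeout: "10m0s"
      - name: Upload Trivy scan results to GitHub Security tab
        if: always()
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: "trivy-results2.sarif"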