diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml
index 4178ad23..81ede610 100644
--- a/.github/workflows/security.yml
+++ b/.github/workflows/security.yml
@@ -33,37 +33,6 @@ jobs:
 - name: Set up Docker Buildx
 uses: docker/setup-buildx-action@d70bba72b1f3fd22344832f00baa16ece964efeb #v3.3.0
- trivy-scanning:
- runs-on: ubuntu-latest
- steps:
- - name: Checkout Source
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
-
- - name: Build and load (not push)
- uses: docker/build-push-action@2cdde995de11925a030ce8070c3d77a52ffcf1c0 # v5.3.0
- with:
- load: true
- context: .
- file: ./Dockerfile
- platforms: linux/amd64
- push: false
- tags: checkmarx/2ms:scanme
-
- - name: Run Trivy Scan
- uses: aquasecurity/trivy-action@915b19bbe73b92a6cf82a1bc12b087c9a19a5fe2 # v0.28.0
- with:
- image-ref: checkmarx/2ms:scanme
- vuln-type: os,library
- format: table
- ignore-unfixed: true
- severity: CRITICAL,HIGH,MEDIUM,LOW,UNKNOWN
- trivy-config: trivy.yaml
- exit-code: '1'
- env:
- TRIVY_SKIP_DB_UPDATE: true
- TRIVY_SKIP_JAVA_DB_UPDATE: true
-
-
 secret-scanning:
 runs-on: ubuntu-latest
 steps:
diff --git a/.github/workflows/update-trivy-cache.yml b/.github/workflows/trivy-cache.yaml
similarity index 95%
rename from .github/workflows/update-trivy-cache.yml
rename to .github/workflows/trivy-cache.yaml
index 394ceb53..bf3887e8 100644
--- a/.github/workflows/update-trivy-cache.yml
+++ b/.github/workflows/trivy-cache.yaml
@@ -36,4 +36,4 @@ jobs:
 uses: actions/cache/save@1bd1e32a3bdc45362d1e726936510720a7c30a57 #v4.2.0
 with:
 path: ${{ github.workspace }}/.cache/trivy
- key: cache-trivy-${{ steps.date.outputs.date }}
\ No newline at end of file
+ key: cache-trivy-${{ steps.date.outputs.date }}
diff --git a/.github/workflows/trivy-vulnerability-scan.yaml b/.github/workflows/trivy-vulnerability-scan.yaml
new file mode 100644
index 00000000..8b23fb50
--- /dev/null
+++ b/.github/workflows/trivy-vulnerability-scan.yaml
@@ -0,0 +1,40 @@
+name: Trivy-scan
+on:
+ push:
+ workflow_dispatch:
+ pull_request:
+ branches:
+ - master
+ schedule:
+ - cron: '5 6 * * *' # Runs every day at 06:05 UTC
+
+jobs:
+ trivy-scan:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout Source
+ uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+
+ - name: Build and load (not push)
+ uses: docker/build-push-action@2cdde995de11925a030ce8070c3d77a52ffcf1c0 # v5.3.0
+ with:
+ load: true
+ context: .
+ file: ./Dockerfile
+ platforms: linux/amd64
+ push: false
+ tags: checkmarx/2ms:scanme
+
+ - name: Run Trivy Scan
+ uses: aquasecurity/trivy-action@915b19bbe73b92a6cf82a1bc12b087c9a19a5fe2 # v0.28.0
+ with:
+ image-ref: checkmarx/2ms:scanme
+ vuln-type: os,library
+ format: table
+ ignore-unfixed: true
+ severity: CRITICAL,HIGH,MEDIUM,LOW,UNKNOWN
+ trivy-config: trivy.yaml
+ exit-code: '1'
+ env:
+ TRIVY_SKIP_DB_UPDATE: true
+ TRIVY_SKIP_JAVA_DB_UPDATE: true
diff --git a/Dockerfile b/Dockerfile
index a0e8362b..da2a0074 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -20,7 +20,7 @@ COPY . .
 RUN GOOS=linux GOARCH=amd64 go build -ldflags="-s -w" -a -o /app/2ms .
 # Runtime image
-FROM cgr.dev/chainguard/git@sha256:b0dbd0c3c6a0f44c0522663c3a7f9b47f8e62ed419c88c37199f61308f19829c
+FROM cgr.dev/chainguard/git@sha256:fb9f28194b4dda3ea74c68d731238d1f32023849bca04c5652638e8e199fb956
 WORKDIR /app
diff --git a/trivy-whitelist.openvex b/trivy-whitelist.openvex
new file mode 100644
index 00000000..de08cdaf
--- /dev/null
+++ b/trivy-whitelist.openvex
@@ -0,0 +1,9 @@
+{
+ "@context": "https://openvex.dev/ns",
+ "@id": "https://openvex.dev/docs/public/vex-2e67563e128250cbcb3e98930df948dd053e43271d70dc50cfa22d57e03fe96f",
+ "timestamp": "2024-05-08T16:00:16.853479631-06:00",
+ "version": 1,
+ "author":"Omer fainshtein",
+ "statements": [
+ ]
+}
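Review bot: The new workflow declares no `permissions:` block, so the job runs with the repository's default GITHUB_TOKEN scope even though it only checks out the source and builds locally (`push: false`); adding a top-level `permissions:` with `  contents: read` pins it to least privilege. The `push:` trigger carries no branch filter, so every push on any branch runs the image build and scan on top of the `pull_request` run against master; if that is intended it deserves a comment, otherwise a `branches:` list under `push:` limits it. `TRIVY_SKIP_DB_UPDATE` and `TRIVY_SKIP_JAVA_DB_UPDATE` apply to the scheduled run as well, so even the daily scan never refreshes the vulnerability DB itself and depends entirely on the cache written by trivy-cache.yaml (key `cache-trivy-<date>`); whether this job restores that cache is not visible in the diff, so confirm the scan fails loudly rather than running against a stale or missing DB.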
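Review bot: `statements` is empty and nothing else in this diff references trivy-whitelist.openvex, so as far as the hunk shows the document is inert; Trivy applies a VEX document only when it is passed explicitly (the `--vex` flag or its trivy.yaml/env equivalent), and whether trivy.yaml does so is outside this diff, so confirm the wiring before relying on the file to suppress anything. When statements are added, each `not_affected` entry should carry a `justification` (and ideally an `impact_statement`) so that a suppressed finding stays auditable. Minor: `"author":"Omer fainshtein"` lacks the space after the colon that the other keys use.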