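# Add this to .github/workflows/docker-security.yml
name: 🐳 Docker Security Scan

on:  # yamllint disable-line rule:truthy
  push:
  schedule:
    # Weekly on Sundays at 00:00 UTC (minute 0, hour 0, weekday 0).
    - cron: '0 0 * * 0'
  workflow_dispatch: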
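jobs:
  # Builds the image once, scans it with Trivy, and publishes the image
  # tarball so the SBOM job describes exactly the artifact that was scanned.
  docker_security_scan:
    name: 🔍 Container Security Scan
    runs-on: ubuntu-latest
    permissions:
      contents: read
      security-events: write  # needed by upload-sarif
      actions: read           # needed by upload-sarif on private repositories
    steps:
      - name: 🧾 Checkout
        uses: actions/checkout@v4

      - name: 🔨 Build Docker Image
        run: |
          docker build -t clickbom:latest .
          docker tag clickbom:latest clickbom:${{ github.sha }}

      # Saved so container_sbom can load the identical image instead of
      # rebuilding it; a rebuild may pull newer base layers and drift from
      # what Trivy scanned here.
      - name: 💾 Save image for downstream jobs
        run: docker save clickbom:latest -o clickbom-image.tar

      - name: 📎 Upload image tarball
        uses: actions/upload-artifact@v4
        with:
          name: clickbom-image
          path: clickbom-image.tar
          retention-days: 1

      # Pinned to a release tag instead of the mutable `master` branch so an
      # upstream change cannot land in this workflow unreviewed; a full-length
      # commit SHA is the stronger pin.
      - name: 🛡️ Run Trivy vulnerability scanner
        uses: aquasecurity/trivy-action@0.28.0
        with:
          image-ref: clickbom:latest
          format: sarif
          output: trivy-results.sarif
          severity: CRITICAL,HIGH,MEDIUM

      - name: 📤 Upload Trivy scan results to GitHub Security tab
        uses: github/codeql-action/upload-sarif@v3
        if: always()
        with:
          sarif_file: trivy-results.sarif
          category: trivy  # keeps this upload distinct from hadolint/checkov

      - name: 🔍 Run Trivy for JSON output
        uses: aquasecurity/trivy-action@0.28.0
        with:
          image-ref: clickbom:latest
          format: json
          output: trivy-results.json
          severity: CRITICAL,HIGH,MEDIUM,LOW

      - name: 📊 Generate Security Report
        run: |
          # Count findings of one severity in the Trivy JSON; "0" when the
          # file is missing or unparsable so the report never aborts.
          count() {
            jq --arg sev "$1" \
              '[.Results[]?.Vulnerabilities[]? | select(.Severity == $sev)] | length' \
              trivy-results.json 2>/dev/null || echo "0"
          }

          echo "# 🐳 Container Security Report" > security-report.md
          echo "Generated on: $(date)" >> security-report.md
          echo "" >> security-report.md

          # Trivy Results Summary
          echo "## 🛡️ Trivy Scan Results" >> security-report.md
          if [ -f "trivy-results.json" ]; then
            CRITICAL=$(count CRITICAL)
            HIGH=$(count HIGH)
            MEDIUM=$(count MEDIUM)
            LOW=$(count LOW)
            echo "- 🔴 Critical: $CRITICAL" >> security-report.md
            echo "- 🟠 High: $HIGH" >> security-report.md
            echo "- 🟡 Medium: $MEDIUM" >> security-report.md
            echo "- 🟢 Low: $LOW" >> security-report.md
          else
            echo "- No Trivy results found" >> security-report.md
          fi

          echo "" >> security-report.md
          echo "## 📋 Recommendations" >> security-report.md
          echo "1. Review critical and high severity vulnerabilities" >> security-report.md
          echo "2. Update base image and dependencies regularly" >> security-report.md
          echo "3. Consider using distroless or minimal base images" >> security-report.md
          echo "4. Run security scans in CI/CD pipeline" >> security-report.md

      - name: 📎 Upload Security Artifacts
        uses: actions/upload-artifact@v4
        if: always()
        with:
          name: security-scan-results
          path: |
            trivy-results.json
            trivy-results.sarif
            security-report.md
          retention-days: 30

      # Reports critical findings as workflow errors. The job is deliberately
      # left green unless `exit 1` below is uncommented.
      - name: 🚨 Check for Critical Vulnerabilities
        run: |
          if [ -f "trivy-results.json" ]; then
            CRITICAL=$(jq '[.Results[]?.Vulnerabilities[]? | select(.Severity == "CRITICAL")] | length' trivy-results.json 2>/dev/null || echo "0")
            echo "Critical vulnerabilities found: $CRITICAL"
            if [ "$CRITICAL" -gt 0 ]; then
              echo "::error::Found $CRITICAL critical vulnerabilities in the container image"
              echo "::error::Please review and fix critical vulnerabilities before deploying"
              # Uncomment the next line if you want to fail the build on critical vulnerabilities
              # exit 1
            fi
          fi

  # Lints the Dockerfile with Hadolint and Checkov; both are best-effort and
  # publish SARIF under their own category.
  dockerfile_security_scan:
    name: 🐋 Dockerfile Security Scan
    runs-on: ubuntu-latest
    permissions:
      contents: read
      security-events: write
      actions: read
    steps:
      - name: 🧾 Checkout
        uses: actions/checkout@v4

      - name: 🔍 Run Hadolint (Dockerfile Linter)
        uses: hadolint/hadolint-action@v3.1.0
        with:
          dockerfile: Dockerfile
          format: sarif
          output-file: hadolint-results.sarif
          no-color: true
          failure-threshold: error
        continue-on-error: true

      - name: 📤 Upload Hadolint scan results
        uses: github/codeql-action/upload-sarif@v3
        if: always()
        with:
          sarif_file: hadolint-results.sarif
          category: hadolint

      # Pinned to a release tag rather than `master`; see the Trivy step above.
      - name: 🔍 Run Checkov (Infrastructure as Code Security)
        uses: bridgecrewio/checkov-action@v12
        if: always()
        with:
          directory: .
          framework: dockerfile
          output_format: sarif
          output_file_path: checkov-results.sarif
          soft_fail: true
        continue-on-error: true

      - name: 📤 Upload Checkov scan results
        uses: github/codeql-action/upload-sarif@v3
        if: always()
        with:
          sarif_file: checkov-results.sarif
          category: checkov

      - name: 📎 Upload Dockerfile Security Artifacts
        uses: actions/upload-artifact@v4
        if: always()
        with:
          name: dockerfile-security-results
          path: |
            hadolint-results.sarif
            checkov-results.sarif
          retention-days: 30

  # Produces SBOMs for the image that docker_security_scan scanned, loaded
  # from that job's tarball rather than rebuilt.
  container_sbom:
    name: 📋 Generate Container SBOM
    runs-on: ubuntu-latest
    needs: docker_security_scan
    steps:
      - name: 📥 Download scanned image tarball
        uses: actions/download-artifact@v5
        with:
          name: clickbom-image

      - name: 🔨 Load Docker image
        run: docker load -i clickbom-image.tar

      - name: 📋 Generate SBOM with Syft
        uses: anchore/sbom-action@v0
        with:
          image: clickbom:latest
          format: spdx-json
          output-file: container-sbom.spdx.json

      # Best-effort: the installer is fetched unpinned from the scout-cli
      # `main` branch and piped to sh, so it runs whatever that branch serves
      # today. Pin to a release (and verify a checksum) before relying on this
      # output; the step never fails the job.
      - name: 📋 Generate SBOM with Docker Scout
        continue-on-error: true
        run: |
          # Install Docker Scout CLI
          curl -sSfL https://raw.githubusercontent.com/docker/scout-cli/main/install.sh | sh -s --
          # Generate SBOM
          docker scout sbom clickbom:latest --format spdx --output container-sbom-scout.spdx.json || echo "Docker Scout SBOM generation failed"

      # always() so the Syft SBOM is still published when the Scout step fails
      # and security_summary can download it.
      - name: 📎 Upload Container SBOM
        uses: actions/upload-artifact@v4
        if: always()
        with:
          name: container-sbom
          path: |
            container-sbom.spdx.json
            container-sbom-scout.spdx.json
          retention-days: 30

  # Writes a step summary from whatever artifacts exist; downloads are
  # tolerant so a failed upstream job still yields a (partial) summary.
  security_summary:
    name: 📊 Security Summary
    runs-on: ubuntu-latest
    needs: [docker_security_scan, dockerfile_security_scan, container_sbom]
    if: always()
    steps:
      - name: 📥 Download Security Artifacts
        uses: actions/download-artifact@v5
        continue-on-error: true
        with:
          name: security-scan-results
          path: security-results/

      - name: 📥 Download Container SBOM
        uses: actions/download-artifact@v5
        continue-on-error: true
        with:
          name: container-sbom
          path: sbom-results/

      - name: 📊 Create Security Summary
        run: |
          # Count findings of one severity in the downloaded Trivy JSON;
          # "0" when the file is missing or unparsable.
          count() {
            jq --arg sev "$1" \
              '[.Results[]?.Vulnerabilities[]? | select(.Severity == $sev)] | length' \
              security-results/trivy-results.json 2>/dev/null || echo "0"
          }

          echo "# 🔒 ClickBOM Container Security Summary" >> "$GITHUB_STEP_SUMMARY"
          echo "**Scan Date:** $(date)" >> "$GITHUB_STEP_SUMMARY"
          echo "" >> "$GITHUB_STEP_SUMMARY"

          if [ -f "security-results/trivy-results.json" ]; then
            echo "## 🛡️ Vulnerability Scan Results" >> "$GITHUB_STEP_SUMMARY"
            CRITICAL=$(count CRITICAL)
            HIGH=$(count HIGH)
            MEDIUM=$(count MEDIUM)
            LOW=$(count LOW)
            echo "| Severity | Count |" >> "$GITHUB_STEP_SUMMARY"
            echo "|----------|-------|" >> "$GITHUB_STEP_SUMMARY"
            echo "| 🔴 Critical | $CRITICAL |" >> "$GITHUB_STEP_SUMMARY"
            echo "| 🟠 High | $HIGH |" >> "$GITHUB_STEP_SUMMARY"
            echo "| 🟡 Medium | $MEDIUM |" >> "$GITHUB_STEP_SUMMARY"
            echo "| 🟢 Low | $LOW |" >> "$GITHUB_STEP_SUMMARY"
            echo "" >> "$GITHUB_STEP_SUMMARY"
            if [ "$CRITICAL" -gt 0 ] || [ "$HIGH" -gt 0 ]; then
              echo "⚠️ **Action Required:** Critical or High severity vulnerabilities found!" >> "$GITHUB_STEP_SUMMARY"
            else
              echo "✅ **Good News:** No critical or high severity vulnerabilities found!" >> "$GITHUB_STEP_SUMMARY"
            fi
          else
            echo "## 🛡️ Vulnerability Scan Results" >> "$GITHUB_STEP_SUMMARY"
            echo "⚠️ Trivy results were not available for this run." >> "$GITHUB_STEP_SUMMARY"
          fi

          echo "" >> "$GITHUB_STEP_SUMMARY"
          echo "## 📋 Artifacts Generated" >> "$GITHUB_STEP_SUMMARY"
          echo "- Container vulnerability scan results (SARIF format)" >> "$GITHUB_STEP_SUMMARY"
          echo "- Dockerfile security scan results" >> "$GITHUB_STEP_SUMMARY"
          echo "- Container SBOM (Software Bill of Materials)" >> "$GITHUB_STEP_SUMMARY"
          echo "- Security summary report" >> "$GITHUB_STEP_SUMMARY"
          echo "" >> "$GITHUB_STEP_SUMMARY"
          echo "📥 Download artifacts from the workflow run to view detailed results." >> "$GITHUB_STEP_SUMMARY"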