Merge pull request #2378 from subspace/ci-security

trivy and cargo-audit for vulnerability scanning in CI

Author: nazar-pc

.github/workflows/rustsec-audit.yml

@@ -0,0 +1,22 @@
+##
+# This GitHub Action is using cargo-audit to perform an audit for crates with security vulnerabilities.
+# https://github.com/rustsec/audit-check
+##
+
+name: Rustsec Cargo Audit
+on:
+  workflow_dispatch:
+  push:
+    paths:
+      - "**/Cargo.toml"
+      - "**/Cargo.lock"
+  schedule:
+    - cron: "40 13 * * 0"
+jobs:
+  security_audit:
+    runs-on: ${{ fromJson(github.repository_owner == 'subspace' && '["self-hosted", "ubuntu-20.04-x86-64"]' || '"ubuntu-22.04"') }}
+    steps:
+      - uses: actions/checkout@v3
+      - uses: rustsec/audit-check@dd51754d4e59da7395a4cd9b593f0ff2d61a9b95 #v1.4.1
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/snapshot-build.yml

@@ -80,6 +80,13 @@ jobs:
             SUBSTRATE_CLI_GIT_COMMIT_HASH=${{ github.sha }}
             RUSTFLAGS=${{ matrix.platform.rustflags }}
 
+      - name: Trigger trivy-security-scan Workflow
+        uses: peter-evans/repository-dispatch@a4a90276d01e3a2ae44fa10a0247287f045afd59 # @v2.1.2
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}
+          event-type: trivy-scan-dispatch
+          client-payload: '{"sha": "${{ github.sha }}"}'
+
   executables:
     strategy:
       matrix:
@@ -176,7 +183,7 @@ jobs:
             gcc-aarch64-linux-gnu \
             libc6-dev-arm64-cross \
             zlib1g-dev:arm64
-          
+
           echo "PKG_CONFIG_ALLOW_CROSS=true" >> $GITHUB_ENV
         if: matrix.build.target == 'aarch64-unknown-linux-gnu'
 

.github/workflows/trivy-security-scan.yml

@@ -0,0 +1,60 @@
+##
+# This action runs trivy container and repository vulnerability
+# scanner for docker images and cargo packages.
+##
+
+name: trivy-security-scan
+
+on:
+  repository_dispatch:
+    types: [trivy-scan-dispatch]
+
+jobs:
+  trivy_scan_image:
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        image:
+          - farmer
+          - node
+          - bootstrap-node
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # @v3.1.0
+
+      - name: Run Trivy vulnerability scanner on image
+        uses: aquasecurity/trivy-action@d43c1f16c00cfd3978dde6c07f4bbcf9eb6993ca # @v0.16.1
+        with:
+          image-ref: ghcr.io/${{ github.repository_owner }}/${{ matrix.image }}:${{ github.event.client_payload.sha }}
+          format: "sarif"
+          output: "trivy-results.sarif"
+          exit-code: "1"
+          ignore-unfixed: true
+          vuln-type: "os,library"
+          severity: "CRITICAL,HIGH"
+
+      - name: Upload Trivy scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@4759df8df70c5ebe7042c3029bbace20eee13edd # @v2.23.1
+        with:
+          sarif_file: "trivy-results.sarif"
+
+  trivy_scan_repo:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # @v3.1.0
+
+      - name: Run Trivy vulnerability scanner in repo mode
+        uses: aquasecurity/trivy-action@d43c1f16c00cfd3978dde6c07f4bbcf9eb6993ca # @v0.16.1
+        with:
+          scan-type: fs
+          ignore-unfixed: true
+          format: sarif
+          output: trivy-results.sarif
+          severity: CRITICAL
+
+      - name: Upload Trivy scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@4759df8df70c5ebe7042c3029bbace20eee13edd # @v2.23.1
+        with:
+          sarif_file: trivy-results.sarif