Merge pull request #18 from ba-st/add_vulnerability_scanner

gcotelli · web-flow · commit c95e18ca5cfd · 2024-04-18T18:42:58.000-03:00
Add vulnerability scanning
diff --git a/.github/workflows/docker-build.yml b/.github/workflows/docker-build.yml
@@ -12,6 +12,9 @@ on:
 jobs:
   build_and_publish:
     name: Build and Publish Docker images
+    permissions:
+      contents: read
+      security-events: write
     runs-on: ubuntu-latest
     strategy:
       matrix:
@@ -108,3 +111,21 @@ jobs:
           tags: ${{ steps.docker_meta_runtime_gem.outputs.tags }}
           labels: ${{ steps.docker_meta_runtime_gem.outputs.labels }}
           secrets: GIT_AUTH_TOKEN=${{ secrets.DOCKER_REGISTRY_TOKEN }}
+
+      # Scan for vulnerabilities
+      - name: Run Trivy vulnerability scanner
+        uses: aquasecurity/trivy-action@master
+        if: ${{ github.event_name != 'pull_request' }}
+        with:
+          image-ref: ghcr.io/${{ github.repository_owner }}/gs64:${{ github.ref_name }}
+          format: 'sarif'
+          output: 'trivy-results.sarif'
+          severity: 'CRITICAL,HIGH'
+          limit-severities-for-sarif: true
+          ignore-unfixed: true
+
+      - name: Upload Trivy scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@v3
+        if: ${{ github.event_name != 'pull_request' }}
+        with:
+          sarif_file: 'trivy-results.sarif'
diff --git a/.github/workflows/scheduled-security-scan.yml b/.github/workflows/scheduled-security-scan.yml
@@ -0,0 +1,27 @@
+name: Scheduled vulnerability scanning
+on:
+  schedule:
+    - cron: '35 6 * * 2'
+  workflow_dispatch:
+jobs:
+  vulnerability-scan:
+    permissions:
+      contents: read
+      security-events: write
+    name: Scheduled scan for vulnerabilities
+    runs-on: ubuntu-latest
+    steps:
+      - name: Run Trivy vulnerability scanner
+        uses: aquasecurity/trivy-action@master
+        with:
+          image-ref: ghcr.io/${{ github.repository_owner }}/gs64:latest
+          format: 'sarif'
+          output: 'trivy-results.sarif'
+          severity: 'CRITICAL,HIGH'
+          limit-severities-for-sarif: true
+          ignore-unfixed: true
+
+      - name: Upload Trivy scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: 'trivy-results.sarif'
diff --git a/source/Dockerfile b/source/Dockerfile
@@ -15,6 +15,7 @@ ENV GS_UID=1001
 ENV GS_GID=100
 
 RUN  apt-get update \
+  && apt-get upgrade -y \
   && apt-get install --assume-yes --no-install-recommends \
      ca-certificates \
      gosu \
