|
1 | 1 | name: Trivy images check |
2 | 2 |
|
3 | | -env: |
4 | | - MODULES_MODULE_NAME: ${{ vars.MODULE_NAME }} |
5 | | - MODULES_MODULE_SOURCE: ${{ vars.DEV_MODULE_SOURCE }} |
6 | | - PR_NUMBER: ${{ github.event.pull_request.number }} |
7 | | - MODULES_REGISTRY: ${{ vars.DEV_REGISTRY }} |
8 | | - MODULES_REGISTRY_LOGIN: ${{ vars.DEV_MODULES_REGISTRY_LOGIN }} |
9 | | - MODULES_REGISTRY_PASSWORD: ${{ secrets.DEV_MODULES_REGISTRY_PASSWORD }} |
10 | | - |
11 | 3 | on: |
12 | 4 | pull_request: |
| 5 | + types: [opened, reopened, labeled, synchronize] |
| 6 | + push: |
| 7 | + branches: |
| 8 | + - main |
| 9 | + workflow_dispatch: |
| 10 | + inputs: |
| 11 | + release_branch: |
| 12 | + description: 'release branch name, example: release-1.68' |
| 13 | + required: false |
13 | 14 |
|
14 | 15 | jobs: |
15 | 16 | build_dev: |
| 17 | + if: github.event_name == 'pull_request' |
16 | 18 | uses: ./.github/workflows/build_dev.yml |
17 | 19 | secrets: inherit |
18 | | - test: |
| 20 | + cve_scan_on_pr: |
| 21 | + if: github.event_name == 'pull_request' |
19 | 22 | name: Trivy images check |
20 | 23 | runs-on: [self-hosted, regular] |
21 | 24 | needs: [build_dev] |
22 | | - |
23 | 25 | steps: |
24 | 26 | - uses: actions/checkout@v4 |
25 | | - - uses: deckhouse/modules-actions/setup@v1 |
26 | | - |
27 | | - - name: Check and Install Latest Trivy |
28 | | - run: | |
29 | | - mkdir -p $HOME/bin |
30 | | -
|
31 | | - LATEST_VERSION=$(curl -sL https://api.github.com/repos/aquasecurity/trivy/releases/latest | jq -r ".tag_name") |
32 | | - CLEAN_VERSION=${LATEST_VERSION#v} |
33 | | -
|
34 | | - INSTALL_TRIVY=true |
35 | | -
|
36 | | - if [[ -f "$HOME/bin/trivy" ]]; then |
37 | | - INSTALLED_VERSION=$("$HOME/bin/trivy" --version | grep -oE 'Version: [0-9]+\.[0-9]+\.[0-9]+' | grep -oE '[0-9]+\.[0-9]+\.[0-9]+') |
38 | | - if [ "$INSTALLED_VERSION" == "$CLEAN_VERSION" ]; then |
39 | | - echo "Trivy is already up-to-date (version $INSTALLED_VERSION)." |
40 | | - INSTALL_TRIVY=false |
41 | | - else |
42 | | - echo "Updating Trivy from version $INSTALLED_VERSION to $CLEAN_VERSION." |
43 | | - fi |
44 | | - else |
45 | | - echo "Trivy is not installed. Installing version $CLEAN_VERSION." |
46 | | - fi |
47 | | -
|
48 | | - if [ "$INSTALL_TRIVY" = true ]; then |
49 | | - wget https://github.com/aquasecurity/trivy/releases/download/$LATEST_VERSION/trivy_${CLEAN_VERSION}_Linux-64bit.tar.gz -O trivy.tar.gz |
50 | | - tar zxvf trivy.tar.gz -C $HOME/bin |
51 | | - fi |
52 | | -
|
53 | | - echo "$HOME/bin" >> $GITHUB_PATH |
54 | | -
|
55 | | - - name: Run Trivy vulnerability scanner in image mode |
| 27 | + - uses: deckhouse/modules-actions/cve_scan@main |
| 28 | + with: |
| 29 | + image: ${{ vars.DEV_MODULE_SOURCE }}/${{ vars.MODULE_NAME }} |
| 30 | + tag: pr${{ github.event.number }} |
| 31 | + module_name: ${{ vars.MODULE_NAME }} |
| 32 | + dd_url: ${{secrets.DEFECTDOJO_HOST}} |
| 33 | + dd_token: ${{secrets.DEFECTDOJO_API_TOKEN}} |
| 34 | + trivy_registry: ${{ vars.PROD_REGISTRY }} |
| 35 | + trivy_registry_user: ${{ vars.PROD_MODULES_REGISTRY_LOGIN }} |
| 36 | + trivy_registry_password: ${{ secrets.PROD_MODULES_READ_REGISTRY_PASSWORD }} |
| 37 | + deckhouse_private_repo: ${{secrets.DECKHOUSE_PRIVATE_REPO}} |
| 38 | + cve_scan: |
| 39 | + if: github.event_name != 'pull_request' |
| 40 | + name: Trivy images check |
| 41 | + runs-on: [self-hosted, regular] |
| 42 | + steps: |
| 43 | + - uses: actions/checkout@v4 |
| 44 | + - name: Sets env vars for manual run |
56 | 45 | run: | |
57 | | - exit_code=0 |
58 | | - image_name=$MODULES_MODULE_SOURCE/$MODULES_MODULE_NAME |
59 | | - image_name_with_tag=$MODULES_MODULE_SOURCE/$MODULES_MODULE_NAME:pr$PR_NUMBER |
60 | | - |
61 | | - crane_output=$(crane export $image_name_with_tag | tar -xOf - images_digests.json | jq -c 'to_entries[]') |
62 | | - |
63 | | - while read -r item; do |
64 | | - key=$(echo "$item" | jq -r '.key') |
65 | | - value=$(echo "$item" | jq -r '.value') |
66 | | -
|
67 | | - echo 'Checking image '$key' '$value |
68 | | -
|
69 | | - trivy image --quiet --config trivy-silent.yaml --format table $image_name@$value |
70 | | -
|
71 | | - result=$(trivy image --quiet --config trivy-silent.yaml --format json $image_name@$value) |
72 | | -
|
73 | | - vulnerabilities=$(echo "$result" | jq '[.Results[]? | select(has("Vulnerabilities")) | .Vulnerabilities | length] | add // 0') |
74 | | -
|
75 | | - if [ "$vulnerabilities" -gt 0 ]; then |
76 | | - echo "There are vulnerabilities in image" |
77 | | - exit_code=1 |
78 | | - else |
79 | | - echo "There are no vulnerabilities in image" |
80 | | - fi |
81 | | - done <<< "$crane_output" |
82 | | -
|
83 | | - exit $exit_code |
| 46 | + echo "MODULE_IMAGE_TAG=${{ github.event.inputs.release_branch || 'main' }}" >> $GITHUB_ENV |
| 47 | + if: github.event_name != 'workflow_dispatch' |
| 48 | + - uses: deckhouse/modules-actions/cve_scan@main |
| 49 | + with: |
| 50 | + image: ${{ vars.DEV_MODULE_SOURCE }}/${{ vars.MODULE_NAME }} |
| 51 | + tag: ${{ env.MODULE_IMAGE_TAG || 'main' }} |
| 52 | + module_name: ${{ vars.MODULE_NAME }} |
| 53 | + dd_url: ${{secrets.DEFECTDOJO_HOST}} |
| 54 | + dd_token: ${{secrets.DEFECTDOJO_API_TOKEN}} |
| 55 | + trivy_registry: ${{ vars.PROD_REGISTRY }} |
| 56 | + trivy_registry_user: ${{ vars.PROD_MODULES_REGISTRY_LOGIN }} |
| 57 | + trivy_registry_password: ${{ secrets.PROD_MODULES_READ_REGISTRY_PASSWORD }} |
| 58 | + deckhouse_private_repo: ${{secrets.DECKHOUSE_PRIVATE_REPO}} |
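Review bot: `deckhouse/modules-actions/cve_scan@main` (new lines 27 and 48) pins a reusable action to a mutable branch while handing it `secrets.DEFECTDOJO_API_TOKEN`, `secrets.PROD_MODULES_READ_REGISTRY_PASSWORD` and `secrets.DECKHOUSE_PRIVATE_REPO`, so any later push to that branch runs with these credentials; the reference it replaces (`setup@v1`) was at least tag-pinned, and a full commit SHA with a version comment is the safer pin, `- uses: deckhouse/modules-actions/cve_scan@<PINNED_COMMIT_SHA>  # <release tag>`. Separately, the step named "Sets env vars for manual run" is guarded by `if: github.event_name != 'workflow_dispatch'` (new line 47), which skips it on exactly the manual run it is meant for: on dispatch `MODULE_IMAGE_TAG` is never written and the `env.MODULE_IMAGE_TAG || 'main'` fallback on new line 51 ignores the `release_branch` input, while on push it can only ever write `main`, so the comparison looks inverted. That step also expands `github.event.inputs.release_branch` directly inside `run:`; passing the input through `env:` and expanding it with the shell keeps the script text fixed regardless of what the input contains. The `${{secrets.…}}` expressions on new lines 32, 33, 37, 53, 54 and 58 drop the spaces used by every other expression in the file.
```yaml
      - uses: deckhouse/modules-actions/cve_scan@<PINNED_COMMIT_SHA>  # <release tag>; replaces @main in both jobs
      # … unchanged: with: inputs …
      - name: Sets env vars for manual run
        if: github.event_name == 'workflow_dispatch'
        env:
          RELEASE_BRANCH: ${{ github.event.inputs.release_branch || 'main' }}
        run: |
          echo "MODULE_IMAGE_TAG=$RELEASE_BRANCH" >> $GITHUB_ENV
```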