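---
# Trivy filesystem scan of this repository on push / PR / schedule / manual run:
# SARIF goes to the GitHub Security tab, the full JSON scan is imported into
# DefectDojo and kept as an artifact, an HTML report is kept as an artifact,
# and a one-line severity summary of both scans is posted to Slack.
name: Trivy Security Scan on repository

on:  # yamllint disable-line rule:truthy -- `on` is a YAML 1.1 boolean; GitHub's loader accepts it
  push:
    branches:
      # - master
      # - v2*
      - security-ci-scan  # To be deleted
    # Publish `v1.2.3` tags as releases.
    # tags:
    #   - v*
  # NOTE(review): for pull_request events from forks GitHub withholds repository
  # secrets, so the DefectDojo import and Slack steps would fail there — confirm intended.
  pull_request:
  schedule:
    - cron: '0 3 * * 1,3'  # Trivy scan every Monday and Wednesday at 03:00 UTC
  # Below is for manual scanning
  workflow_dispatch:

# Filled in by the two "Create summary" steps below and read by the Slack payload.
env:
  FULL_SUMMARY: ""
  PATCH_SUMMARY: ""

jobs:
  build:
    name: Build
    runs-on: ubuntu-20.04
    # Least-privilege token for this job: upload-sarif needs `security-events: write`,
    # cancel-workflow-action needs `actions: write`; nothing here writes repository contents.
    permissions:
      contents: read
      security-events: write
      actions: write
    steps:
      # Could be replaced by a top-level `concurrency:` group with
      # `cancel-in-progress: true`, which needs no third-party action or token.
      - name: Cancel previous workflow runs
        uses: styfle/cancel-workflow-action@0.9.1
        with:
          access_token: ${{ github.token }}

      - name: Checkout code
        uses: actions/checkout@v3

      # NOTE(review): `@master` is a mutable ref (also used by the three trivy-action
      # steps below); pin to a release tag or commit SHA so the scanner cannot change
      # underneath the workflow without a reviewed diff.
      - name: Run Trivy vulnerability scanner in repo mode - SARIF
        uses: aquasecurity/trivy-action@master
        with:
          scan-type: 'fs'
          ignore-unfixed: true
          format: 'sarif'
          output: 'trivy-repo-results.sarif'

      - name: Upload Trivy scan results to GitHub Security tab
        uses: github/codeql-action/upload-sarif@v2
        with:
          sarif_file: 'trivy-repo-results.sarif'

      # Full scan: no `ignore-unfixed`, so unfixable findings are included too.
      - name: Run Trivy vulnerability scanner in repo mode - JSON (Full)
        uses: aquasecurity/trivy-action@master
        with:
          scan-type: 'fs'
          format: 'json'
          output: 'trivy-repo-full-results.json'

      - name: Upload Trivy results as an artifact
        uses: actions/upload-artifact@v3
        with:
          name: "trivy-repo-full-results.json"
          path: './trivy-repo-full-results.json'

      - name: Import Trivy Findings to DefectDojo
        uses: portswigger-cloud/defectdojo-import-scan@v1
        with:
          # Secret names are kept as-is (spelling included) — renaming them here
          # would silently break the import until the repository secrets are renamed too.
          defectdojo-url: ${{ secrets.DEFECTOJO_URL }}
          defectdojo-username: ${{ secrets.DEFECTOJO_USERNAME }}
          defectdojo-password: ${{ secrets.DEFECTOJO_PASSWORD }}
          defectdojo-product-type: OPENSRP
          defectdojo-product: OpenSRP-Server-Web
          defectdojo-environment-type: Test
          defectdojo-scan-type: Trivy Scan
          defectdojo-engagement-name: Github Actions Initiated Trivy SAST Scan
          scan-results-file-name: trivy-repo-full-results.json

      - name: Create summary of trivy issues on Repository Full scan
        run: |
          # One line of "SEVERITY: count | SEVERITY: count"; empty when nothing was found.
          summary=$(jq -r '.Results[] | select(.Vulnerabilities) | .Vulnerabilities | group_by(.Severity) | map({Severity: .[0].Severity, Count: length}) | .[] | [.Severity, .Count] | join(": ")' trivy-repo-full-results.json | awk 'NR > 1 { printf(" | ") } {printf "%s",$0}')
          # Quoted: the summary contains spaces, so an unquoted test would be split
          # into several arguments and `[` would report "too many arguments".
          if [ -z "$summary" ]
          then
            summary="No vulnerabilities found"
          fi
          echo "FULL_SUMMARY=$summary" >> "$GITHUB_ENV"

      # Fixable-only scan: `ignore-unfixed` keeps just the findings with a patch available.
      - name: Run Trivy vulnerability scanner in repo mode - JSON (with Patches)
        uses: aquasecurity/trivy-action@master
        with:
          scan-type: 'fs'
          ignore-unfixed: true
          format: 'json'
          output: 'trivy-repo-fixable-results.json'

      - name: Create summary of trivy issues on Repository scan
        run: |
          # Same shape as the full summary above, over the fixable-only results.
          summary=$(jq -r '.Results[] | select(.Vulnerabilities) | .Vulnerabilities | group_by(.Severity) | map({Severity: .[0].Severity, Count: length}) | .[] | [.Severity, .Count] | join(": ")' trivy-repo-fixable-results.json | awk 'NR > 1 { printf(" | ") } {printf "%s",$0}')
          # Quoted for the same reason as in the full-scan summary step.
          if [ -z "$summary" ]
          then
            summary="No issues or vulnerability fixes available"
          fi
          echo "PATCH_SUMMARY=$summary" >> "$GITHUB_ENV"

      - name: Generate trivy HTML report on Repository for download
        uses: aquasecurity/trivy-action@master
        with:
          scan-type: 'fs'
          format: 'template'
          template: '@/contrib/html.tpl'
          output: 'trivy-repo-report.html'

      # Distinct step name: the JSON artifact step above already uses
      # "Upload Trivy results as an artifact", which made run logs ambiguous.
      - name: Upload Trivy HTML report as an artifact
        uses: actions/upload-artifact@v3
        with:
          name: "trivy-repo-report.html"
          path: './trivy-repo-report.html'
          retention-days: 30  # matches the "only valid for 30 days" text in the Slack message

      - name: Send Slack Notification
        uses: slackapi/slack-github-action@v1.23.0
        with:
          # FULL_SUMMARY / PATCH_SUMMARY are single-line severity counts produced by
          # the jq/awk steps above, so they cannot break the JSON structure.
          payload: |
            {
              "text": "Trivy scan results for ${{ github.repository }} repository",
              "blocks": [
                {
                  "type": "section",
                  "text": {
                    "type": "mrkdwn",
                    "text": "TRIVY REPO SCAN RESULTS FOR ${{ github.repository }} REPOSITORY"
                  }
                },
                {
                  "type": "section",
                  "text": {
                    "type": "mrkdwn",
                    "text": " Total Vulnerabilities: ${{ env.FULL_SUMMARY }}"
                  }
                },
                {
                  "type": "section",
                  "text": {
                    "type": "mrkdwn",
                    "text": " Vulnerabilities with fixes: ${{ env.PATCH_SUMMARY }}"
                  }
                },
                {
                  "type": "section",
                  "text": {
                    "type": "mrkdwn",
                    "text": " View HTML result artifact: https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}. Artifact is only valid for 30 days."
                  }
                }
              ]
            }
        env:
          SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
          SLACK_WEBHOOK_TYPE: INCOMING_WEBHOOK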