Trivy

trask · trask · commit a913318b0df8 · 2025-07-29T08:59:35.000-07:00
diff --git a/.github/workflows/trivy-security-scan.yml b/.github/workflows/trivy-security-scan.yml
@@ -0,0 +1,174 @@
+name: Trivy Security Scan
+
+on:
+  push:
+    branches:
+      - main
+      - release/*
+  pull_request:
+    branches:
+      - main
+      - release/*
+  schedule:
+    # Run daily at 2:00 AM UTC
+    - cron: '0 2 * * *'
+  workflow_dispatch:
+
+permissions:
+  contents: read
+  security-events: write # for uploading SARIF results
+  actions: read
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.sha }}
+  cancel-in-progress: true
+
+jobs:
+  trivy-fs-scan:
+    name: Trivy Filesystem Scan
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+
+      - name: Run Trivy vulnerability scanner in filesystem mode
+        uses: aquasecurity/trivy-action@f781cce5aab226378ee181d764ab90ea0be3cdd8 # v0.29.0
+        with:
+          scan-type: 'fs'
+          scan-ref: '.'
+          format: 'sarif'
+          output: 'trivy-fs-results.sarif'
+          severity: 'CRITICAL,HIGH,MEDIUM'
+          trivyignores: '.trivyignore'
+
+      - name: Upload Trivy scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@4f3212b61783c3c68e8309a0f18a699764811cda # v3.27.1
+        if: always()
+        with:
+          sarif_file: 'trivy-fs-results.sarif'
+
+      - name: Upload filesystem scan results as artifact
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
+        if: always()
+        with:
+          name: trivy-fs-scan-results
+          path: trivy-fs-results.sarif
+
+  trivy-java-scan:
+    name: Trivy Java Dependencies Scan
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+
+      - name: Set up JDK for running Gradle
+        uses: actions/setup-java@c5195efecf7bdfc987ee8bae7a71cb8b11521c00 # v4.7.1
+        with:
+          distribution: temurin
+          java-version: 17
+
+      - name: Set up gradle
+        uses: gradle/actions/setup-gradle@ac638b010cf58a27ee6c972d7336334ccaf61c96 # v4.4.1
+        with:
+          cache-read-only: ${{ github.event_name == 'pull_request' }}
+
+      - name: Build project
+        run: ./gradlew build -x test
+
+      - name: Run Trivy vulnerability scanner for Java dependencies
+        uses: aquasecurity/trivy-action@f781cce5aab226378ee181d764ab90ea0be3cdd8 # v0.29.0
+        with:
+          scan-type: 'fs'
+          scan-ref: '.'
+          scanners: 'vuln'
+          format: 'sarif'
+          output: 'trivy-java-results.sarif'
+          severity: 'CRITICAL,HIGH,MEDIUM'
+          trivyignores: '.trivyignore'
+
+      - name: Upload Java dependencies scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@4f3212b61783c3c68e8309a0f18a699764811cda # v3.27.1
+        if: always()
+        with:
+          sarif_file: 'trivy-java-results.sarif'
+
+      - name: Upload Java scan results as artifact
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
+        if: always()
+        with:
+          name: trivy-java-scan-results
+          path: trivy-java-results.sarif
+
+  trivy-config-scan:
+    name: Trivy Configuration Scan
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+
+      - name: Run Trivy configuration scanner
+        uses: aquasecurity/trivy-action@f781cce5aab226378ee181d764ab90ea0be3cdd8 # v0.29.0
+        with:
+          scan-type: 'config'
+          scan-ref: '.'
+          format: 'sarif'
+          output: 'trivy-config-results.sarif'
+          severity: 'CRITICAL,HIGH,MEDIUM'
+          trivyignores: '.trivyignore'
+
+      - name: Upload configuration scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@4f3212b61783c3c68e8309a0f18a699764811cda # v3.27.1
+        if: always()
+        with:
+          sarif_file: 'trivy-config-results.sarif'
+
+      - name: Upload configuration scan results as artifact
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
+        if: always()
+        with:
+          name: trivy-config-scan-results
+          path: trivy-config-results.sarif
+
+  trivy-secret-scan:
+    name: Trivy Secret Scan
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+
+      - name: Run Trivy secret scanner
+        uses: aquasecurity/trivy-action@f781cce5aab226378ee181d764ab90ea0be3cdd8 # v0.29.0
+        with:
+          scan-type: 'fs'
+          scan-ref: '.'
+          scanners: 'secret'
+          format: 'sarif'
+          output: 'trivy-secret-results.sarif'
+          trivyignores: '.trivyignore'
+
+      - name: Upload secret scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@4f3212b61783c3c68e8309a0f18a699764811cda # v3.27.1
+        if: always()
+        with:
+          sarif_file: 'trivy-secret-results.sarif'
+
+      - name: Upload secret scan results as artifact
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
+        if: always()
+        with:
+          name: trivy-secret-scan-results
+          path: trivy-secret-results.sarif
+
+  workflow-notification:
+    permissions:
+      contents: read
+      issues: write
+    needs:
+      - trivy-fs-scan
+      - trivy-java-scan
+      - trivy-config-scan
+      - trivy-secret-scan
+    if: always()
+    uses: ./.github/workflows/reusable-workflow-notification.yml
+    with:
+      success: ${{ !contains(needs.*.result, 'failure') }}
diff --git a/.trivy.yaml b/.trivy.yaml
@@ -0,0 +1,66 @@
+# Trivy configuration file
+# https://aquasecurity.github.io/trivy/latest/docs/references/configuration/config-file/
+
+# Vulnerability detection settings
+vulnerability:
+  # Ignore unfixed vulnerabilities
+  ignore-unfixed: false
+  # Security scanner types to run
+  type: "vuln"
+
+# Misconfiguration detection settings
+misconfiguration:
+  # Scan for misconfigurations
+  enabled: true
+  # Include test files in misconfiguration scans
+  include-non-failures: false
+
+# Secret detection settings
+secret:
+  # Enable secret scanning
+  enabled: true
+
+# License detection settings  
+license:
+  # Skip license scanning for now
+  enabled: false
+
+# Output settings
+format: "table"
+output: ""
+
+# Cache settings
+cache:
+  # Cache directory (will be set by GitHub Actions)
+  dir: ""
+
+# Database settings
+db:
+  # Skip database update
+  skip-update: false
+
+# Skip directories and files
+skip-dirs:
+  - "**/.gradle/**"
+  - "**/build/**"
+  - "**/target/**"
+  - "**/.git/**"
+  - "**/node_modules/**"
+
+skip-files:
+  - "**/*.log"
+  - "**/*.tmp"
+  - "**/.DS_Store"
+
+# Vulnerability severity levels to include
+severity:
+  - "CRITICAL"
+  - "HIGH" 
+  - "MEDIUM"
+
+# Exit code settings
+exit-code: 0  # Don't fail the build on vulnerabilities found
+
+# Ignore specific vulnerabilities (example)
+# IgnoreVulnerabilities:
+#   - "CVE-2023-12345"  # Example: ignore specific CVE if needed
diff --git a/.trivyignore b/.trivyignore
@@ -0,0 +1,11 @@
+# Trivy ignore file
+# Use this file to ignore specific vulnerabilities that are false positives
+# or have been assessed as acceptable risks
+#
+# Format: CVE-ID [REASON]
+# Example:
+# CVE-2023-12345 This vulnerability does not affect our usage pattern
+# CVE-2024-67890 Fixed in upcoming release, temporary ignore
+
+# Add specific CVEs to ignore here when needed
+# Each line should contain a CVE ID and optionally a reason for ignoring it
diff --git a/README.md b/README.md
@@ -47,6 +47,33 @@ On reaching stable status, the `otel.stable` value in `gradle.properties` should
 Note that currently all the libraries are released together with the version of this repo, so breaking changes (after stable
 status is reached) would bump the major version of all libraries together. This could get complicated so `stable` has a high bar.
 
+## Security
+
+This project takes security seriously and implements multiple layers of security scanning:
+
+- **[Trivy Security Scanning](./docs/TRIVY_SECURITY_SCANNING.md)** - Comprehensive vulnerability, configuration, and secret scanning
+- **CodeQL Analysis** - Static code analysis for security vulnerabilities  
+- **OWASP Dependency Check** - Daily dependency vulnerability scanning
+- **OSSF Scorecard** - Security best practices assessment
+
+### Security Scanning
+
+Automated security scans run on every pull request and daily via GitHub Actions. You can also run scans locally:
+
+```bash
+# Linux/macOS
+./scripts/trivy-local-scan.sh
+
+# Windows  
+scripts\trivy-local-scan.bat
+```
+
+For detailed information about security scanning, see [docs/TRIVY_SECURITY_SCANNING.md](./docs/TRIVY_SECURITY_SCANNING.md).
+
+### Reporting Security Issues
+
+Please report security vulnerabilities to the [OpenTelemetry Security Team](https://github.com/open-telemetry/community/blob/main/SECURITY.md).
+
 ## Getting Started
 
 ```bash
