Skip to content

Trivy Security Scan on repository #47

Trivy Security Scan on repository

Trivy Security Scan on repository #47

name: Trivy Security Scan on repository
on:
push:
branches:
- main
pull_request:
schedule:
- cron: '0 3 * * 1,3' # CodeQL Scan every Monday and Wednesday at 3 AM UTC
# Below is for manual scanning
workflow_dispatch:
env:
FULL_SUMMARY: ""
PATCH_SUMMARY: ""
jobs:
build:
name: Build
runs-on: ubuntu-20.04
steps:
- name: Cancel previous workflow runs
uses: styfle/[email protected]
with:
access_token: ${{ github.token }}
- name: Checkout code
uses: actions/checkout@v3
- name: Run Trivy vulnerability scanner in repo mode - SARIF
uses: aquasecurity/trivy-action@master
with:
scan-type: 'fs'
ignore-unfixed: true
format: 'sarif'
output: 'trivy-repo-results.sarif'
- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: 'trivy-repo-results.sarif'
- name: Run Trivy vulnerability scanner in repo mode - JSON (Full)
uses: aquasecurity/trivy-action@master
with:
scan-type: 'fs'
format: 'json'
output: 'trivy-repo-full-results.json'
- name: Create summary of trivy issues on Repository Full scan
run: |
summary=$(jq -r '.Results[] | select(.Vulnerabilities) | .Vulnerabilities | group_by(.Severity) | map({Severity: .[0].Severity, Count: length}) | .[] | [.Severity, .Count] | join(": ")' trivy-repo-full-results.json | awk 'NR > 1 { printf(" | ") } {printf "%s",$0}')
if [ -z $summary ]
then
summary="No vulnerabilities found"
fi
echo "FULL_SUMMARY=$summary" >> $GITHUB_ENV
- name: Run Trivy vulnerability scanner in repo mode - JSON (with Patches)
uses: aquasecurity/trivy-action@master
with:
scan-type: 'fs'
ignore-unfixed: true
format: 'json'
output: 'trivy-repo-fixable-results.json'
- name: Create summary of trivy issues on Repository scan
run: |
summary=$(jq -r '.Results[] | select(.Vulnerabilities) | .Vulnerabilities | group_by(.Severity) | map({Severity: .[0].Severity, Count: length}) | .[] | [.Severity, .Count] | join(": ")' trivy-repo-fixable-results.json | awk 'NR > 1 { printf(" | ") } {printf "%s",$0}')
if [ -z $summary ]
then
summary="No issues or vulnerability fixes available"
fi
echo "PATCH_SUMMARY=$summary" >> $GITHUB_ENV
- name: Generate trivy HTML report on Repository for download
uses: aquasecurity/trivy-action@master
with:
scan-type: 'fs'
format: 'template'
template: '@/contrib/html.tpl'
output: 'trivy-repo-report.html'
- name: Upload Trivy results as an artifact
uses: actions/upload-artifact@v3
with:
name: "trivy-repo-report.html"
path: './trivy-repo-report.html'
retention-days: 30
- name: Send Slack Notification
uses: slackapi/[email protected]
with:
payload: |
{
"text": "Trivy scan results for ${{ github.repository }} repository",
"blocks": [
{
"type": "section",
"text": {
"type": "mrkdwn",
"text": "TRIVY REPO SCAN RESULTS FOR ${{ github.repository }} REPOSITORY"
}
},
{
"type": "section",
"text": {
"type": "mrkdwn",
"text": " Total Vulnerabilities: ${{ env.FULL_SUMMARY }}"
}
},
{
"type": "section",
"text": {
"type": "mrkdwn",
"text": " Vulnerabilities with fixes: ${{ env.PATCH_SUMMARY }}"
}
},
{
"type": "section",
"text": {
"type": "mrkdwn",
"text": " View HTML result artifact: https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}. Artifact is only valid for 30 days."
}
}
]
}
env:
SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
SLACK_WEBHOOK_TYPE: INCOMING_WEBHOOK