Merge pull request #9 from scality/feature/trivy_workflow

🎨 Adding trivy workflow file
scality · Mar 7, 2023 · 0f0b774 · 0f0b774
2 parents 97f0dd5 + 4c6cfe3
commit 0f0b774
Show file tree

Hide file tree

Showing 3 changed files with 73 additions and 2 deletions.
diff --git a/.github/workflows/tests.yaml b/.github/workflows/tests.yaml
@@ -6,3 +6,9 @@ jobs:
     with:
       context: tests/docker
       name: test
+
+  trivy:
+    needs: docker-build
+    uses: ./.github/workflows/trivy.yaml
+    with:
+      name: '/test'
diff --git a/.github/workflows/trivy.yaml b/.github/workflows/trivy.yaml
@@ -0,0 +1,51 @@
+---
+name: trivy
+on:
+  workflow_call:
+    inputs:
+      name:
+        required: true
+        type: string
+      namespace:
+        required: false
+        type: string
+        default: "${{ github.repository }}"
+      tag:
+        required: false
+        type: string
+        default: "${{ github.sha }}"
+      registry:
+        required: false
+        type: string
+        default: "ghcr.io"
+    secrets:
+      REGISTRY_LOGIN:
+        required: false
+      REGISTRY_PASSWORD:
+        required: false
+
+jobs:
+  trivy:
+    env:
+      TRIVY_USERNAME: "${{ secrets.REGISTRY_LOGIN || github.repository_owner }}"
+      TRIVY_PASSWORD: "${{ secrets.REGISTRY_PASSWORD || secrets.GITHUB_TOKEN }}"
+    name: Trivy Vulnerability Scan for images
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v3
+
+      - name: Image Scan
+        uses: aquasecurity/trivy-action@master
+        with:
+          image-ref: "${{ inputs.registry }}/${{ inputs.namespace }}/${{ inputs.name }}:${{ inputs.tag }}"
+          format: 'sarif'
+          output: 'trivy-image-results.sarif'
+          ignore-unfixed: true
+          vuln-type: 'os,library'
+
+      - name: Upload Trivy Image scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@v2
+        with:
+          sarif_file: 'trivy-image-results.sarif'
+          category: 'image'
diff --git a/README.md b/README.md
@@ -49,7 +49,6 @@ jobs:
 For more information about all inputs available checkout
 the [workflow definition](./.github/workflows/docker-build.yaml).
 
-
 ## Known issues
 
 ### Using secrets or env properties as inputs is not supported
@@ -89,4 +88,19 @@ to be called with the `secrets` parameter
       uses: scality/workflow/.github/workflows/my-workflow.yaml@v1
       with:
         foo: ${{ needs.previous-job.outputs.foo }}
-  ```
+  ```
+
+## Trivy
+
+`trivy.yaml` is a GitHub Actions workflow that utilizes Trivy,
+an open-source vulnerability scanner for Docker containers and images.
+The action is triggered when a workflow is called with an image-ref input.
+It performs the following:
+
+* A scan of the specified Docker image with Trivy using the [trivy action](https://github.com/aquasecurity/trivy-action).
+* Upload the Trivy scan results in SARIF format to GitHub Security tab
+using the [upload-sarif](https://docs.github.com/en/code-security/code-scanning/integrating-with-code-scanning/uploading-a-sarif-file-to-github) action.
+
+This configuration file enables easy integration of vulnerability scanning
+for Docker images into a GitHub CI/CD pipeline. Results can be viewed in the
+GitHub Security tab for further analysis and vulnerability remediation.