Skip to content

Container Scan

Container Scan #4

Workflow file for this run

# This workflow uses actions that are not certified by GitHub.
# They are provided by a third-party and are governed by
# separate terms of service, privacy policy, and support
# documentation.
# This workflow checks out code, builds an image, performs a container image
# vulnerability scan with Trivy tool, and integrates the results with GitHub Advanced Security
# code scanning feature.
name: Container Scan
on:
workflow_call:
schedule:
- cron: '00 07 * * *'
permissions:
contents: read
env:
DOCKERFILE: src/main/docker/Dockerfile
jobs:
BuildAndScan:
permissions:
contents: read # for actions/checkout to fetch code
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
runs-on: ubuntu-latest
outputs:
CVE_CRITICAL: ${{env.CVE_CRITICAL}}
CVE_HIGH: ${{env.CVE_HIGH}}
CVE_MEDIUM: ${{env.CVE_MEDIUM}}
steps:
- name: "Checkout the code"
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # 4.2.2
- name: "Build the Docker image"
run: docker build . --file ${{ env.DOCKERFILE }} --target cve --tag localbuild/testimage:latest
- name: "Run the Trivy scan action itself with GitHub Advanced Security code scanning integration enabled"
id: scan
uses: aquasecurity/trivy-action@18f2510ee396bbf400402947b394f2dd8c87dbb0 # v0.29.0
with:
image-ref: "localbuild/testimage:latest"
format: 'sarif'
output: 'results.sarif'
- name: "Upload Anchore Scan Report"
uses: github/codeql-action/upload-sarif@cbe18979603527f12c7871a6eb04833ecf1548c7 # CodeQL Bundle v2.19.3
with:
sarif_file: 'results.sarif'
- name: "CVE Description escaped extraction and print"
run: |
SCAN_RESULTS=$(jq -r 'try .runs[0].tool.driver.rules | map(.help.text) | join("\\n")' results.sarif)
echo "CVE_CRITICAL=$(echo $SCAN_RESULTS | grep -o CRITICAL | wc -l)" >> $GITHUB_ENV
echo "CVE_HIGH=$(echo $SCAN_RESULTS | grep -o HIGH | wc -l)" >> $GITHUB_ENV
echo "CVE_MEDIUM=$(echo $SCAN_RESULTS | grep -o MEDIUM | wc -l)" >> $GITHUB_ENV
echo $SCAN_RESULTS
- name: "Fails if CVE HIGH or CRITICAL are detected"
id: cve-threshold
if: env.CVE_HIGH > 0 || env.CVE_CRITICAL > 0
run: exit 1
SendSlackNotification:
needs: BuildAndScan
uses: ./.github/workflows/send-notification.yml
if: github.event_name == 'schedule' && needs.BuildAndScan.steps.cve-threshold.outcome == 'failure'
with:
CVE_CRITICAL: ${{needs.BuildAndScan.outputs.CVE_CRITICAL}}
CVE_HIGH: ${{needs.BuildAndScan.outputs.CVE_HIGH}}
CVE_MEDIUM: ${{needs.BuildAndScan.outputs.CVE_MEDIUM}}
secrets: inherit