Trivy CVE Dependency Scanner #779
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Trivy CVE Dependency Scanner | |
| on: | |
| schedule: | |
| - cron: '0 0 * * *' | |
| workflow_dispatch: | |
| jobs: | |
| scan-latest-release: | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Get Latest Release Docker Image Sha | |
| id: latest-sha | |
| run: | | |
| set -eo pipefail | |
| # Get the latest released docker image sha | |
| curl -sL https://api.github.com/repos/carvel-dev/kapp-controller/releases/latest | jq -r '.assets[] | select(.name | contains("release.yml")).browser_download_url' | wget -i - | |
| echo "image=$(yq eval '.spec.template.spec.containers[0].image' release.yml -N -oj | jq 'select(. != null)' -r)" >> $GITHUB_OUTPUT | |
| echo "tag=$(curl -sL https://api.github.com/repos/carvel-dev/kapp-controller/releases/latest | jq -r '.tag_name')" >> $GITHUB_OUTPUT | |
| - name: Install Trivy | |
| run: | | |
| # https://aquasecurity.github.io/trivy/v0.18.3/installation/ | |
| sudo apt-get install wget apt-transport-https gnupg lsb-release | |
| wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key | sudo apt-key add - | |
| echo deb https://aquasecurity.github.io/trivy-repo/deb $(lsb_release -sc) main | sudo tee -a /etc/apt/sources.list.d/trivy.list | |
| sudo apt-get update | |
| sudo apt-get install trivy | |
| - name: Run Trivy | |
| run: | | |
| trivy image ${{ steps.latest-sha.outputs.image }} | |
| trivy image --format json --output trivy-results-image-latest.json ${{ steps.latest-sha.outputs.image }} | |
| - name: Check for new Vulnerabilities | |
| run: | | |
| set -eo pipefail | |
| summary="Trivy scan has found \"new\" vulnerabilities in ${{steps.latest-sha.outputs.tag}} check https://github.com/${{github.repository}}/actions/runs/${{github.run_id}}" | |
| vulnCount=$(jq '[ .Results[].Vulnerabilities ] | length' trivy-results-image-latest.json) | |
| if [[ $vulnCount -eq 0 ]]; then | |
| summary="Trivy Scan has not found any new Security Issues in ${{steps.latest-sha.outputs.tag}}" | |
| fi | |
| echo "SUMMARY=$summary" >> "$GITHUB_ENV" | |
| - name: Send Slack Notification | |
| if: success() | |
| uses: slackapi/slack-github-action@v1.23.0 | |
| env: | |
| SLACK_BOT_TOKEN: ${{ secrets.SLACK_BOT_TOKEN }} | |
| with: | |
| channel-id: C010XR15VHU | |
| slack-message: "${{ env.SUMMARY }}" | |
| - name: Send Failure notification | |
| if: failure() | |
| uses: slackapi/slack-github-action@v1.23.0 | |
| env: | |
| SLACK_BOT_TOKEN: ${{ secrets.SLACK_BOT_TOKEN }} | |
| with: | |
| channel-id: C010XR15VHU | |
| slack-message: "Trivy scan workflow [${{steps.latest-sha.outputs.tag}}] failed. Please check the latest github action run for trivy scanner." | |
| scan-develop-branch: | |
| runs-on: ubuntu-latest | |
| permissions: | |
| security-events: write | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v4.1.2 | |
| with: | |
| fetch-depth: 0 | |
| - name: Set up Go 1.x | |
| uses: actions/setup-go@v5 | |
| with: | |
| go-version: 1.21.9 | |
| - name: Build the kapp-controller artifacts | |
| run: | | |
| ./hack/install-deps.sh | |
| ./hack/build.sh | |
| # docker image | |
| docker buildx build -t docker.io/carvel/kapp-controller:${{ github.sha }} . | |
| # kctrl | |
| cd cli | |
| ./hack/build.sh | |
| mv ./kctrl ../ | |
| - name: Install Trivy | |
| run: | | |
| # https://aquasecurity.github.io/trivy/v0.18.3/installation/ | |
| sudo apt-get install wget apt-transport-https gnupg lsb-release | |
| wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key | sudo apt-key add - | |
| echo deb https://aquasecurity.github.io/trivy-repo/deb $(lsb_release -sc) main | sudo tee -a /etc/apt/sources.list.d/trivy.list | |
| sudo apt-get update | |
| sudo apt-get install trivy | |
| - name: Read dismissed CVEs from Github | |
| run: | | |
| set -o pipefail | |
| trap 'on_error' ERR | |
| on_error() { | |
| echo "the curl reply was:" | |
| cat cves.txt | |
| } | |
| curl https://api.github.com/repos/carvel-dev/kapp-controller/code-scanning/alerts \ | |
| --header 'authorization: Bearer ${{ secrets.GITHUB_TOKEN }}' > cves.txt | |
| cat cves.txt| jq '.[] | select(.state == "dismissed" or .state == "closed" or .state == "fixed") | .rule.id' | tr -d '"' > .trivyignore | |
| - name: Run Trivy Reports | |
| run: | | |
| set -o pipefail | |
| # kapp-controller binary - output in sarif and json | |
| trivy rootfs --ignore-unfixed --format sarif --output trivy-results.sarif "controller" | |
| trivy rootfs --ignore-unfixed --format json --output trivy-results.json "controller" | |
| # kapp-controller docker image - output in sarif and json | |
| trivy image --ignore-unfixed --format sarif --output trivy-results-image.sarif "docker.io/carvel/kapp-controller:${{ github.sha }}" | |
| trivy image --ignore-unfixed --format json --output trivy-results-image.json "docker.io/carvel/kapp-controller:${{ github.sha }}" | |
| # kctrl binary - output in sarif and json | |
| trivy rootfs --ignore-unfixed --format sarif --output trivy-results-kctrl.sarif "kctrl" | |
| trivy rootfs --ignore-unfixed --format json --output trivy-results-kctrl.json "kctrl" | |
| - name: Upload Trivy scan results to GitHub Security tab | |
| uses: github/codeql-action/upload-sarif@v3 | |
| with: | |
| sarif_file: '.' | |
| - name: Create Issues Summary | |
| id: cve-summary | |
| run: | | |
| set -eo pipefail | |
| summary_binary=$(jq '.Results[]? | select(.Vulnerabilities) | .Vulnerabilities | group_by(.Severity) | map({Severity: .[0].Severity, Count: length}) | tostring' trivy-results.json | tr -d \\ | tr -d '"') | |
| summary_image=$(jq '.Results[]? | select(.Vulnerabilities) | .Vulnerabilities | group_by(.Severity) | map({Severity: .[0].Severity, Count: length}) | tostring' trivy-results-image.json | tr -d \\ | tr -d '"') | |
| summary_kctrl=$(jq '.Results[]? | select(.Vulnerabilities) | .Vulnerabilities | group_by(.Severity) | map({Severity: .[0].Severity, Count: length}) | tostring' trivy-results-kctrl.json | tr -d \\ | tr -d '"') | |
| summary=$( echo -e "Binary Image Summary:\n$summary_binary\nDocker Image Summary:\n$summary_image\nkctrl Summary:\n$summary_kctrl") | |
| # Escape '%', '\n' and '\r' to support multiline strings with set-output | |
| # https://github.com/orgs/community/discussions/26288 | |
| summary="${summary//'%'/'%25'}" | |
| summary="${summary//$'\n'/'%0A'}" | |
| summary="${summary//$'\r'/'%0D'}" | |
| if [[ -n $summary_binary || -n $summary_image || -n $summary_kctrl ]] | |
| then | |
| echo "Summary: $summary" | |
| echo "summary=$summary" >> $GITHUB_OUTPUT | |
| else | |
| echo "No new Issues were found" | |
| fi | |
| - name: Send Slack Notification if Scan Ran Successfully | |
| if: steps.cve-summary.outputs.summary != '' | |
| uses: slackapi/slack-github-action@v1.23.0 | |
| with: | |
| slack-message: "New CVEs found! Check https://github.com/carvel-dev/kapp-controller/security/code-scanning for details \n ${{ steps.cve-summary.outputs.summary }}" | |
| channel-id: C010XR15VHU | |
| env: | |
| SLACK_BOT_TOKEN: ${{ secrets.SLACK_BOT_TOKEN }} | |
| - name: Send Failure notification | |
| if: failure() | |
| uses: slackapi/slack-github-action@v1.23.0 | |
| env: | |
| SLACK_BOT_TOKEN: ${{ secrets.SLACK_BOT_TOKEN }} | |
| with: | |
| channel-id: C010XR15VHU | |
| slack-message: "Trivy scan workflow failed. Check: https://github.com/${{github.repository}}/actions/runs/${{github.run_id}}." |