
add sbom to container scan #25

add sbom to container scan


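name: Container Scan

on:
  workflow_call:
  pull_request:
    branches:
      - dev
  # push:
  #   branches:
  #     - dev
  #     - main
  workflow_dispatch:
    inputs:
      none:
        description: "Run Tests Manually"
        required: false

# Every scanner step below runs with continue-on-error so that findings are
# reported through Code Scanning / artifacts rather than failing the build.
# The SARIF upload steps do not have continue-on-error, so a missing or
# malformed SARIF file still fails the job.
jobs:
  # scan-backend-trivy:
  #   permissions:
  #     contents: read # for actions/checkout to fetch code
  #     security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
  #     actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
  #   runs-on: ubuntu-latest
  #   steps:
  #     - uses: actions/checkout@v3
  #     # Build the docker image for testing
  #     - name: Build a Docker image
  #       run: DOCKER_BUILDKIT=1 docker build -f packages/grid/backend/backend.dockerfile packages -t backend:${{ github.sha }} --no-cache
  #     # Runs Snyk Container (Container and SCA) analysis and uploads result to Snyk.
  #     - name: Run Trivy vulnerability scanner
  #       continue-on-error: true
  #       uses: aquasecurity/trivy-action@7b7aa264d83dc58691451798b4d117d53d21edfe
  #       with:
  #         image-ref: "backend:${{ github.sha }}"
  #         format: "template"
  #         template: "@/contrib/sarif.tpl"
  #         output: "trivy-results.sarif"
  #         severity: "CRITICAL,HIGH"
  #         timeout: "10m0s"
  #     - name: Upload Trivy scan results to GitHub Security tab
  #       uses: github/codeql-action/upload-sarif@v2
  #       with:
  #         sarif_file: "trivy-results.sarif"
  # scan-backend-snyk:
  #   permissions:
  #     contents: read # for actions/checkout to fetch code
  #     security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
  #     actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
  #   runs-on: ubuntu-latest
  #   steps:
  #     - uses: actions/checkout@v3
  #     - name: Set up Snyk CLI to check for security issues
  #       # Snyk can be used to break the build when it detects security issues.
  #       # In this case we want to upload the SAST issues to GitHub Code Scanning
  #       uses: snyk/actions/setup@806182742461562b67788a64410098c9d9b96adb
  #       env:
  #         # This is where you will need to introduce the Snyk API token created with your Snyk account
  #         SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
  #     # Build the docker image for testing
  #     - name: Build a Docker image
  #       shell: bash
  #       run: DOCKER_BUILDKIT=1 docker build -f packages/grid/backend/backend.dockerfile packages -t backend:${{ github.sha }} --no-cache
  #     # Runs Snyk Container (Container and SCA) analysis and uploads result to Snyk.
  #     - name: Snyk auth
  #       shell: bash
  #       run: snyk config set api=$SNYK_TOKEN
  #       env:
  #         # This is where you will need to introduce the Snyk API token created with your Snyk account
  #         SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
  #     - name: Snyk Container test
  #       continue-on-error: true
  #       shell: bash
  #       run: snyk container test backend:${{ github.sha }} --file=packages/grid/backend/backend.dockerfile --sarif --sarif-file-output=snyk-code.sarif
  #       env:
  #         # This is where you will need to introduce the Snyk API token created with your Snyk account
  #         SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
  #     # Push the Snyk Code results into GitHub Code Scanning tab
  #     - name: Upload result to GitHub Code Scanning
  #       uses: github/codeql-action/upload-sarif@v2
  #       with:
  #         sarif_file: snyk-code.sarif
  # scan-frontend-trivy:
  #   permissions:
  #     contents: read # for actions/checkout to fetch code
  #     security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
  #     actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
  #   runs-on: ubuntu-latest
  #   steps:
  #     - uses: actions/checkout@v3
  #     # Build the docker image for testing
  #     - name: Build a Docker image
  #       shell: bash
  #       run: DOCKER_BUILDKIT=1 docker build -f packages/grid/frontend/frontend.dockerfile packages/grid/frontend -t frontend:${{ github.sha }} --no-cache
  #     # Runs Snyk Container (Container and SCA) analysis and uploads result to Snyk.
  #     - name: Run Trivy vulnerability scanner
  #       continue-on-error: true
  #       uses: aquasecurity/trivy-action@7b7aa264d83dc58691451798b4d117d53d21edfe
  #       with:
  #         image-ref: "frontend:${{ github.sha }}"
  #         format: "template"
  #         template: "@/contrib/sarif.tpl"
  #         output: "trivy-results.sarif"
  #         severity: "CRITICAL,HIGH"
  #         timeout: "10m0s"
  #     - name: Upload Trivy scan results to GitHub Security tab
  #       uses: github/codeql-action/upload-sarif@v2
  #       with:
  #         sarif_file: "trivy-results.sarif"
  # scan-frontend-snyk:
  #   permissions:
  #     contents: read # for actions/checkout to fetch code
  #     security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
  #     actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
  #   runs-on: ubuntu-latest
  #   steps:
  #     - uses: actions/checkout@v3
  #     - name: Set up Snyk CLI to check for security issues
  #       # Snyk can be used to break the build when it detects security issues.
  #       # In this case we want to upload the SAST issues to GitHub Code Scanning
  #       uses: snyk/actions/setup@806182742461562b67788a64410098c9d9b96adb
  #       env:
  #         # This is where you will need to introduce the Snyk API token created with your Snyk account
  #         SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
  #     # Build the docker image for testing
  #     - name: Build a Docker image
  #       shell: bash
  #       run: DOCKER_BUILDKIT=1 docker build -f packages/grid/frontend/frontend.dockerfile packages/grid/frontend -t frontend:${{ github.sha }} --no-cache
  #     # Runs Snyk Container (Container and SCA) analysis and uploads result to Snyk.
  #     - name: Snyk auth
  #       shell: bash
  #       run: snyk config set api=$SNYK_TOKEN
  #       env:
  #         # This is where you will need to introduce the Snyk API token created with your Snyk account
  #         SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
  #     - name: Snyk Container test
  #       continue-on-error: true
  #       shell: bash
  #       run: snyk container test frontend:${{ github.sha }} --file=packages/grid/frontend/frontend.dockerfile --sarif --sarif-file-output=snyk-code.sarif
  #       env:
  #         # This is where you will need to introduce the Snyk API token created with your Snyk account
  #         SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
  #     # Push the Snyk Code results into GitHub Code Scanning tab
  #     - name: Upload result to GitHub Code Scanning
  #       uses: github/codeql-action/upload-sarif@v2
  #       with:
  #         sarif_file: snyk-code.sarif
  # scan-tailscale-trivy:
  #   permissions:
  #     contents: read # for actions/checkout to fetch code
  #     security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
  #     actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
  #   runs-on: ubuntu-latest
  #   steps:
  #     - uses: actions/checkout@v3
  #     # Build the docker image for testing
  #     - name: Build a Docker image
  #       shell: bash
  #       run: DOCKER_BUILDKIT=1 docker build -f packages/grid/vpn/tailscale.dockerfile packages/grid/vpn -t tailscale:${{ github.sha }} --no-cache
  #     # Runs Snyk Container (Container and SCA) analysis and uploads result to Snyk.
  #     - name: Run Trivy vulnerability scanner
  #       continue-on-error: true
  #       uses: aquasecurity/trivy-action@7b7aa264d83dc58691451798b4d117d53d21edfe
  #       with:
  #         image-ref: "tailscale:${{ github.sha }}"
  #         format: "template"
  #         template: "@/contrib/sarif.tpl"
  #         output: "trivy-results.sarif"
  #         severity: "CRITICAL,HIGH"
  #         timeout: "10m0s"
  #     - name: Upload Trivy scan results to GitHub Security tab
  #       uses: github/codeql-action/upload-sarif@v2
  #       with:
  #         sarif_file: "trivy-results.sarif"
  # scan-tailscale-snyk:
  #   permissions:
  #     contents: read # for actions/checkout to fetch code
  #     security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
  #     actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
  #   runs-on: ubuntu-latest
  #   steps:
  #     - uses: actions/checkout@v3
  #     - name: Set up Snyk CLI to check for security issues
  #       # Snyk can be used to break the build when it detects security issues.
  #       # In this case we want to upload the SAST issues to GitHub Code Scanning
  #       uses: snyk/actions/setup@806182742461562b67788a64410098c9d9b96adb
  #       env:
  #         # This is where you will need to introduce the Snyk API token created with your Snyk account
  #         SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
  #     # Build the docker image for testing
  #     - name: Build a Docker image
  #       shell: bash
  #       run: DOCKER_BUILDKIT=1 docker build -f packages/grid/vpn/tailscale.dockerfile packages/grid/vpn -t tailscale:${{ github.sha }} --no-cache
  #     # Runs Snyk Container (Container and SCA) analysis and uploads result to Snyk.
  #     - name: Snyk auth
  #       shell: bash
  #       run: snyk config set api=$SNYK_TOKEN
  #       env:
  #         # This is where you will need to introduce the Snyk API token created with your Snyk account
  #         SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
  #     - name: Snyk Container test
  #       continue-on-error: true
  #       shell: bash
  #       run: snyk container test tailscale:${{ github.sha }} --file=packages/grid/vpn/tailscale.dockerfile --sarif --sarif-file-output=snyk-code.sarif
  #       env:
  #         # This is where you will need to introduce the Snyk API token created with your Snyk account
  #         SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
  #     # Push the Snyk Code results into GitHub Code Scanning tab
  #     - name: Upload result to GitHub Code Scanning
  #       uses: github/codeql-action/upload-sarif@v2
  #       with:
  #         sarif_file: snyk-code.sarif
  # scan-headscale-trivy:
  #   permissions:
  #     contents: read # for actions/checkout to fetch code
  #     security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
  #     actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
  #   runs-on: ubuntu-latest
  #   steps:
  #     - uses: actions/checkout@v3
  #     # Build the docker image for testing
  #     - name: Build a Docker image
  #       shell: bash
  #       run: DOCKER_BUILDKIT=1 docker build -f packages/grid/vpn/headscale.dockerfile packages/grid/vpn -t headscale:${{ github.sha }} --no-cache
  #     # Runs Snyk Container (Container and SCA) analysis and uploads result to Snyk.
  #     - name: Run Trivy vulnerability scanner
  #       continue-on-error: true
  #       uses: aquasecurity/trivy-action@7b7aa264d83dc58691451798b4d117d53d21edfe
  #       with:
  #         image-ref: "headscale:${{ github.sha }}"
  #         format: "template"
  #         template: "@/contrib/sarif.tpl"
  #         output: "trivy-results.sarif"
  #         severity: "CRITICAL,HIGH"
  #         timeout: "10m0s"
  #     - name: Upload Trivy scan results to GitHub Security tab
  #       uses: github/codeql-action/upload-sarif@v2
  #       with:
  #         sarif_file: "trivy-results.sarif"
  # scan-headscale-snyk:
  #   permissions:
  #     contents: read # for actions/checkout to fetch code
  #     security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
  #     actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
  #   runs-on: ubuntu-latest
  #   steps:
  #     - uses: actions/checkout@v3
  #     - name: Set up Snyk CLI to check for security issues
  #       # Snyk can be used to break the build when it detects security issues.
  #       # In this case we want to upload the SAST issues to GitHub Code Scanning
  #       uses: snyk/actions/setup@806182742461562b67788a64410098c9d9b96adb
  #       env:
  #         # This is where you will need to introduce the Snyk API token created with your Snyk account
  #         SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
  #     # Build the docker image for testing
  #     - name: Build a Docker image
  #       shell: bash
  #       run: DOCKER_BUILDKIT=1 docker build -f packages/grid/vpn/headscale.dockerfile packages/grid/vpn -t headscale:${{ github.sha }} --no-cache
  #     # Runs Snyk Container (Container and SCA) analysis and uploads result to Snyk.
  #     - name: Snyk auth
  #       shell: bash
  #       run: snyk config set api=$SNYK_TOKEN
  #       env:
  #         # This is where you will need to introduce the Snyk API token created with your Snyk account
  #         SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
  #     - name: Snyk Container test
  #       continue-on-error: true
  #       shell: bash
  #       run: snyk container test headscale:${{ github.sha }} --file=packages/grid/vpn/headscale.dockerfile --sarif --sarif-file-output=snyk-code.sarif
  #       env:
  #         # This is where you will need to introduce the Snyk API token created with your Snyk account
  #         SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
  #     # Push the Snyk Code results into GitHub Code Scanning tab
  #     - name: Upload result to GitHub Code Scanning
  #       uses: github/codeql-action/upload-sarif@v2
  #       with:
  #         sarif_file: snyk-code.sarif

  # Build a CycloneDX SBOM of the installed syft Python dependency set,
  # scan that SBOM with Trivy, publish the SARIF to Code Scanning and keep
  # the SBOM itself as a run artifact.
  scan-syft-requirements:
    permissions:
      contents: read # for actions/checkout to fetch code
      security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
      actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      # Generate SBOM. The file name written here (syft.sbom.json) is read
      # by the Trivy scan and the artifact upload below; all three must
      # stay identical or Trivy silently scans nothing (continue-on-error)
      # and the artifact upload fails with a missing file.
      - name: Generate SBOM
        run: |
          pip install ./packages/syft
          pip install cyclonedx-bom
          pip freeze > requirements.txt
          cyclonedx-py --r -i requirements.txt --format json -o syft.sbom.json
      # Trivy scan SBOM: scan-type "sbom" takes the SBOM file as scan-ref
      # instead of an image reference.
      # NOTE(review): "@master" is a mutable ref while every other job pins
      # trivy-action to a commit SHA; pin this one to a release/SHA that is
      # known to support scan-type "sbom" so the scanner cannot change
      # underneath the workflow.
      - name: Run Trivy vulnerability scanner
        continue-on-error: true # findings go to Code Scanning, not build status
        uses: aquasecurity/trivy-action@master
        with:
          scan-type: "sbom"
          scan-ref: "syft.sbom.json"
          format: "sarif"
          template: "@/contrib/sarif.tpl"
          output: "trivy-results.sarif"
          severity: "CRITICAL,HIGH"
          timeout: "10m0s"
      # Upload the Trivy SARIF (not the SBOM) to the Security tab.
      - name: Upload Trivy scan results to GitHub Security tab
        uses: github/codeql-action/upload-sarif@v2
        with:
          sarif_file: "trivy-results.sarif"
      # Upload SBOM to GitHub artifacts so it can be retrieved per run.
      - name: Upload SBOM to GitHub Artifacts
        uses: actions/upload-artifact@v3
        with:
          name: syft.sbom.json
          path: syft.sbom.json

  # Trivy scan of the third-party mongo image in GitHub dependency-snapshot
  # format, kept as a run artifact.
  # NOTE(review): "mongo:latest" is a floating tag, so results are not
  # reproducible between runs; pin to the tag the deployment actually uses.
  scan-mongo-latest-trivy:
    permissions:
      contents: read # for actions/checkout to fetch code
      security-events: write # not used by this job (no SARIF upload); kept for parity with the other scan jobs
      actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - name: Run Trivy vulnerability scanner
        continue-on-error: true # findings are kept as an artifact, not as build status
        uses: aquasecurity/trivy-action@7b7aa264d83dc58691451798b4d117d53d21edfe
        with:
          image-ref: "mongo:latest"
          format: "github"
          template: "@/contrib/sarif.tpl"
          output: "mongo-trivy-results.sbom.json"
          severity: "CRITICAL,HIGH"
          timeout: "10m0s"
      # The artifact path must match the Trivy "output" above.
      - name: Upload SBOM to GitHub Artifacts
        uses: actions/upload-artifact@v3
        with:
          name: mongo-trivy-results.sbom.json
          path: mongo-trivy-results.sbom.json

  # Snyk container scan of the third-party mongo image, with results pushed
  # to Code Scanning as SARIF.
  scan-mongo-latest-snyk:
    permissions:
      contents: read # for actions/checkout to fetch code
      security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
      actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - name: Set up Snyk CLI to check for security issues
        # Snyk can be used to break the build when it detects security issues.
        # In this case we want to upload the SAST issues to GitHub Code Scanning
        uses: snyk/actions/setup@806182742461562b67788a64410098c9d9b96adb
        env:
          # This is where you will need to introduce the Snyk API token created with your Snyk account
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
      # Writes the token into the Snyk CLI config on the runner; the token
      # is also exported as SNYK_TOKEN on the test step below.
      - name: Snyk auth
        shell: bash
        run: snyk config set api=$SNYK_TOKEN
        env:
          # This is where you will need to introduce the Snyk API token created with your Snyk account
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
      - name: Snyk Container test
        continue-on-error: true # findings go to Code Scanning, not build status
        shell: bash
        run: snyk container test mongo:latest --sarif --sarif-file-output=snyk-code.sarif
        env:
          # This is where you will need to introduce the Snyk API token created with your Snyk account
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
      # Push the Snyk Code results into GitHub Code Scanning tab
      - name: Upload result to GitHub Code Scanning
        uses: github/codeql-action/upload-sarif@v2
        with:
          sarif_file: snyk-code.sarif

  # Trivy scan of the pinned traefik image in GitHub dependency-snapshot
  # format, kept as a run artifact.
  scan-traefik-trivy:
    permissions:
      contents: read # for actions/checkout to fetch code
      security-events: write # not used by this job (no SARIF upload); kept for parity with the other scan jobs
      actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - name: Run Trivy vulnerability scanner
        continue-on-error: true # findings are kept as an artifact, not as build status
        uses: aquasecurity/trivy-action@7b7aa264d83dc58691451798b4d117d53d21edfe
        with:
          image-ref: "traefik:v2.8.1"
          format: "github"
          template: "@/contrib/sarif.tpl"
          # Must match the artifact path below; previously this was left as
          # the mongo file name, so the upload step could never find it.
          output: "traefik-trivy-results.sbom.json"
          severity: "CRITICAL,HIGH"
          timeout: "10m0s"
      - name: Upload SBOM to GitHub Artifacts
        uses: actions/upload-artifact@v3
        with:
          name: traefik-trivy-results.sbom.json
          path: traefik-trivy-results.sbom.json

  # Snyk container scan of the pinned traefik image, with results pushed to
  # Code Scanning as SARIF.
  scan-traefik-snyk:
    permissions:
      contents: read # for actions/checkout to fetch code
      security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
      actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - name: Set up Snyk CLI to check for security issues
        # Snyk can be used to break the build when it detects security issues.
        # In this case we want to upload the SAST issues to GitHub Code Scanning
        uses: snyk/actions/setup@806182742461562b67788a64410098c9d9b96adb
        env:
          # This is where you will need to introduce the Snyk API token created with your Snyk account
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
      # Writes the token into the Snyk CLI config on the runner; the token
      # is also exported as SNYK_TOKEN on the test step below.
      - name: Snyk auth
        shell: bash
        run: snyk config set api=$SNYK_TOKEN
        env:
          # This is where you will need to introduce the Snyk API token created with your Snyk account
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
      - name: Snyk Container test
        continue-on-error: true # findings go to Code Scanning, not build status
        shell: bash
        run: snyk container test traefik:v2.8.1 --sarif --sarif-file-output=snyk-code.sarif
        env:
          # This is where you will need to introduce the Snyk API token created with your Snyk account
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
      # Push the Snyk Code results into GitHub Code Scanning tab
      - name: Upload result to GitHub Code Scanning
        uses: github/codeql-action/upload-sarif@v2
        with:
          sarif_file: snyk-code.sarif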