Skip to content

sbom

sbom #33

Workflow file for this run

name: Container Scan
on:
workflow_call:
# push:
# branches:
# - dev
# - main
pull_request:
branches:
- dev
workflow_dispatch:
inputs:
none:
description: "Run Tests Manually"
required: false
jobs:
# scan-backend-trivy:
# permissions:
# contents: read # for actions/checkout to fetch code
# security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
# actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
# runs-on: ubuntu-latest
# steps:
# - uses: actions/checkout@v3
# # Build the docker image for testing
# - name: Build a Docker image
# run: DOCKER_BUILDKIT=1 docker build -f packages/grid/backend/backend.dockerfile packages -t backend:${{ github.sha }} --no-cache
# # Runs Snyk Container (Container and SCA) analysis and uploads result to Snyk.
# - name: Run Trivy vulnerability scanner
# continue-on-error: true
# uses: aquasecurity/trivy-action@master
# with:
# image-ref: "backend:${{ github.sha }}"
# format: "template"
# template: "@/contrib/sarif.tpl"
# output: "trivy-results.sarif"
# severity: "CRITICAL,HIGH"
# timeout: "10m0s"
# - name: Upload Trivy scan results to GitHub Security tab
# uses: github/codeql-action/upload-sarif@v2
# with:
# sarif_file: "trivy-results.sarif"
# scan-backend-snyk:
# permissions:
# contents: read # for actions/checkout to fetch code
# security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
# actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
# runs-on: ubuntu-latest
# steps:
# - uses: actions/checkout@v3
# - name: Set up Snyk CLI to check for security issues
# # Snyk can be used to break the build when it detects security issues.
# # In this case we want to upload the SAST issues to GitHub Code Scanning
# uses: snyk/actions/setup@master
# env:
# # This is where you will need to introduce the Snyk API token created with your Snyk account
# SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
# # Build the docker image for testing
# - name: Build a Docker image
# shell: bash
# run: DOCKER_BUILDKIT=1 docker build -f packages/grid/backend/backend.dockerfile packages -t backend:${{ github.sha }} --no-cache
# # Runs Snyk Container (Container and SCA) analysis and uploads result to Snyk.
# - name: Snyk auth
# shell: bash
# run: snyk config set api=$SNYK_TOKEN
# env:
# # This is where you will need to introduce the Snyk API token created with your Snyk account
# SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
# - name: Snyk Container test
# continue-on-error: true
# shell: bash
# run: snyk container test backend:${{ github.sha }} --file=packages/grid/backend/backend.dockerfile --sarif --sarif-file-output=snyk-code.sarif
# env:
# # This is where you will need to introduce the Snyk API token created with your Snyk account
# SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
# # Push the Snyk Code results into GitHub Code Scanning tab
# - name: Upload result to GitHub Code Scanning
# uses: github/codeql-action/upload-sarif@v2
# with:
# sarif_file: snyk-code.sarif
# scan-frontend-trivy:
# permissions:
# contents: read # for actions/checkout to fetch code
# security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
# actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
# runs-on: ubuntu-latest
# steps:
# - uses: actions/checkout@v3
# # Build the docker image for testing
# - name: Build a Docker image
# shell: bash
# run: DOCKER_BUILDKIT=1 docker build -f packages/grid/frontend/frontend.dockerfile packages/grid/frontend -t frontend:${{ github.sha }} --no-cache
# # Runs Snyk Container (Container and SCA) analysis and uploads result to Snyk.
# - name: Run Trivy vulnerability scanner
# continue-on-error: true
# uses: aquasecurity/trivy-action@master
# with:
# image-ref: "frontend:${{ github.sha }}"
# format: "template"
# template: "@/contrib/sarif.tpl"
# output: "trivy-results.sarif"
# severity: "CRITICAL,HIGH"
# timeout: "10m0s"
# - name: Upload Trivy scan results to GitHub Security tab
# uses: github/codeql-action/upload-sarif@v2
# with:
# sarif_file: "trivy-results.sarif"
# scan-frontend-snyk:
# permissions:
# contents: read # for actions/checkout to fetch code
# security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
# actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
# runs-on: ubuntu-latest
# steps:
# - uses: actions/checkout@v3
# - name: Set up Snyk CLI to check for security issues
# # Snyk can be used to break the build when it detects security issues.
# # In this case we want to upload the SAST issues to GitHub Code Scanning
# uses: snyk/actions/setup@master
# env:
# # This is where you will need to introduce the Snyk API token created with your Snyk account
# SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
# # Build the docker image for testing
# - name: Build a Docker image
# shell: bash
# run: DOCKER_BUILDKIT=1 docker build -f packages/grid/frontend/frontend.dockerfile packages/grid/frontend -t frontend:${{ github.sha }} --no-cache
# # Runs Snyk Container (Container and SCA) analysis and uploads result to Snyk.
# - name: Snyk auth
# shell: bash
# run: snyk config set api=$SNYK_TOKEN
# env:
# # This is where you will need to introduce the Snyk API token created with your Snyk account
# SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
# - name: Snyk Container test
# continue-on-error: true
# shell: bash
# run: snyk container test frontend:${{ github.sha }} --file=packages/grid/frontend/frontend.dockerfile --sarif --sarif-file-output=snyk-code.sarif
# env:
# # This is where you will need to introduce the Snyk API token created with your Snyk account
# SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
# # Push the Snyk Code results into GitHub Code Scanning tab
# - name: Upload result to GitHub Code Scanning
# uses: github/codeql-action/upload-sarif@v2
# with:
# sarif_file: snyk-code.sarif
# scan-tailscale-trivy:
# permissions:
# contents: read # for actions/checkout to fetch code
# security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
# actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
# runs-on: ubuntu-latest
# steps:
# - uses: actions/checkout@v3
# # Build the docker image for testing
# - name: Build a Docker image
# shell: bash
# run: DOCKER_BUILDKIT=1 docker build -f packages/grid/vpn/tailscale.dockerfile packages/grid/vpn -t tailscale:${{ github.sha }} --no-cache
# # Runs Snyk Container (Container and SCA) analysis and uploads result to Snyk.
# - name: Run Trivy vulnerability scanner
# continue-on-error: true
# uses: aquasecurity/trivy-action@master
# with:
# image-ref: "tailscale:${{ github.sha }}"
# format: "template"
# template: "@/contrib/sarif.tpl"
# output: "trivy-results.sarif"
# severity: "CRITICAL,HIGH"
# timeout: "10m0s"
# - name: Upload Trivy scan results to GitHub Security tab
# uses: github/codeql-action/upload-sarif@v2
# with:
# sarif_file: "trivy-results.sarif"
# scan-tailscale-snyk:
# permissions:
# contents: read # for actions/checkout to fetch code
# security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
# actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
# runs-on: ubuntu-latest
# steps:
# - uses: actions/checkout@v3
# - name: Set up Snyk CLI to check for security issues
# # Snyk can be used to break the build when it detects security issues.
# # In this case we want to upload the SAST issues to GitHub Code Scanning
# uses: snyk/actions/setup@master
# env:
# # This is where you will need to introduce the Snyk API token created with your Snyk account
# SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
# # Build the docker image for testing
# - name: Build a Docker image
# shell: bash
# run: DOCKER_BUILDKIT=1 docker build -f packages/grid/vpn/tailscale.dockerfile packages/grid/vpn -t tailscale:${{ github.sha }} --no-cache
# # Runs Snyk Container (Container and SCA) analysis and uploads result to Snyk.
# - name: Snyk auth
# shell: bash
# run: snyk config set api=$SNYK_TOKEN
# env:
# # This is where you will need to introduce the Snyk API token created with your Snyk account
# SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
# - name: Snyk Container test
# continue-on-error: true
# shell: bash
# run: snyk container test tailscale:${{ github.sha }} --file=packages/grid/vpn/tailscale.dockerfile --sarif --sarif-file-output=snyk-code.sarif
# env:
# # This is where you will need to introduce the Snyk API token created with your Snyk account
# SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
# # Push the Snyk Code results into GitHub Code Scanning tab
# - name: Upload result to GitHub Code Scanning
# uses: github/codeql-action/upload-sarif@v2
# with:
# sarif_file: snyk-code.sarif
# scan-headscale-trivy:
# permissions:
# contents: read # for actions/checkout to fetch code
# security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
# actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
# runs-on: ubuntu-latest
# steps:
# - uses: actions/checkout@v3
# # Build the docker image for testing
# - name: Build a Docker image
# shell: bash
# run: DOCKER_BUILDKIT=1 docker build -f packages/grid/vpn/headscale.dockerfile packages/grid/vpn -t headscale:${{ github.sha }} --no-cache
# # Runs Snyk Container (Container and SCA) analysis and uploads result to Snyk.
# - name: Run Trivy vulnerability scanner
# continue-on-error: true
# uses: aquasecurity/trivy-action@master
# with:
# image-ref: "headscale:${{ github.sha }}"
# format: "template"
# template: "@/contrib/sarif.tpl"
# output: "trivy-results.sarif"
# severity: "CRITICAL,HIGH"
# timeout: "10m0s"
# - name: Upload Trivy scan results to GitHub Security tab
# uses: github/codeql-action/upload-sarif@v2
# with:
# sarif_file: "trivy-results.sarif"
# scan-headscale-snyk:
# permissions:
# contents: read # for actions/checkout to fetch code
# security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
# actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
# runs-on: ubuntu-latest
# steps:
# - uses: actions/checkout@v3
# - name: Set up Snyk CLI to check for security issues
# # Snyk can be used to break the build when it detects security issues.
# # In this case we want to upload the SAST issues to GitHub Code Scanning
# uses: snyk/actions/setup@master
# env:
# # This is where you will need to introduce the Snyk API token created with your Snyk account
# SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
# # Build the docker image for testing
# - name: Build a Docker image
# shell: bash
# run: DOCKER_BUILDKIT=1 docker build -f packages/grid/vpn/headscale.dockerfile packages/grid/vpn -t headscale:${{ github.sha }} --no-cache
# # Runs Snyk Container (Container and SCA) analysis and uploads result to Snyk.
# - name: Snyk auth
# shell: bash
# run: snyk config set api=$SNYK_TOKEN
# env:
# # This is where you will need to introduce the Snyk API token created with your Snyk account
# SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
# - name: Snyk Container test
# continue-on-error: true
# shell: bash
# run: snyk container test headscale:${{ github.sha }} --file=packages/grid/vpn/headscale.dockerfile --sarif --sarif-file-output=snyk-code.sarif
# env:
# # This is where you will need to introduce the Snyk API token created with your Snyk account
# SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
# # Push the Snyk Code results into GitHub Code Scanning tab
# - name: Upload result to GitHub Code Scanning
# uses: github/codeql-action/upload-sarif@v2
# with:
# sarif_file: snyk-code.sarif
# scan-syft-requirements:
# permissions:
# contents: read # for actions/checkout to fetch code
# security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
# actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
# runs-on: ubuntu-latest
# steps:
# - uses: actions/checkout@v3
# #Generate SBOM
# - name: Generate SBOM
# run: |
# pip install ./packages/syft
# pip install cyclonedx-bom
# pip freeze > requirements.txt
# cyclonedx-py --r -i requirements.txt --format json -o syft.sbom.json
# #Trivy scan SBOM
# - name: Run Trivy vulnerability scanner
# continue-on-error: true
# run: |
# sudo apt-get install wget apt-transport-https gnupg lsb-release
# wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key | sudo apt-key add -
# echo deb https://aquasecurity.github.io/trivy-repo/deb $(lsb_release -sc) main | sudo tee -a /etc/apt/sources.list.d/trivy.list
# sudo apt-get update
# sudo apt-get install trivy
# trivy sbom syft.sbom.json --format sarif --output trivy-results.sarif --severity CRITICAL,HIGH --timeout 10m0s
# #Upload SBOM to GitHub Security tab
# - name: Upload SBOM to GitHub Security tab
# uses: github/codeql-action/upload-sarif@v2
# with:
# sarif_file: "trivy-results.sarif"
# #upload SBOM to github artifacts
# - name: Upload SBOM to GitHub Artifacts
# uses: actions/upload-artifact@v2
# with:
# name: syft.sbom.json
# path: syft.sbom.json
scan-mongo-latest-trivy:
permissions:
contents: read # for actions/checkout to fetch code
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- name: Run Trivy vulnerability scanner
continue-on-error: true
uses: aquasecurity/trivy-action@master
with:
image-ref: "mongo:latest"
format: "cyclonedx"
output: "mongo-trivy-results.sbom.json"
severity: "CRITICAL,HIGH"
timeout: "10m0s"
# - name: Upload Trivy scan results to GitHub Security tab
# uses: github/codeql-action/upload-sarif@v2
# with:
# sarif_file: "trivy-results.sarif"
- name: Upload SBOM to GitHub Artifacts
uses: actions/upload-artifact@v2
with:
name: mongo-trivy-results.sbom.json
path: mongo-trivy-results.sbom.json
# scan-mongo-latest-snyk:
# permissions:
# contents: read # for actions/checkout to fetch code
# security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
# actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
# runs-on: ubuntu-latest
# steps:
# - uses: actions/checkout@v3
# - name: Set up Snyk CLI to check for security issues
# # Snyk can be used to break the build when it detects security issues.
# # In this case we want to upload the SAST issues to GitHub Code Scanning
# uses: snyk/actions/setup@master
# env:
# # This is where you will need to introduce the Snyk API token created with your Snyk account
# SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
# - name: Snyk auth
# shell: bash
# run: snyk config set api=$SNYK_TOKEN
# env:
# # This is where you will need to introduce the Snyk API token created with your Snyk account
# SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
# - name: Snyk Container test
# continue-on-error: true
# shell: bash
# run: snyk container test mongo:7.0-rc --sarif --sarif-file-output=snyk-code.sarif
# env:
# # This is where you will need to introduce the Snyk API token created with your Snyk account
# SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
# # Push the Snyk Code results into GitHub Code Scanning tab
# - name: Upload result to GitHub Code Scanning
# uses: github/codeql-action/upload-sarif@v2
# with:
# sarif_file: snyk-code.sarif
# scan-traefik-trivy:
# permissions:
# contents: read # for actions/checkout to fetch code
# security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
# actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
# runs-on: ubuntu-latest
# steps:
# - uses: actions/checkout@v3
# - name: Run Trivy vulnerability scanner
# continue-on-error: true
# uses: aquasecurity/trivy-action@master
# with:
# image-ref: "traefik:v2.8.1"
# format: "cyclonedx"
# output: "traefik-trivy-results.sbom.json"
# severity: "CRITICAL,HIGH"
# timeout: "10m0s"
# - name: Upload SBOM to GitHub Artifacts
# uses: actions/upload-artifact@v2
# with:
# name: traefik-trivy-results.sbom.json
# path: traefik-trivy-results.sbom.json
# scan-traefik-snyk:
# permissions:
# contents: read # for actions/checkout to fetch code
# security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
# actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
# runs-on: ubuntu-latest
# steps:
# - uses: actions/checkout@v3
# - name: Set up Snyk CLI to check for security issues
# # Snyk can be used to break the build when it detects security issues.
# # In this case we want to upload the SAST issues to GitHub Code Scanning
# uses: snyk/actions/setup@master
# env:
# # This is where you will need to introduce the Snyk API token created with your Snyk account
# SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
# - name: Snyk auth
# shell: bash
# run: snyk config set api=$SNYK_TOKEN
# env:
# # This is where you will need to introduce the Snyk API token created with your Snyk account
# SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
# - name: Snyk Container test
# continue-on-error: true
# shell: bash
# run: snyk container test traefik:v2.8.1 --sarif --sarif-file-output=snyk-code.sarif
# env:
# # This is where you will need to introduce the Snyk API token created with your Snyk account
# SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
# # Push the Snyk Code results into GitHub Code Scanning tab
# - name: Upload result to GitHub Code Scanning
# uses: github/codeql-action/upload-sarif@v2
# with:
# sarif_file: snyk-code.sarif