Merge pull request #7956 from OpenMined/add-sbom-to-workflow
add SBOM generation and scanning to the container-scan workflow
bitsofsteve authored Jul 19, 2023
2 parents f3dd1d2 + 0a62a3e commit 457eaec
Showing 1 changed file with 179 additions and 12 deletions.
191 changes: 179 additions & 12 deletions .github/workflows/container-scan.yml
Expand Up @@ -3,10 +3,10 @@ name: Container Scan
on:
workflow_call:

# push:
# branches:
# - dev
# - main
push:
branches:
- dev
- main

workflow_dispatch:
inputs:
Expand All @@ -31,7 +31,7 @@ jobs:

- name: Run Trivy vulnerability scanner
continue-on-error: true
uses: aquasecurity/trivy-action@7b7aa264d83dc58691451798b4d117d53d21edfe
uses: aquasecurity/trivy-action@master
with:
image-ref: "backend:${{ github.sha }}"
format: "template"
Expand All @@ -56,7 +56,7 @@ jobs:
- name: Set up Snyk CLI to check for security issues
# Snyk can be used to break the build when it detects security issues.
# In this case we want to upload the SAST issues to GitHub Code Scanning
uses: snyk/actions/setup@806182742461562b67788a64410098c9d9b96adb
uses: snyk/actions/setup@master
env:
# This is where you will need to introduce the Snyk API token created with your Snyk account
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
Expand Down Expand Up @@ -105,7 +105,7 @@ jobs:

- name: Run Trivy vulnerability scanner
continue-on-error: true
uses: aquasecurity/trivy-action@7b7aa264d83dc58691451798b4d117d53d21edfe
uses: aquasecurity/trivy-action@master
with:
image-ref: "frontend:${{ github.sha }}"
format: "template"
Expand All @@ -130,7 +130,7 @@ jobs:
- name: Set up Snyk CLI to check for security issues
# Snyk can be used to break the build when it detects security issues.
# In this case we want to upload the SAST issues to GitHub Code Scanning
uses: snyk/actions/setup@806182742461562b67788a64410098c9d9b96adb
uses: snyk/actions/setup@master
env:
# This is where you will need to introduce the Snyk API token created with your Snyk account
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
Expand Down Expand Up @@ -179,7 +179,7 @@ jobs:

- name: Run Trivy vulnerability scanner
continue-on-error: true
uses: aquasecurity/trivy-action@7b7aa264d83dc58691451798b4d117d53d21edfe
uses: aquasecurity/trivy-action@master
with:
image-ref: "tailscale:${{ github.sha }}"
format: "template"
Expand All @@ -204,7 +204,7 @@ jobs:
- name: Set up Snyk CLI to check for security issues
# Snyk can be used to break the build when it detects security issues.
# In this case we want to upload the SAST issues to GitHub Code Scanning
uses: snyk/actions/setup@806182742461562b67788a64410098c9d9b96adb
uses: snyk/actions/setup@master
env:
# This is where you will need to introduce the Snyk API token created with your Snyk account
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
Expand Down Expand Up @@ -253,7 +253,7 @@ jobs:

- name: Run Trivy vulnerability scanner
continue-on-error: true
uses: aquasecurity/trivy-action@7b7aa264d83dc58691451798b4d117d53d21edfe
uses: aquasecurity/trivy-action@master
with:
image-ref: "headscale:${{ github.sha }}"
format: "template"
Expand All @@ -278,7 +278,7 @@ jobs:
- name: Set up Snyk CLI to check for security issues
# Snyk can be used to break the build when it detects security issues.
# In this case we want to upload the SAST issues to GitHub Code Scanning
uses: snyk/actions/setup@806182742461562b67788a64410098c9d9b96adb
uses: snyk/actions/setup@master
env:
# This is where you will need to introduce the Snyk API token created with your Snyk account
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
Expand Down Expand Up @@ -309,3 +309,170 @@ jobs:
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: snyk-code.sarif

scan-syft-requirements:
permissions:
contents: read # for actions/checkout to fetch code
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3

#Generate SBOM
- name: Generate SBOM
run: |
pip install ./packages/syft
pip install cyclonedx-bom
pip freeze > requirements.txt
cyclonedx-py --r -i requirements.txt --format json -o syft.sbom.json
#Trivy scan SBOM
- name: Run Trivy vulnerability scanner
continue-on-error: true
run: |
sudo apt-get install wget apt-transport-https gnupg lsb-release
wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key | sudo apt-key add -
echo deb https://aquasecurity.github.io/trivy-repo/deb $(lsb_release -sc) main | sudo tee -a /etc/apt/sources.list.d/trivy.list
sudo apt-get update
sudo apt-get install trivy
trivy sbom syft.sbom.json --format sarif --output trivy-results.sarif --severity CRITICAL,HIGH --timeout 10m0s
#Upload SBOM to GitHub Security tab
- name: Upload SBOM to GitHub Security tab
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: "trivy-results.sarif"

#upload SBOM to github artifacts
- name: Upload SBOM to GitHub Artifacts
uses: actions/upload-artifact@v2
with:
name: syft.sbom.json
path: syft.sbom.json

scan-mongo-latest-trivy:
permissions:
contents: read # for actions/checkout to fetch code
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3

- name: Run Trivy vulnerability scanner
continue-on-error: true
uses: aquasecurity/trivy-action@master
with:
image-ref: "mongo:7.0-rc"
format: "github"
template: "@/contrib/sarif.tpl"
output: "mongo-trivy-results.sbom.json"
severity: "CRITICAL,HIGH"
timeout: "10m0s"

- name: Upload SBOM to GitHub Artifacts
uses: actions/upload-artifact@v2
with:
name: mongo-trivy-results.sbom.json
path: mongo-trivy-results.sbom.json

scan-mongo-latest-snyk:
permissions:
contents: read # for actions/checkout to fetch code
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- name: Set up Snyk CLI to check for security issues
# Snyk can be used to break the build when it detects security issues.
# In this case we want to upload the SAST issues to GitHub Code Scanning
uses: snyk/actions/setup@master
env:
# This is where you will need to introduce the Snyk API token created with your Snyk account
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}

- name: Snyk auth
shell: bash
run: snyk config set api=$SNYK_TOKEN
env:
# This is where you will need to introduce the Snyk API token created with your Snyk account
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}

- name: Snyk Container test
continue-on-error: true
shell: bash
run: snyk container test mongo:7.0-rc --sarif --sarif-file-output=snyk-code.sarif
env:
# This is where you will need to introduce the Snyk API token created with your Snyk account
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}

# Push the Snyk Code results into GitHub Code Scanning tab
- name: Upload result to GitHub Code Scanning
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: snyk-code.sarif

scan-traefik-trivy:
permissions:
contents: read # for actions/checkout to fetch code
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3

- name: Run Trivy vulnerability scanner
continue-on-error: true
uses: aquasecurity/trivy-action@master
with:
image-ref: "traefik:v2.8.1"
format: "github"
template: "@/contrib/sarif.tpl"
output: "traefik-trivy-results.sbom.json"
severity: "CRITICAL,HIGH"
timeout: "10m0s"

- name: Upload SBOM to GitHub Artifacts
uses: actions/upload-artifact@v2
with:
name: traefik-trivy-results.sbom.json
path: traefik-trivy-results.sbom.json

scan-traefik-snyk:
permissions:
contents: read # for actions/checkout to fetch code
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- name: Set up Snyk CLI to check for security issues
# Snyk can be used to break the build when it detects security issues.
# In this case we want to upload the SAST issues to GitHub Code Scanning
uses: snyk/actions/setup@master
env:
# This is where you will need to introduce the Snyk API token created with your Snyk account
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}

- name: Snyk auth
shell: bash
run: snyk config set api=$SNYK_TOKEN
env:
# This is where you will need to introduce the Snyk API token created with your Snyk account
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}

- name: Snyk Container test
continue-on-error: true
shell: bash
run: snyk container test traefik:v2.8.1 --sarif --sarif-file-output=snyk-code.sarif
env:
# This is where you will need to introduce the Snyk API token created with your Snyk account
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}

# Push the Snyk Code results into GitHub Code Scanning tab
- name: Upload result to GitHub Code Scanning
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: snyk-code.sarif
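Review bot: The `uses:` lines that replace the full commit pins `aquasecurity/trivy-action@7b7aa264d83dc58691451798b4d117d53d21edfe` and `snyk/actions/setup@806182742461562b67788a64410098c9d9b96adb` with `@master` (first in the backend job, then repeated in the frontend, tailscale, headscale jobs and carried into the new mongo and traefik jobs) make every scan job track a mutable upstream branch, so any change to that branch runs in this repo's context with `security-events: write` and the `SNYK_TOKEN` secret; keep the SHA pins, e.g. `uses: aquasecurity/trivy-action@<commit-sha>  # <release tag>`, and let a dependency bot move them. The new `scan-syft-requirements` job has the same unpinned-provenance shape in its `run:` block (a `wget | apt-key add -` key import and an unversioned `apt-get install trivy`), so consider pinning the Trivy version there or reusing the action, and `actions/upload-artifact@v2` in the four new upload steps is an older major that the v3 line supersedes. In the mongo and traefik Trivy steps, `format: "github"` appears to produce a dependency-snapshot document rather than SARIF, which would make the `template: "@/contrib/sarif.tpl"` key inert; if that is the intent, a short comment such as `# github format = dependency snapshot, not SARIF; uploaded only as an artifact` would stop readers from expecting these results in the Code Scanning tab.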
