diff --git a/.github/workflows/container-scan.yml b/.github/workflows/container-scan.yml
index 92a12505d44..ef20db08012 100644
--- a/.github/workflows/container-scan.yml
+++ b/.github/workflows/container-scan.yml
@@ -3,10 +3,10 @@ name: Container Scan on: workflow_call: - # push: - # branches: - # - dev - # - main + push: + branches: + - dev + - main workflow_dispatch: inputs:
@@ -31,7 +31,7 @@ jobs: - name: Run Trivy vulnerability scanner continue-on-error: true - uses: aquasecurity/trivy-action@7b7aa264d83dc58691451798b4d117d53d21edfe + uses: aquasecurity/trivy-action@master with: image-ref: "backend:${{ github.sha }}" format: "template"
@@ -56,7 +56,7 @@ jobs: - name: Set up Snyk CLI to check for security issues # Snyk can be used to break the build when it detects security issues. # In this case we want to upload the SAST issues to GitHub Code Scanning - uses: snyk/actions/setup@806182742461562b67788a64410098c9d9b96adb + uses: snyk/actions/setup@master env: # This is where you will need to introduce the Snyk API token created with your Snyk account SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
@@ -105,7 +105,7 @@ jobs: - name: Run Trivy vulnerability scanner continue-on-error: true - uses: aquasecurity/trivy-action@7b7aa264d83dc58691451798b4d117d53d21edfe + uses: aquasecurity/trivy-action@master with: image-ref: "frontend:${{ github.sha }}" format: "template"
@@ -130,7 +130,7 @@ jobs: - name: Set up Snyk CLI to check for security issues # Snyk can be used to break the build when it detects security issues. # In this case we want to upload the SAST issues to GitHub Code Scanning - uses: snyk/actions/setup@806182742461562b67788a64410098c9d9b96adb + uses: snyk/actions/setup@master env: # This is where you will need to introduce the Snyk API token created with your Snyk account SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
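Review bot: The `uses:` line in this hunk, and in the hunks at -56, -105, -130, -179, -204, -253, -278 plus the new jobs in -309, replaces a full-commit-SHA pin with the mutable `@master` ref, so any push to that upstream branch (or a compromise of that repository) runs new code inside jobs that hold `security-events: write` and, in the Snyk jobs, `SNYK_TOKEN`. The SHA pin was the correct supply-chain control for third-party actions; if the old commit needed updating, pin to the SHA of a newer release instead, e.g. `uses: aquasecurity/trivy-action@<commit-sha> # <release-tag>` and likewise `uses: snyk/actions/setup@<commit-sha> # <release-tag>`. A Dependabot or Renovate rule for the `github-actions` ecosystem keeps such SHA pins current without hand edits.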
@@ -179,7 +179,7 @@ jobs: - name: Run Trivy vulnerability scanner continue-on-error: true - uses: aquasecurity/trivy-action@7b7aa264d83dc58691451798b4d117d53d21edfe + uses: aquasecurity/trivy-action@master with: image-ref: "tailscale:${{ github.sha }}" format: "template"
@@ -204,7 +204,7 @@ jobs: - name: Set up Snyk CLI to check for security issues # Snyk can be used to break the build when it detects security issues. # In this case we want to upload the SAST issues to GitHub Code Scanning - uses: snyk/actions/setup@806182742461562b67788a64410098c9d9b96adb + uses: snyk/actions/setup@master env: # This is where you will need to introduce the Snyk API token created with your Snyk account SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
@@ -253,7 +253,7 @@ jobs: - name: Run Trivy vulnerability scanner continue-on-error: true - uses: aquasecurity/trivy-action@7b7aa264d83dc58691451798b4d117d53d21edfe + uses: aquasecurity/trivy-action@master with: image-ref: "headscale:${{ github.sha }}" format: "template"
@@ -278,7 +278,7 @@ jobs: - name: Set up Snyk CLI to check for security issues # Snyk can be used to break the build when it detects security issues. # In this case we want to upload the SAST issues to GitHub Code Scanning - uses: snyk/actions/setup@806182742461562b67788a64410098c9d9b96adb + uses: snyk/actions/setup@master env: # This is where you will need to introduce the Snyk API token created with your Snyk account SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
@@ -309,3 +309,170 @@ jobs: uses: github/codeql-action/upload-sarif@v2 with: sarif_file: snyk-code.sarif
+
+ scan-syft-requirements:
+ permissions:
+ contents: read # for actions/checkout to fetch code
+ security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
+ actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v3
+
+ #Generate SBOM
+ - name: Generate SBOM
+ run: |
+ pip install ./packages/syft
+ pip install cyclonedx-bom
+ pip freeze > requirements.txt
+ cyclonedx-py --r -i requirements.txt --format json -o syft.sbom.json
+
+ #Trivy scan SBOM
+ - name: Run Trivy vulnerability scanner
+ continue-on-error: true
+ run: |
+ sudo apt-get install wget apt-transport-https gnupg lsb-release
+ wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key | sudo apt-key add -
+ echo deb https://aquasecurity.github.io/trivy-repo/deb $(lsb_release -sc) main | sudo tee -a /etc/apt/sources.list.d/trivy.list
+ sudo apt-get update
+ sudo apt-get install trivy
+ trivy sbom syft.sbom.json --format sarif --output trivy-results.sarif --severity CRITICAL,HIGH --timeout 10m0s
+
+ #Upload SBOM to GitHub Security tab
+ - name: Upload SBOM to GitHub Security tab
+ uses: github/codeql-action/upload-sarif@v2
+ with:
+ sarif_file: "trivy-results.sarif"
+
+ #upload SBOM to github artifacts
+ - name: Upload SBOM to GitHub Artifacts
+ uses: actions/upload-artifact@v2
+ with:
+ name: syft.sbom.json
+ path: syft.sbom.json
+
+ scan-mongo-latest-trivy:
+ permissions:
+ contents: read # for actions/checkout to fetch code
+ security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
+ actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v3
+
+ - name: Run Trivy vulnerability scanner
+ continue-on-error: true
+ uses: aquasecurity/trivy-action@master
+ with:
+ image-ref: "mongo:7.0-rc"
+ format: "github"
+ template: "@/contrib/sarif.tpl"
+ output: "mongo-trivy-results.sbom.json"
+ severity: "CRITICAL,HIGH"
+ timeout: "10m0s"
+
+ - name: Upload SBOM to GitHub Artifacts
+ uses: actions/upload-artifact@v2
+ with:
+ name: mongo-trivy-results.sbom.json
+ path: mongo-trivy-results.sbom.json
+
+ scan-mongo-latest-snyk:
+ permissions:
+ contents: read # for actions/checkout to fetch code
+ security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
+ actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v3
+ - name: Set up Snyk CLI to check for security issues
+ # Snyk can be used to break the build when it detects security issues.
+ # In this case we want to upload the SAST issues to GitHub Code Scanning
+ uses: snyk/actions/setup@master
+ env:
+ # This is where you will need to introduce the Snyk API token created with your Snyk account
+ SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+
+ - name: Snyk auth
+ shell: bash
+ run: snyk config set api=$SNYK_TOKEN
+ env:
+ # This is where you will need to introduce the Snyk API token created with your Snyk account
+ SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+
+ - name: Snyk Container test
+ continue-on-error: true
+ shell: bash
+ run: snyk container test mongo:7.0-rc --sarif --sarif-file-output=snyk-code.sarif
+ env:
+ # This is where you will need to introduce the Snyk API token created with your Snyk account
+ SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+
+ # Push the Snyk Code results into GitHub Code Scanning tab
+ - name: Upload result to GitHub Code Scanning
+ uses: github/codeql-action/upload-sarif@v2
+ with:
+ sarif_file: snyk-code.sarif
+
+ scan-traefik-trivy:
+ permissions:
+ contents: read # for actions/checkout to fetch code
+ security-events: write # for
github/codeql-action/upload-sarif to upload SARIF results
+ actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v3
+
+ - name: Run Trivy vulnerability scanner
+ continue-on-error: true
+ uses: aquasecurity/trivy-action@master
+ with:
+ image-ref: "traefik:v2.8.1"
+ format: "github"
+ template: "@/contrib/sarif.tpl"
+ output: "traefik-trivy-results.sbom.json"
+ severity: "CRITICAL,HIGH"
+ timeout: "10m0s"
+
+ - name: Upload SBOM to GitHub Artifacts
+ uses: actions/upload-artifact@v2
+ with:
+ name: traefik-trivy-results.sbom.json
+ path: traefik-trivy-results.sbom.json
+
+ scan-traefik-snyk:
+ permissions:
+ contents: read # for actions/checkout to fetch code
+ security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
+ actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v3
+ - name: Set up Snyk CLI to check for security issues
+ # Snyk can be used to break the build when it detects security issues.
+ # In this case we want to upload the SAST issues to GitHub Code Scanning
+ uses: snyk/actions/setup@master
+ env:
+ # This is where you will need to introduce the Snyk API token created with your Snyk account
+ SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+
+ - name: Snyk auth
+ shell: bash
+ run: snyk config set api=$SNYK_TOKEN
+ env:
+ # This is where you will need to introduce the Snyk API token created with your Snyk account
+ SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+
+ - name: Snyk Container test
+ continue-on-error: true
+ shell: bash
+ run: snyk container test traefik:v2.8.1 --sarif --sarif-file-output=snyk-code.sarif
+ env:
+ # This is where you will need to introduce the Snyk API token created with your Snyk account
+ SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+
+ # Push the Snyk Code results into GitHub Code Scanning tab
+ - name: Upload result to GitHub Code Scanning
+ uses: github/codeql-action/upload-sarif@v2
+ with:
+ sarif_file: snyk-code.sarif
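Review bot: `scan-mongo-latest-trivy` and `scan-traefik-trivy` request `security-events: write` (with a comment saying it is for upload-sarif) but contain no upload-sarif step — their only consumer is `actions/upload-artifact` — so both permission blocks should shrink to `permissions:` / `contents: read`. The same two jobs combine `format: "github"` with `template: "@/contrib/sarif.tpl"`; as far as I know trivy only consults the template for `format: template`, so either the `template:` line is dead or `format` was meant to be `"sarif"` with a code-scanning upload behind it, and the `.sbom.json` artifact name suggests the intent should be stated in a step comment. In `scan-syft-requirements` the Trivy step trusts a downloaded key through the deprecated `apt-key add` and installs an unpinned `trivy` from the apt repo on every run, which is weaker than the SHA-pinned action the other jobs use; pinning the package version or reusing the action would keep scanner provenance consistent. In the two new Snyk jobs, `snyk config set api=$SNYK_TOKEN` writes the token into the CLI's config file on the runner although the later step already exports `SNYK_TOKEN` in `env:`, which the CLI reads directly, so the `Snyk auth` step can be dropped.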