From ec3ebc3b25fdfd7084ac60148b0141ac3a346d72 Mon Sep 17 00:00:00 2001 From: bitsofsteve Date: Tue, 18 Jul 2023 16:37:00 +0000 Subject: [PATCH 1/9] add sbom to container scan --- .github/workflows/container-scan.yml | 104 +++++++++++++++++++++++++++ 1 file changed, 104 insertions(+) diff --git a/.github/workflows/container-scan.yml b/.github/workflows/container-scan.yml index 92a12505d44..186edc0ab2b 100644 --- a/.github/workflows/container-scan.yml +++ b/.github/workflows/container-scan.yml 
@@ -309,3 +309,107 @@ jobs:
 uses: github/codeql-action/upload-sarif@v2
 with:
 sarif_file: snyk-code.sarif
+
+ scan-syft-requirements:
+ permissions:
+ contents: read # for actions/checkout to fetch code
+ security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
+ actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v3
+
+ #Generate SBOM
+ - name: Generate SBOM
+ run: |
+ pip install cyclonedx-bom
+ pip freeze > requirements.txt
+ cyclonedx-py -i requirements.txt --format json -o syft.bom.json
+
+ #Trivy scan SBOM
+ - name: Run Trivy vulnerability scanner
+ continue-on-error: true
+ uses: aquasecurity/trivy-action@master
+ with:
+ scan-type: "sbom"
+ scan-ref: "syft.bom.json"
+ format: "sarif"
+ template: "@/contrib/sarif.tpl"
+ output: "trivy-results.sarif"
+ severity: "CRITICAL,HIGH"
+ timeout: "10m0s"
+
+ #Upload SBOM to GitHub Security tab
+ - name: Upload SBOM to GitHub Security tab
+ uses: github/codeql-action/upload-sarif@v2
+ with:
+ sarif_file: "trivy-results.sarif"
+
+ #upload SBOM to github artifacts
+ - name: Upload SBOM to GitHub Artifacts
+ uses: actions/upload-artifact@v2
+ with:
+ name: syft.bom.json
+ path: syft.bom.json
+
+ scan-mongo-latest-trivy:
+ permissions:
+ contents: read # for actions/checkout to fetch code
+ security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
+ actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v3
+
+ - name: Run Trivy vulnerability scanner
+ continue-on-error: true
+ uses: aquasecurity/trivy-action@7b7aa264d83dc58691451798b4d117d53d21edfe
+ with:
+ image-ref: "mongo:latest"
+ format: "github"
+ template: "@/contrib/sarif.tpl"
+ output: "mongo-trivy-results.sbom.json"
+ severity: "CRITICAL,HIGH"
+ timeout: "10m0s"
+
+ - name: Upload Trivy scan results to GitHub Security tab
+ uses: github/codeql-action/upload-sarif@v2
+ with:
+ sarif_file: "trivy-results.sarif"
+
+ scan-mongo-latest-snyk:
+ permissions:
+ contents: read # for actions/checkout to fetch code
+ security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
+ actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v3
+ - name: Set up Snyk CLI to check for security issues
+ # Snyk can be used to break the build when it detects security issues.
+ # In this case we want to upload the SAST issues to GitHub Code Scanning
+ uses: snyk/actions/setup@806182742461562b67788a64410098c9d9b96adb
+ env:
+ # This is where you will need to introduce the Snyk API token created with your Snyk account
+ SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+
+ - name: Snyk auth
+ shell: bash
+ run: snyk config set api=$SNYK_TOKEN
+ env:
+ # This is where you will need to introduce the Snyk API token created with your Snyk account
+ SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+
+ - name: Snyk Container test
+ continue-on-error: true
+ shell: bash
+ run: snyk container test mongo:latest --sarif --sarif-file-output=snyk-code.sarif
+ env:
+ # This is where you will need to introduce the Snyk API token created with your Snyk account
+ SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+
+ # Push the Snyk Code results into GitHub Code Scanning tab
+ - name: Upload result to GitHub Code Scanning
+ uses: github/codeql-action/upload-sarif@v2
+ with:
+ sarif_file: snyk-code.sarif
From d6024b2ff022fbf646da4b90202ff5e936637e89 Mon Sep 17 00:00:00 2001 From: bitsofsteve Date: Wed, 19 Jul 2023 11:04:40 +0000 Subject: [PATCH 2/9] testing sbom on Pull request
---
.github/workflows/container-scan.yml | 603 +++++++++++++++------------ 1 file changed, 336 insertions(+), 267 deletions(-)
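Review bot: In the new `scan-mongo-latest-trivy` job the scanner writes `output: "mongo-trivy-results.sbom.json"` in `format: "github"`, but the following upload step reads `sarif_file: "trivy-results.sarif"`, a file nothing in this job creates, and the `github` format produces a dependency snapshot rather than SARIF, so the Security-tab upload cannot succeed; either use `format: "template"` with `output: "trivy-results.sarif"` as the other Trivy jobs do, or drop the upload-sarif step. The `scan-syft-requirements` job has a related gap: `pip freeze > requirements.txt` runs after only `pip install cyclonedx-bom`, so the resulting SBOM lists the runner's preinstalled Python packages rather than this repository's code — install the project first, or point `cyclonedx-py` at the project's own requirements file. Both mongo jobs also scan `mongo:latest`, whose contents change under the tag, so findings are not reproducible against what is deployed; reference the tag the deployment uses.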
diff --git a/.github/workflows/container-scan.yml b/.github/workflows/container-scan.yml index 186edc0ab2b..41f70c93a2d 100644 --- a/.github/workflows/container-scan.yml +++ b/.github/workflows/container-scan.yml @@ -3,6 +3,10 @@ name: Container Scan on: workflow_call: + pull_request: + branches: + - dev + # push: # branches: # - dev 
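Review bot: The new `pull_request` trigger on `dev` will run the Snyk jobs on PR events, but repository secrets such as `secrets.SNYK_TOKEN` are not passed to workflows triggered by pull requests from forks, so `snyk config set api=$SNYK_TOKEN` runs with an empty value and the Snyk steps fail, and SARIF upload from fork PRs is likewise restricted. If the trigger is meant to outlive this test, gate the Snyk jobs with `if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository`, and consider a `paths:` filter so a workflow that pulls and scans several images does not run on unrelated PRs. The commit title says this is for testing; a comment such as `# TEMP: PR trigger for SBOM testing, remove before merge` above `pull_request:` would stop it landing unnoticed.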
@@ -15,154 +19,302 @@ on: required: false jobs: - scan-backend-trivy: - permissions: - contents: read # for actions/checkout to fetch code - security-events: write # for github/codeql-action/upload-sarif to upload SARIF results - actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v3 - - # Build the docker image for testing - - name: Build a Docker image - run: DOCKER_BUILDKIT=1 docker build -f packages/grid/backend/backend.dockerfile packages -t backend:${{ github.sha }} --no-cache - # Runs Snyk Container (Container and SCA) analysis and uploads result to Snyk. - - - name: Run Trivy vulnerability scanner - continue-on-error: true - uses: aquasecurity/trivy-action@7b7aa264d83dc58691451798b4d117d53d21edfe - with: - image-ref: "backend:${{ github.sha }}" - format: "template" - template: "@/contrib/sarif.tpl" - output: "trivy-results.sarif" - severity: "CRITICAL,HIGH" - timeout: "10m0s" - - - name: Upload Trivy scan results to GitHub Security tab - uses: github/codeql-action/upload-sarif@v2 - with: - sarif_file: "trivy-results.sarif" - - scan-backend-snyk: - permissions: - contents: read # for actions/checkout to fetch code - security-events: write # for github/codeql-action/upload-sarif to upload SARIF results - actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v3 - - name: Set up Snyk CLI to check for security issues - # Snyk can be used to break the build when it detects security issues. 
- # In this case we want to upload the SAST issues to GitHub Code Scanning - uses: snyk/actions/setup@806182742461562b67788a64410098c9d9b96adb - env: - # This is where you will need to introduce the Snyk API token created with your Snyk account - SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} - - # Build the docker image for testing - - name: Build a Docker image - shell: bash - run: DOCKER_BUILDKIT=1 docker build -f packages/grid/backend/backend.dockerfile packages -t backend:${{ github.sha }} --no-cache - # Runs Snyk Container (Container and SCA) analysis and uploads result to Snyk. - - - name: Snyk auth - shell: bash - run: snyk config set api=$SNYK_TOKEN - env: - # This is where you will need to introduce the Snyk API token created with your Snyk account - SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} - - - name: Snyk Container test - continue-on-error: true - shell: bash - run: snyk container test backend:${{ github.sha }} --file=packages/grid/backend/backend.dockerfile --sarif --sarif-file-output=snyk-code.sarif - env: - # This is where you will need to introduce the Snyk API token created with your Snyk account - SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} - - # Push the Snyk Code results into GitHub Code Scanning tab - - name: Upload result to GitHub Code Scanning - uses: github/codeql-action/upload-sarif@v2 - with: - sarif_file: snyk-code.sarif - - scan-frontend-trivy: - permissions: - contents: read # for actions/checkout to fetch code - security-events: write # for github/codeql-action/upload-sarif to upload SARIF results - actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v3 - - # Build the docker image for testing - - name: Build a Docker image - shell: bash - run: DOCKER_BUILDKIT=1 docker build -f packages/grid/frontend/frontend.dockerfile packages/grid/frontend -t frontend:${{ github.sha }} --no-cache - # Runs Snyk Container (Container and 
SCA) analysis and uploads result to Snyk. - - - name: Run Trivy vulnerability scanner - continue-on-error: true - uses: aquasecurity/trivy-action@7b7aa264d83dc58691451798b4d117d53d21edfe - with: - image-ref: "frontend:${{ github.sha }}" - format: "template" - template: "@/contrib/sarif.tpl" - output: "trivy-results.sarif" - severity: "CRITICAL,HIGH" - timeout: "10m0s" - - - name: Upload Trivy scan results to GitHub Security tab - uses: github/codeql-action/upload-sarif@v2 - with: - sarif_file: "trivy-results.sarif" - - scan-frontend-snyk: - permissions: - contents: read # for actions/checkout to fetch code - security-events: write # for github/codeql-action/upload-sarif to upload SARIF results - actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v3 - - name: Set up Snyk CLI to check for security issues - # Snyk can be used to break the build when it detects security issues. - # In this case we want to upload the SAST issues to GitHub Code Scanning - uses: snyk/actions/setup@806182742461562b67788a64410098c9d9b96adb - env: - # This is where you will need to introduce the Snyk API token created with your Snyk account - SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} - - # Build the docker image for testing - - name: Build a Docker image - shell: bash - run: DOCKER_BUILDKIT=1 docker build -f packages/grid/frontend/frontend.dockerfile packages/grid/frontend -t frontend:${{ github.sha }} --no-cache - # Runs Snyk Container (Container and SCA) analysis and uploads result to Snyk. 
- - - name: Snyk auth - shell: bash - run: snyk config set api=$SNYK_TOKEN - env: - # This is where you will need to introduce the Snyk API token created with your Snyk account - SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} - - - name: Snyk Container test - continue-on-error: true - shell: bash - run: snyk container test frontend:${{ github.sha }} --file=packages/grid/frontend/frontend.dockerfile --sarif --sarif-file-output=snyk-code.sarif - env: - # This is where you will need to introduce the Snyk API token created with your Snyk account - SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} + # scan-backend-trivy: + # permissions: + # contents: read # for actions/checkout to fetch code + # security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + # actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status + # runs-on: ubuntu-latest + # steps: + # - uses: actions/checkout@v3 + + # # Build the docker image for testing + # - name: Build a Docker image + # run: DOCKER_BUILDKIT=1 docker build -f packages/grid/backend/backend.dockerfile packages -t backend:${{ github.sha }} --no-cache + # # Runs Snyk Container (Container and SCA) analysis and uploads result to Snyk. 
+ + # - name: Run Trivy vulnerability scanner + # continue-on-error: true + # uses: aquasecurity/trivy-action@7b7aa264d83dc58691451798b4d117d53d21edfe + # with: + # image-ref: "backend:${{ github.sha }}" + # format: "template" + # template: "@/contrib/sarif.tpl" + # output: "trivy-results.sarif" + # severity: "CRITICAL,HIGH" + # timeout: "10m0s" + + # - name: Upload Trivy scan results to GitHub Security tab + # uses: github/codeql-action/upload-sarif@v2 + # with: + # sarif_file: "trivy-results.sarif" + + # scan-backend-snyk: + # permissions: + # contents: read # for actions/checkout to fetch code + # security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + # actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status + # runs-on: ubuntu-latest + # steps: + # - uses: actions/checkout@v3 + # - name: Set up Snyk CLI to check for security issues + # # Snyk can be used to break the build when it detects security issues. + # # In this case we want to upload the SAST issues to GitHub Code Scanning + # uses: snyk/actions/setup@806182742461562b67788a64410098c9d9b96adb + # env: + # # This is where you will need to introduce the Snyk API token created with your Snyk account + # SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} + + # # Build the docker image for testing + # - name: Build a Docker image + # shell: bash + # run: DOCKER_BUILDKIT=1 docker build -f packages/grid/backend/backend.dockerfile packages -t backend:${{ github.sha }} --no-cache + # # Runs Snyk Container (Container and SCA) analysis and uploads result to Snyk. 
+ + # - name: Snyk auth + # shell: bash + # run: snyk config set api=$SNYK_TOKEN + # env: + # # This is where you will need to introduce the Snyk API token created with your Snyk account + # SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} + + # - name: Snyk Container test + # continue-on-error: true + # shell: bash + # run: snyk container test backend:${{ github.sha }} --file=packages/grid/backend/backend.dockerfile --sarif --sarif-file-output=snyk-code.sarif + # env: + # # This is where you will need to introduce the Snyk API token created with your Snyk account + # SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} + + # # Push the Snyk Code results into GitHub Code Scanning tab + # - name: Upload result to GitHub Code Scanning + # uses: github/codeql-action/upload-sarif@v2 + # with: + # sarif_file: snyk-code.sarif + + # scan-frontend-trivy: + # permissions: + # contents: read # for actions/checkout to fetch code + # security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + # actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status + # runs-on: ubuntu-latest + # steps: + # - uses: actions/checkout@v3 + + # # Build the docker image for testing + # - name: Build a Docker image + # shell: bash + # run: DOCKER_BUILDKIT=1 docker build -f packages/grid/frontend/frontend.dockerfile packages/grid/frontend -t frontend:${{ github.sha }} --no-cache + # # Runs Snyk Container (Container and SCA) analysis and uploads result to Snyk. 
+ + # - name: Run Trivy vulnerability scanner + # continue-on-error: true + # uses: aquasecurity/trivy-action@7b7aa264d83dc58691451798b4d117d53d21edfe + # with: + # image-ref: "frontend:${{ github.sha }}" + # format: "template" + # template: "@/contrib/sarif.tpl" + # output: "trivy-results.sarif" + # severity: "CRITICAL,HIGH" + # timeout: "10m0s" + + # - name: Upload Trivy scan results to GitHub Security tab + # uses: github/codeql-action/upload-sarif@v2 + # with: + # sarif_file: "trivy-results.sarif" + + # scan-frontend-snyk: + # permissions: + # contents: read # for actions/checkout to fetch code + # security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + # actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status + # runs-on: ubuntu-latest + # steps: + # - uses: actions/checkout@v3 + # - name: Set up Snyk CLI to check for security issues + # # Snyk can be used to break the build when it detects security issues. + # # In this case we want to upload the SAST issues to GitHub Code Scanning + # uses: snyk/actions/setup@806182742461562b67788a64410098c9d9b96adb + # env: + # # This is where you will need to introduce the Snyk API token created with your Snyk account + # SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} + + # # Build the docker image for testing + # - name: Build a Docker image + # shell: bash + # run: DOCKER_BUILDKIT=1 docker build -f packages/grid/frontend/frontend.dockerfile packages/grid/frontend -t frontend:${{ github.sha }} --no-cache + # # Runs Snyk Container (Container and SCA) analysis and uploads result to Snyk. 
+ + # - name: Snyk auth + # shell: bash + # run: snyk config set api=$SNYK_TOKEN + # env: + # # This is where you will need to introduce the Snyk API token created with your Snyk account + # SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} + + # - name: Snyk Container test + # continue-on-error: true + # shell: bash + # run: snyk container test frontend:${{ github.sha }} --file=packages/grid/frontend/frontend.dockerfile --sarif --sarif-file-output=snyk-code.sarif + # env: + # # This is where you will need to introduce the Snyk API token created with your Snyk account + # SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} + + # # Push the Snyk Code results into GitHub Code Scanning tab + # - name: Upload result to GitHub Code Scanning + # uses: github/codeql-action/upload-sarif@v2 + # with: + # sarif_file: snyk-code.sarif + + # scan-tailscale-trivy: + # permissions: + # contents: read # for actions/checkout to fetch code + # security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + # actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status + # runs-on: ubuntu-latest + # steps: + # - uses: actions/checkout@v3 + + # # Build the docker image for testing + # - name: Build a Docker image + # shell: bash + # run: DOCKER_BUILDKIT=1 docker build -f packages/grid/vpn/tailscale.dockerfile packages/grid/vpn -t tailscale:${{ github.sha }} --no-cache + # # Runs Snyk Container (Container and SCA) analysis and uploads result to Snyk. 
+ + # - name: Run Trivy vulnerability scanner + # continue-on-error: true + # uses: aquasecurity/trivy-action@7b7aa264d83dc58691451798b4d117d53d21edfe + # with: + # image-ref: "tailscale:${{ github.sha }}" + # format: "template" + # template: "@/contrib/sarif.tpl" + # output: "trivy-results.sarif" + # severity: "CRITICAL,HIGH" + # timeout: "10m0s" + + # - name: Upload Trivy scan results to GitHub Security tab + # uses: github/codeql-action/upload-sarif@v2 + # with: + # sarif_file: "trivy-results.sarif" + + # scan-tailscale-snyk: + # permissions: + # contents: read # for actions/checkout to fetch code + # security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + # actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status + # runs-on: ubuntu-latest + # steps: + # - uses: actions/checkout@v3 + # - name: Set up Snyk CLI to check for security issues + # # Snyk can be used to break the build when it detects security issues. + # # In this case we want to upload the SAST issues to GitHub Code Scanning + # uses: snyk/actions/setup@806182742461562b67788a64410098c9d9b96adb + # env: + # # This is where you will need to introduce the Snyk API token created with your Snyk account + # SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} + + # # Build the docker image for testing + # - name: Build a Docker image + # shell: bash + # run: DOCKER_BUILDKIT=1 docker build -f packages/grid/vpn/tailscale.dockerfile packages/grid/vpn -t tailscale:${{ github.sha }} --no-cache + # # Runs Snyk Container (Container and SCA) analysis and uploads result to Snyk. 
+ + # - name: Snyk auth + # shell: bash + # run: snyk config set api=$SNYK_TOKEN + # env: + # # This is where you will need to introduce the Snyk API token created with your Snyk account + # SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} + + # - name: Snyk Container test + # continue-on-error: true + # shell: bash + # run: snyk container test tailscale:${{ github.sha }} --file=packages/grid/vpn/tailscale.dockerfile --sarif --sarif-file-output=snyk-code.sarif + # env: + # # This is where you will need to introduce the Snyk API token created with your Snyk account + # SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} + + # # Push the Snyk Code results into GitHub Code Scanning tab + # - name: Upload result to GitHub Code Scanning + # uses: github/codeql-action/upload-sarif@v2 + # with: + # sarif_file: snyk-code.sarif + + # scan-headscale-trivy: + # permissions: + # contents: read # for actions/checkout to fetch code + # security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + # actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status + # runs-on: ubuntu-latest + # steps: + # - uses: actions/checkout@v3 + + # # Build the docker image for testing + # - name: Build a Docker image + # shell: bash + # run: DOCKER_BUILDKIT=1 docker build -f packages/grid/vpn/headscale.dockerfile packages/grid/vpn -t headscale:${{ github.sha }} --no-cache + # # Runs Snyk Container (Container and SCA) analysis and uploads result to Snyk. 
+ + # - name: Run Trivy vulnerability scanner + # continue-on-error: true + # uses: aquasecurity/trivy-action@7b7aa264d83dc58691451798b4d117d53d21edfe + # with: + # image-ref: "headscale:${{ github.sha }}" + # format: "template" + # template: "@/contrib/sarif.tpl" + # output: "trivy-results.sarif" + # severity: "CRITICAL,HIGH" + # timeout: "10m0s" + + # - name: Upload Trivy scan results to GitHub Security tab + # uses: github/codeql-action/upload-sarif@v2 + # with: + # sarif_file: "trivy-results.sarif" + + # scan-headscale-snyk: + # permissions: + # contents: read # for actions/checkout to fetch code + # security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + # actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status + # runs-on: ubuntu-latest + # steps: + # - uses: actions/checkout@v3 + # - name: Set up Snyk CLI to check for security issues + # # Snyk can be used to break the build when it detects security issues. + # # In this case we want to upload the SAST issues to GitHub Code Scanning + # uses: snyk/actions/setup@806182742461562b67788a64410098c9d9b96adb + # env: + # # This is where you will need to introduce the Snyk API token created with your Snyk account + # SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} + + # # Build the docker image for testing + # - name: Build a Docker image + # shell: bash + # run: DOCKER_BUILDKIT=1 docker build -f packages/grid/vpn/headscale.dockerfile packages/grid/vpn -t headscale:${{ github.sha }} --no-cache + # # Runs Snyk Container (Container and SCA) analysis and uploads result to Snyk. 
+ + # - name: Snyk auth + # shell: bash + # run: snyk config set api=$SNYK_TOKEN + # env: + # # This is where you will need to introduce the Snyk API token created with your Snyk account + # SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} + + # - name: Snyk Container test + # continue-on-error: true + # shell: bash + # run: snyk container test headscale:${{ github.sha }} --file=packages/grid/vpn/headscale.dockerfile --sarif --sarif-file-output=snyk-code.sarif + # env: + # # This is where you will need to introduce the Snyk API token created with your Snyk account + # SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} + + # # Push the Snyk Code results into GitHub Code Scanning tab + # - name: Upload result to GitHub Code Scanning + # uses: github/codeql-action/upload-sarif@v2 + # with: + # sarif_file: snyk-code.sarif - # Push the Snyk Code results into GitHub Code Scanning tab - - name: Upload result to GitHub Code Scanning - uses: github/codeql-action/upload-sarif@v2 - with: - sarif_file: snyk-code.sarif - - scan-tailscale-trivy: + scan-syft-requirements: permissions: contents: read # for actions/checkout to fetch code security-events: write # for github/codeql-action/upload-sarif to upload SARIF results 
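Review bot: Commenting out the eight backend/frontend/tailscale/headscale Trivy and Snyk jobs removes every scan of the images this repository actually builds, and since the workflow is also reachable via `workflow_call`, each caller silently loses that coverage instead of failing. If the goal is only to shorten the PR-triggered test run, keep the jobs and gate them, e.g. `if: github.event_name != 'pull_request'` on each job, or add a `workflow_call` input that toggles them. Several hundred lines of commented YAML also make the file hard to review and will drift from the live copy; delete or gate, but do not comment out.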
@@ -171,72 +323,41 @@ jobs: steps: - uses: actions/checkout@v3 - # Build the docker image for testing - - name: Build a Docker image - shell: bash - run: DOCKER_BUILDKIT=1 docker build -f packages/grid/vpn/tailscale.dockerfile packages/grid/vpn -t tailscale:${{ github.sha }} --no-cache - # Runs Snyk Container (Container and SCA) analysis and uploads result to Snyk. + #Generate SBOM + - name: Generate SBOM + run: | + pip install -U syft + pip install cyclonedx-bom + pip freeze > requirements.txt + cyclonedx-py -i requirements.txt --format json -o syft.bom.json + #Trivy scan SBOM - name: Run Trivy vulnerability scanner continue-on-error: true - uses: aquasecurity/trivy-action@7b7aa264d83dc58691451798b4d117d53d21edfe + uses: aquasecurity/trivy-action@master with: - image-ref: "tailscale:${{ github.sha }}" - format: "template" + scan-type: "sbom" + scan-ref: "syft.bom.json" + format: "sarif" template: "@/contrib/sarif.tpl" output: "trivy-results.sarif" severity: "CRITICAL,HIGH" timeout: "10m0s" - - name: Upload Trivy scan results to GitHub Security tab + #Upload SBOM to GitHub Security tab + - name: Upload SBOM to GitHub Security tab uses: github/codeql-action/upload-sarif@v2 with: sarif_file: "trivy-results.sarif" - scan-tailscale-snyk: - permissions: - contents: read # for actions/checkout to fetch code - security-events: write # for github/codeql-action/upload-sarif to upload SARIF results - actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v3 - - name: Set up Snyk CLI to check for security issues - # Snyk can be used to break the build when it detects security issues. 
- # In this case we want to upload the SAST issues to GitHub Code Scanning - uses: snyk/actions/setup@806182742461562b67788a64410098c9d9b96adb - env: - # This is where you will need to introduce the Snyk API token created with your Snyk account - SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} - - # Build the docker image for testing - - name: Build a Docker image - shell: bash - run: DOCKER_BUILDKIT=1 docker build -f packages/grid/vpn/tailscale.dockerfile packages/grid/vpn -t tailscale:${{ github.sha }} --no-cache - # Runs Snyk Container (Container and SCA) analysis and uploads result to Snyk. - - - name: Snyk auth - shell: bash - run: snyk config set api=$SNYK_TOKEN - env: - # This is where you will need to introduce the Snyk API token created with your Snyk account - SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} - - - name: Snyk Container test - continue-on-error: true - shell: bash - run: snyk container test tailscale:${{ github.sha }} --file=packages/grid/vpn/tailscale.dockerfile --sarif --sarif-file-output=snyk-code.sarif - env: - # This is where you will need to introduce the Snyk API token created with your Snyk account - SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} - - # Push the Snyk Code results into GitHub Code Scanning tab - - name: Upload result to GitHub Code Scanning - uses: github/codeql-action/upload-sarif@v2 + #upload SBOM to github artifacts + - name: Upload SBOM to GitHub Artifacts + uses: actions/upload-artifact@v2 with: - sarif_file: snyk-code.sarif + name: syft.bom.json + path: syft.bom.json - scan-headscale-trivy: + scan-mongo-latest-trivy: permissions: contents: read # for actions/checkout to fetch code security-events: write # for github/codeql-action/upload-sarif to upload SARIF results 
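Review bot: The rewritten `Run Trivy vulnerability scanner` step replaces the SHA-pinned `aquasecurity/trivy-action@7b7aa264d83dc58691451798b4d117d53d21edfe` with `aquasecurity/trivy-action@master`, a mutable ref, in a job that holds `security-events: write`; whoever can move that branch can run code with this job's token, while the sibling jobs in the same file keep the SHA pin. Pin it to the full commit SHA of a release that supports `scan-type: sbom` (with a `# vX.Y.Z` comment), and drop `template: "@/contrib/sarif.tpl"`, which only applies to `format: "template"` and is ignored with `format: "sarif"`. Note also that `pip install -U syft` resolves the name `syft` on PyPI rather than this repository's `packages/syft`, so the SBOM would describe whatever that index serves; a later patch in this series changes it to `pip install ./packages/syft`.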
@@ -245,29 +366,24 @@ jobs: steps: - uses: actions/checkout@v3 - # Build the docker image for testing - - name: Build a Docker image - shell: bash - run: DOCKER_BUILDKIT=1 docker build -f packages/grid/vpn/headscale.dockerfile packages/grid/vpn -t headscale:${{ github.sha }} --no-cache - # Runs Snyk Container (Container and SCA) analysis and uploads result to Snyk. - - name: Run Trivy vulnerability scanner continue-on-error: true uses: aquasecurity/trivy-action@7b7aa264d83dc58691451798b4d117d53d21edfe with: - image-ref: "headscale:${{ github.sha }}" - format: "template" + image-ref: "mongo:latest" + format: "github" template: "@/contrib/sarif.tpl" - output: "trivy-results.sarif" + output: "mongo-trivy-results.sbom.json" severity: "CRITICAL,HIGH" timeout: "10m0s" - - name: Upload Trivy scan results to GitHub Security tab - uses: github/codeql-action/upload-sarif@v2 + - name: Upload SBOM to GitHub Artifacts + uses: actions/upload-artifact@v2 with: - sarif_file: "trivy-results.sarif" + name: mongo-trivy-results.sbom.json + path: mongo-trivy-results.sbom.json - scan-headscale-snyk: + scan-mongo-latest-snyk: permissions: contents: read # for actions/checkout to fetch code security-events: write # for github/codeql-action/upload-sarif to upload SARIF results @@ -283,12 +399,6 @@ jobs: # This is where you will need to introduce the Snyk API token created with your Snyk account SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} - # Build the docker image for testing - - name: Build a Docker image - shell: bash - run: DOCKER_BUILDKIT=1 docker build -f packages/grid/vpn/headscale.dockerfile packages/grid/vpn -t headscale:${{ github.sha }} --no-cache - # Runs Snyk Container (Container and SCA) analysis and uploads result to Snyk. - - name: Snyk auth shell: bash run: snyk config set api=$SNYK_TOKEN 
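Review bot: After this change `scan-mongo-latest-trivy` no longer uploads anything to code scanning — the output now goes to an artifact via `actions/upload-artifact@v2` — yet the job's `permissions:` block (just outside the hunk) still grants `security-events: write` and `actions: read`; trim it to `contents: read` so the job token carries only what the job uses. `template: "@/contrib/sarif.tpl"` is dead configuration with `format: "github"` and can be removed. `mongo:latest` remains a floating tag, so successive runs scan different images; pin the mongo tag that the deployment manifests reference.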
@@ -299,7 +409,7 @@ jobs: - name: Snyk Container test continue-on-error: true shell: bash - run: snyk container test headscale:${{ github.sha }} --file=packages/grid/vpn/headscale.dockerfile --sarif --sarif-file-output=snyk-code.sarif + run: snyk container test mongo:latest --sarif --sarif-file-output=snyk-code.sarif env: # This is where you will need to introduce the Snyk API token created with your Snyk account SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} @@ -310,49 +420,7 @@ jobs: with: sarif_file: snyk-code.sarif - scan-syft-requirements: - permissions: - contents: read # for actions/checkout to fetch code - security-events: write # for github/codeql-action/upload-sarif to upload SARIF results - actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v3 - - #Generate SBOM - - name: Generate SBOM - run: | - pip install cyclonedx-bom - pip freeze > requirements.txt - cyclonedx-py -i requirements.txt --format json -o syft.bom.json - - #Trivy scan SBOM - - name: Run Trivy vulnerability scanner - continue-on-error: true - uses: aquasecurity/trivy-action@master - with: - scan-type: "sbom" - scan-ref: "syft.bom.json" - format: "sarif" - template: "@/contrib/sarif.tpl" - output: "trivy-results.sarif" - severity: "CRITICAL,HIGH" - timeout: "10m0s" - - #Upload SBOM to GitHub Security tab - - name: Upload SBOM to GitHub Security tab - uses: github/codeql-action/upload-sarif@v2 - with: - sarif_file: "trivy-results.sarif" - - #upload SBOM to github artifacts - - name: Upload SBOM to GitHub Artifacts - uses: actions/upload-artifact@v2 - with: - name: syft.bom.json - path: syft.bom.json - - scan-mongo-latest-trivy: + scan-traefik-trivy: permissions: contents: read # for actions/checkout to fetch code security-events: write # for github/codeql-action/upload-sarif to upload SARIF results 
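Review bot: `snyk container test mongo:latest` scans whatever `latest` resolves to at run time, which may differ from the image `scan-mongo-latest-trivy` pulled in its own job and from what is deployed, so the two scanners' findings cannot be correlated and neither result is reproducible. Reference the image by the tag the deployment uses, or better by digest (`mongo@sha256:…`), and keep one reference for both the Trivy and Snyk jobs — ideally a single `env:` value at workflow level.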
@@ -365,19 +433,20 @@ jobs: continue-on-error: true uses: aquasecurity/trivy-action@7b7aa264d83dc58691451798b4d117d53d21edfe with: - image-ref: "mongo:latest" + image-ref: "traefik:v2.8.1" format: "github" template: "@/contrib/sarif.tpl" output: "mongo-trivy-results.sbom.json" severity: "CRITICAL,HIGH" timeout: "10m0s" - - name: Upload Trivy scan results to GitHub Security tab - uses: github/codeql-action/upload-sarif@v2 + - name: Upload SBOM to GitHub Artifacts + uses: actions/upload-artifact@v2 with: - sarif_file: "trivy-results.sarif" + name: mongo-trivy-results.sbom.json + path: mongo-trivy-results.sbom.json - scan-mongo-latest-snyk: + scan-traefik-snyk: permissions: contents: read # for actions/checkout to fetch code security-events: write # for github/codeql-action/upload-sarif to upload SARIF results @@ -403,7 +472,7 @@ jobs: - name: Snyk Container test continue-on-error: true shell: bash - run: snyk container test mongo:latest --sarif --sarif-file-output=snyk-code.sarif + run: snyk container test traefik:v2.8.1 --sarif --sarif-file-output=snyk-code.sarif env: # This is where you will need to introduce the Snyk API token created with your Snyk account SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} From bfb1c7be2f9e00f420b0d00726c1f05d4f0080e6 Mon Sep 17 00:00:00 2001 From: bitsofsteve Date: Wed, 19 Jul 2023 11:15:53 +0000 Subject: [PATCH 3/9] fix cyclonedx command --- .github/workflows/container-scan.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/container-scan.yml b/.github/workflows/container-scan.yml index 41f70c93a2d..349b4d46106 100644 --- a/.github/workflows/container-scan.yml +++ b/.github/workflows/container-scan.yml 
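Review bot: The job now scans `traefik:v2.8.1` but still writes `output: "mongo-trivy-results.sbom.json"` and uploads an artifact named `mongo-trivy-results.sbom.json`, the same artifact name `scan-mongo-latest-trivy` uploads; as far as I recall `actions/upload-artifact@v2` merges uploads that share a name within one run, so one SBOM can overwrite the other. Rename both the `output` and the artifact to `traefik-trivy-results.sbom.json` in the same change, and remove `template: "@/contrib/sarif.tpl"`, which has no effect with `format: "github"`. Hard-coding `v2.8.1` here also lets the scanned version drift from the traefik tag in the deployment manifests; consider reading it from the same source.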
@@ -326,10 +326,10 @@ jobs: #Generate SBOM - name: Generate SBOM run: | - pip install -U syft + pip install /packages/syft pip install cyclonedx-bom pip freeze > requirements.txt - cyclonedx-py -i requirements.txt --format json -o syft.bom.json + cyclonedx-py --r -i requirements.txt --format json -o syft.sbom.json #Trivy scan SBOM - name: Run Trivy vulnerability scanner From bafdd70773a5b7d36f9972dc8c2018c4c19cd4df Mon Sep 17 00:00:00 2001 From: bitsofsteve Date: Wed, 19 Jul 2023 11:27:54 +0000 Subject: [PATCH 4/9] hacking --- .github/workflows/container-scan.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/container-scan.yml b/.github/workflows/container-scan.yml index 349b4d46106..1818d57fdcd 100644 --- a/.github/workflows/container-scan.yml +++ b/.github/workflows/container-scan.yml @@ -326,7 +326,7 @@ jobs: #Generate SBOM - name: Generate SBOM run: | - pip install /packages/syft + pip install ./packages/syft pip install cyclonedx-bom pip freeze > requirements.txt cyclonedx-py --r -i requirements.txt --format json -o syft.sbom.json @@ -443,8 +443,8 @@ jobs: - name: Upload SBOM to GitHub Artifacts uses: actions/upload-artifact@v2 with: - name: mongo-trivy-results.sbom.json - path: mongo-trivy-results.sbom.json + name: traefik-trivy-results.sbom.json + path: traefik-trivy-results.sbom.json scan-traefik-snyk: permissions: From 95797445348cd260efe4e9c640960b8ae045cf06 Mon Sep 17 00:00:00 2001 From: bitsofsteve Date: Wed, 19 Jul 2023 12:12:26 +0000 Subject: [PATCH 5/9] hacking sbom --- .github/workflows/container-scan.yml | 260 +++++++++++++-------------- 1 file changed, 129 insertions(+), 131 deletions(-) diff --git a/.github/workflows/container-scan.yml b/.github/workflows/container-scan.yml index 1818d57fdcd..226cccb6bd2 100644 --- a/.github/workflows/container-scan.yml +++ b/.github/workflows/container-scan.yml 
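Review bot: The CycloneDX output is renamed to `syft.sbom.json` on the last added line, but the Trivy step (`scan-ref: "syft.bom.json"`) and the artifact upload (`name`/`path: syft.bom.json`) that follow outside this hunk still reference the old name, so at this commit the scan and the upload operate on a file that is never written — and `continue-on-error: true` on the scan step hides that. Either keep `-o syft.bom.json` or update both consumers in the same commit. Separately, `pip freeze` lists everything in the runner's global interpreter, including preinstalled packages and `cyclonedx-bom` itself, so the SBOM over-reports the dependency closure of `syft`; creating a fresh environment first (`python -m venv .sbom-venv && . .sbom-venv/bin/activate`) keeps the inventory honest. `pip install /packages/syft` is an absolute path that will not exist on the runner; it should be relative to the checkout.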
@@ -326,23 +326,21 @@ jobs: #Generate SBOM - name: Generate SBOM run: | - pip install ./packages/syft - pip install cyclonedx-bom - pip freeze > requirements.txt - cyclonedx-py --r -i requirements.txt --format json -o syft.sbom.json + # pip install ./packages/syft + # pip install cyclonedx-bom + # pip freeze > requirements.txt + # cyclonedx-py --r -i requirements.txt --format json -o syft.sbom.json #Trivy scan SBOM - name: Run Trivy vulnerability scanner continue-on-error: true - uses: aquasecurity/trivy-action@master - with: - scan-type: "sbom" - scan-ref: "syft.bom.json" - format: "sarif" - template: "@/contrib/sarif.tpl" - output: "trivy-results.sarif" - severity: "CRITICAL,HIGH" - timeout: "10m0s" + run: | + sudo apt-get install wget apt-transport-https gnupg lsb-release + wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key | sudo apt-key add - + echo deb https://aquasecurity.github.io/trivy-repo/deb $(lsb_release -sc) main | sudo tee -a /etc/apt/sources.list.d/trivy.list + sudo apt-get update + sudo apt-get install trivy + trivy sbom syft.sbom.json --format template --template "@/contrib/sarif.tpl" --output trivy-results.sarif --severity CRITICAL,HIGH --timeout 10m0s #Upload SBOM to GitHub Security tab - name: Upload SBOM to GitHub Security tab 
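Review bot: The added shell step installs Trivy from the upstream apt repository at run time via `apt-key add` with no version pin, so each run gets whatever the repository serves that day and the result is not reproducible; `apt-key` is also deprecated on current Ubuntu, the conventional replacement being a key file under `/etc/apt/keyrings` referenced with `signed-by=` in the sources entry — or simply keeping the pinned `aquasecurity/trivy-action` with `scan-type: "sbom"`. Neither `apt-get install` call passes `-y`, which in a non-interactive runner shell will likely abort at the confirmation prompt. The four `pip`/`cyclonedx-py` lines are commented out in the same hunk, so `syft.sbom.json` is never produced and `trivy sbom` has nothing to scan, masked by `continue-on-error: true`. Trivy supports `--format sarif` natively, so the `@/contrib/sarif.tpl` path, which appears to be a location inside the trivy-action container image rather than an apt-installed binary, is not needed here.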
@@ -357,128 +355,128 @@ jobs: name: syft.bom.json path: syft.bom.json - scan-mongo-latest-trivy: - permissions: - contents: read # for actions/checkout to fetch code - security-events: write # for github/codeql-action/upload-sarif to upload SARIF results - actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v3 + # scan-mongo-latest-trivy: + # permissions: + # contents: read # for actions/checkout to fetch code + # security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + # actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status + # runs-on: ubuntu-latest + # steps: + # - uses: actions/checkout@v3 - - name: Run Trivy vulnerability scanner - continue-on-error: true - uses: aquasecurity/trivy-action@7b7aa264d83dc58691451798b4d117d53d21edfe - with: - image-ref: "mongo:latest" - format: "github" - template: "@/contrib/sarif.tpl" - output: "mongo-trivy-results.sbom.json" - severity: "CRITICAL,HIGH" - timeout: "10m0s" + # - name: Run Trivy vulnerability scanner + # continue-on-error: true + # uses: aquasecurity/trivy-action@7b7aa264d83dc58691451798b4d117d53d21edfe + # with: + # image-ref: "mongo:latest" + # format: "github" + # template: "@/contrib/sarif.tpl" + # output: "mongo-trivy-results.sbom.json" + # severity: "CRITICAL,HIGH" + # timeout: "10m0s" - - name: Upload SBOM to GitHub Artifacts - uses: actions/upload-artifact@v2 - with: - name: mongo-trivy-results.sbom.json - path: mongo-trivy-results.sbom.json + # - name: Upload SBOM to GitHub Artifacts + # uses: actions/upload-artifact@v2 + # with: + # name: mongo-trivy-results.sbom.json + # path: mongo-trivy-results.sbom.json - scan-mongo-latest-snyk: - permissions: - contents: read # for actions/checkout to fetch code - security-events: write # for github/codeql-action/upload-sarif to upload SARIF 
results - actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v3 - - name: Set up Snyk CLI to check for security issues - # Snyk can be used to break the build when it detects security issues. - # In this case we want to upload the SAST issues to GitHub Code Scanning - uses: snyk/actions/setup@806182742461562b67788a64410098c9d9b96adb - env: - # This is where you will need to introduce the Snyk API token created with your Snyk account - SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} - - - name: Snyk auth - shell: bash - run: snyk config set api=$SNYK_TOKEN - env: - # This is where you will need to introduce the Snyk API token created with your Snyk account - SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} - - - name: Snyk Container test - continue-on-error: true - shell: bash - run: snyk container test mongo:latest --sarif --sarif-file-output=snyk-code.sarif - env: - # This is where you will need to introduce the Snyk API token created with your Snyk account - SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} - - # Push the Snyk Code results into GitHub Code Scanning tab - - name: Upload result to GitHub Code Scanning - uses: github/codeql-action/upload-sarif@v2 - with: - sarif_file: snyk-code.sarif + # scan-mongo-latest-snyk: + # permissions: + # contents: read # for actions/checkout to fetch code + # security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + # actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status + # runs-on: ubuntu-latest + # steps: + # - uses: actions/checkout@v3 + # - name: Set up Snyk CLI to check for security issues + # # Snyk can be used to break the build when it detects security issues. 
+ # # In this case we want to upload the SAST issues to GitHub Code Scanning + # uses: snyk/actions/setup@806182742461562b67788a64410098c9d9b96adb + # env: + # # This is where you will need to introduce the Snyk API token created with your Snyk account + # SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} - scan-traefik-trivy: - permissions: - contents: read # for actions/checkout to fetch code - security-events: write # for github/codeql-action/upload-sarif to upload SARIF results - actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v3 + # - name: Snyk auth + # shell: bash + # run: snyk config set api=$SNYK_TOKEN + # env: + # # This is where you will need to introduce the Snyk API token created with your Snyk account + # SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} - - name: Run Trivy vulnerability scanner - continue-on-error: true - uses: aquasecurity/trivy-action@7b7aa264d83dc58691451798b4d117d53d21edfe - with: - image-ref: "traefik:v2.8.1" - format: "github" - template: "@/contrib/sarif.tpl" - output: "mongo-trivy-results.sbom.json" - severity: "CRITICAL,HIGH" - timeout: "10m0s" + # - name: Snyk Container test + # continue-on-error: true + # shell: bash + # run: snyk container test mongo:latest --sarif --sarif-file-output=snyk-code.sarif + # env: + # # This is where you will need to introduce the Snyk API token created with your Snyk account + # SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} - - name: Upload SBOM to GitHub Artifacts - uses: actions/upload-artifact@v2 - with: - name: traefik-trivy-results.sbom.json - path: traefik-trivy-results.sbom.json + # # Push the Snyk Code results into GitHub Code Scanning tab + # - name: Upload result to GitHub Code Scanning + # uses: github/codeql-action/upload-sarif@v2 + # with: + # sarif_file: snyk-code.sarif - scan-traefik-snyk: - permissions: - contents: read # for actions/checkout to fetch code - security-events: 
write # for github/codeql-action/upload-sarif to upload SARIF results - actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v3 - - name: Set up Snyk CLI to check for security issues - # Snyk can be used to break the build when it detects security issues. - # In this case we want to upload the SAST issues to GitHub Code Scanning - uses: snyk/actions/setup@806182742461562b67788a64410098c9d9b96adb - env: - # This is where you will need to introduce the Snyk API token created with your Snyk account - SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} - - - name: Snyk auth - shell: bash - run: snyk config set api=$SNYK_TOKEN - env: - # This is where you will need to introduce the Snyk API token created with your Snyk account - SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} - - - name: Snyk Container test - continue-on-error: true - shell: bash - run: snyk container test traefik:v2.8.1 --sarif --sarif-file-output=snyk-code.sarif - env: - # This is where you will need to introduce the Snyk API token created with your Snyk account - SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} - - # Push the Snyk Code results into GitHub Code Scanning tab - - name: Upload result to GitHub Code Scanning - uses: github/codeql-action/upload-sarif@v2 - with: - sarif_file: snyk-code.sarif + # scan-traefik-trivy: + # permissions: + # contents: read # for actions/checkout to fetch code + # security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + # actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status + # runs-on: ubuntu-latest + # steps: + # - uses: actions/checkout@v3 + + # - name: Run Trivy vulnerability scanner + # continue-on-error: true + # uses: aquasecurity/trivy-action@7b7aa264d83dc58691451798b4d117d53d21edfe + # with: + # image-ref: "traefik:v2.8.1" + # format: "github" + # template: 
"@/contrib/sarif.tpl" + # output: "traefik-trivy-results.sbom.json" + # severity: "CRITICAL,HIGH" + # timeout: "10m0s" + + # - name: Upload SBOM to GitHub Artifacts + # uses: actions/upload-artifact@v2 + # with: + # name: traefik-trivy-results.sbom.json + # path: traefik-trivy-results.sbom.json + + # scan-traefik-snyk: + # permissions: + # contents: read # for actions/checkout to fetch code + # security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + # actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status + # runs-on: ubuntu-latest + # steps: + # - uses: actions/checkout@v3 + # - name: Set up Snyk CLI to check for security issues + # # Snyk can be used to break the build when it detects security issues. + # # In this case we want to upload the SAST issues to GitHub Code Scanning + # uses: snyk/actions/setup@806182742461562b67788a64410098c9d9b96adb + # env: + # # This is where you will need to introduce the Snyk API token created with your Snyk account + # SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} + + # - name: Snyk auth + # shell: bash + # run: snyk config set api=$SNYK_TOKEN + # env: + # # This is where you will need to introduce the Snyk API token created with your Snyk account + # SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} + + # - name: Snyk Container test + # continue-on-error: true + # shell: bash + # run: snyk container test traefik:v2.8.1 --sarif --sarif-file-output=snyk-code.sarif + # env: + # # This is where you will need to introduce the Snyk API token created with your Snyk account + # SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} + + # # Push the Snyk Code results into GitHub Code Scanning tab + # - name: Upload result to GitHub Code Scanning + # uses: github/codeql-action/upload-sarif@v2 + # with: + # sarif_file: snyk-code.sarif From d641c1d6b43c78ccd363df794623e8a4d36c25c4 Mon Sep 17 00:00:00 2001 
From: bitsofsteve Date: Wed, 19 Jul 2023 12:16:21 +0000 Subject: [PATCH 6/9] hacking sbom --- .github/workflows/container-scan.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/container-scan.yml b/.github/workflows/container-scan.yml index 226cccb6bd2..20ab014467a 100644 --- a/.github/workflows/container-scan.yml +++ b/.github/workflows/container-scan.yml @@ -326,10 +326,10 @@ jobs: #Generate SBOM - name: Generate SBOM run: | - # pip install ./packages/syft - # pip install cyclonedx-bom - # pip freeze > requirements.txt - # cyclonedx-py --r -i requirements.txt --format json -o syft.sbom.json + pip install ./packages/syft + pip install cyclonedx-bom + pip freeze > requirements.txt + cyclonedx-py --r -i requirements.txt --format json -o syft.sbom.json #Trivy scan SBOM - name: Run Trivy vulnerability scanner From 7e8b98d5f0bbeb02e7696e0cd8c9549816085768 Mon Sep 17 00:00:00 2001 From: bitsofsteve Date: Wed, 19 Jul 2023 12:37:54 +0000 Subject: [PATCH 7/9] pin mongo version , update new scan actions --- .github/workflows/container-scan.yml | 240 +++++++++++++-------------- 1 file changed, 120 insertions(+), 120 deletions(-) diff --git a/.github/workflows/container-scan.yml b/.github/workflows/container-scan.yml index 20ab014467a..6ea8bed9e48 100644 --- a/.github/workflows/container-scan.yml +++ b/.github/workflows/container-scan.yml 
@@ -352,131 +352,131 @@ jobs: - name: Upload SBOM to GitHub Artifacts uses: actions/upload-artifact@v2 with: - name: syft.bom.json - path: syft.bom.json + name: syft.sbom.json + path: syft.sbom.json - # scan-mongo-latest-trivy: - # permissions: - # contents: read # for actions/checkout to fetch code - # security-events: write # for github/codeql-action/upload-sarif to upload SARIF results - # actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status - # runs-on: ubuntu-latest - # steps: - # - uses: actions/checkout@v3 - - # - name: Run Trivy vulnerability scanner - # continue-on-error: true - # uses: aquasecurity/trivy-action@7b7aa264d83dc58691451798b4d117d53d21edfe - # with: - # image-ref: "mongo:latest" - # format: "github" - # template: "@/contrib/sarif.tpl" - # output: "mongo-trivy-results.sbom.json" - # severity: "CRITICAL,HIGH" - # timeout: "10m0s" - - # - name: Upload SBOM to GitHub Artifacts - # uses: actions/upload-artifact@v2 - # with: - # name: mongo-trivy-results.sbom.json - # path: mongo-trivy-results.sbom.json - - # scan-mongo-latest-snyk: - # permissions: - # contents: read # for actions/checkout to fetch code - # security-events: write # for github/codeql-action/upload-sarif to upload SARIF results - # actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status - # runs-on: ubuntu-latest - # steps: - # - uses: actions/checkout@v3 - # - name: Set up Snyk CLI to check for security issues - # # Snyk can be used to break the build when it detects security issues. 
- # # In this case we want to upload the SAST issues to GitHub Code Scanning - # uses: snyk/actions/setup@806182742461562b67788a64410098c9d9b96adb - # env: - # # This is where you will need to introduce the Snyk API token created with your Snyk account - # SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} - - # - name: Snyk auth - # shell: bash - # run: snyk config set api=$SNYK_TOKEN - # env: - # # This is where you will need to introduce the Snyk API token created with your Snyk account - # SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} - - # - name: Snyk Container test - # continue-on-error: true - # shell: bash - # run: snyk container test mongo:latest --sarif --sarif-file-output=snyk-code.sarif - # env: - # # This is where you will need to introduce the Snyk API token created with your Snyk account - # SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} - - # # Push the Snyk Code results into GitHub Code Scanning tab - # - name: Upload result to GitHub Code Scanning - # uses: github/codeql-action/upload-sarif@v2 - # with: - # sarif_file: snyk-code.sarif + scan-mongo-latest-trivy: + permissions: + contents: read # for actions/checkout to fetch code + security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v3 - # scan-traefik-trivy: - # permissions: - # contents: read # for actions/checkout to fetch code - # security-events: write # for github/codeql-action/upload-sarif to upload SARIF results - # actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status - # runs-on: ubuntu-latest - # steps: - # - uses: actions/checkout@v3 + - name: Run Trivy vulnerability scanner + continue-on-error: true + uses: aquasecurity/trivy-action@master + with: + image-ref: "mongo:7.0-rc" + format: "github" + template: "@/contrib/sarif.tpl" + 
output: "mongo-trivy-results.sbom.json" + severity: "CRITICAL,HIGH" + timeout: "10m0s" - # - name: Run Trivy vulnerability scanner - # continue-on-error: true - # uses: aquasecurity/trivy-action@7b7aa264d83dc58691451798b4d117d53d21edfe - # with: - # image-ref: "traefik:v2.8.1" - # format: "github" - # template: "@/contrib/sarif.tpl" - # output: "traefik-trivy-results.sbom.json" - # severity: "CRITICAL,HIGH" - # timeout: "10m0s" + - name: Upload SBOM to GitHub Artifacts + uses: actions/upload-artifact@v2 + with: + name: mongo-trivy-results.sbom.json + path: mongo-trivy-results.sbom.json - # - name: Upload SBOM to GitHub Artifacts - # uses: actions/upload-artifact@v2 - # with: - # name: traefik-trivy-results.sbom.json - # path: traefik-trivy-results.sbom.json + scan-mongo-latest-snyk: + permissions: + contents: read # for actions/checkout to fetch code + security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v3 + - name: Set up Snyk CLI to check for security issues + # Snyk can be used to break the build when it detects security issues. 
+ # In this case we want to upload the SAST issues to GitHub Code Scanning + uses: snyk/actions/setup@master + env: + # This is where you will need to introduce the Snyk API token created with your Snyk account + SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} + + - name: Snyk auth + shell: bash + run: snyk config set api=$SNYK_TOKEN + env: + # This is where you will need to introduce the Snyk API token created with your Snyk account + SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} + + - name: Snyk Container test + continue-on-error: true + shell: bash + run: snyk container test mongo:7.0-rc --sarif --sarif-file-output=snyk-code.sarif + env: + # This is where you will need to introduce the Snyk API token created with your Snyk account + SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} + + # Push the Snyk Code results into GitHub Code Scanning tab + - name: Upload result to GitHub Code Scanning + uses: github/codeql-action/upload-sarif@v2 + with: + sarif_file: snyk-code.sarif - # scan-traefik-snyk: - # permissions: - # contents: read # for actions/checkout to fetch code - # security-events: write # for github/codeql-action/upload-sarif to upload SARIF results - # actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status - # runs-on: ubuntu-latest - # steps: - # - uses: actions/checkout@v3 - # - name: Set up Snyk CLI to check for security issues - # # Snyk can be used to break the build when it detects security issues. 
- # # In this case we want to upload the SAST issues to GitHub Code Scanning - # uses: snyk/actions/setup@806182742461562b67788a64410098c9d9b96adb - # env: - # # This is where you will need to introduce the Snyk API token created with your Snyk account - # SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} + scan-traefik-trivy: + permissions: + contents: read # for actions/checkout to fetch code + security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v3 - # - name: Snyk auth - # shell: bash - # run: snyk config set api=$SNYK_TOKEN - # env: - # # This is where you will need to introduce the Snyk API token created with your Snyk account - # SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} + - name: Run Trivy vulnerability scanner + continue-on-error: true + uses: aquasecurity/trivy-action@master + with: + image-ref: "traefik:v2.8.1" + format: "github" + template: "@/contrib/sarif.tpl" + output: "traefik-trivy-results.sbom.json" + severity: "CRITICAL,HIGH" + timeout: "10m0s" - # - name: Snyk Container test - # continue-on-error: true - # shell: bash - # run: snyk container test traefik:v2.8.1 --sarif --sarif-file-output=snyk-code.sarif - # env: - # # This is where you will need to introduce the Snyk API token created with your Snyk account - # SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} + - name: Upload SBOM to GitHub Artifacts + uses: actions/upload-artifact@v2 + with: + name: traefik-trivy-results.sbom.json + path: traefik-trivy-results.sbom.json - # # Push the Snyk Code results into GitHub Code Scanning tab - # - name: Upload result to GitHub Code Scanning - # uses: github/codeql-action/upload-sarif@v2 - # with: - # sarif_file: snyk-code.sarif + scan-traefik-snyk: + permissions: + contents: read # for actions/checkout to fetch code + security-events: write # for 
github/codeql-action/upload-sarif to upload SARIF results + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v3 + - name: Set up Snyk CLI to check for security issues + # Snyk can be used to break the build when it detects security issues. + # In this case we want to upload the SAST issues to GitHub Code Scanning + uses: snyk/actions/setup@master + env: + # This is where you will need to introduce the Snyk API token created with your Snyk account + SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} + + - name: Snyk auth + shell: bash + run: snyk config set api=$SNYK_TOKEN + env: + # This is where you will need to introduce the Snyk API token created with your Snyk account + SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} + + - name: Snyk Container test + continue-on-error: true + shell: bash + run: snyk container test traefik:v2.8.1 --sarif --sarif-file-output=snyk-code.sarif + env: + # This is where you will need to introduce the Snyk API token created with your Snyk account + SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} + + # Push the Snyk Code results into GitHub Code Scanning tab + - name: Upload result to GitHub Code Scanning + uses: github/codeql-action/upload-sarif@v2 + with: + sarif_file: snyk-code.sarif From e2fcb41ccd52f6d571b09f298ff3bcff29f8a016 Mon Sep 17 00:00:00 2001 From: bitsofsteve Date: Wed, 19 Jul 2023 13:18:45 +0000 Subject: [PATCH 8/9] testing gh action on sbom scanning --- .github/workflows/container-scan.yml | 261 ++++++++++++++------------- 1 file changed, 136 insertions(+), 125 deletions(-) diff --git a/.github/workflows/container-scan.yml b/.github/workflows/container-scan.yml index 6ea8bed9e48..1f9e207ee20 100644 --- a/.github/workflows/container-scan.yml +++ b/.github/workflows/container-scan.yml 
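Review bot: The re-enabled jobs switch `aquasecurity/trivy-action` and `snyk/actions/setup` from commit-SHA pins (`7b7aa264d83dc58691451798b4d117d53d21edfe`, `806182742461562b67788a64410098c9d9b96adb`) to `@master`. A mutable branch reference means whatever lands on the upstream branch next runs in this workflow with `security-events: write` and `SNYK_TOKEN` in its environment, so the pins should be restored as full commit SHAs with the version in a trailing comment, e.g. `uses: aquasecurity/trivy-action@<COMMIT_SHA> # <version>`, and kept current through Dependabot rather than by tracking a branch. `mongo:7.0-rc` is a pre-release tag that also moves; if the aim is to scan what the stack deploys, use that tag or a digest. `actions/upload-artifact@v2` and `actions/checkout@v3` are older majors and are best bumped in the same pass.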
@@ -332,15 +332,26 @@ jobs: cyclonedx-py --r -i requirements.txt --format json -o syft.sbom.json #Trivy scan SBOM + # - name: Run Trivy vulnerability scanner + # continue-on-error: true + # run: | + # sudo apt-get install wget apt-transport-https gnupg lsb-release + # wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key | sudo apt-key add - + # echo deb https://aquasecurity.github.io/trivy-repo/deb $(lsb_release -sc) main | sudo tee -a /etc/apt/sources.list.d/trivy.list + # sudo apt-get update + # sudo apt-get install trivy + # trivy sbom syft.sbom.json --format sarif --output trivy-results.sarif --severity CRITICAL,HIGH --timeout 10m0s + #Trivy scan SBOM - name: Run Trivy vulnerability scanner continue-on-error: true - run: | - sudo apt-get install wget apt-transport-https gnupg lsb-release - wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key | sudo apt-key add - - echo deb https://aquasecurity.github.io/trivy-repo/deb $(lsb_release -sc) main | sudo tee -a /etc/apt/sources.list.d/trivy.list - sudo apt-get update - sudo apt-get install trivy - trivy sbom syft.sbom.json --format template --template "@/contrib/sarif.tpl" --output trivy-results.sarif --severity CRITICAL,HIGH --timeout 10m0s + uses: aquasecurity/trivy-action@master + with: + scan-type: "sbom" + input: "syft.sbom.json" + format: "sarif" + output: "trivy-results.sarif" + severity: "CRITICAL,HIGH" + timeout: "10m0s" #Upload SBOM to GitHub Security tab - name: Upload SBOM to GitHub Security tab 
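Review bot: The new `trivy-action` step passes the SBOM through `input:`, whereas the earlier revision of this step (see the lines removed in PATCH 5/9) used `scan-ref:`; which key the `sbom` scan type reads depends on the action version, and because the action is used at `@master` with `continue-on-error: true`, a wrong key fails silently — confirm against the action's `action.yml` for a pinned SHA and note it in a comment on the step. The ten-line commented-out shell installer left above the step duplicates the `#Trivy scan SBOM` heading and should be removed rather than kept as dead text. The `output: "trivy-results.sarif"` feeds the `upload-sarif` step that follows outside the hunk.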
@@ -355,128 +366,128 @@ jobs: name: syft.sbom.json path: syft.sbom.json - scan-mongo-latest-trivy: - permissions: - contents: read # for actions/checkout to fetch code - security-events: write # for github/codeql-action/upload-sarif to upload SARIF results - actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v3 + # scan-mongo-latest-trivy: + # permissions: + # contents: read # for actions/checkout to fetch code + # security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + # actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status + # runs-on: ubuntu-latest + # steps: + # - uses: actions/checkout@v3 - - name: Run Trivy vulnerability scanner - continue-on-error: true - uses: aquasecurity/trivy-action@master - with: - image-ref: "mongo:7.0-rc" - format: "github" - template: "@/contrib/sarif.tpl" - output: "mongo-trivy-results.sbom.json" - severity: "CRITICAL,HIGH" - timeout: "10m0s" + # - name: Run Trivy vulnerability scanner + # continue-on-error: true + # uses: aquasecurity/trivy-action@master + # with: + # image-ref: "mongo:7.0-rc" + # format: "github" + # template: "@/contrib/sarif.tpl" + # output: "mongo-trivy-results.sbom.json" + # severity: "CRITICAL,HIGH" + # timeout: "10m0s" - - name: Upload SBOM to GitHub Artifacts - uses: actions/upload-artifact@v2 - with: - name: mongo-trivy-results.sbom.json - path: mongo-trivy-results.sbom.json + # - name: Upload SBOM to GitHub Artifacts + # uses: actions/upload-artifact@v2 + # with: + # name: mongo-trivy-results.sbom.json + # path: mongo-trivy-results.sbom.json - scan-mongo-latest-snyk: - permissions: - contents: read # for actions/checkout to fetch code - security-events: write # for github/codeql-action/upload-sarif to upload SARIF results - actions: read # only required for a private repository 
by github/codeql-action/upload-sarif to get the Action run status - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v3 - - name: Set up Snyk CLI to check for security issues - # Snyk can be used to break the build when it detects security issues. - # In this case we want to upload the SAST issues to GitHub Code Scanning - uses: snyk/actions/setup@master - env: - # This is where you will need to introduce the Snyk API token created with your Snyk account - SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} - - - name: Snyk auth - shell: bash - run: snyk config set api=$SNYK_TOKEN - env: - # This is where you will need to introduce the Snyk API token created with your Snyk account - SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} - - - name: Snyk Container test - continue-on-error: true - shell: bash - run: snyk container test mongo:7.0-rc --sarif --sarif-file-output=snyk-code.sarif - env: - # This is where you will need to introduce the Snyk API token created with your Snyk account - SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} - - # Push the Snyk Code results into GitHub Code Scanning tab - - name: Upload result to GitHub Code Scanning - uses: github/codeql-action/upload-sarif@v2 - with: - sarif_file: snyk-code.sarif + # scan-mongo-latest-snyk: + # permissions: + # contents: read # for actions/checkout to fetch code + # security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + # actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status + # runs-on: ubuntu-latest + # steps: + # - uses: actions/checkout@v3 + # - name: Set up Snyk CLI to check for security issues + # # Snyk can be used to break the build when it detects security issues. 
+ # # In this case we want to upload the SAST issues to GitHub Code Scanning + # uses: snyk/actions/setup@master + # env: + # # This is where you will need to introduce the Snyk API token created with your Snyk account + # SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} - scan-traefik-trivy: - permissions: - contents: read # for actions/checkout to fetch code - security-events: write # for github/codeql-action/upload-sarif to upload SARIF results - actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v3 + # - name: Snyk auth + # shell: bash + # run: snyk config set api=$SNYK_TOKEN + # env: + # # This is where you will need to introduce the Snyk API token created with your Snyk account + # SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} - - name: Run Trivy vulnerability scanner - continue-on-error: true - uses: aquasecurity/trivy-action@master - with: - image-ref: "traefik:v2.8.1" - format: "github" - template: "@/contrib/sarif.tpl" - output: "traefik-trivy-results.sbom.json" - severity: "CRITICAL,HIGH" - timeout: "10m0s" + # - name: Snyk Container test + # continue-on-error: true + # shell: bash + # run: snyk container test mongo:7.0-rc --sarif --sarif-file-output=snyk-code.sarif + # env: + # # This is where you will need to introduce the Snyk API token created with your Snyk account + # SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} - - name: Upload SBOM to GitHub Artifacts - uses: actions/upload-artifact@v2 - with: - name: traefik-trivy-results.sbom.json - path: traefik-trivy-results.sbom.json + # # Push the Snyk Code results into GitHub Code Scanning tab + # - name: Upload result to GitHub Code Scanning + # uses: github/codeql-action/upload-sarif@v2 + # with: + # sarif_file: snyk-code.sarif - scan-traefik-snyk: - permissions: - contents: read # for actions/checkout to fetch code - security-events: write # for github/codeql-action/upload-sarif to upload SARIF 
results - actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v3 - - name: Set up Snyk CLI to check for security issues - # Snyk can be used to break the build when it detects security issues. - # In this case we want to upload the SAST issues to GitHub Code Scanning - uses: snyk/actions/setup@master - env: - # This is where you will need to introduce the Snyk API token created with your Snyk account - SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} - - - name: Snyk auth - shell: bash - run: snyk config set api=$SNYK_TOKEN - env: - # This is where you will need to introduce the Snyk API token created with your Snyk account - SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} - - - name: Snyk Container test - continue-on-error: true - shell: bash - run: snyk container test traefik:v2.8.1 --sarif --sarif-file-output=snyk-code.sarif - env: - # This is where you will need to introduce the Snyk API token created with your Snyk account - SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} - - # Push the Snyk Code results into GitHub Code Scanning tab - - name: Upload result to GitHub Code Scanning - uses: github/codeql-action/upload-sarif@v2 - with: - sarif_file: snyk-code.sarif + # scan-traefik-trivy: + # permissions: + # contents: read # for actions/checkout to fetch code + # security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + # actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status + # runs-on: ubuntu-latest + # steps: + # - uses: actions/checkout@v3 + + # - name: Run Trivy vulnerability scanner + # continue-on-error: true + # uses: aquasecurity/trivy-action@master + # with: + # image-ref: "traefik:v2.8.1" + # format: "github" + # template: "@/contrib/sarif.tpl" + # output: "traefik-trivy-results.sbom.json" + # severity: "CRITICAL,HIGH" + # timeout: "10m0s" + + # - name: 
Upload SBOM to GitHub Artifacts + # uses: actions/upload-artifact@v2 + # with: + # name: traefik-trivy-results.sbom.json + # path: traefik-trivy-results.sbom.json + + # scan-traefik-snyk: + # permissions: + # contents: read # for actions/checkout to fetch code + # security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + # actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status + # runs-on: ubuntu-latest + # steps: + # - uses: actions/checkout@v3 + # - name: Set up Snyk CLI to check for security issues + # # Snyk can be used to break the build when it detects security issues. + # # In this case we want to upload the SAST issues to GitHub Code Scanning + # uses: snyk/actions/setup@master + # env: + # # This is where you will need to introduce the Snyk API token created with your Snyk account + # SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} + + # - name: Snyk auth + # shell: bash + # run: snyk config set api=$SNYK_TOKEN + # env: + # # This is where you will need to introduce the Snyk API token created with your Snyk account + # SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} + + # - name: Snyk Container test + # continue-on-error: true + # shell: bash + # run: snyk container test traefik:v2.8.1 --sarif --sarif-file-output=snyk-code.sarif + # env: + # # This is where you will need to introduce the Snyk API token created with your Snyk account + # SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} + + # # Push the Snyk Code results into GitHub Code Scanning tab + # - name: Upload result to GitHub Code Scanning + # uses: github/codeql-action/upload-sarif@v2 + # with: + # sarif_file: snyk-code.sarif From 97205b6a5a99869e20d75e197ea7fa145ac0d53d Mon Sep 17 00:00:00 2001 
From: bitsofsteve
Date: Wed, 19 Jul 2023 15:52:50 +0000
Subject: [PATCH 9/9] clean up and updated trivy and snyk actions
---
 .github/workflows/container-scan.yml | 871 +++++++++++++--------
 1 file changed, 428 insertions(+), 443 deletions(-)
diff --git a/.github/workflows/container-scan.yml b/.github/workflows/container-scan.yml
index 1f9e207ee20..ef20db08012 100644
--- a/.github/workflows/container-scan.yml
+++ b/.github/workflows/container-scan.yml
@@ -3,14 +3,10 @@ name: Container Scan
 on:
 workflow_call:
- pull_request:
+ push:
 branches:
 - dev
-
- # push:
- # branches:
- # - dev
- # - main
+ - main
 workflow_dispatch:
 inputs:
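Review bot: With `pull_request:` dropped in favour of `push:`, nothing in this trigger block runs the scanners before a change lands on `dev` or `main`; findings now reach the Security tab only after the offending commit is already on the branch. `workflow_call:` is kept, so a pull-request workflow could still invoke this one reusably, but nothing in the hunk shows such a caller. If the aim was only to stop duplicate runs, keeping both triggers on the same branch list (`pull_request:` followed by the same `branches:` entry) restores pre-merge visibility at low cost.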
@@ -19,300 +15,300 @@ on: required: false jobs: - # scan-backend-trivy: - # permissions: - # contents: read # for actions/checkout to fetch code - # security-events: write # for github/codeql-action/upload-sarif to upload SARIF results - # actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status - # runs-on: ubuntu-latest - # steps: - # - uses: actions/checkout@v3 - - # # Build the docker image for testing - # - name: Build a Docker image - # run: DOCKER_BUILDKIT=1 docker build -f packages/grid/backend/backend.dockerfile packages -t backend:${{ github.sha }} --no-cache - # # Runs Snyk Container (Container and SCA) analysis and uploads result to Snyk. - - # - name: Run Trivy vulnerability scanner - # continue-on-error: true - # uses: aquasecurity/trivy-action@7b7aa264d83dc58691451798b4d117d53d21edfe - # with: - # image-ref: "backend:${{ github.sha }}" - # format: "template" - # template: "@/contrib/sarif.tpl" - # output: "trivy-results.sarif" - # severity: "CRITICAL,HIGH" - # timeout: "10m0s" - - # - name: Upload Trivy scan results to GitHub Security tab - # uses: github/codeql-action/upload-sarif@v2 - # with: - # sarif_file: "trivy-results.sarif" - - # scan-backend-snyk: - # permissions: - # contents: read # for actions/checkout to fetch code - # security-events: write # for github/codeql-action/upload-sarif to upload SARIF results - # actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status - # runs-on: ubuntu-latest - # steps: - # - uses: actions/checkout@v3 - # - name: Set up Snyk CLI to check for security issues - # # Snyk can be used to break the build when it detects security issues. 
- # # In this case we want to upload the SAST issues to GitHub Code Scanning - # uses: snyk/actions/setup@806182742461562b67788a64410098c9d9b96adb - # env: - # # This is where you will need to introduce the Snyk API token created with your Snyk account - # SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} - - # # Build the docker image for testing - # - name: Build a Docker image - # shell: bash - # run: DOCKER_BUILDKIT=1 docker build -f packages/grid/backend/backend.dockerfile packages -t backend:${{ github.sha }} --no-cache - # # Runs Snyk Container (Container and SCA) analysis and uploads result to Snyk. - - # - name: Snyk auth - # shell: bash - # run: snyk config set api=$SNYK_TOKEN - # env: - # # This is where you will need to introduce the Snyk API token created with your Snyk account - # SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} - - # - name: Snyk Container test - # continue-on-error: true - # shell: bash - # run: snyk container test backend:${{ github.sha }} --file=packages/grid/backend/backend.dockerfile --sarif --sarif-file-output=snyk-code.sarif - # env: - # # This is where you will need to introduce the Snyk API token created with your Snyk account - # SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} - - # # Push the Snyk Code results into GitHub Code Scanning tab - # - name: Upload result to GitHub Code Scanning - # uses: github/codeql-action/upload-sarif@v2 - # with: - # sarif_file: snyk-code.sarif - - # scan-frontend-trivy: - # permissions: - # contents: read # for actions/checkout to fetch code - # security-events: write # for github/codeql-action/upload-sarif to upload SARIF results - # actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status - # runs-on: ubuntu-latest - # steps: - # - uses: actions/checkout@v3 - - # # Build the docker image for testing - # - name: Build a Docker image - # shell: bash - # run: DOCKER_BUILDKIT=1 docker build -f packages/grid/frontend/frontend.dockerfile packages/grid/frontend -t 
frontend:${{ github.sha }} --no-cache - # # Runs Snyk Container (Container and SCA) analysis and uploads result to Snyk. - - # - name: Run Trivy vulnerability scanner - # continue-on-error: true - # uses: aquasecurity/trivy-action@7b7aa264d83dc58691451798b4d117d53d21edfe - # with: - # image-ref: "frontend:${{ github.sha }}" - # format: "template" - # template: "@/contrib/sarif.tpl" - # output: "trivy-results.sarif" - # severity: "CRITICAL,HIGH" - # timeout: "10m0s" - - # - name: Upload Trivy scan results to GitHub Security tab - # uses: github/codeql-action/upload-sarif@v2 - # with: - # sarif_file: "trivy-results.sarif" - - # scan-frontend-snyk: - # permissions: - # contents: read # for actions/checkout to fetch code - # security-events: write # for github/codeql-action/upload-sarif to upload SARIF results - # actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status - # runs-on: ubuntu-latest - # steps: - # - uses: actions/checkout@v3 - # - name: Set up Snyk CLI to check for security issues - # # Snyk can be used to break the build when it detects security issues. - # # In this case we want to upload the SAST issues to GitHub Code Scanning - # uses: snyk/actions/setup@806182742461562b67788a64410098c9d9b96adb - # env: - # # This is where you will need to introduce the Snyk API token created with your Snyk account - # SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} - - # # Build the docker image for testing - # - name: Build a Docker image - # shell: bash - # run: DOCKER_BUILDKIT=1 docker build -f packages/grid/frontend/frontend.dockerfile packages/grid/frontend -t frontend:${{ github.sha }} --no-cache - # # Runs Snyk Container (Container and SCA) analysis and uploads result to Snyk. 
- - # - name: Snyk auth - # shell: bash - # run: snyk config set api=$SNYK_TOKEN - # env: - # # This is where you will need to introduce the Snyk API token created with your Snyk account - # SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} - - # - name: Snyk Container test - # continue-on-error: true - # shell: bash - # run: snyk container test frontend:${{ github.sha }} --file=packages/grid/frontend/frontend.dockerfile --sarif --sarif-file-output=snyk-code.sarif - # env: - # # This is where you will need to introduce the Snyk API token created with your Snyk account - # SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} - - # # Push the Snyk Code results into GitHub Code Scanning tab - # - name: Upload result to GitHub Code Scanning - # uses: github/codeql-action/upload-sarif@v2 - # with: - # sarif_file: snyk-code.sarif - - # scan-tailscale-trivy: - # permissions: - # contents: read # for actions/checkout to fetch code - # security-events: write # for github/codeql-action/upload-sarif to upload SARIF results - # actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status - # runs-on: ubuntu-latest - # steps: - # - uses: actions/checkout@v3 - - # # Build the docker image for testing - # - name: Build a Docker image - # shell: bash - # run: DOCKER_BUILDKIT=1 docker build -f packages/grid/vpn/tailscale.dockerfile packages/grid/vpn -t tailscale:${{ github.sha }} --no-cache - # # Runs Snyk Container (Container and SCA) analysis and uploads result to Snyk. 
- - # - name: Run Trivy vulnerability scanner - # continue-on-error: true - # uses: aquasecurity/trivy-action@7b7aa264d83dc58691451798b4d117d53d21edfe - # with: - # image-ref: "tailscale:${{ github.sha }}" - # format: "template" - # template: "@/contrib/sarif.tpl" - # output: "trivy-results.sarif" - # severity: "CRITICAL,HIGH" - # timeout: "10m0s" - - # - name: Upload Trivy scan results to GitHub Security tab - # uses: github/codeql-action/upload-sarif@v2 - # with: - # sarif_file: "trivy-results.sarif" - - # scan-tailscale-snyk: - # permissions: - # contents: read # for actions/checkout to fetch code - # security-events: write # for github/codeql-action/upload-sarif to upload SARIF results - # actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status - # runs-on: ubuntu-latest - # steps: - # - uses: actions/checkout@v3 - # - name: Set up Snyk CLI to check for security issues - # # Snyk can be used to break the build when it detects security issues. - # # In this case we want to upload the SAST issues to GitHub Code Scanning - # uses: snyk/actions/setup@806182742461562b67788a64410098c9d9b96adb - # env: - # # This is where you will need to introduce the Snyk API token created with your Snyk account - # SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} - - # # Build the docker image for testing - # - name: Build a Docker image - # shell: bash - # run: DOCKER_BUILDKIT=1 docker build -f packages/grid/vpn/tailscale.dockerfile packages/grid/vpn -t tailscale:${{ github.sha }} --no-cache - # # Runs Snyk Container (Container and SCA) analysis and uploads result to Snyk. 
- - # - name: Snyk auth - # shell: bash - # run: snyk config set api=$SNYK_TOKEN - # env: - # # This is where you will need to introduce the Snyk API token created with your Snyk account - # SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} - - # - name: Snyk Container test - # continue-on-error: true - # shell: bash - # run: snyk container test tailscale:${{ github.sha }} --file=packages/grid/vpn/tailscale.dockerfile --sarif --sarif-file-output=snyk-code.sarif - # env: - # # This is where you will need to introduce the Snyk API token created with your Snyk account - # SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} - - # # Push the Snyk Code results into GitHub Code Scanning tab - # - name: Upload result to GitHub Code Scanning - # uses: github/codeql-action/upload-sarif@v2 - # with: - # sarif_file: snyk-code.sarif - - # scan-headscale-trivy: - # permissions: - # contents: read # for actions/checkout to fetch code - # security-events: write # for github/codeql-action/upload-sarif to upload SARIF results - # actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status - # runs-on: ubuntu-latest - # steps: - # - uses: actions/checkout@v3 - - # # Build the docker image for testing - # - name: Build a Docker image - # shell: bash - # run: DOCKER_BUILDKIT=1 docker build -f packages/grid/vpn/headscale.dockerfile packages/grid/vpn -t headscale:${{ github.sha }} --no-cache - # # Runs Snyk Container (Container and SCA) analysis and uploads result to Snyk. 
- - # - name: Run Trivy vulnerability scanner - # continue-on-error: true - # uses: aquasecurity/trivy-action@7b7aa264d83dc58691451798b4d117d53d21edfe - # with: - # image-ref: "headscale:${{ github.sha }}" - # format: "template" - # template: "@/contrib/sarif.tpl" - # output: "trivy-results.sarif" - # severity: "CRITICAL,HIGH" - # timeout: "10m0s" - - # - name: Upload Trivy scan results to GitHub Security tab - # uses: github/codeql-action/upload-sarif@v2 - # with: - # sarif_file: "trivy-results.sarif" - - # scan-headscale-snyk: - # permissions: - # contents: read # for actions/checkout to fetch code - # security-events: write # for github/codeql-action/upload-sarif to upload SARIF results - # actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status - # runs-on: ubuntu-latest - # steps: - # - uses: actions/checkout@v3 - # - name: Set up Snyk CLI to check for security issues - # # Snyk can be used to break the build when it detects security issues. - # # In this case we want to upload the SAST issues to GitHub Code Scanning - # uses: snyk/actions/setup@806182742461562b67788a64410098c9d9b96adb - # env: - # # This is where you will need to introduce the Snyk API token created with your Snyk account - # SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} - - # # Build the docker image for testing - # - name: Build a Docker image - # shell: bash - # run: DOCKER_BUILDKIT=1 docker build -f packages/grid/vpn/headscale.dockerfile packages/grid/vpn -t headscale:${{ github.sha }} --no-cache - # # Runs Snyk Container (Container and SCA) analysis and uploads result to Snyk. 
- - # - name: Snyk auth - # shell: bash - # run: snyk config set api=$SNYK_TOKEN - # env: - # # This is where you will need to introduce the Snyk API token created with your Snyk account - # SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} - - # - name: Snyk Container test - # continue-on-error: true - # shell: bash - # run: snyk container test headscale:${{ github.sha }} --file=packages/grid/vpn/headscale.dockerfile --sarif --sarif-file-output=snyk-code.sarif - # env: - # # This is where you will need to introduce the Snyk API token created with your Snyk account - # SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} - - # # Push the Snyk Code results into GitHub Code Scanning tab - # - name: Upload result to GitHub Code Scanning - # uses: github/codeql-action/upload-sarif@v2 - # with: - # sarif_file: snyk-code.sarif + scan-backend-trivy: + permissions: + contents: read # for actions/checkout to fetch code + security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v3 + + # Build the docker image for testing + - name: Build a Docker image + run: DOCKER_BUILDKIT=1 docker build -f packages/grid/backend/backend.dockerfile packages -t backend:${{ github.sha }} --no-cache + # Runs Snyk Container (Container and SCA) analysis and uploads result to Snyk. 
+ + - name: Run Trivy vulnerability scanner + continue-on-error: true + uses: aquasecurity/trivy-action@master + with: + image-ref: "backend:${{ github.sha }}" + format: "template" + template: "@/contrib/sarif.tpl" + output: "trivy-results.sarif" + severity: "CRITICAL,HIGH" + timeout: "10m0s" + + - name: Upload Trivy scan results to GitHub Security tab + uses: github/codeql-action/upload-sarif@v2 + with: + sarif_file: "trivy-results.sarif" + + scan-backend-snyk: + permissions: + contents: read # for actions/checkout to fetch code + security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v3 + - name: Set up Snyk CLI to check for security issues + # Snyk can be used to break the build when it detects security issues. + # In this case we want to upload the SAST issues to GitHub Code Scanning + uses: snyk/actions/setup@master + env: + # This is where you will need to introduce the Snyk API token created with your Snyk account + SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} + + # Build the docker image for testing + - name: Build a Docker image + shell: bash + run: DOCKER_BUILDKIT=1 docker build -f packages/grid/backend/backend.dockerfile packages -t backend:${{ github.sha }} --no-cache + # Runs Snyk Container (Container and SCA) analysis and uploads result to Snyk. 
+ + - name: Snyk auth + shell: bash + run: snyk config set api=$SNYK_TOKEN + env: + # This is where you will need to introduce the Snyk API token created with your Snyk account + SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} + + - name: Snyk Container test + continue-on-error: true + shell: bash + run: snyk container test backend:${{ github.sha }} --file=packages/grid/backend/backend.dockerfile --sarif --sarif-file-output=snyk-code.sarif + env: + # This is where you will need to introduce the Snyk API token created with your Snyk account + SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} + + # Push the Snyk Code results into GitHub Code Scanning tab + - name: Upload result to GitHub Code Scanning + uses: github/codeql-action/upload-sarif@v2 + with: + sarif_file: snyk-code.sarif + + scan-frontend-trivy: + permissions: + contents: read # for actions/checkout to fetch code + security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v3 + + # Build the docker image for testing + - name: Build a Docker image + shell: bash + run: DOCKER_BUILDKIT=1 docker build -f packages/grid/frontend/frontend.dockerfile packages/grid/frontend -t frontend:${{ github.sha }} --no-cache + # Runs Snyk Container (Container and SCA) analysis and uploads result to Snyk. 
+ + - name: Run Trivy vulnerability scanner + continue-on-error: true + uses: aquasecurity/trivy-action@master + with: + image-ref: "frontend:${{ github.sha }}" + format: "template" + template: "@/contrib/sarif.tpl" + output: "trivy-results.sarif" + severity: "CRITICAL,HIGH" + timeout: "10m0s" + + - name: Upload Trivy scan results to GitHub Security tab + uses: github/codeql-action/upload-sarif@v2 + with: + sarif_file: "trivy-results.sarif" + + scan-frontend-snyk: + permissions: + contents: read # for actions/checkout to fetch code + security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v3 + - name: Set up Snyk CLI to check for security issues + # Snyk can be used to break the build when it detects security issues. + # In this case we want to upload the SAST issues to GitHub Code Scanning + uses: snyk/actions/setup@master + env: + # This is where you will need to introduce the Snyk API token created with your Snyk account + SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} + + # Build the docker image for testing + - name: Build a Docker image + shell: bash + run: DOCKER_BUILDKIT=1 docker build -f packages/grid/frontend/frontend.dockerfile packages/grid/frontend -t frontend:${{ github.sha }} --no-cache + # Runs Snyk Container (Container and SCA) analysis and uploads result to Snyk. 
+ + - name: Snyk auth + shell: bash + run: snyk config set api=$SNYK_TOKEN + env: + # This is where you will need to introduce the Snyk API token created with your Snyk account + SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} + + - name: Snyk Container test + continue-on-error: true + shell: bash + run: snyk container test frontend:${{ github.sha }} --file=packages/grid/frontend/frontend.dockerfile --sarif --sarif-file-output=snyk-code.sarif + env: + # This is where you will need to introduce the Snyk API token created with your Snyk account + SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} + + # Push the Snyk Code results into GitHub Code Scanning tab + - name: Upload result to GitHub Code Scanning + uses: github/codeql-action/upload-sarif@v2 + with: + sarif_file: snyk-code.sarif + + scan-tailscale-trivy: + permissions: + contents: read # for actions/checkout to fetch code + security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v3 + + # Build the docker image for testing + - name: Build a Docker image + shell: bash + run: DOCKER_BUILDKIT=1 docker build -f packages/grid/vpn/tailscale.dockerfile packages/grid/vpn -t tailscale:${{ github.sha }} --no-cache + # Runs Snyk Container (Container and SCA) analysis and uploads result to Snyk. 
+ + - name: Run Trivy vulnerability scanner + continue-on-error: true + uses: aquasecurity/trivy-action@master + with: + image-ref: "tailscale:${{ github.sha }}" + format: "template" + template: "@/contrib/sarif.tpl" + output: "trivy-results.sarif" + severity: "CRITICAL,HIGH" + timeout: "10m0s" + + - name: Upload Trivy scan results to GitHub Security tab + uses: github/codeql-action/upload-sarif@v2 + with: + sarif_file: "trivy-results.sarif" + + scan-tailscale-snyk: + permissions: + contents: read # for actions/checkout to fetch code + security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v3 + - name: Set up Snyk CLI to check for security issues + # Snyk can be used to break the build when it detects security issues. + # In this case we want to upload the SAST issues to GitHub Code Scanning + uses: snyk/actions/setup@master + env: + # This is where you will need to introduce the Snyk API token created with your Snyk account + SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} + + # Build the docker image for testing + - name: Build a Docker image + shell: bash + run: DOCKER_BUILDKIT=1 docker build -f packages/grid/vpn/tailscale.dockerfile packages/grid/vpn -t tailscale:${{ github.sha }} --no-cache + # Runs Snyk Container (Container and SCA) analysis and uploads result to Snyk. 
+ + - name: Snyk auth + shell: bash + run: snyk config set api=$SNYK_TOKEN + env: + # This is where you will need to introduce the Snyk API token created with your Snyk account + SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} + + - name: Snyk Container test + continue-on-error: true + shell: bash + run: snyk container test tailscale:${{ github.sha }} --file=packages/grid/vpn/tailscale.dockerfile --sarif --sarif-file-output=snyk-code.sarif + env: + # This is where you will need to introduce the Snyk API token created with your Snyk account + SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} + + # Push the Snyk Code results into GitHub Code Scanning tab + - name: Upload result to GitHub Code Scanning + uses: github/codeql-action/upload-sarif@v2 + with: + sarif_file: snyk-code.sarif + + scan-headscale-trivy: + permissions: + contents: read # for actions/checkout to fetch code + security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v3 + + # Build the docker image for testing + - name: Build a Docker image + shell: bash + run: DOCKER_BUILDKIT=1 docker build -f packages/grid/vpn/headscale.dockerfile packages/grid/vpn -t headscale:${{ github.sha }} --no-cache + # Runs Snyk Container (Container and SCA) analysis and uploads result to Snyk. 
+ + - name: Run Trivy vulnerability scanner + continue-on-error: true + uses: aquasecurity/trivy-action@master + with: + image-ref: "headscale:${{ github.sha }}" + format: "template" + template: "@/contrib/sarif.tpl" + output: "trivy-results.sarif" + severity: "CRITICAL,HIGH" + timeout: "10m0s" + + - name: Upload Trivy scan results to GitHub Security tab + uses: github/codeql-action/upload-sarif@v2 + with: + sarif_file: "trivy-results.sarif" + + scan-headscale-snyk: + permissions: + contents: read # for actions/checkout to fetch code + security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v3 + - name: Set up Snyk CLI to check for security issues + # Snyk can be used to break the build when it detects security issues. + # In this case we want to upload the SAST issues to GitHub Code Scanning + uses: snyk/actions/setup@master + env: + # This is where you will need to introduce the Snyk API token created with your Snyk account + SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} + + # Build the docker image for testing + - name: Build a Docker image + shell: bash + run: DOCKER_BUILDKIT=1 docker build -f packages/grid/vpn/headscale.dockerfile packages/grid/vpn -t headscale:${{ github.sha }} --no-cache + # Runs Snyk Container (Container and SCA) analysis and uploads result to Snyk. 
+ + - name: Snyk auth + shell: bash + run: snyk config set api=$SNYK_TOKEN + env: + # This is where you will need to introduce the Snyk API token created with your Snyk account + SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} + + - name: Snyk Container test + continue-on-error: true + shell: bash + run: snyk container test headscale:${{ github.sha }} --file=packages/grid/vpn/headscale.dockerfile --sarif --sarif-file-output=snyk-code.sarif + env: + # This is where you will need to introduce the Snyk API token created with your Snyk account + SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} + + # Push the Snyk Code results into GitHub Code Scanning tab + - name: Upload result to GitHub Code Scanning + uses: github/codeql-action/upload-sarif@v2 + with: + sarif_file: snyk-code.sarif scan-syft-requirements: permissions: 
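Review bot: The re-enabled jobs in this hunk reference third-party actions by a mutable branch — `uses: aquasecurity/trivy-action@master` and `uses: snyk/actions/setup@master` — where the removed lines had pinned them to full commit SHAs (`7b7aa264d83dc58691451798b4d117d53d21edfe` and `806182742461562b67788a64410098c9d9b96adb`). Anyone able to move that branch then chooses the code that runs with `security-events: write` and, in the `-snyk` jobs, with `SNYK_TOKEN` in the step environment, and a run is no longer reproducible against a given revision. Pin each to a full-length SHA and record the release it corresponds to, e.g. `uses: aquasecurity/trivy-action@<commit-sha-of-chosen-release> # <release tag>`, in all eight jobs of this hunk. Separately, the comment `# Runs Snyk Container (Container and SCA) analysis and uploads result to Snyk.` follows the build step of the four `-trivy` jobs where no Snyk step exists; drop it there so the job reads correctly.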
@@ -332,26 +328,15 @@ jobs:
 cyclonedx-py --r -i requirements.txt --format json -o syft.sbom.json
 #Trivy scan SBOM
- # - name: Run Trivy vulnerability scanner
- # continue-on-error: true
- # run: |
- # sudo apt-get install wget apt-transport-https gnupg lsb-release
- # wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key | sudo apt-key add -
- # echo deb https://aquasecurity.github.io/trivy-repo/deb $(lsb_release -sc) main | sudo tee -a /etc/apt/sources.list.d/trivy.list
- # sudo apt-get update
- # sudo apt-get install trivy
- # trivy sbom syft.sbom.json --format sarif --output trivy-results.sarif --severity CRITICAL,HIGH --timeout 10m0s
- #Trivy scan SBOM
 - name: Run Trivy vulnerability scanner
 continue-on-error: true
- uses: aquasecurity/trivy-action@master
- with:
- scan-type: "sbom"
- input: "syft.sbom.json"
- format: "sarif"
- output: "trivy-results.sarif"
- severity: "CRITICAL,HIGH"
- timeout: "10m0s"
+ run: |
+ sudo apt-get install wget apt-transport-https gnupg lsb-release
+ wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key | sudo apt-key add -
+ echo deb https://aquasecurity.github.io/trivy-repo/deb $(lsb_release -sc) main | sudo tee -a /etc/apt/sources.list.d/trivy.list
+ sudo apt-get update
+ sudo apt-get install trivy
+ trivy sbom syft.sbom.json --format sarif --output trivy-results.sarif --severity CRITICAL,HIGH --timeout 10m0s
 #Upload SBOM to GitHub Security tab
 - name: Upload SBOM to GitHub Security tab
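Review bot: `sudo apt-get install trivy` in the new `run:` block has no `-y`, so on the non-interactive runner the confirmation prompt is likely to abort the install, and because `continue-on-error: true` is kept the step still goes green while `trivy-results.sarif` is never produced, leaving the following upload step to fail on a missing file. The block also trades the removed `trivy-action` step for whatever Trivy version the apt repository serves on the day, and `apt-key add` is deprecated and trusts the Trivy key for every apt source on the runner rather than for this repository alone. I would install non-interactively with a `signed-by` keyring and a pinned package version, and drop `continue-on-error` on this step, since Trivy exits 0 on findings unless `--exit-code` is set and an install failure is the only thing the flag currently hides. This step sits in `scan-syft-requirements`, whose start is outside the hunk.
```yaml
      - name: Run Trivy vulnerability scanner
        run: |
          sudo apt-get install -y wget apt-transport-https gnupg lsb-release
          sudo install -d -m 0755 /etc/apt/keyrings
          wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key | gpg --dearmor | sudo tee /etc/apt/keyrings/trivy.gpg > /dev/null
          echo "deb [signed-by=/etc/apt/keyrings/trivy.gpg] https://aquasecurity.github.io/trivy-repo/deb $(lsb_release -sc) main" | sudo tee /etc/apt/sources.list.d/trivy.list
          sudo apt-get update
          sudo apt-get install -y trivy=<PINNED_TRIVY_VERSION>  # placeholder: pin to the package version you validated
          # … unchanged: trivy sbom invocation …
```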
@@ -366,128 +351,128 @@ jobs: name: syft.sbom.json path: syft.sbom.json - # scan-mongo-latest-trivy: - # permissions: - # contents: read # for actions/checkout to fetch code - # security-events: write # for github/codeql-action/upload-sarif to upload SARIF results - # actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status - # runs-on: ubuntu-latest - # steps: - # - uses: actions/checkout@v3 - - # - name: Run Trivy vulnerability scanner - # continue-on-error: true - # uses: aquasecurity/trivy-action@master - # with: - # image-ref: "mongo:7.0-rc" - # format: "github" - # template: "@/contrib/sarif.tpl" - # output: "mongo-trivy-results.sbom.json" - # severity: "CRITICAL,HIGH" - # timeout: "10m0s" - - # - name: Upload SBOM to GitHub Artifacts - # uses: actions/upload-artifact@v2 - # with: - # name: mongo-trivy-results.sbom.json - # path: mongo-trivy-results.sbom.json - - # scan-mongo-latest-snyk: - # permissions: - # contents: read # for actions/checkout to fetch code - # security-events: write # for github/codeql-action/upload-sarif to upload SARIF results - # actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status - # runs-on: ubuntu-latest - # steps: - # - uses: actions/checkout@v3 - # - name: Set up Snyk CLI to check for security issues - # # Snyk can be used to break the build when it detects security issues. 
- # # In this case we want to upload the SAST issues to GitHub Code Scanning - # uses: snyk/actions/setup@master - # env: - # # This is where you will need to introduce the Snyk API token created with your Snyk account - # SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} - - # - name: Snyk auth - # shell: bash - # run: snyk config set api=$SNYK_TOKEN - # env: - # # This is where you will need to introduce the Snyk API token created with your Snyk account - # SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} - - # - name: Snyk Container test - # continue-on-error: true - # shell: bash - # run: snyk container test mongo:7.0-rc --sarif --sarif-file-output=snyk-code.sarif - # env: - # # This is where you will need to introduce the Snyk API token created with your Snyk account - # SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} - - # # Push the Snyk Code results into GitHub Code Scanning tab - # - name: Upload result to GitHub Code Scanning - # uses: github/codeql-action/upload-sarif@v2 - # with: - # sarif_file: snyk-code.sarif - - # scan-traefik-trivy: - # permissions: - # contents: read # for actions/checkout to fetch code - # security-events: write # for github/codeql-action/upload-sarif to upload SARIF results - # actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status - # runs-on: ubuntu-latest - # steps: - # - uses: actions/checkout@v3 - - # - name: Run Trivy vulnerability scanner - # continue-on-error: true - # uses: aquasecurity/trivy-action@master - # with: - # image-ref: "traefik:v2.8.1" - # format: "github" - # template: "@/contrib/sarif.tpl" - # output: "traefik-trivy-results.sbom.json" - # severity: "CRITICAL,HIGH" - # timeout: "10m0s" - - # - name: Upload SBOM to GitHub Artifacts - # uses: actions/upload-artifact@v2 - # with: - # name: traefik-trivy-results.sbom.json - # path: traefik-trivy-results.sbom.json - - # scan-traefik-snyk: - # permissions: - # contents: read # for actions/checkout to fetch code - # security-events: 
write # for github/codeql-action/upload-sarif to upload SARIF results - # actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status - # runs-on: ubuntu-latest - # steps: - # - uses: actions/checkout@v3 - # - name: Set up Snyk CLI to check for security issues - # # Snyk can be used to break the build when it detects security issues. - # # In this case we want to upload the SAST issues to GitHub Code Scanning - # uses: snyk/actions/setup@master - # env: - # # This is where you will need to introduce the Snyk API token created with your Snyk account - # SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} - - # - name: Snyk auth - # shell: bash - # run: snyk config set api=$SNYK_TOKEN - # env: - # # This is where you will need to introduce the Snyk API token created with your Snyk account - # SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} - - # - name: Snyk Container test - # continue-on-error: true - # shell: bash - # run: snyk container test traefik:v2.8.1 --sarif --sarif-file-output=snyk-code.sarif - # env: - # # This is where you will need to introduce the Snyk API token created with your Snyk account - # SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} - - # # Push the Snyk Code results into GitHub Code Scanning tab - # - name: Upload result to GitHub Code Scanning - # uses: github/codeql-action/upload-sarif@v2 - # with: - # sarif_file: snyk-code.sarif + scan-mongo-latest-trivy: + permissions: + contents: read # for actions/checkout to fetch code + security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v3 + + - name: Run Trivy vulnerability scanner + continue-on-error: true + uses: aquasecurity/trivy-action@master + with: + image-ref: "mongo:7.0-rc" + format: "github" + template: "@/contrib/sarif.tpl" + output: 
"mongo-trivy-results.sbom.json" + severity: "CRITICAL,HIGH" + timeout: "10m0s" + + - name: Upload SBOM to GitHub Artifacts + uses: actions/upload-artifact@v2 + with: + name: mongo-trivy-results.sbom.json + path: mongo-trivy-results.sbom.json + + scan-mongo-latest-snyk: + permissions: + contents: read # for actions/checkout to fetch code + security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v3 + - name: Set up Snyk CLI to check for security issues + # Snyk can be used to break the build when it detects security issues. + # In this case we want to upload the SAST issues to GitHub Code Scanning + uses: snyk/actions/setup@master + env: + # This is where you will need to introduce the Snyk API token created with your Snyk account + SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} + + - name: Snyk auth + shell: bash + run: snyk config set api=$SNYK_TOKEN + env: + # This is where you will need to introduce the Snyk API token created with your Snyk account + SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} + + - name: Snyk Container test + continue-on-error: true + shell: bash + run: snyk container test mongo:7.0-rc --sarif --sarif-file-output=snyk-code.sarif + env: + # This is where you will need to introduce the Snyk API token created with your Snyk account + SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} + + # Push the Snyk Code results into GitHub Code Scanning tab + - name: Upload result to GitHub Code Scanning + uses: github/codeql-action/upload-sarif@v2 + with: + sarif_file: snyk-code.sarif + + scan-traefik-trivy: + permissions: + contents: read # for actions/checkout to fetch code + security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action 
run status + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v3 + + - name: Run Trivy vulnerability scanner + continue-on-error: true + uses: aquasecurity/trivy-action@master + with: + image-ref: "traefik:v2.8.1" + format: "github" + template: "@/contrib/sarif.tpl" + output: "traefik-trivy-results.sbom.json" + severity: "CRITICAL,HIGH" + timeout: "10m0s" + + - name: Upload SBOM to GitHub Artifacts + uses: actions/upload-artifact@v2 + with: + name: traefik-trivy-results.sbom.json + path: traefik-trivy-results.sbom.json + + scan-traefik-snyk: + permissions: + contents: read # for actions/checkout to fetch code + security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v3 + - name: Set up Snyk CLI to check for security issues + # Snyk can be used to break the build when it detects security issues. + # In this case we want to upload the SAST issues to GitHub Code Scanning + uses: snyk/actions/setup@master + env: + # This is where you will need to introduce the Snyk API token created with your Snyk account + SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} + + - name: Snyk auth + shell: bash + run: snyk config set api=$SNYK_TOKEN + env: + # This is where you will need to introduce the Snyk API token created with your Snyk account + SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} + + - name: Snyk Container test + continue-on-error: true + shell: bash + run: snyk container test traefik:v2.8.1 --sarif --sarif-file-output=snyk-code.sarif + env: + # This is where you will need to introduce the Snyk API token created with your Snyk account + SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} + + # Push the Snyk Code results into GitHub Code Scanning tab + - name: Upload result to GitHub Code Scanning + uses: github/codeql-action/upload-sarif@v2 + with: + sarif_file: snyk-code.sarif
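Review bot: The two new Trivy jobs (`scan-mongo-latest-trivy`, `scan-traefik-trivy`) request `security-events: write` and `actions: read` but never call `upload-sarif`; they only publish an artifact, so their `permissions:` block can be reduced to `contents: read`. In the same jobs `template: "@/contrib/sarif.tpl"` is ignored because `format: "github"` selects Trivy's dependency-snapshot output rather than the template renderer, so either drop the `template` line or switch to `format: "sarif"` and upload the result to Code Scanning as the Snyk jobs do. The Snyk jobs' `upload-sarif` steps both write `snyk-code.sarif` with no `category:`, so their uploads for the same commit replace one another (and the other Snyk upload already in this workflow) in the Code Scanning tab; add a per-job value such as `category: snyk-mongo` and `category: snyk-traefik` under `with:`. `aquasecurity/trivy-action@master` and `snyk/actions/setup@master` are floating refs; pinning each to a full commit SHA keeps a change in the third-party action from silently altering what is scanned.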