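---
# Weekly Trivy scan of the published sofie-core container images.
# Each matrix entry scans one image three times: JSON (for the Slack
# summary), table (for the step summary) and GitHub SBOM (submitted to
# the Dependency Graph), then posts a one-line severity summary to Slack.
name: Scheduled Trivy Scan

on:
  workflow_dispatch:
  schedule:
    # Mondays at 10:00 UTC.
    - cron: '0 10 * * 1'

# Least privilege: only the Dependency Graph submission step needs to
# write to the repository with GITHUB_TOKEN; everything else is read-only
# or uses the Slack webhook secret.
permissions:
  contents: write

jobs:
  trivy:
    # Skip on forks: the image names and Slack webhook are specific to nrkno.
    if: ${{ github.repository_owner == 'nrkno' }}
    name: Trivy scan
    runs-on: ubuntu-latest
    strategy:
      matrix:
        image: ["server-core", "playout-gateway", "mos-gateway"]
    timeout-minutes: 15
    env:
      # Shared by every trivy-action step: pull the vulnerability DB from
      # the ECR mirror instead of the default registry.
      TRIVY_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-db
    steps:
      # TODO(review): pin third-party actions to a full commit SHA
      # (e.g. `uses: aquasecurity/trivy-action@<commit-sha> # 0.28.0`)
      # so a moved tag cannot change what runs here.
      - name: Run Trivy vulnerability scanner (json)
        uses: aquasecurity/trivy-action@0.28.0
        with:
          image-ref: ghcr.io/nrkno/sofie-core-${{ matrix.image }}:latest
          format: json
          output: '${{ matrix.image }}-trivy-scan-results.json'

      - name: Run Trivy vulnerability scanner (table)
        uses: aquasecurity/trivy-action@0.28.0
        with:
          image-ref: ghcr.io/nrkno/sofie-core-${{ matrix.image }}:latest
          output: '${{ matrix.image }}-trivy-scan-results.txt'

      - name: Post all scan results to Github Summary as a table
        env:
          # Markdown fence delimiter, kept in an env var so the backticks
          # do not need escaping in the shell.
          CODE_BLOCK: "```"
        run: |
          echo "# Trivy scan results ~ sofie-core-${{ matrix.image }}:latest" >> "$GITHUB_STEP_SUMMARY"
          echo "$CODE_BLOCK" >> "$GITHUB_STEP_SUMMARY"
          cat "${{ matrix.image }}-trivy-scan-results.txt" >> "$GITHUB_STEP_SUMMARY"
          echo "$CODE_BLOCK" >> "$GITHUB_STEP_SUMMARY"

      - name: Run Trivy in GitHub SBOM mode and submit results to Dependency Graph
        uses: aquasecurity/trivy-action@0.28.0
        with:
          format: 'github'
          output: 'dependency-results-${{ matrix.image }}.sbom.json'
          image-ref: ghcr.io/nrkno/sofie-core-${{ matrix.image }}:latest
          # Needs `contents: write` (granted at workflow level) to submit
          # the snapshot.
          github-pat: ${{ secrets.GITHUB_TOKEN }}

      - name: Create summary of Trivy issues
        # Builds e.g. "CRITICAL: 2 | HIGH: 7" from the JSON report and
        # exports it as SUMMARY for the Slack step. The value only ever
        # contains Trivy severity names and counts, which keeps it safe to
        # interpolate into the JSON payload below.
        run: |
          summary=$(jq -r '.Results[] | select(.Vulnerabilities) | .Vulnerabilities | group_by(.Severity) | map({Severity: .[0].Severity, Count: length}) | .[] | [.Severity, .Count] | join(": ")' "${{ matrix.image }}-trivy-scan-results.json" | awk 'NR > 1 { printf(" | ") } {printf "%s",$0}')
          if [ -z "$summary" ]
          then
            summary="0 Issues"
          fi
          echo "SUMMARY=$summary" >> "$GITHUB_ENV"
          # `${{ env.SUMMARY }}` is expanded before this step runs and would
          # print an empty line here; GITHUB_ENV only affects later steps.
          echo "$summary"

      - name: Send Slack Notification
        uses: slackapi/slack-github-action@v1.27.0
        with:
          payload: |
            {
              "text": "Trivy scan results",
              "blocks": [
                {
                  "type": "header",
                  "text": {
                    "type": "plain_text",
                    "text": "Trivy scan results for sofie-core-${{ matrix.image }}:latest"
                  }
                },
                {
                  "type": "section",
                  "text": {
                    "type": "mrkdwn",
                    "text": ":thisisfine: ${{ env.SUMMARY }}"
                  }
                },
                {
                  "type": "section",
                  "text": {
                    "type": "mrkdwn",
                    "text": "Read the full scan results on Github"
                  },
                  "accessory": {
                    "type": "button",
                    "text": {
                      "type": "plain_text",
                      "text": ":github: Scan results",
                      "emoji": true
                    },
                    "value": "workflow_run",
                    "url": "${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}",
                    "action_id": "button-action"
                  }
                }
              ]
            }
        env:
          SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
          SLACK_WEBHOOK_TYPE: INCOMING_WEBHOOK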