mirror of
https://github.com/appleboy/drone-jenkins.git
synced 2026-06-04 18:23:57 +08:00
ci: standardize Trivy security scanning workflows
- Add Trivy image scan job to trivy.yml alongside existing repo scan - Add Trivy image scan step in docker.yml before pushing Docker image - Add security-events permission for SARIF upload
This commit is contained in:
Bo-Yi Wu
@@ -10,6 +10,11 @@ on:
|
|||||||
branches:
|
branches:
|
||||||
- "master"
|
- "master"
|
||||||
|
|
||||||
|
permissions:
|
||||||
|
contents: read
|
||||||
|
packages: write
|
||||||
|
security-events: write
|
||||||
|
|
||||||
jobs:
|
jobs:
|
||||||
build-docker:
|
build-docker:
|
||||||
runs-on: ubuntu-latest
|
runs-on: ubuntu-latest
|
||||||
@@ -53,6 +58,31 @@ jobs:
|
|||||||
type=semver,pattern={{major}}.{{minor}}
|
type=semver,pattern={{major}}.{{minor}}
|
||||||
type=semver,pattern={{major}}
|
type=semver,pattern={{major}}
|
||||||
|
|
||||||
|
- name: Build image for scanning
|
||||||
|
uses: docker/build-push-action@v7
|
||||||
|
with:
|
||||||
|
context: .
|
||||||
|
file: docker/Dockerfile
|
||||||
|
platforms: linux/amd64
|
||||||
|
push: false
|
||||||
|
load: true
|
||||||
|
tags: drone-jenkins:scan
|
||||||
|
|
||||||
|
- name: Run Trivy vulnerability scanner
|
||||||
|
uses: aquasecurity/trivy-action@v0.35.0
|
||||||
|
with:
|
||||||
|
image-ref: "drone-jenkins:scan"
|
||||||
|
format: "sarif"
|
||||||
|
output: "trivy-image-results.sarif"
|
||||||
|
severity: "CRITICAL,HIGH"
|
||||||
|
|
||||||
|
- name: Upload Trivy scan results to GitHub Security tab
|
||||||
|
uses: github/codeql-action/upload-sarif@v4
|
||||||
|
if: always()
|
||||||
|
with:
|
||||||
|
sarif_file: "trivy-image-results.sarif"
|
||||||
|
category: "trivy-docker-image"
|
||||||
|
|
||||||
- name: Build and push
|
- name: Build and push
|
||||||
uses: docker/build-push-action@v7
|
uses: docker/build-push-action@v7
|
||||||
with:
|
with:
|
||||||
|
|||||||
+51
-22
@@ -10,47 +10,76 @@ on:
|
|||||||
schedule:
|
schedule:
|
||||||
# Run daily at 00:00 UTC
|
# Run daily at 00:00 UTC
|
||||||
- cron: "0 0 * * *"
|
- cron: "0 0 * * *"
|
||||||
workflow_dispatch: # Allow manual trigger
|
workflow_dispatch:
|
||||||
|
|
||||||
permissions:
|
permissions:
|
||||||
contents: read
|
contents: read
|
||||||
security-events: write # Required for uploading SARIF results
|
security-events: write
|
||||||
|
|
||||||
jobs:
|
jobs:
|
||||||
trivy-scan:
|
trivy-repo-scan:
|
||||||
name: Trivy Security Scan
|
name: Trivy Repository Scan
|
||||||
runs-on: ubuntu-latest
|
runs-on: ubuntu-latest
|
||||||
steps:
|
steps:
|
||||||
- name: Checkout code
|
- name: Checkout repository
|
||||||
uses: actions/checkout@v6
|
uses: actions/checkout@v6
|
||||||
with:
|
|
||||||
fetch-depth: 0
|
|
||||||
|
|
||||||
- name: Run Trivy vulnerability scanner (source code)
|
- name: Run Trivy vulnerability scanner (repo)
|
||||||
uses: aquasecurity/trivy-action@v0.35.0
|
uses: aquasecurity/trivy-action@v0.35.0
|
||||||
with:
|
with:
|
||||||
scan-type: "fs"
|
scan-type: "fs"
|
||||||
scan-ref: "."
|
scan-ref: "."
|
||||||
scanners: "vuln,secret,misconfig"
|
|
||||||
format: "sarif"
|
format: "sarif"
|
||||||
output: "trivy-results.sarif"
|
output: "trivy-repo-results.sarif"
|
||||||
severity: "CRITICAL,HIGH,MEDIUM"
|
severity: "CRITICAL,HIGH"
|
||||||
ignore-unfixed: true
|
|
||||||
|
|
||||||
- name: Upload Trivy results to GitHub Security tab
|
- name: Upload Trivy scan results to GitHub Security tab
|
||||||
uses: github/codeql-action/upload-sarif@v4
|
uses: github/codeql-action/upload-sarif@v4
|
||||||
if: always()
|
if: always()
|
||||||
with:
|
with:
|
||||||
sarif_file: "trivy-results.sarif"
|
sarif_file: "trivy-repo-results.sarif"
|
||||||
|
|
||||||
- name: Run Trivy scanner (table output for logs)
|
trivy-image-scan:
|
||||||
|
name: Trivy Image Scan
|
||||||
|
runs-on: ubuntu-latest
|
||||||
|
steps:
|
||||||
|
- name: Checkout repository
|
||||||
|
uses: actions/checkout@v6
|
||||||
|
|
||||||
|
- name: Setup go
|
||||||
|
uses: actions/setup-go@v6
|
||||||
|
with:
|
||||||
|
go-version-file: go.mod
|
||||||
|
check-latest: true
|
||||||
|
|
||||||
|
- name: Build binary
|
||||||
|
run: |
|
||||||
|
make build_linux_amd64
|
||||||
|
|
||||||
|
- name: Set up Docker Buildx
|
||||||
|
uses: docker/setup-buildx-action@v4
|
||||||
|
|
||||||
|
- name: Build Docker image for scanning
|
||||||
|
uses: docker/build-push-action@v7
|
||||||
|
with:
|
||||||
|
context: .
|
||||||
|
file: docker/Dockerfile
|
||||||
|
platforms: linux/amd64
|
||||||
|
push: false
|
||||||
|
load: true
|
||||||
|
tags: drone-jenkins:scan
|
||||||
|
|
||||||
|
- name: Run Trivy vulnerability scanner (image)
|
||||||
uses: aquasecurity/trivy-action@v0.35.0
|
uses: aquasecurity/trivy-action@v0.35.0
|
||||||
|
with:
|
||||||
|
image-ref: "drone-jenkins:scan"
|
||||||
|
format: "sarif"
|
||||||
|
output: "trivy-image-results.sarif"
|
||||||
|
severity: "CRITICAL,HIGH"
|
||||||
|
|
||||||
|
- name: Upload Trivy image scan results to GitHub Security tab
|
||||||
|
uses: github/codeql-action/upload-sarif@v4
|
||||||
if: always()
|
if: always()
|
||||||
with:
|
with:
|
||||||
scan-type: "fs"
|
sarif_file: "trivy-image-results.sarif"
|
||||||
scan-ref: "."
|
category: "trivy-image"
|
||||||
scanners: "vuln,secret,misconfig"
|
|
||||||
format: "table"
|
|
||||||
severity: "CRITICAL,HIGH,MEDIUM"
|
|
||||||
ignore-unfixed: true
|
|
||||||
exit-code: "1"
|
|
||||||
|
|||||||
Reference in New Issue
Block a user