diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml
index 18cefdb..88e116d 100644
--- a/.github/workflows/docker.yml
+++ b/.github/workflows/docker.yml
@@ -10,6 +10,11 @@ on:
 branches:
 - "master"
+permissions:
+ contents: read
+ packages: write
+ security-events: write
+
 jobs:
 build-docker:
 runs-on: ubuntu-latest
@@ -60,6 +65,31 @@ jobs:
 type=semver,pattern={{major}}.{{minor}}
 type=semver,pattern={{major}}
+ - name: Build image for scanning
+ uses: docker/build-push-action@v7
+ with:
+ context: .
+ file: docker/Dockerfile
+ platforms: linux/amd64
+ push: false
+ load: true
+ tags: drone-telegram:scan
+
+ - name: Run Trivy vulnerability scanner
+ uses: aquasecurity/trivy-action@v0.35.0
+ with:
+ image-ref: "drone-telegram:scan"
+ format: "sarif"
+ output: "trivy-image-results.sarif"
+ severity: "CRITICAL,HIGH"
+
+ - name: Upload Trivy scan results to GitHub Security tab
+ uses: github/codeql-action/upload-sarif@v4
+ if: always()
+ with:
+ sarif_file: "trivy-image-results.sarif"
+ category: "trivy-docker-image"
+
 - name: Build and push
 uses: docker/build-push-action@v7
 with:
diff --git a/.github/workflows/trivy.yml b/.github/workflows/trivy.yml
new file mode 100644
index 0000000..f7265d9
--- /dev/null
+++ b/.github/workflows/trivy.yml
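Review bot: The "Run Trivy vulnerability scanner" step in the second hunk does not gate the "Build and push" step that follows it: with `format: "sarif"` and no `exit-code` input the action exits 0 whatever CRITICAL/HIGH findings it records, so the report lands in the Security tab while the image is pushed anyway. If the scan is meant to block, add `exit-code: "1"` to that step's `with:` (keeping `if: always()` on the SARIF upload so the report is still published); if it is advisory only, a comment on the step such as `# Advisory scan: findings are uploaded but do not block the push` would keep the next reader from assuming the push is gated. Note also that the scanned artifact is a separate `platforms: linux/amd64` / `load: true` build rather than the image that gets pushed; the push step's platforms and tags are outside the hunk, so whether the scanned and pushed images coincide cannot be confirmed from here. In the first hunk, `permissions:` is declared at workflow level, so `packages: write` is granted to every job in the file; if only build-docker pushes, moving `packages: write` into that job's own `permissions:` block would follow least privilege.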
@@ -0,0 +1,85 @@
+name: Trivy Security Scan
+
+on:
+ push:
+ branches:
+ - master
+ pull_request:
+ branches:
+ - master
+ schedule:
+ # Run daily at 00:00 UTC
+ - cron: "0 0 * * *"
+ workflow_dispatch:
+
+permissions:
+ contents: read
+ security-events: write
+
+jobs:
+ trivy-repo-scan:
+ name: Trivy Repository Scan
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v6
+
+ - name: Run Trivy vulnerability scanner (repo)
+ uses: aquasecurity/trivy-action@v0.35.0
+ with:
+ scan-type: "fs"
+ scan-ref: "."
+ format: "sarif"
+ output: "trivy-repo-results.sarif"
+ severity: "CRITICAL,HIGH"
+
+ - name: Upload Trivy scan results to GitHub Security tab
+ uses: github/codeql-action/upload-sarif@v4
+ if: always()
+ with:
+ sarif_file: "trivy-repo-results.sarif"
+
+ trivy-image-scan:
+ name: Trivy Image Scan
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v6
+
+ - name: Setup go
+ uses: actions/setup-go@v6
+ with:
+ go-version-file: go.mod
+ check-latest: true
+
+ - name: Build binary
+ run: |
+ make build_linux_amd64
+
+ - name: Set up Docker Buildx
+ uses: docker/setup-buildx-action@v4
+
+ - name: Build Docker image for scanning
+ uses: docker/build-push-action@v7
+ with:
+ context: .
+ file: docker/Dockerfile
+ platforms: linux/amd64
+ push: false
+ load: true
+ tags: drone-telegram:scan
+
+ - name: Run Trivy vulnerability scanner (image)
+ uses: aquasecurity/trivy-action@v0.35.0
+ with:
+ image-ref: "drone-telegram:scan"
+ format: "sarif"
+ output: "trivy-image-results.sarif"
+ severity: "CRITICAL,HIGH"
+
+ - name: Upload Trivy image scan results to GitHub Security tab
+ uses: github/codeql-action/upload-sarif@v4
+ if: always()
+ with:
+ sarif_file: "trivy-image-results.sarif"
+ category: "trivy-image"
diff --git a/README.md b/README.md
index a1a7bbf..083e326 100644
--- a/README.md
+++ b/README.md
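Review bot: Both `upload-sarif` steps in this new workflow will fail on pull requests opened from forks, because `on.pull_request` is enabled but the GITHUB_TOKEN of a fork PR is read-only and cannot exercise `security-events: write`; with `if: always()` the upload still runs and the job goes red on a permissions error rather than on a finding. Guarding each upload with `if: always() && (github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository)` keeps the scans running on every trigger while skipping an upload that cannot succeed. The repo-scan upload also sets no `category:` while the image-scan upload sets `category: "trivy-image"`; giving the first one `category: "trivy-repo"` keeps the two Trivy analyses for the same commit distinguishable in code scanning. Since neither scanner step sets `exit-code`, this workflow is informational and never fails on findings, which is presumably intended for a scheduled scan but worth stating in a comment above the `severity:` lines so nobody reads the badge as a pass/fail gate.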
@@ -3,6 +3,7 @@ ![logo](./images/logo.png) [![GoDoc](https://godoc.org/github.com/appleboy/drone-telegram?status.svg)](https://godoc.org/github.com/appleboy/drone-telegram) +[![Trivy Security Scan](https://github.com/appleboy/drone-telegram/actions/workflows/trivy.yml/badge.svg?branch=master)](https://github.com/appleboy/drone-telegram/actions/workflows/trivy.yml) [![codecov](https://codecov.io/gh/appleboy/drone-telegram/branch/master/graph/badge.svg)](https://codecov.io/gh/appleboy/drone-telegram) [![Go Report Card](https://goreportcard.com/badge/github.com/appleboy/drone-telegram)](https://goreportcard.com/report/github.com/appleboy/drone-telegram)