Skip to content

Container Scan

Container Scan #39

name: Container Scan
on:
workflow_call:
workflow_dispatch:
inputs:
none:
description: "Run Tests Manually"
required: false
jobs:
scan-backend-trivy:
permissions:
contents: read # for actions/checkout to fetch code
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
# free 10GB of space
- name: Remove unnecessary files
if: matrix.os == 'ubuntu-latest'
run: |
sudo rm -rf /usr/share/dotnet
sudo rm -rf "$AGENT_TOOLSDIRECTORY"
docker image prune --all --force
docker builder prune --all --force
docker system prune --all --force
# Build the docker image for testing
- name: Build a Docker image
run: DOCKER_BUILDKIT=1 docker build -f packages/grid/backend/backend.dockerfile packages -t backend:${{ github.sha }} --no-cache
# Runs Snyk Container (Container and SCA) analysis and uploads result to Snyk.
- name: Run Trivy vulnerability scanner
continue-on-error: true
uses: aquasecurity/trivy-action@master
with:
image-ref: "backend:${{ github.sha }}"
format: "template"
template: "@/contrib/sarif.tpl"
output: "trivy-results.sarif"
severity: "CRITICAL,HIGH"
timeout: "10m0s"
- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: "trivy-results.sarif"
scan-backend-snyk:
permissions:
contents: read # for actions/checkout to fetch code
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- name: Set up Snyk CLI to check for security issues
# Snyk can be used to break the build when it detects security issues.
# In this case we want to upload the SAST issues to GitHub Code Scanning
uses: snyk/actions/setup@master
env:
# This is where you will need to introduce the Snyk API token created with your Snyk account
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
# free 10GB of space
- name: Remove unnecessary files
if: matrix.os == 'ubuntu-latest'
run: |
sudo rm -rf /usr/share/dotnet
sudo rm -rf "$AGENT_TOOLSDIRECTORY"
docker image prune --all --force
docker builder prune --all --force
docker system prune --all --force
# Build the docker image for testing
- name: Build a Docker image
shell: bash
run: DOCKER_BUILDKIT=1 docker build -f packages/grid/backend/backend.dockerfile packages -t backend:${{ github.sha }} --no-cache
# Runs Snyk Container (Container and SCA) analysis and uploads result to Snyk.
- name: Snyk auth
shell: bash
run: snyk config set api=$SNYK_TOKEN
env:
# This is where you will need to introduce the Snyk API token created with your Snyk account
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
- name: Snyk Container test
continue-on-error: true
shell: bash
run: snyk container test backend:${{ github.sha }} --file=packages/grid/backend/backend.dockerfile --sarif --sarif-file-output=snyk-code.sarif
env:
# This is where you will need to introduce the Snyk API token created with your Snyk account
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
# Push the Snyk Code results into GitHub Code Scanning tab
- name: Upload result to GitHub Code Scanning
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: snyk-code.sarif
scan-frontend-trivy:
permissions:
contents: read # for actions/checkout to fetch code
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
# Build the docker image for testing
- name: Build a Docker image
shell: bash
run: DOCKER_BUILDKIT=1 docker build -f packages/grid/frontend/frontend.dockerfile packages/grid/frontend -t frontend:${{ github.sha }} --no-cache
# Runs Snyk Container (Container and SCA) analysis and uploads result to Snyk.
- name: Run Trivy vulnerability scanner
continue-on-error: true
uses: aquasecurity/trivy-action@master
with:
image-ref: "frontend:${{ github.sha }}"
format: "template"
template: "@/contrib/sarif.tpl"
output: "trivy-results.sarif"
severity: "CRITICAL,HIGH"
timeout: "10m0s"
- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: "trivy-results.sarif"
scan-frontend-snyk:
permissions:
contents: read # for actions/checkout to fetch code
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- name: Set up Snyk CLI to check for security issues
# Snyk can be used to break the build when it detects security issues.
# In this case we want to upload the SAST issues to GitHub Code Scanning
uses: snyk/actions/setup@master
env:
# This is where you will need to introduce the Snyk API token created with your Snyk account
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
# Build the docker image for testing
- name: Build a Docker image
shell: bash
run: DOCKER_BUILDKIT=1 docker build -f packages/grid/frontend/frontend.dockerfile packages/grid/frontend -t frontend:${{ github.sha }} --no-cache
# Runs Snyk Container (Container and SCA) analysis and uploads result to Snyk.
- name: Snyk auth
shell: bash
run: snyk config set api=$SNYK_TOKEN
env:
# This is where you will need to introduce the Snyk API token created with your Snyk account
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
- name: Snyk Container test
continue-on-error: true
shell: bash
run: snyk container test frontend:${{ github.sha }} --file=packages/grid/frontend/frontend.dockerfile --sarif --sarif-file-output=snyk-code.sarif
env:
# This is where you will need to introduce the Snyk API token created with your Snyk account
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
# Push the Snyk Code results into GitHub Code Scanning tab
- name: Upload result to GitHub Code Scanning
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: snyk-code.sarif
scan-syft-requirements:
permissions:
contents: read # for actions/checkout to fetch code
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- name: Set up Python
uses: actions/setup-python@v3
with:
python-version: "3.11"
#Generate SBOM
- name: Generate SBOM
run: |
python3 --version
python3 -m pip install ./packages/syft
python3 -m pip install cyclonedx-bom
python3 -m pip freeze > requirements.txt
cyclonedx-py --r -i requirements.txt --format json -o syft.sbom.json
#Trivy scan SBOM
- name: Run Trivy vulnerability scanner
continue-on-error: true
run: |
sudo apt-get install wget apt-transport-https gnupg lsb-release
wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key | sudo apt-key add -
echo deb https://aquasecurity.github.io/trivy-repo/deb $(lsb_release -sc) main | sudo tee -a /etc/apt/sources.list.d/trivy.list
sudo apt-get update
sudo apt-get install trivy
trivy sbom syft.sbom.json --format sarif --output trivy-results.sarif --severity CRITICAL,HIGH --timeout 10m0s
#Upload SBOM to GitHub Security tab
- name: Upload SBOM to GitHub Security tab
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: "trivy-results.sarif"
#upload SBOM to github artifacts
- name: Upload SBOM to GitHub Artifacts
uses: actions/upload-artifact@v2
with:
name: syft.sbom.json
path: syft.sbom.json
scan-mongo-latest-trivy:
permissions:
contents: read # for actions/checkout to fetch code
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
#Generate SBOM
- name: Run Trivy vulnerability scanner
continue-on-error: true
uses: aquasecurity/trivy-action@master
with:
image-ref: "mongo:7.0.0"
format: "cyclonedx"
output: "mongo-trivy-results.sbom.json"
timeout: "10m0s"
#Upload SBOM to GitHub Artifacts
- name: Upload SBOM to GitHub Artifacts
uses: actions/upload-artifact@v2
with:
name: mongo-trivy-results.sbom.json
path: mongo-trivy-results.sbom.json
#Generate sarif file
- name: Run Trivy vulnerability scanner
continue-on-error: true
uses: aquasecurity/trivy-action@master
with:
image-ref: "mongo:7.0.0"
format: "sarif"
output: "trivy-results.sarif"
timeout: "10m0s"
#Upload sarif file to GitHub Security tab
- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: "trivy-results.sarif"
scan-mongo-latest-snyk:
permissions:
contents: read # for actions/checkout to fetch code
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- name: Set up Snyk CLI to check for security issues
# Snyk can be used to break the build when it detects security issues.
# In this case we want to upload the SAST issues to GitHub Code Scanning
uses: snyk/actions/setup@master
env:
# This is where you will need to introduce the Snyk API token created with your Snyk account
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
- name: Snyk auth
shell: bash
run: snyk config set api=$SNYK_TOKEN
env:
# This is where you will need to introduce the Snyk API token created with your Snyk account
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
- name: Snyk Container test
continue-on-error: true
shell: bash
run: snyk container test mongo:7.0.0 --sarif --sarif-file-output=snyk-code.sarif
env:
# This is where you will need to introduce the Snyk API token created with your Snyk account
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
# Push the Snyk Code results into GitHub Code Scanning tab
- name: Upload result to GitHub Code Scanning
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: snyk-code.sarif
scan-traefik-trivy:
permissions:
contents: read # for actions/checkout to fetch code
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
#Generate SBOM
- name: Run Trivy vulnerability scanner
continue-on-error: true
uses: aquasecurity/trivy-action@master
with:
image-ref: "traefik:v2.10"
format: "cyclonedx"
output: "traefik-trivy-results.sbom.json"
timeout: "10m0s"
#Upload SBOM to GitHub Artifacts
- name: Upload SBOM to GitHub Artifacts
uses: actions/upload-artifact@v2
with:
name: traefik-trivy-results.sbom.json
path: traefik-trivy-results.sbom.json
#Generate sarif file
- name: Run Trivy vulnerability scanner
continue-on-error: true
uses: aquasecurity/trivy-action@master
with:
image-ref: "traefik:v2.10"
format: "sarif"
output: "trivy-results.sarif"
severity: "CRITICAL,HIGH"
timeout: "10m0s"
#Upload sarif file to GitHub Security tab
- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: "trivy-results.sarif"
scan-traefik-snyk:
permissions:
contents: read # for actions/checkout to fetch code
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- name: Set up Snyk CLI to check for security issues
# Snyk can be used to break the build when it detects security issues.
# In this case we want to upload the SAST issues to GitHub Code Scanning
uses: snyk/actions/setup@master
env:
# This is where you will need to introduce the Snyk API token created with your Snyk account
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
- name: Snyk auth
shell: bash
run: snyk config set api=$SNYK_TOKEN
env:
# This is where you will need to introduce the Snyk API token created with your Snyk account
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
- name: Snyk Container test
continue-on-error: true
shell: bash
run: snyk container test traefik:v2.10 --sarif --sarif-file-output=snyk-code.sarif
env:
# This is where you will need to introduce the Snyk API token created with your Snyk account
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
# Push the Snyk Code results into GitHub Code Scanning tab
- name: Upload result to GitHub Code Scanning
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: snyk-code.sarif
scan-seaweedfs-trivy:
permissions:
contents: read # for actions/checkout to fetch code
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
#Generate SBOM
- name: Run Trivy vulnerability scanner
continue-on-error: true
uses: aquasecurity/trivy-action@master
with:
image-ref: "chrislusf/seaweedfs:3.55"
format: "cyclonedx"
output: "seaweedfs-trivy-results.sbom.json"
timeout: "10m0s"
#Upload SBOM to GitHub Artifacts
- name: Upload SBOM to GitHub Artifacts
uses: actions/upload-artifact@v2
with:
name: seaweedfs-trivy-results.sbom.json
path: seaweedfs-trivy-results.sbom.json
#Generate sarif file
- name: Run Trivy vulnerability scanner
continue-on-error: true
uses: aquasecurity/trivy-action@master
with:
image-ref: "chrislusf/seaweedfs:3.55"
format: "sarif"
output: "trivy-results.sarif"
timeout: "10m0s"
#Upload sarif file to GitHub Security tab
- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: "trivy-results.sarif"
scan-seaweedfs-snyk:
permissions:
contents: read # for actions/checkout to fetch code
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- name: Set up Snyk CLI to check for security issues
# Snyk can be used to break the build when it detects security issues.
# In this case we want to upload the SAST issues to GitHub Code Scanning
uses: snyk/actions/setup@master
env:
# This is where you will need to introduce the Snyk API token created with your Snyk account
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
- name: Snyk auth
shell: bash
run: snyk config set api=$SNYK_TOKEN
env:
# This is where you will need to introduce the Snyk API token created with your Snyk account
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
- name: Snyk Container test
continue-on-error: true
shell: bash
run: snyk container test seaweedfs:3.55 --sarif --sarif-file-output=snyk-code.sarif
env:
# This is where you will need to introduce the Snyk API token created with your Snyk account
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
# Push the Snyk Code results into GitHub Code Scanning tab
- name: Upload result to GitHub Code Scanning
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: snyk-code.sarif