update

Author: jesus-linares

.github/workflows/trivy.yaml

@@ -12,16 +12,72 @@ jobs:
       - name: Checkout code
         uses: actions/checkout@v4
 
+      - name: Build Docker Image 1 (Vulnerable - Ubuntu)
+        run: |
+          docker build -t vulnerable-image-ubuntu -f Dockerfile1 .
   
-      - name: Run Trivy vulnerability scanner in fs mode
+      - name: Build Docker Image 3 (Non-vulnerable)
+        run: |
+          docker build -t non-vulnerable-image -f Dockerfile3 .
+
+      - name: "Run Trivy vulnerability scanner: image"
+        uses: aquasecurity/[email protected]
+        with:
+          image-ref: 'vulnerable-image-ubuntu'
+          scan-type: 'image'
+          vuln-type: 'os'
+          format: 'sarif'
+          output: 'trivy-results-image1.sarif'
+
+      - name: Upload Trivy scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: 'trivy-results-image1.sarif'
+          category: 'image'
+
+      - name: "Run Trivy vulnerability scanner: image"
+        uses: aquasecurity/[email protected]
+        with:
+          image-ref: 'non-vulnerable-image'
+          scan-type: 'image'
+          vuln-type: 'os'
+          format: 'sarif'
+          output: 'trivy-results-image2.sarif'
+
+      - name: Upload Trivy scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: 'trivy-results-image2.sarif'
+          category: 'image'
+
+      - name: "Run Trivy vulnerability scanner: image"
+        uses: aquasecurity/[email protected]
+        with:
+          image-ref: 'vulnerable-image-ubuntu'
+          scan-type: 'image'
+          scanners: 'vuln,secret'
+          vuln-type: 'os'
+          format: 'sarif'
+          output: 'trivy-results-image1.sarif'
+
+      - name: Upload Trivy scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: 'trivy-results-image1.sarif'
+          category: 'image'
+
+      - name: "Run Trivy vulnerability scanner: image"
         uses: aquasecurity/[email protected]
         with:
-          scan-type: 'fs'
-          scan-ref: '.'
+          image-ref: 'non-vulnerable-image'
+          scan-type: 'image'
+          scanners: 'vuln,secret'
+          vuln-type: 'os'
           format: 'sarif'
-          output: 'trivy-results.sarif'
+          output: 'trivy-results-image2.sarif'
 
       - name: Upload Trivy scan results to GitHub Security tab
         uses: github/codeql-action/upload-sarif@v3
         with:
-          sarif_file: 'trivy-results.sarif'
+          sarif_file: 'trivy-results-image2.sarif'
+          category: 'image'

Dockerfile1

@@ -0,0 +1,13 @@
+# Dockerfile 1 (Vulnerable)
+FROM ubuntu:18.04
+
+RUN apt-get update && \
+    apt-get install -y \
+    openssl \
+    curl
+
+# Deliberately using an old version of OpenSSL with known vulnerabilities
+RUN apt-get install -y openssl=1.1.0g-2ubuntu4.3
+
+# Adding a fake AWS secret key
+RUN echo "AWS_SECRET_ACCESS_KEY=AKIAIOSFODNN7EXAMPLE" > /root/.aws/credentials

Dockerfile3

@@ -0,0 +1,10 @@
+# Dockerfile 3 (Non-vulnerable)
+FROM ubuntu:20.04
+
+RUN apt-get update && \
+    apt-get install -y \
+    openssl \
+    curl
+
+# Using the latest versions with no known vulnerabilities
+RUN apt-get install -y openssl