Trang chủ Khám phá Trợ giúp
Đăng nhập
akillibulut
/
cost-model
mirror of https://github.com/kubecost/cost-model
2
0
Fork 0
Các tập tin Các vấn đề 0 Wiki
Tree: 8ed41dd693
Branches Tags
cost-model
/
.github
/
workflows
/
vulnerability-scan.yaml

vulnerability-scan.yaml 2.5 KB
Lịch sử Raw

12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364656667686970717273747576 
  1. name: Trivy Vulnerability Scanner
    2. 

  2. 

  3. permissions:
    4. 

  4.   issues: write
    5. 

  5.   contents: read
    6. 

  6.   security-events: write
    7. 

  7. 

  8. on:
    9. 

  9.   pull_request:
    10. 

  10.     branches:
    11. 

  11.       - develop
    12. 

  12.   push:
    13. 

  13.     branches:
    14. 

  14.       - develop
    15. 

  15.   merge_group:
    16. 

  16.     types: [checks_requested]
    17. 

  17. 

  18. jobs:
    19. 

  19.   scan:
    20. 

  20.     name: Scan for Vulnerabilities
    21. 

  21.     runs-on: ubuntu-latest
    22. 

  22.     steps:
    23. 

  23.       - name: Checkout code
    24. 

  24.         uses: actions/checkout@v6.0.2
    25. 

  25. 

  26.       - name: Install Trivy
    27. 

  27.         run: |
    28. 

  28.           curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin
    29. 

  29. 

  30.       - name: Run Trivy scan
    31. 

  31.         id: trivy-scan
    32. 

  32.         continue-on-error: true
    33. 

  33.         run: |
    34. 

  34.           # Generate SARIF report first
    35. 

  35.           trivy fs \
    36. 

  36.             --format template \
    37. 

  37.             --template '@/contrib/sarif.tpl' \
    38. 

  38.             --output trivy-results.sarif \
    39. 

  39.             --severity CRITICAL,HIGH \
    40. 

  40.             --vuln-type os,library \
    41. 

  41.             --no-progress .
    42. 

  42. 

  43.           # Generate JSON report and fail step if vulnerabilities are found
    44. 

  44.           trivy fs \
    45. 

  45.             --format json \
    46. 

  46.             --output trivy-results.json \
    47. 

  47.             --severity CRITICAL,HIGH \
    48. 

  48.             --vuln-type os,library \
    49. 

  49.             --no-progress \
    50. 

  50.             --exit-code 1 .
    51. 

  51. 

  52.       - name: Upload Trivy JSON report as artifact
    53. 

  53.         if: steps.trivy-scan.outcome == 'failure'
    54. 

  54.         uses: actions/upload-artifact@v7
    55. 

  55.         with:
    56. 

  56.           name: trivy-json-report
    57. 

  57.           path: trivy-results.json
    58. 

  58.           retention-days: 1
    59. 

  59. 

  60.       - name: Upload SARIF to GitHub Security tab
    61. 

  61.         if: always()
    62. 

  62.         uses: github/codeql-action/upload-sarif@v4
    63. 

  63.         with:
    64. 

  64.           sarif_file: 'trivy-results.sarif'
    65. 

  65.           category: trivy-fs
    66. 

  66. 

  67.       - name: Print vulnerability details and fail job
    68. 

  68.         
    69. 

  69.         if: steps.trivy-scan.outcome == 'failure'
    70. 

  70.         run: |
    71. 

  71.           echo "🛑 Trivy scan found CRITICAL or HIGH severity vulnerabilities. Details:"
    72. 

  72.           echo "--------------------------------------------------------------------"
    73. 

  73.           # Parse the JSON report and print a summary of each vulnerability
    74. 

  74.           jq -r '.Results[] | .Target as $target | if .Vulnerabilities then .Vulnerabilities[] | "File: \($target)\nPackage: \(.PkgName) (\(.InstalledVersion))\nID: \(.VulnerabilityID)\nSeverity: \(.Severity)\nLink: \(.PrimaryURL)\n--------------------------------------------------------------------" else empty end' trivy-results.json
    75. 

  75.           # Exit with a failure code to fail the workflow
    76. 

  76.           exit 1
    77.