Home Esplora Aiuto
Accedi
akillibulut
/
cost-model
mirror da https://github.com/kubecost/cost-model
2
0
Forka 0
File Problemi 0 Wiki
Ramo (Branch): bolt/default-collector-storage
Rami (Branch) Tag
cost-model
/
.github
/
workflows
/
vulnerability-scan.yaml

vulnerability-scan.yaml 2.4 KB
Permalink Cronologia Originale

1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768697071727374 
  1. name: Trivy Vulnerability Scanner
    2. 

  2. 

  3. permissions:
    4. 

  4.   issues: write
    5. 

  5.   contents: read
    6. 

  6.   security-events: write
    7. 

  7. 

  8. on:
    9. 

  9.   pull_request:
    10. 

  10.     branches:
    11. 

  11.       - develop
    12. 

  12.   push:
    13. 

  13.     branches:
    14. 

  14.       - develop
    15. 

  15. 

  16. jobs:
    17. 

  17.   scan:
    18. 

  18.     name: Scan for Vulnerabilities
    19. 

  19.     runs-on: ubuntu-latest
    20. 

  20.     steps:
    21. 

  21.       - name: Checkout code
    22. 

  22.         uses: actions/checkout@v4
    23. 

  23. 

  24.       - name: Install Trivy
    25. 

  25.         run: |
    26. 

  26.           curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin
    27. 

  27. 

  28.       - name: Run Trivy scan
    29. 

  29.         id: trivy-scan
    30. 

  30.         continue-on-error: true
    31. 

  31.         run: |
    32. 

  32.           # Generate SARIF report first
    33. 

  33.           trivy fs \
    34. 

  34.             --format template \
    35. 

  35.             --template '@/contrib/sarif.tpl' \
    36. 

  36.             --output trivy-results.sarif \
    37. 

  37.             --severity CRITICAL,HIGH \
    38. 

  38.             --vuln-type os,library \
    39. 

  39.             --no-progress .
    40. 

  40. 

  41.           # Generate JSON report and fail step if vulnerabilities are found
    42. 

  42.           trivy fs \
    43. 

  43.             --format json \
    44. 

  44.             --output trivy-results.json \
    45. 

  45.             --severity CRITICAL,HIGH \
    46. 

  46.             --vuln-type os,library \
    47. 

  47.             --no-progress \
    48. 

  48.             --exit-code 1 .
    49. 

  49. 

  50.       - name: Upload Trivy JSON report as artifact
    51. 

  51.         if: steps.trivy-scan.outcome == 'failure'
    52. 

  52.         uses: actions/upload-artifact@v4
    53. 

  53.         with:
    54. 

  54.           name: trivy-json-report
    55. 

  55.           path: trivy-results.json
    56. 

  56.           retention-days: 1
    57. 

  57. 

  58.       - name: Upload SARIF to GitHub Security tab
    59. 

  59.         if: always()
    60. 

  60.         uses: github/codeql-action/upload-sarif@v3
    61. 

  61.         with:
    62. 

  62.           sarif_file: 'trivy-results.sarif'
    63. 

  63.           category: trivy-fs
    64. 

  64. 

  65.       - name: Print vulnerability details and fail job
    66. 

  66.         
    67. 

  67.         if: steps.trivy-scan.outcome == 'failure'
    68. 

  68.         run: |
    69. 

  69.           echo "🛑 Trivy scan found CRITICAL or HIGH severity vulnerabilities. Details:"
    70. 

  70.           echo "--------------------------------------------------------------------"
    71. 

  71.           # Parse the JSON report and print a summary of each vulnerability
    72. 

  72.           jq -r '.Results[] | .Target as $target | if .Vulnerabilities then .Vulnerabilities[] | "File: \($target)\nPackage: \(.PkgName) (\(.InstalledVersion))\nID: \(.VulnerabilityID)\nSeverity: \(.Severity)\nLink: \(.PrimaryURL)\n--------------------------------------------------------------------" else empty end' trivy-results.json
    73. 

  73.           # Exit with a failure code to fail the workflow
    74. 

  74.           exit 1
    75.