From 2ef9051848a2c33b70652a29d06cb17c361964e4 Mon Sep 17 00:00:00 2001 From: rajapandi1234 <138785181+rajapandi1234@users.noreply.github.com> Date: Tue, 24 Sep 2024 17:22:56 +0530 Subject: [PATCH 1/5] Create trivy.yml Signed-off-by: rajapandi1234 <138785181+rajapandi1234@users.noreply.github.com> --- .github/workflows/trivy.yml | 59 +++++++++++++++++++++++++++++++++++++ 1 file changed, 59 insertions(+) create mode 100644 .github/workflows/trivy.yml diff --git a/.github/workflows/trivy.yml b/.github/workflows/trivy.yml new file mode 100644 index 0000000..7045346 --- /dev/null +++ b/.github/workflows/trivy.yml 
@@ -0,0 +1,59 @@
+name: Trivy Scan
+
+on:
+ push:
+ branches:
+ - master
+ - develop
+ - develop2
+
+ pull_request:
+ branches:
+ - master
+ - develop
+ - develop2
+
+
+jobs:
+ trivy-scan:
+ runs-on: ubuntu-latest
+ env:
+ NAMESPACE: ${{ secrets.dev_namespace_docker_hub }}
+ SERVICE_NAME: databreachdetector
+ VERSION: latest # Modify this as needed or set dynamically based on your versioning scheme
+
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v2
+
+ - name: Build Docker image
+ run: |
+ cd "${{ env.SERVICE_LOCATION }}"
+ docker build . --file Dockerfile --tag ${{ env.SERVICE_NAME }}:${{ env.VERSION }}
+
+ - name: Run Trivy vulnerability scanner
+ uses: aquasecurity/trivy-action@0.20.0
+ with:
+ image-ref: 'docker.io/${{ env.SERVICE_NAME }}:${{ env.VERSION }}'
+ format: 'sarif'
+ output: 'trivy-results.sarif'
+
+ - name: Report vulnerabilities in PR
+ if: failure() && steps.scan.outcome == 'failure'
+ env:
+ GITHUB_TOKEN: ${{ inputs.github_token }}
+ shell: bash
+ run: |
+ echo -n "{\"body\":\"### Vulnerabilities detected\nThe following vulnerabilities of HIGH or CRITICAL severity has been detected in the code. Please resolve these before merging the pull request.\n\n" > result.json
+ cat trivy.json | sort | uniq | tr -d '\n' >> result.json
+ echo "\"}" >> result.json
+ curl -X POST -H "Accept: application/vnd.github+json" \
+ -H "X-GitHub-Api-Version: 2022-11-28" \
+ -H "Authorization: Bearer $GITHUB_TOKEN" \
+ ${{ github.event.pull_request.comments_url }} \
+ -d @result.json
+
+ - name: Upload Trivy scan results to GitHub Security tab
+ uses: github/codeql-action/upload-sarif@v2
+ with:
+ sarif_file: 'trivy-results.sarif'
From e1f2cafd342b470ec77df4ed8b4089c3249f8f4b Mon Sep 17 00:00:00 2001 From: rajapandi1234 <138785181+rajapandi1234@users.noreply.github.com> Date: Tue, 24 Sep 2024 17:30:54 +0530 Subject: [PATCH 2/5] Update trivy.yml 
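Review bot: The workflow declares no `permissions:` block, so `upload-sarif` (which needs `security-events: write`) and the PR comment step (which needs `pull-requests: write`) depend on whatever default token scope the repository grants, which is either too little to work or more than the job needs. The comment step also cannot fire as written: `steps.scan.outcome` names a step id no step declares, `inputs.github_token` is empty on `push`/`pull_request` triggers, the Trivy step sets no `exit-code`/`severity` so it never fails on findings, and the body is built from `trivy.json`, which nothing produces (the scanner writes `trivy-results.sarif`), spliced unescaped into a JSON string. `cd "${{ env.SERVICE_LOCATION }}"` references a variable the job `env:` never sets, and `image-ref: 'docker.io/…'` may not match the image tagged locally as `${{ env.SERVICE_NAME }}:${{ env.VERSION }}` — worth checking that Trivy scans the freshly built image rather than attempting a registry pull. The actions are pinned to mutable tags rather than commit SHAs, and `actions/checkout@v2` and `github/codeql-action/upload-sarif@v2` are deprecated majors (`@v4` and `@v3` are current). The outline below adds an explicit least-privilege permissions block, gives the scan step an `id` and failure thresholds, switches the token to `secrets.GITHUB_TOKEN`, and lets the SARIF upload run even when the scan step fails.

```yaml
permissions:
  contents: read
  security-events: write
  pull-requests: write

jobs:
  trivy-scan:
    # … unchanged: runs-on, env, checkout and build steps …
      - name: Run Trivy vulnerability scanner
        id: scan
        uses: aquasecurity/trivy-action@0.20.0
        with:
          # … unchanged: image-ref, format, output …
          severity: 'HIGH,CRITICAL'
          exit-code: '1'

      - name: Report vulnerabilities in PR
        if: failure() && steps.scan.outcome == 'failure'
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        # … unchanged: shell, run …

      - name: Upload Trivy scan results to GitHub Security tab
        if: always()
        uses: github/codeql-action/upload-sarif@v2
        # … unchanged: with …
```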
Signed-off-by: rajapandi1234 <138785181+rajapandi1234@users.noreply.github.com> --- .github/workflows/trivy.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/trivy.yml b/.github/workflows/trivy.yml index 7045346..2c7ba46 100644 --- a/.github/workflows/trivy.yml +++ b/.github/workflows/trivy.yml @@ -29,7 +29,7 @@ jobs: - name: Build Docker image run: | cd "${{ env.SERVICE_LOCATION }}" - docker build . --file Dockerfile --tag ${{ env.SERVICE_NAME }}:${{ env.VERSION }} + docker build . --file databreachdetector--tag ${{ env.SERVICE_NAME }}:${{ env.VERSION }} - name: Run Trivy vulnerability scanner uses: aquasecurity/trivy-action@0.20.0 From fba4132116d0d3d2e73ecb462abdf5f537a94b6b Mon Sep 17 00:00:00 2001 From: rajapandi1234 <138785181+rajapandi1234@users.noreply.github.com> Date: Tue, 24 Sep 2024 17:54:17 +0530 Subject: [PATCH 3/5] Update trivy.yml Signed-off-by: rajapandi1234 <138785181+rajapandi1234@users.noreply.github.com> --- .github/workflows/trivy.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/trivy.yml b/.github/workflows/trivy.yml index 2c7ba46..dc8eeab 100644 --- a/.github/workflows/trivy.yml +++ b/.github/workflows/trivy.yml @@ -28,8 +28,8 @@ jobs: - name: Build Docker image run: | - cd "${{ env.SERVICE_LOCATION }}" - docker build . --file databreachdetector--tag ${{ env.SERVICE_NAME }}:${{ env.VERSION }} + + docker build . --file databreachdetector/Dockerfile --tag ${{ env.SERVICE_NAME }}:${{ env.VERSION }} - name: Run Trivy vulnerability scanner uses: aquasecurity/trivy-action@0.20.0 From 3781fe7c57eb84936be655afadbd445e8523744c Mon Sep 17 00:00:00 2001 From: rajapandi1234 <138785181+rajapandi1234@users.noreply.github.com> Date: Wed, 25 Sep 2024 10:21:02 +0530 Subject: [PATCH 4/5] Update trivy.yml Signed-off-by: rajapandi1234 <138785181+rajapandi1234@users.noreply.github.com> --- .github/workflows/trivy.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
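Review bot: The added `docker build` line drops the space before `--tag`, so `--file` receives the literal path `databreachdetector--tag` and `${{ env.SERVICE_NAME }}:${{ env.VERSION }}` becomes a second positional context argument, which `docker build` rejects. Patch 3/5 in this series reinserts the space, so nothing further is needed on this hunk beyond noting that the intermediate commit leaves the workflow unable to build; squashing the series before merge would keep that state out of history.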
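Review bot: With the `cd` line removed, the build now runs from the checkout root using `.` as the context while the Dockerfile lives in `databreachdetector/`, so any `COPY`/`ADD` in that Dockerfile resolves against the repository root and the entire checkout (including `.git`, absent a root `.dockerignore`) is shipped to the daemon as build context. If the service directory is the intended context, `docker build databreachdetector --file databreachdetector/Dockerfile --tag ${{ env.SERVICE_NAME }}:${{ env.VERSION }}` keeps the context and Dockerfile consistent. The removal also leaves an empty first line inside the `run: |` block, which is harmless but looks unintended.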
diff --git a/.github/workflows/trivy.yml b/.github/workflows/trivy.yml index dc8eeab..0342584 100644 --- a/.github/workflows/trivy.yml +++ b/.github/workflows/trivy.yml @@ -29,7 +29,7 @@ jobs: - name: Build Docker image run: | - docker build . --file databreachdetector/Dockerfile --tag ${{ env.SERVICE_NAME }}:${{ env.VERSION }} + docker build . --file databreachdetector/ --tag ${{ env.SERVICE_NAME }}:${{ env.VERSION }} - name: Run Trivy vulnerability scanner uses: aquasecurity/trivy-action@0.20.0 From 2d361b68c6b588942f70afe86d77ed4a618d0e40 Mon Sep 17 00:00:00 2001 From: rajapandi1234 <138785181+rajapandi1234@users.noreply.github.com> Date: Wed, 25 Sep 2024 10:23:13 +0530 Subject: [PATCH 5/5] Update trivy.yml Signed-off-by: rajapandi1234 <138785181+rajapandi1234@users.noreply.github.com> --- .github/workflows/trivy.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/trivy.yml b/.github/workflows/trivy.yml index 0342584..9f7c880 100644 --- a/.github/workflows/trivy.yml +++ b/.github/workflows/trivy.yml @@ -28,8 +28,8 @@ jobs: - name: Build Docker image run: | - - docker build . --file databreachdetector/ --tag ${{ env.SERVICE_NAME }}:${{ env.VERSION }} + cd "${{ env.SERVICE_LOCATION }}" + docker build . --file databreachdetector/Dockerfile --tag ${{ env.SERVICE_NAME }}:${{ env.VERSION }} - name: Run Trivy vulnerability scanner uses: aquasecurity/trivy-action@0.20.0
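Review bot: `--file databreachdetector/` names a directory, and `docker build` requires `--file` to point at a Dockerfile, so this revision fails before any image is produced; patch 5/5 reverts it. Together with patches 2/5 and 3/5 this leaves three consecutive commits whose workflow cannot build, which argues for squashing the series before it lands.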
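Review bot: The restored `cd "${{ env.SERVICE_LOCATION }}"` refers to a variable the job's `env:` block (per patch 1/5: `NAMESPACE`, `SERVICE_NAME`, `VERSION`) never defines, and it conflicts with the path on the next line: if `SERVICE_LOCATION` were set to `databreachdetector`, `--file databreachdetector/Dockerfile` would no longer resolve, while with it unset the `cd` appears to be a no-op on bash and the build silently runs from the repository root. Pick one: either drop the `cd` and use `docker build databreachdetector --file databreachdetector/Dockerfile --tag ${{ env.SERVICE_NAME }}:${{ env.VERSION }}`, or add `SERVICE_LOCATION: databreachdetector` to `env:` and use `--file Dockerfile` after the `cd`. In either form, read the value in the shell as `"$SERVICE_LOCATION"` (job `env:` entries are exported to the step shell) rather than via `${{ env.… }}` template expansion inside `run:`, which is the pattern GitHub's guidance on script injection recommends avoiding.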