From 225633798fbf1f74a106209c88ac650c499dd352 Mon Sep 17 00:00:00 2001
From: Monica Granbois
Date: Tue, 8 Jul 2025 14:53:56 -0700
Subject: [PATCH 01/12] add trivy scanning
---
 .github/workflows/build.yaml | 15 +++++++++++++++
 1 file changed, 15 insertions(+)
diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
index 86e860d..3debe3a 100644
--- a/.github/workflows/build.yaml
+++ b/.github/workflows/build.yaml
@@ -16,6 +16,7 @@ jobs:
 permissions:
 contents: read
 packages: write
+ security-events: write
 steps:
 - name: Checkout
 uses: actions/checkout@v4
@@ -53,3 +54,17 @@ jobs:
 tags: ${{ steps.meta.outputs.tags }}
 cache-from: type=registry,ref=${{ env.REGISTRY }}/${{ env.REPOSITORY_NAME }}:${{ env.CACHE_TAG }}
 cache-to: type=registry,ref=${{ env.REGISTRY }}/${{ env.REPOSITORY_NAME }}:${{ env.CACHE_TAG }},mode=max
+
+ - name: Run Trivy vulnerability scanner
+ uses: aquasecurity/trivy-action@0.32.0
+ with:
+ image-ref: '{{ env.REGISTRY }}/${{ env.REPOSITORY_NAME }}:${{ github.sha }}'
+ severity: CRITIICAL,HIGH,MEDIUM
+ format: 'sarif'
+ output: 'trivy-results.sarif'
+
+ - name: Upload Trivy scan results to GitHub Security tab
+ uses: github/codeql-action/upload-sarif@v3
+ if: always()
+ with:
+ sarif_file: 'trivy-results.sarif'
From 7abf1bb0b4121914f547990ed88b751f1dcb8f4d Mon Sep 17 00:00:00 2001
From: Monica Granbois
Date: Tue, 8 Jul 2025 14:56:49 -0700
Subject: [PATCH 02/12] add security permission to parent workflows
---
 .github/workflows/build-update-gitops-pr-branch.yaml | 1 +
 .github/workflows/build-update-gitops.yaml | 1 +
 2 files changed, 2 insertions(+)
diff --git a/.github/workflows/build-update-gitops-pr-branch.yaml b/.github/workflows/build-update-gitops-pr-branch.yaml
index 4ab0179..9d91d06 100644
--- a/.github/workflows/build-update-gitops-pr-branch.yaml
+++ b/.github/workflows/build-update-gitops-pr-branch.yaml
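Review bot: The new scan step pins `aquasecurity/trivy-action@0.32.0` by release tag, so what runs with the job's registry login and the newly granted `security-events: write` token is whatever that mutable tag resolves to at run time; pin third-party actions to a full commit SHA, `uses: aquasecurity/trivy-action@<full-commit-sha>  # v0.32.0`. The step also leaves trivy-action's `exit-code` at its default of 0, so even CRITICAL findings never fail the job and the image (presumably already pushed by the build step above the hunk) is only flagged in the Security tab; if the scan is meant to gate, add `exit-code: '1'` (the `if: always()` on the upload step already keeps the SARIF upload alive in that case). A one-line comment above the step stating the chosen policy, e.g. `# Report-only: findings go to the Security tab, the job does not fail on them`, would make the intent explicit either way. The enclosing job starts outside the hunk.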
@@ -46,6 +46,7 @@ jobs: permissions: contents: read packages: write + security-events: write if: ${{ (needs.get-build-mode.outputs.SHOULD_BUILD == 'true') || (needs.get-build-mode.outputs.SHOULD_BUILD_DEPLOY == 'true') }} uses: ./.github/workflows/build.yaml diff --git a/.github/workflows/build-update-gitops.yaml b/.github/workflows/build-update-gitops.yaml index 07572ec..03506ac 100644 --- a/.github/workflows/build-update-gitops.yaml +++ b/.github/workflows/build-update-gitops.yaml @@ -27,6 +27,7 @@ jobs: permissions: contents: read packages: write + security-events: write uses: ./.github/workflows/build.yaml get-short-sha: From 4edbc664f906894fdacaa93d43599e36836fad5d Mon Sep 17 00:00:00 2001 From: Monica Granbois Date: Tue, 8 Jul 2025 14:59:28 -0700 Subject: [PATCH 03/12] fix typo --- .github/workflows/build.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml index 3debe3a..22e6cc2 100644 --- a/.github/workflows/build.yaml +++ b/.github/workflows/build.yaml @@ -58,7 +58,7 @@ jobs: - name: Run Trivy vulnerability scanner uses: aquasecurity/trivy-action@0.32.0 with: - image-ref: '{{ env.REGISTRY }}/${{ env.REPOSITORY_NAME }}:${{ github.sha }}' + image-ref: '${{ env.REGISTRY }}/${{ env.REPOSITORY_NAME }}:${{ github.sha }}' severity: CRITIICAL,HIGH,MEDIUM format: 'sarif' output: 'trivy-results.sarif' From f1f6d31907b6e3169e66769c830551811cd4fa6d Mon Sep 17 00:00:00 2001 From: Monica Granbois Date: Tue, 8 Jul 2025 15:08:43 -0700 Subject: [PATCH 04/12] get tag from meta --- .github/workflows/build.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml index 22e6cc2..70b9bae 100644 --- a/.github/workflows/build.yaml +++ b/.github/workflows/build.yaml 
@@ -58,7 +58,7 @@ jobs: - name: Run Trivy vulnerability scanner uses: aquasecurity/trivy-action@0.32.0 with: - image-ref: '${{ env.REGISTRY }}/${{ env.REPOSITORY_NAME }}:${{ github.sha }}' + image-ref: '${{ env.REGISTRY }}/${{ env.REPOSITORY_NAME }}:${{ steps.meta.outputs.version }}' severity: CRITIICAL,HIGH,MEDIUM format: 'sarif' output: 'trivy-results.sarif' From aa17e0dbc1f5ae89cabe4976175eb8658cd9e1e7 Mon Sep 17 00:00:00 2001 From: Monica Granbois Date: Tue, 8 Jul 2025 15:17:09 -0700 Subject: [PATCH 05/12] trying with all severity levels --- .github/workflows/build.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml index 70b9bae..78fc11a 100644 --- a/.github/workflows/build.yaml +++ b/.github/workflows/build.yaml @@ -59,7 +59,7 @@ jobs: uses: aquasecurity/trivy-action@0.32.0 with: image-ref: '${{ env.REGISTRY }}/${{ env.REPOSITORY_NAME }}:${{ steps.meta.outputs.version }}' - severity: CRITIICAL,HIGH,MEDIUM + #severity: CRITIICAL,HIGH,MEDIUM format: 'sarif' output: 'trivy-results.sarif' From f25a94e60674764c1bc7c6e82856479283d971cb Mon Sep 17 00:00:00 2001 From: Monica Granbois Date: Tue, 8 Jul 2025 15:25:35 -0700 Subject: [PATCH 06/12] Use sarif template --- .github/workflows/build.yaml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml index 78fc11a..128c1ce 100644 --- a/.github/workflows/build.yaml +++ b/.github/workflows/build.yaml @@ -60,7 +60,8 @@ jobs: with: image-ref: '${{ env.REGISTRY }}/${{ env.REPOSITORY_NAME }}:${{ steps.meta.outputs.version }}' #severity: CRITIICAL,HIGH,MEDIUM - format: 'sarif' + format: 'template' + template: '@/contrib/sarif.tpl' output: 'trivy-results.sarif' - name: Upload Trivy scan results to GitHub Security tab From 93b2b598bc30795b7a872458b49c5e93fc61cbe2 Mon Sep 17 00:00:00 2001 
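Review bot: `steps.meta.outputs.version` is the single highest-priority tag chosen by docker/metadata-action, so which image this scans now depends on the triggering event rather than on one fixed tag — with the `type=sha` and `type=ref,event=pr` tags configured earlier in the file this resolves to the `pr-N` tag on pull_request events and the short `sha-` tag otherwise, if the action's default priorities apply. A comment on the `image-ref` line should record that assumption, e.g. `# scan the tag the build just pushed: metadata-action's top-priority tag for this event`, so that a later change to the tags block does not silently point the scan at a tag that was never pushed. The step list continues outside the hunk.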
From: Monica Granbois Date: Wed, 9 Jul 2025 11:15:31 -0700 Subject: [PATCH 07/12] testing trivy --- .github/workflows/build.yaml | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml index 128c1ce..8ce3f80 100644 --- a/.github/workflows/build.yaml +++ b/.github/workflows/build.yaml @@ -64,6 +64,13 @@ jobs: template: '@/contrib/sarif.tpl' output: 'trivy-results.sarif' + - name: Check Trivy results + run: | + echo "Trivy results file size:" + ls -la trivy-results.sarif + echo "First 50 lines of results:" + head -50 trivy-results.sarif + - name: Upload Trivy scan results to GitHub Security tab uses: github/codeql-action/upload-sarif@v3 if: always() From 61c06bcdf24844b4696e30813ffd45246c0c02bb Mon Sep 17 00:00:00 2001 From: Monica Granbois Date: Fri, 11 Jul 2025 10:05:53 -0700 Subject: [PATCH 08/12] debugging --- .github/workflows/build.yaml | 19 ++++++++++++++----- 1 file changed, 14 insertions(+), 5 deletions(-) diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml index 8ce3f80..02329ce 100644 --- a/.github/workflows/build.yaml +++ b/.github/workflows/build.yaml 
@@ -59,18 +59,27 @@ jobs: uses: aquasecurity/trivy-action@0.32.0 with: image-ref: '${{ env.REGISTRY }}/${{ env.REPOSITORY_NAME }}:${{ steps.meta.outputs.version }}' - #severity: CRITIICAL,HIGH,MEDIUM + severity: 'CRITICAL,HIGH,MEDIUM,LOW' format: 'template' template: '@/contrib/sarif.tpl' output: 'trivy-results.sarif' - name: Check Trivy results run: | - echo "Trivy results file size:" - ls -la trivy-results.sarif - echo "First 50 lines of results:" - head -50 trivy-results.sarif + run: | + echo "=== SARIF file content ===" + cat trivy-results.sarif + echo "=== Results count ===" + grep -c '"ruleId"' trivy-results.sarif || echo "No vulnerabilities found" + - name: Validate SARIF file + run: | + echo "=== Checking for results in SARIF ===" + if grep -q '"results":\s*\[\s*\]' trivy-results.sarif; then + echo "SARIF file contains empty results array - no vulnerabilities found" + else + echo "SARIF file contains results" + fi - name: Upload Trivy scan results to GitHub Security tab uses: github/codeql-action/upload-sarif@v3 if: always() From e54b62baa5e6328b8fbcdf0cfaaf4cc12cb2f456 Mon Sep 17 00:00:00 2001 From: Monica Granbois Date: Fri, 11 Jul 2025 10:29:48 -0700 Subject: [PATCH 09/12] add branch to tag --- .github/workflows/build.yaml | 20 ++------------------ 1 file changed, 2 insertions(+), 18 deletions(-) diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml index 02329ce..1cdda6f 100644 --- a/.github/workflows/build.yaml +++ b/.github/workflows/build.yaml @@ -32,6 +32,7 @@ jobs: tags: | type=sha type=ref,event=pr + type=ref,event=branch - name: Login to GHCR uses: docker/login-action@v3 with: 
@@ -59,27 +60,10 @@ jobs:
 uses: aquasecurity/trivy-action@0.32.0
 with:
 image-ref: '${{ env.REGISTRY }}/${{ env.REPOSITORY_NAME }}:${{ steps.meta.outputs.version }}'
- severity: 'CRITICAL,HIGH,MEDIUM,LOW'
+ severity: 'CRITICAL,HIGH,MEDIUM'
 format: 'template'
 template: '@/contrib/sarif.tpl'
 output: 'trivy-results.sarif'
-
- - name: Check Trivy results
- run: |
- run: |
- echo "=== SARIF file content ==="
- cat trivy-results.sarif
- echo "=== Results count ==="
- grep -c '"ruleId"' trivy-results.sarif || echo "No vulnerabilities found"
-
- - name: Validate SARIF file
- run: |
- echo "=== Checking for results in SARIF ==="
- if grep -q '"results":\s*\[\s*\]' trivy-results.sarif; then
- echo "SARIF file contains empty results array - no vulnerabilities found"
- else
- echo "SARIF file contains results"
- fi
 - name: Upload Trivy scan results to GitHub Security tab
 uses: github/codeql-action/upload-sarif@v3
 if: always()
From 3ff5e6cfb1946196a057741f5c993d4ef6ac2957 Mon Sep 17 00:00:00 2001
From: Monica Granbois
Date: Fri, 11 Jul 2025 10:40:25 -0700
Subject: [PATCH 10/12] add branch name to tag try 2
---
 .github/workflows/build.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
index 1cdda6f..15c15a8 100644
--- a/.github/workflows/build.yaml
+++ b/.github/workflows/build.yaml
@@ -32,7 +32,7 @@ jobs:
 tags: |
 type=sha
 type=ref,event=pr
- type=ref,event=branch
+ type=raw,value=${{ github.ref_name }}
 - name: Login to GHCR
 uses: docker/login-action@v3
 with:
From 0f27de3c5a50e1f853426aa5cf5c6d649486c5e7 Mon Sep 17 00:00:00 2001
From: Monica Granbois
Date: Fri, 11 Jul 2025 13:59:26 -0700
Subject: [PATCH 11/12] Added scheduled run
---
 .github/workflows/build.yaml | 4 +++-
 .github/workflows/scheduled.yaml | 14 ++++++++++++++
 2 files changed, 17 insertions(+), 1 deletion(-)
 create mode 100644 .github/workflows/scheduled.yaml
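Review bot: `type=raw,value=${{ github.ref_name }}` takes the ref name verbatim, and on `pull_request` events (which this workflow evidently serves, given the `type=ref,event=pr` tag above it) `github.ref_name` is `<number>/merge`, a value containing `/` that is not a valid image tag; whether docker/metadata-action sanitises raw values should be confirmed on a PR run, and if it does not, restrict the tag with `type=raw,value=${{ github.ref_name }},enable=${{ github.event_name != 'pull_request' }}`. The tag is also mutable — every rebuild on the same branch overwrites it in the registry — so a comment above the line should say what it is for, e.g. `# mutable branch-name tag (e.g. main) for push and scheduled runs; the sha and pr-N tags cover other events`. Which of these tags the Trivy `image-ref` (`steps.meta.outputs.version`, outside this hunk) ends up scanning depends on metadata-action's tag priorities.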
diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml index 15c15a8..77eb8f0 100644 --- a/.github/workflows/build.yaml +++ b/.github/workflows/build.yaml @@ -60,10 +60,12 @@ jobs: uses: aquasecurity/trivy-action@0.32.0 with: image-ref: '${{ env.REGISTRY }}/${{ env.REPOSITORY_NAME }}:${{ steps.meta.outputs.version }}' - severity: 'CRITICAL,HIGH,MEDIUM' + severity: 'CRITICAL,HIGH' format: 'template' template: '@/contrib/sarif.tpl' output: 'trivy-results.sarif' + + # To review results for a PR in the GitHub Security tab, filter for "pr:NUM tool:Trivy is:open" - name: Upload Trivy scan results to GitHub Security tab uses: github/codeql-action/upload-sarif@v3 if: always() diff --git a/.github/workflows/scheduled.yaml b/.github/workflows/scheduled.yaml new file mode 100644 index 0000000..7711381 --- /dev/null +++ b/.github/workflows/scheduled.yaml @@ -0,0 +1,14 @@ +name: Scheduled trivy scan + +on: + workflow_dispatch: + schedule: + - cron: '30 8 * * 1' + +jobs: + call-build-workflow: + permissions: + contents: read + packages: write + security-events: write + uses: ./.github/workflows/build.yaml From 943327cbcb35e1a4c40e963abc91b90052e79813 Mon Sep 17 00:00:00 2001 From: Monica Granbois Date: Thu, 17 Jul 2025 11:54:56 -0700 Subject: [PATCH 12/12] removed template, it is deprecated --- .github/workflows/build.yaml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml index 77eb8f0..af7d585 100644 --- a/.github/workflows/build.yaml +++ b/.github/workflows/build.yaml @@ -61,8 +61,7 @@ jobs: with: image-ref: '${{ env.REGISTRY }}/${{ env.REPOSITORY_NAME }}:${{ steps.meta.outputs.version }}' severity: 'CRITICAL,HIGH' - format: 'template' - template: '@/contrib/sarif.tpl' + format: 'sarif' output: 'trivy-results.sarif' # To review results for a PR in the GitHub Security tab, filter for "pr:NUM tool:Trivy is:open"
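Review bot: The scheduled job calls build.yaml end to end, so the weekly run does not merely rescan the image already published — it rebuilds and re-pushes it (hence `packages: write`), and with the `type=raw` branch tag added earlier in the series it also moves a mutable tag in the registry; if the purpose is to catch newly disclosed CVEs in the image already deployed, state that in the file, and consider a scan-only path against the existing tag that would let this workflow drop `packages: write`. The cron schedule is evaluated in UTC by GitHub Actions, which the file does not say; add `# Mondays 08:30 UTC` above `- cron: '30 8 * * 1'`. The `name: Scheduled trivy scan` title should also mention that it builds and pushes, so readers of the Actions tab are not misled about what the run does.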