Create trivy workflow#74
Conversation
|
You are seeing this message because GitHub Code Scanning has recently been set up for this repository, or this pull request contains the workflow file for the Code Scanning tool. What Enabling Code Scanning Means:
For more information about GitHub Code Scanning, check out the documentation. |
🔒 Security Scan Results✅ No vulnerabilities found!📦 did-lambda✅ No vulnerabilities found View detailed results: Security tab |
| @@ -0,0 +1,220 @@ | |||
| const fs = require("fs"); | |||
There was a problem hiding this comment.
This is mostly copied from refiner's security-summary.js, but with only functions relevant to the scope of this ticket of work (trivy workflow).
| const errors = imageResults.filter((result) => result.error); | ||
|
|
||
| if (errors.length) { | ||
| message += `### ⚠ Scan incomplete: failed to parse ${errors.length} Trivy result(s).\n\n` | ||
| } |
There was a problem hiding this comment.
Added this small change. If parseScanResults throws while trying to parse the trivy JSON, add this snippet to the PR comment so that JSON parsing failures are not silently ignored.
| if (isLocalActRun) { | ||
| // log the message | ||
| core.info(message); | ||
| return; | ||
| } |
There was a problem hiding this comment.
If this script is run locally, only log the message, as local act runs won't be making comments to any PRs.
| - name: Build image locally (no push) | ||
| uses: docker/build-push-action@53b7df96c91f9c12dcc8a07bcb9ccacbed38856a # v7.3.0 | ||
| env: | ||
| DOCKER_BUILD_RECORD_UPLOAD: ${{ !env.ACT }} |
There was a problem hiding this comment.
Disable uploading the build record when running locally with act.
| if: ${{ always() && !env.ACT }} | ||
| with: | ||
| sarif_file: "trivy-${{ matrix.image.name }}-results.sarif" | ||
| category: "pr-scan-${{ matrix.image.name }}" | ||
|
|
||
| - name: Upload JSON results as artifact | ||
| uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 | ||
| if: ${{ always() && !env.ACT }} |
There was a problem hiding this comment.
Trivy uploads also disabled when running the workflow locally with act (for now).
Once nektos/act is updated to support new fields set by actions/upload-artifact (nektos/act#6039), we should be able to remove the && !env.ACT for the Upload JSON step and run the scan-summary job using the --artifact-server-path flag to test this locally .
| // parse `SCAN_IMAGES_CSV` to array | ||
| // ex: 'did-lambda,did-api' -> ['did-lambda', 'did-api'] | ||
| const images = (process.env.SCAN_IMAGES_CSV ?? '') | ||
| .split(',') | ||
| .map((x) => x.trim()) | ||
| .filter(Boolean); |
There was a problem hiding this comment.
Parses the SCAN_IMAGES_CSV env variable set above for what images to build PR summaries for.
This was changed from the original refiner script because the refiner image names were hard-coded in security-summary.js.
Related Issue
#70
Adapted from refiner's workflow: https://github.com/CDCgov/dibbs-ecr-refiner/blob/main/.github/workflows/pr-security-scan.yml
Changes Proposed
.github/workflows/pr-security-scan.yml.github/scripts/security-summary.js.dockerignorefor docker image buildsAdditional Information
All third-party actions are pinned using hashes, following advice earlier this year about reducing supply chain attacks. See:
The workflow can only be triggered manually for now.
Testing
You can see a test run here: https://github.com/CDCgov/dibbs-ecr-diff/actions/runs/29278499288
You can run locally with nektos/act as well with some caveats:
scan-summarydepends on uploaded artifacts, and we cannot test uploading the JSON artifact locally yet, running this locally won't do anythingTo run with act, you can use:
act pull_request -W .github/workflows/pr-security-scan.yml -j build-and-scan -s $GITHUB_TOKENChecklist for Primary Reviewer