|
| 1 | +name: Trivy Scans |
| 2 | + |
| 3 | +on: |
| 4 | + pull_request: |
| 5 | + branches: [ "main", "master", "develop" ] |
| 6 | + schedule: |
| 7 | + - cron: '0 0 1 * *' |
| 8 | + push: |
| 9 | + branches: [ "main", "master", "develop" ] |
| 10 | + |
| 11 | +permissions: |
| 12 | + contents: read |
| 13 | + |
| 14 | +jobs: |
| 15 | + build: |
| 16 | + permissions: |
| 17 | + contents: read |
| 18 | + security-events: write # Required for uploading SARIF to GitHub Security tab |
| 19 | + |
| 20 | + name: Build |
| 21 | + runs-on: ubuntu-latest |
| 22 | + steps: |
| 23 | + - name: Checkout code |
| 24 | + uses: actions/checkout@v4 |
| 25 | + |
| 26 | + - name: Build an image from Dockerfile |
| 27 | + run: | |
| 28 | + docker build -t docker.io/kbase/trivy:scan . |
| 29 | +
|
| 30 | + - name: Run Trivy vulnerability scanner |
| 31 | + uses: aquasecurity/trivy-action@master |
| 32 | + with: |
| 33 | + image-ref: "kbase/trivy:scan" |
| 34 | + format: "sarif" |
| 35 | + output: "trivy-results.sarif" |
| 36 | + timeout: "20m" |
| 37 | + ignore-unfixed: true |
| 38 | + severity: 'HIGH,CRITICAL' |
| 39 | + limit-severities-for-sarif: true |
| 40 | + exit-code: '1' # Fail Step if CVE of specified severity is detected |
| 41 | + |
| 42 | + - name: Upload Trivy scan results to GitHub Security tab |
| 43 | + # This step should always run to upload scan results, even if Trivy found issues |
| 44 | + if: always() |
| 45 | + uses: github/codeql-action/upload-sarif@v3 |
| 46 | + with: |
| 47 | + sarif_file: 'trivy-results.sarif' |
| 48 | + |
| 49 | + - name: Save SARIF file for subsequent jobs (1-day retention) |
| 50 | + # Always upload artifact so subsequent job can run, even if previous step failed |
| 51 | + if: always() |
| 52 | + uses: actions/upload-artifact@v4 |
| 53 | + with: |
| 54 | + name: trivy-sarif-results |
| 55 | + path: trivy-results.sarif |
| 56 | + retention-days: 1 # Artifact will be deleted from GitHub storage after 1 day |
| 57 | + |
| 58 | + check_critical_cves: # Renamed job for clarity |
| 59 | + permissions: |
| 60 | + contents: read |
| 61 | + statuses: write # Required to update GitHub commit status |
| 62 | + name: Log4j CVE checker # Name displayed in GitHub Actions UI for this job |
| 63 | + runs-on: ubuntu-latest |
| 64 | + needs: build # This job depends on the 'build' job completing first |
| 65 | + if: always() # Run this job even if the 'build' job failed (e.g., due to Trivy exit code) |
| 66 | + |
| 67 | + steps: |
| 68 | + |
| 69 | + - name: Download SARIF file |
| 70 | + uses: actions/download-artifact@v4 |
| 71 | + with: |
| 72 | + name: trivy-sarif-results |
| 73 | + path: . |
| 74 | + |
| 75 | + - name: Check for specific critical CVEs (Log4j/Spring) |
| 76 | + id: cve_check # ID for this step, used to reference its outputs later |
| 77 | + run: | |
| 78 | + set -e # Exit immediately if a command exits with a non-zero status |
| 79 | +
|
| 80 | + REQUIRED_CVES="CVE-2021-4104 CVE-2021-44228 CVE-2021-45046 CVE-2022-22965" |
| 81 | + SARIF_FILE="trivy-results.sarif" |
| 82 | + FOUND_CRITICAL=false |
| 83 | +
|
| 84 | + # Check if the SARIF file exists after download |
| 85 | + if [ ! -f "$SARIF_FILE" ]; then |
| 86 | + echo "SARIF file not found: $SARIF_FILE. Cannot perform CVE check." |
| 87 | + # Set outputs for GitHub Status to reflect that the check couldn't be performed |
| 88 | + echo "cve_found=false" >> "$GITHUB_OUTPUT" |
| 89 | + echo "status_description=SARIF not available for CVE check." >> "$GITHUB_OUTPUT" |
| 90 | + exit 1 |
| 91 | + fi |
| 92 | +
|
| 93 | + # Loop through each required CVE and check its presence in the SARIF file |
| 94 | + for CVE_ID in $REQUIRED_CVES; do |
| 95 | + # Grep for the exact CVE ID within a JSON "id" field for precision |
| 96 | + if grep -q "\"id\": \"${CVE_ID}\"" "$SARIF_FILE"; then |
| 97 | + echo "::error file=${SARIF_FILE}::CRITICAL CVE detected: ${CVE_ID}" |
| 98 | + FOUND_CRITICAL=true |
| 99 | + # Do not break here; continue to find and report all occurrences |
| 100 | + fi |
| 101 | + done |
| 102 | +
|
| 103 | + # Determine final output and exit code based on whether any critical CVEs were found |
| 104 | + if [ "$FOUND_CRITICAL" = true ]; then |
| 105 | + echo "cve_found=true" >> "$GITHUB_OUTPUT" |
| 106 | + echo "status_description=CRITICAL Log4j/Spring CVEs found!" >> "$GITHUB_OUTPUT" |
| 107 | + echo "Workflow step failed due to specific critical CVEs." |
| 108 | + exit 1 # Fail this step, which will cause the job to show as failed |
| 109 | + else |
| 110 | + echo "cve_found=false" >> "$GITHUB_OUTPUT" |
| 111 | + echo "status_description=No critical Log4j/Spring CVEs found." >> "$GITHUB_OUTPUT" |
| 112 | + exit 0 # Step succeeds |
| 113 | + fi |
0 commit comments