-
Notifications
You must be signed in to change notification settings - Fork 1
/
Copy pathaction.yml
139 lines (138 loc) · 6.45 KB
/
action.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
name: 'Trivy CVE Scan'
description: 'Build Deckhouse module'
inputs:
image:
description: 'URL to a registry image, e.g., registry.example.com/deckhouse/modules/module_name'
required: true
tag:
description: 'module image tag'
required: true
module_name:
description: 'module name'
required: true
dd_url:
description: 'URL to defectDojo'
required: true
dd_token:
description: 'token of defectDojo to upload reports'
required: true
trivy_registry:
description: 'must be deckhouse prod registry, used to get trivy databases'
required: true
trivy_registry_user:
description: 'username to log in to deckhouse prod registry'
required: true
trivy_registry_password:
description: 'password to log in to deckhouse prod registry'
required: true
deckhouse_private_repo:
description: 'url to private repo'
required: true
runs:
using: "composite"
steps:
- name: Get Trivy
shell: bash
env:
TRIVY_BIN_VERSION: "v0.58.1"
TRIVY_REPO_ID: "2181"
DECKHOUSE_PRIVATE_REPO: ${{inputs.deckhouse_private_repo}}
run: |
echo "Get Trivy"
mkdir -p bin/trivy-${TRIVY_BIN_VERSION}
curl https://${DECKHOUSE_PRIVATE_REPO}/api/v4/projects/${TRIVY_REPO_ID}/packages/generic/trivy-${TRIVY_BIN_VERSION}/${TRIVY_BIN_VERSION}/trivy -o bin/trivy-${TRIVY_BIN_VERSION}/trivy
chmod u+x bin/trivy-${TRIVY_BIN_VERSION}/trivy
echo "${PWD}/bin/trivy-${TRIVY_BIN_VERSION}" >> $GITHUB_PATH
bin/trivy-${TRIVY_BIN_VERSION}/trivy clean --all
- name: Run Trivy CVE Scan
shell: bash
env:
SEVERITY: "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL"
IMAGES_DIGESTS_PATH: "/images_digests.json"
IMAGE: ${{inputs.image}}
TAG: ${{inputs.tag}}
MODULE_NAME: ${{inputs.module_name}}
DD_URL: ${{inputs.dd_url}}
DD_TOKEN: ${{inputs.dd_token}}
TRIVY_REGISTRY_USER: ${{inputs.trivy_registry_user}}
TRIVY_REGISTRY_PASSWORD: ${{inputs.trivy_registry_password}}
TRIVY_DB_URL: ${{inputs.trivy_registry}}/deckhouse/ee/security/trivy-db:2
TRIVY_JAVA_DB_URL: ${{inputs.trivy_registry}}/deckhouse/ee/security/trivy-java-db:1
TRIVY_POLICY_URL: ${{inputs.trivy_registry}}/deckhouse/ee/security/trivy-bdu:1
run: |
echo "Run Trivy scan"
echo "Image to check: $IMAGE:$TAG"
echo "Severity: $SEVERITY"
echo "----------------------------------------------"
echo ""
echo "Getting module image"
crane export "$IMAGE:$TAG" "${MODULE_NAME}.tar"
mkdir "$MODULE_NAME"
tar xf "${MODULE_NAME}.tar" -C "${MODULE_NAME}/"
echo "Preparing images list to scan"
digests=$(cat "${MODULE_NAME}${IMAGES_DIGESTS_PATH}")
# Main module images to scan
digests=$(echo "$digests"|jq --arg i "$MODULE_NAME" --arg s "$TAG" '. += { ($i): ($s) }')
echo "Images to scan:"
echo "$digests"
mkdir -p out/json
touch out/.trivyignore
date_iso=$(date -I)
for module_image in $(jq -rc 'to_entries[]' <<< "$digests"); do
IMAGE_NAME=$(jq -rc '.key' <<< "$module_image")
if [[ "$IMAGE_NAME" == "trivy" ]]; then
continue
fi
# Set flag if additional image to use tag instead of hash
additional_image_detected=false
if [ "$IMAGE_NAME" == "$MODULE_NAME" ]; then
additional_image_detected=true
fi
echo "----------------------------------------------"
echo "👾 Image: $IMAGE_NAME"
echo ""
IMAGE_HASH="$(jq -rc '.value' <<< "$module_image")"
IMAGE_REPORT_NAME="$MODULE_NAME::$IMAGE_NAME"
# Output reports per images
echo " Scanning $IMAGE_REPORT_NAME"
if [ "$additional_image_detected" == true ]; then
trivy i --policy "$TRIVY_POLICY_URL" --java-db-repository "$TRIVY_JAVA_DB_URL" --db-repository "$TRIVY_DB_URL" --exit-code 0 --severity "$SEVERITY" --ignorefile "out/.trivyignore" --format table --scanners vuln --quiet "$IMAGE:$TAG"
trivy i --policy "$TRIVY_POLICY_URL" --java-db-repository "$TRIVY_JAVA_DB_URL" --db-repository "$TRIVY_DB_URL" --exit-code 0 --severity "$SEVERITY" --ignorefile "out/.trivyignore" --format json --scanners vuln --output "out/json/d8_${MODULE_NAME}_${IMAGE_NAME}_report.json" --quiet "$IMAGE:$TAG"
else
trivy i --policy "$TRIVY_POLICY_URL" --java-db-repository "$TRIVY_JAVA_DB_URL" --db-repository "$TRIVY_DB_URL" --exit-code 0 --severity "$SEVERITY" --ignorefile "out/.trivyignore" --format table --scanners vuln --quiet "$IMAGE@$IMAGE_HASH"
trivy i --policy "$TRIVY_POLICY_URL" --java-db-repository "$TRIVY_JAVA_DB_URL" --db-repository "$TRIVY_DB_URL" --exit-code 0 --severity "$SEVERITY" --ignorefile "out/.trivyignore" --format json --scanners vuln --output "out/json/d8_${MODULE_NAME}_${IMAGE_NAME}_report.json" --quiet "$IMAGE@$IMAGE_HASH"
fi
echo " Done"
echo ""
echo " Uploading trivy CVE report for image ${IMAGE_NAME} of ${MODULE_NAME} module"
echo ""
curl -s -X POST \
${DD_URL}/api/v2/reimport-scan/ \
-H "accept: application/json" \
-H "Content-Type: multipart/form-data" \
-H "Authorization: Token ${DD_TOKEN}" \
-F "auto_create_context=True" \
-F "minimum_severity=Info" \
-F "active=true" \
-F "verified=true" \
-F "scan_type=Trivy Scan" \
-F "close_old_findings=true" \
-F "do_not_reactivate=false" \
-F "push_to_jira=false" \
-F "file=@out/json/d8_${MODULE_NAME}_${IMAGE_NAME}_report.json" \
-F "product_type_name=Deckhouse images" \
-F "product_name=$MODULE_NAME" \
-F "scan_date=${date_iso}" \
-F "engagement_name=CVE Test: ${MODULE_NAME} Images" \
-F "service=${MODULE_NAME} / ${IMAGE_NAME}" \
-F "group_by=component_name+component_version" \
-F "deduplication_on_engagement=false" \
-F "tags=deckhouse_module,module:${MODULE_NAME},image:${IMAGE_NAME},branch:${TAG}" \
-F "test_title=[${MODULE_NAME}]: ${IMAGE_NAME}:${TAG}" \
-F "version=${TAG}" \
-F "build_id=${IMAGE_HASH}" \
-F "commit_hash=${CI_COMMIT_SHA}" \
-F "branch_tag=${TAG}" \
-F "apply_tags_to_findings=true" \
> /dev/null
done