Improve trivy checks
jmthomas committed Dec 20, 2024
1 parent b25adc7 commit 15bb179
Showing 2 changed files with 13 additions and 61 deletions.
71 changes: 11 additions & 60 deletions .github/workflows/trivy.yml
Expand Up @@ -32,16 +32,12 @@ jobs:
OPENC3_TAG: ${{ github.sha }}
- name: Run Trivy on image ruby
if: ${{ !cancelled() && steps.build.outcome == 'success' }}
# See https://github.com/aquasecurity/trivy-action
uses: aquasecurity/trivy-action@master
with:
image-ref: "docker.io/openc3inc/openc3-ruby:${{ github.sha }}"
format: "sarif"
exit-code: 1
output: "trivy-ruby.sarif"
ignore-unfixed: true
vuln-type: "os,library"
scanners: "vuln"
severity: "CRITICAL,HIGH"
trivy-config: trivy.yaml
- name: Upload Trivy scan results
if: ${{ !cancelled() && steps.build.outcome == 'success' }}
uses: github/codeql-action/upload-sarif@v3
Expand All @@ -53,13 +49,8 @@ jobs:
uses: aquasecurity/trivy-action@master
with:
image-ref: "docker.io/openc3inc/openc3-node:${{ github.sha }}"
format: "sarif"
exit-code: 1
output: "trivy-node.sarif"
ignore-unfixed: true
vuln-type: "os,library"
scanners: "vuln"
severity: "CRITICAL,HIGH"
trivy-config: trivy.yaml
# On a subsequent call to the action we know trivy is already installed so can skip this
skip-setup-trivy: true
- name: Upload Trivy scan results
Expand All @@ -73,13 +64,8 @@ jobs:
uses: aquasecurity/trivy-action@master
with:
image-ref: "docker.io/openc3inc/openc3-base:${{ github.sha }}"
format: "sarif"
exit-code: 1
output: "trivy-base.sarif"
ignore-unfixed: true
vuln-type: "os,library"
scanners: "vuln"
severity: "CRITICAL,HIGH"
trivy-config: trivy.yaml
skip-setup-trivy: true
- name: Upload Trivy scan results
if: ${{ !cancelled() && steps.build.outcome == 'success' }}
Expand All @@ -92,13 +78,8 @@ jobs:
uses: aquasecurity/trivy-action@master
with:
image-ref: "docker.io/openc3inc/openc3-cosmos-init:${{ github.sha }}"
format: "sarif"
exit-code: 1
output: "trivy-init.sarif"
ignore-unfixed: true
vuln-type: "os,library"
scanners: "vuln"
severity: "CRITICAL,HIGH"
trivy-config: trivy.yaml
skip-setup-trivy: true
- name: Upload Trivy scan results
if: ${{ !cancelled() && steps.build.outcome == 'success' }}
Expand All @@ -111,13 +92,8 @@ jobs:
uses: aquasecurity/trivy-action@master
with:
image-ref: "docker.io/openc3inc/openc3-redis:${{ github.sha }}"
format: "sarif"
exit-code: 1
output: "trivy-redis.sarif"
ignore-unfixed: true
vuln-type: "os,library"
scanners: "vuln"
severity: "CRITICAL,HIGH"
trivy-config: trivy.yaml
skip-setup-trivy: true
- name: Upload Trivy scan results
if: ${{ !cancelled() && steps.build.outcome == 'success' }}
Expand All @@ -130,13 +106,8 @@ jobs:
uses: aquasecurity/trivy-action@master
with:
image-ref: "docker.io/openc3inc/openc3-minio:${{ github.sha }}"
format: "sarif"
exit-code: 1
output: "trivy-minio.sarif"
ignore-unfixed: true
vuln-type: "os,library"
scanners: "vuln"
severity: "CRITICAL,HIGH"
trivy-config: trivy.yaml
skip-setup-trivy: true
- name: Upload Trivy scan results
if: ${{ !cancelled() && steps.build.outcome == 'success' }}
Expand All @@ -149,13 +120,8 @@ jobs:
uses: aquasecurity/trivy-action@master
with:
image-ref: "docker.io/openc3inc/openc3-operator:${{ github.sha }}"
format: "sarif"
exit-code: 1
output: "trivy-operator.sarif"
ignore-unfixed: true
vuln-type: "os,library"
scanners: "vuln"
severity: "CRITICAL,HIGH"
trivy-config: trivy.yaml
skip-setup-trivy: true
- name: Upload Trivy scan results
if: ${{ !cancelled() && steps.build.outcome == 'success' }}
Expand All @@ -168,13 +134,8 @@ jobs:
uses: aquasecurity/trivy-action@master
with:
image-ref: "docker.io/openc3inc/openc3-cosmos-cmd-tlm-api:${{ github.sha }}"
format: "sarif"
exit-code: 1
output: "trivy-cmd-tlm-api.sarif"
ignore-unfixed: true
vuln-type: "os,library"
scanners: "vuln"
severity: "CRITICAL,HIGH"
trivy-config: trivy.yaml
skip-setup-trivy: true
- name: Upload Trivy scan results
if: ${{ !cancelled() && steps.build.outcome == 'success' }}
Expand All @@ -187,13 +148,8 @@ jobs:
uses: aquasecurity/trivy-action@master
with:
image-ref: "docker.io/openc3inc/openc3-cosmos-script-runner-api:${{ github.sha }}"
format: "sarif"
exit-code: 1
output: "trivy-script-runner-api.sarif"
ignore-unfixed: true
vuln-type: "os,library"
scanners: "vuln"
severity: "CRITICAL,HIGH"
trivy-config: trivy.yaml
skip-setup-trivy: true
- name: Upload Trivy scan results
if: ${{ !cancelled() && steps.build.outcome == 'success' }}
Expand All @@ -206,13 +162,8 @@ jobs:
uses: aquasecurity/trivy-action@master
with:
image-ref: "docker.io/openc3inc/openc3-traefik:${{ github.sha }}"
format: "sarif"
exit-code: 1
output: "trivy-traefik.sarif"
ignore-unfixed: true
vuln-type: "os,library"
scanners: "vuln"
severity: "CRITICAL,HIGH"
trivy-config: trivy.yaml
skip-setup-trivy: true
- name: Upload Trivy scan results
if: ${{ !cancelled() && steps.build.outcome == 'success' }}
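Review bot: Each "Run Trivy on image …" step now relies on `trivy-config: trivy.yaml` for the settings that used to be inline (the diffstat's 60 deletions match six dropped settings per step, such as `exit-code: 1` and `severity: "CRITICAL,HIGH"`), yet trivy.yaml is not one of the two files in this commit, so the build only stays gated if that file already exists in the checkout with an `exit-code` of 1 and the same severity/ignore-unfixed/scanner choices; this applies to all ten hunks in the file, starting with the openc3-ruby step. If it is absent or more permissive, every scan quietly becomes report-only while the job still passes, and nothing in the workflow would flag that. A one-line comment on the first step, `# Scan options (exit-code, severity, vuln-type, ignore-unfixed) live in trivy.yaml at the repo root`, would make the dependency visible to whoever edits either file next. For consistency with `image-ref` in the same `with:` block the new value would read `trivy-config: "trivy.yaml"`. Separately, the unchanged `uses: aquasecurity/trivy-action@master` is a mutable branch ref for the security gate itself; pinning it to a release tag or commit SHA would keep the scanner toolchain reproducible.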
3 changes: 2 additions & 1 deletion openc3-ruby/Dockerfile
Expand Up @@ -79,7 +79,8 @@ RUN apk update \
&& python3 -m venv /openc3/venv \
&& source /openc3/venv/bin/activate \
&& pip3 config --global set global.index $PYPI_URL/pypi \
&& pip3 config --global set global.index-url $PYPI_URL/simple
&& pip3 config --global set global.index-url $PYPI_URL/simple \
&& pip3 install --upgrade pip setuptools

# Set user and group
ENV IMAGE_USER=openc3
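Review bot: The added `&& pip3 install --upgrade pip setuptools` installs whatever the newest pip and setuptools are on `$PYPI_URL` at build time, so the image is no longer reproducible and a clean scan of today's build says nothing about tomorrow's; pin both, for example `&& pip3 install --upgrade 'pip==<PINNED_VERSION>' 'setuptools==<PINNED_VERSION>'`, and bump the pins deliberately (a constraints file with hashes is the stronger form if the project already keeps one). If the upgrade is here to clear Trivy findings against the versions the venv was seeded with, a short comment saying so, `# upgrade the venv's bundled pip/setuptools; the seeded versions trip the Trivy scan`, would stop a later cleanup from removing it. The RUN instruction this line extends begins before the hunk.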