From 15bb179d09a413a7d6df0f8d78564923c2df5ca3 Mon Sep 17 00:00:00 2001
From: Jason Thomas
Date: Fri, 20 Dec 2024 08:16:53 -0700
Subject: [PATCH] Improve trivy checks
---
 .github/workflows/trivy.yml | 71 ++++++-------------------------------
 openc3-ruby/Dockerfile | 3 +-
 2 files changed, 13 insertions(+), 61 deletions(-)
diff --git a/.github/workflows/trivy.yml b/.github/workflows/trivy.yml
index 87b87f350..bc24d5b10 100644
--- a/.github/workflows/trivy.yml
+++ b/.github/workflows/trivy.yml
@@ -32,16 +32,12 @@ jobs:
 OPENC3_TAG: ${{ github.sha }}
 - name: Run Trivy on image ruby
 if: ${{ !cancelled() && steps.build.outcome == 'success' }}
+ # See https://github.com/aquasecurity/trivy-action
 uses: aquasecurity/trivy-action@master
 with:
 image-ref: "docker.io/openc3inc/openc3-ruby:${{ github.sha }}"
- format: "sarif"
- exit-code: 1
 output: "trivy-ruby.sarif"
- ignore-unfixed: true
- vuln-type: "os,library"
- scanners: "vuln"
- severity: "CRITICAL,HIGH"
+ trivy-config: trivy.yaml
 - name: Upload Trivy scan results
 if: ${{ !cancelled() && steps.build.outcome == 'success' }}
 uses: github/codeql-action/upload-sarif@v3
@@ -53,13 +49,8 @@ jobs:
 uses: aquasecurity/trivy-action@master
 with:
 image-ref: "docker.io/openc3inc/openc3-node:${{ github.sha }}"
- format: "sarif"
- exit-code: 1
 output: "trivy-node.sarif"
- ignore-unfixed: true
- vuln-type: "os,library"
- scanners: "vuln"
- severity: "CRITICAL,HIGH"
+ trivy-config: trivy.yaml
 # On a subsequent call to the action we know trivy is already installed so can skip this
 skip-setup-trivy: true
 - name: Upload Trivy scan results
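Review bot: The new `trivy-config: trivy.yaml` line in the ruby scan step (and the identical change in the node, base, init, redis, minio, operator, cmd-tlm-api, script-runner-api and traefik steps) references a config file this patch does not add — the diffstat lists only trivy.yml and the Dockerfile — so the gate the removed inline inputs provided (`format: "sarif"`, `exit-code: 1`, `severity: "CRITICAL,HIGH"`, `ignore-unfixed`, `scanners: "vuln"`) now lives, or does not, in a file that cannot be reviewed here. If trivy.yaml is missing or omits `exit-code: 1`, Trivy's default exit code is 0 on findings and the job silently stops failing on CRITICAL/HIGH vulnerabilities; if it omits `format: sarif`, `output: "trivy-ruby.sarif"` will not contain SARIF and the following `upload-sarif` step breaks. Please land `trivy.yaml` in the same commit (or name the commit that introduced it) and keep `exit-code: 1` and `format: sarif` in it, and add a comment above the step such as `# Scan options (format, exit-code, severity, scanners) come from trivy.yaml, presumably at the repository root` so the next reader does not hunt for the removed inputs. Separately, `uses: aquasecurity/trivy-action@master` (context here, unchanged by the patch) is an unpinned third-party action; pinning to a release tag or commit SHA is the usual supply-chain hardening for a scanner that gates the build.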
@@ -73,13 +64,8 @@ jobs:
 uses: aquasecurity/trivy-action@master
 with:
 image-ref: "docker.io/openc3inc/openc3-base:${{ github.sha }}"
- format: "sarif"
- exit-code: 1
 output: "trivy-base.sarif"
- ignore-unfixed: true
- vuln-type: "os,library"
- scanners: "vuln"
- severity: "CRITICAL,HIGH"
+ trivy-config: trivy.yaml
 skip-setup-trivy: true
 - name: Upload Trivy scan results
 if: ${{ !cancelled() && steps.build.outcome == 'success' }}
@@ -92,13 +78,8 @@ jobs:
 uses: aquasecurity/trivy-action@master
 with:
 image-ref: "docker.io/openc3inc/openc3-cosmos-init:${{ github.sha }}"
- format: "sarif"
- exit-code: 1
 output: "trivy-init.sarif"
- ignore-unfixed: true
- vuln-type: "os,library"
- scanners: "vuln"
- severity: "CRITICAL,HIGH"
+ trivy-config: trivy.yaml
 skip-setup-trivy: true
 - name: Upload Trivy scan results
 if: ${{ !cancelled() && steps.build.outcome == 'success' }}
@@ -111,13 +92,8 @@ jobs:
 uses: aquasecurity/trivy-action@master
 with:
 image-ref: "docker.io/openc3inc/openc3-redis:${{ github.sha }}"
- format: "sarif"
- exit-code: 1
 output: "trivy-redis.sarif"
- ignore-unfixed: true
- vuln-type: "os,library"
- scanners: "vuln"
- severity: "CRITICAL,HIGH"
+ trivy-config: trivy.yaml
 skip-setup-trivy: true
 - name: Upload Trivy scan results
 if: ${{ !cancelled() && steps.build.outcome == 'success' }}
@@ -130,13 +106,8 @@ jobs:
 uses: aquasecurity/trivy-action@master
 with:
 image-ref: "docker.io/openc3inc/openc3-minio:${{ github.sha }}"
- format: "sarif"
- exit-code: 1
 output: "trivy-minio.sarif"
- ignore-unfixed: true
- vuln-type: "os,library"
- scanners: "vuln"
- severity: "CRITICAL,HIGH"
+ trivy-config: trivy.yaml
 skip-setup-trivy: true
 - name: Upload Trivy scan results
 if: ${{ !cancelled() && steps.build.outcome == 'success' }}
@@ -149,13 +120,8 @@ jobs:
 uses: aquasecurity/trivy-action@master
 with:
 image-ref: "docker.io/openc3inc/openc3-operator:${{ github.sha }}"
- format: "sarif"
- exit-code: 1
 output: "trivy-operator.sarif"
- ignore-unfixed: true
- vuln-type: "os,library"
- scanners: "vuln"
- severity: "CRITICAL,HIGH"
+ trivy-config: trivy.yaml
 skip-setup-trivy: true
 - name: Upload Trivy scan results
 if: ${{ !cancelled() && steps.build.outcome == 'success' }}
@@ -168,13 +134,8 @@ jobs:
 uses: aquasecurity/trivy-action@master
 with:
 image-ref: "docker.io/openc3inc/openc3-cosmos-cmd-tlm-api:${{ github.sha }}"
- format: "sarif"
- exit-code: 1
 output: "trivy-cmd-tlm-api.sarif"
- ignore-unfixed: true
- vuln-type: "os,library"
- scanners: "vuln"
- severity: "CRITICAL,HIGH"
+ trivy-config: trivy.yaml
 skip-setup-trivy: true
 - name: Upload Trivy scan results
 if: ${{ !cancelled() && steps.build.outcome == 'success' }}
@@ -187,13 +148,8 @@ jobs:
 uses: aquasecurity/trivy-action@master
 with:
 image-ref: "docker.io/openc3inc/openc3-cosmos-script-runner-api:${{ github.sha }}"
- format: "sarif"
- exit-code: 1
 output: "trivy-script-runner-api.sarif"
- ignore-unfixed: true
- vuln-type: "os,library"
- scanners: "vuln"
- severity: "CRITICAL,HIGH"
+ trivy-config: trivy.yaml
 skip-setup-trivy: true
 - name: Upload Trivy scan results
 if: ${{ !cancelled() && steps.build.outcome == 'success' }}
@@ -206,13 +162,8 @@ jobs:
 uses: aquasecurity/trivy-action@master
 with:
 image-ref: "docker.io/openc3inc/openc3-traefik:${{ github.sha }}"
- format: "sarif"
- exit-code: 1
 output: "trivy-traefik.sarif"
- ignore-unfixed: true
- vuln-type: "os,library"
- scanners: "vuln"
- severity: "CRITICAL,HIGH"
+ trivy-config: trivy.yaml
 skip-setup-trivy: true
 - name: Upload Trivy scan results
 if: ${{ !cancelled() && steps.build.outcome == 'success' }}
diff --git a/openc3-ruby/Dockerfile b/openc3-ruby/Dockerfile
index 762d5368a..c914c7c28 100644
--- a/openc3-ruby/Dockerfile
+++ b/openc3-ruby/Dockerfile
@@ -79,7 +79,8 @@ RUN apk update \
 && python3 -m venv /openc3/venv \
 && source /openc3/venv/bin/activate \
 && pip3 config --global set global.index $PYPI_URL/pypi \
- && pip3 config --global set global.index-url $PYPI_URL/simple
+ && pip3 config --global set global.index-url $PYPI_URL/simple \
+ && pip3 install --upgrade pip setuptools

 # Set user and group
 ENV IMAGE_USER=openc3
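Review bot: The added `&& pip3 install --upgrade pip setuptools` pulls whatever versions `$PYPI_URL` serves at build time, so two builds of the same commit can ship different pip/setuptools and a clean Trivy result on one image says nothing about the next; pin them, e.g. `&& pip3 install --no-cache-dir --upgrade 'pip==<pinned-version>' 'setuptools==<pinned-version>'`, and bump the pins deliberately. `--no-cache-dir` also keeps the pip download cache out of this image layer. The upgrade looks like a response to scanner findings against the pip/setuptools bundled with the base image's python3 (inferred from the commit title, not visible here); a one-line comment such as `# upgrade pip/setuptools past the versions bundled with the base image's python3 (flagged by Trivy)` would record why the line exists. The `RUN apk update` command this line belongs to starts before the hunk.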