-
Notifications
You must be signed in to change notification settings - Fork 314
183 lines (183 loc) · 6.42 KB
/
sec-checks.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
name: security-checks
on:
push:
branches:
- main
pull_request:
jobs:
trivy-file-system:
name: Trivy fs scan
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- name: Run Trivy vulnerability scanner in repo mode
uses: aquasecurity/trivy-action@6e7b7d1fd3e4fef0c5fa8cce1229c54b2c9bd0d8 #v 0.24.0
with:
scan-type: 'fs'
ignore-unfixed: true
format: 'table'
output: './results.txt'
severity: 'CRITICAL,HIGH,MEDIUM,LOW'
exit-code: '1'
# trivy-config: trivy.yaml
- name: Inspect action report
if: always()
run: cat ./results.txt
- name: Upload artifact
if: always()
uses: actions/upload-artifact@0b2256b8c012f0828dc542b3febcab082c67f72b # v4
with:
name: trivy-fs-scan-results
path: ./results.txt
trivy-docker-image:
name: Trivy docker image scan
runs-on: ubuntu-latest
strategy:
fail-fast: false
matrix:
kics-docker: [ "Dockerfile" ]
steps:
- name: Checkout code
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@4fd812986e6c8c2a69e18311145f9371337f27d4 # v3.4.0
- name: Build
id: docker_build
uses: docker/build-push-action@1ca370b3a9802c92e886402e0dd88098a2533b12 # v6.4.1
with:
load: true
context: ./
file: ./${{ matrix.kics-docker }}
builder: ${{ steps.buildx.outputs.name }}
push: false
tags: kics:sec-trivy-tests-${{ github.sha }}
build-args: |
VERSION=development
COMMIT=${{ github.sha }}
cache-from: type=local,src=/tmp/.buildx-cache
cache-to: type=local,dest=/tmp/.buildx-cache
- name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@6e7b7d1fd3e4fef0c5fa8cce1229c54b2c9bd0d8 #v 0.24.0
with:
image-ref: kics:sec-trivy-tests-${{ github.sha }}
ignore-unfixed: true
vuln-type: 'os,library'
format: 'table'
output: './results.txt'
severity: 'CRITICAL,HIGH,MEDIUM,LOW'
ignore-policy: './trivy-ignore.rego'
# trivy-config: trivy.image.yaml
exit-code: '1'
- name: Inspect action report
if: always()
run: cat ./results.txt
- name: Upload artifact
if: always()
uses: actions/upload-artifact@0b2256b8c012f0828dc542b3febcab082c67f72b # v4
with:
name: trivy-docker-image-scan-results
path: ./results.txt
grype-file-system:
name: Grype fs scan
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- name: Run Grype vulnerability scanner in repo mode
id: grype-fs-scan
uses: anchore/scan-action@d43cc1dfea6a99ed123bf8f3133f1797c9b44492 # v4.1.0
with:
path: "."
only-fixed: true
output-format: table
severity-cutoff: low
fail-build: true
grype-docker-image:
name: Grype docker image scan
runs-on: ubuntu-latest
strategy:
fail-fast: false
matrix:
kics-docker: [ "Dockerfile" ]
steps:
- name: Check out code
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
with:
persist-credentials: false
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@4fd812986e6c8c2a69e18311145f9371337f27d4 # v3.4.0
- name: Build
id: docker_build
uses: docker/build-push-action@1ca370b3a9802c92e886402e0dd88098a2533b12 # v6.4.1
with:
load: true
context: ./
file: ./${{ matrix.kics-docker }}
builder: ${{ steps.buildx.outputs.name }}
push: false
tags: kics:sec-tests-${{ github.sha }}
build-args: |
VERSION=development
COMMIT=${{ github.sha }}
cache-from: type=local,src=/tmp/.buildx-cache
cache-to: type=local,dest=/tmp/.buildx-cache
- name: Scan image
id: grype-image-scan
uses: anchore/scan-action@d43cc1dfea6a99ed123bf8f3133f1797c9b44492 # v4.1.0
with:
image: kics:sec-tests-${{ github.sha }}
only-fixed: true
severity-cutoff: low
output-format: table
fail-build: true
govulncheck-file-system:
runs-on: ubuntu-latest
name: govulncheck fs scan
steps:
- name: Checkout code
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- uses: actions/setup-go@v5
with:
go-version-file: go.mod
- name: Install govulncheck
run: go install golang.org/x/vuln/cmd/govulncheck@latest
- name: Run govulncheck scanner in fs mode
run: |
govulncheck -show verbose -C . ./... > ./results.txt || true
bash ./.github/scripts/sec-checks/govulncheck-ignore-unfixed.sh
- name: Inspect action report
if: always()
run: cat ./results.txt
- name: Upload artifact
if: always()
uses: actions/upload-artifact@0b2256b8c012f0828dc542b3febcab082c67f72b # v4
with:
name: govulncheck-fs-scan-results
path: ./results.txt
govulncheck-binary:
runs-on: ubuntu-latest
name: govulncheck binary scan
steps:
- name: Checkout code
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- uses: actions/setup-go@v5
with:
go-version-file: go.mod
- name: Build kics
run: go build -ldflags "-s -w" -a -installsuffix cgo -o ./bin/kics ./cmd/console/main.go
- name: Install govulncheck
run: go install golang.org/x/vuln/cmd/govulncheck@latest
- name: Run govulncheck scanner in binary mode
run: |
govulncheck -show verbose -mode=binary ./bin/kics > ./results.txt || true
bash ./.github/scripts/sec-checks/govulncheck-ignore-unfixed.sh
- name: Inspect action report
if: always()
run: cat ./results.txt
- name: Upload artifact
if: always()
uses: actions/upload-artifact@0b2256b8c012f0828dc542b3febcab082c67f72b # v4
with:
name: govulncheck-binary-scan-results
path: ./results.txt