t.behrendt/sec-workflows
1
0
Fork 0
Code Issues 2 Pull Requests 4 Actions Releases Activity

Compare commits

base: t.behrendt:refactor-to-osv-scanner
Branches Tags
t.behrendt:main t.behrendt:refactor-to-osv-scanner t.behrendt:renovate/https-gitea.t000-n.de-t.behrendt-conventional-semantic-git-tag-increment-0.x t.behrendt:renovate/https-gitea.t000-n.de-t.behrendt-actions-0.x t.behrendt:renovate/https-gitea.t000-n.de-t.behrendt-trivy-actions-digest
t.behrendt:0.2.4 t.behrendt:0.2.3 t.behrendt:0.2.2 t.behrendt:0.2.1 t.behrendt:0.2.0 t.behrendt:0.1.2-rc-97ed0a241c52e8ce2fe90ae3b2c551d7256858a3 t.behrendt:0.1.1 t.behrendt:0.2.0-rc-4dde0beec8ac4781e9da3e43fcb27eb26c7d1a92 t.behrendt:0.1.0 t.behrendt:0.1.0-rc-f0811239154d86afcc96faf56f8fd7c1f14a9f7c
..
compare: t.behrendt:da81a20210e69b63b646b0ca3aa9c39a4fe048b8
Branches Tags
t.behrendt:refactor-to-osv-scanner t.behrendt:renovate/https-gitea.t000-n.de-t.behrendt-conventional-semantic-git-tag-increment-0.x t.behrendt:renovate/https-gitea.t000-n.de-t.behrendt-actions-0.x t.behrendt:renovate/https-gitea.t000-n.de-t.behrendt-trivy-actions-digest t.behrendt:main
t.behrendt:0.2.4 t.behrendt:0.2.3 t.behrendt:0.2.2 t.behrendt:0.2.1 t.behrendt:0.2.0 t.behrendt:0.1.2-rc-97ed0a241c52e8ce2fe90ae3b2c551d7256858a3 t.behrendt:0.1.1 t.behrendt:0.2.0-rc-4dde0beec8ac4781e9da3e43fcb27eb26c7d1a92 t.behrendt:0.1.0 t.behrendt:0.1.0-rc-f0811239154d86afcc96faf56f8fd7c1f14a9f7c

1 Commits
refactor-t ... da81a20210

Author SHA1 Message Date
Renovate Bot
da81a20210 chore(deps): update https://gitea.t000-n.de/t.behrendt/actions action to v0.2.1
All checks were successful
renovate/stability-days Updates have met minimum release age requirement
Details
2026-03-07 11:13:45 +00:00
3 changed files with 242 additions and 118 deletions
Expand all files Collapse all files

75
.gitea/workflows/run-sec-scan.yaml
View File

@@ -1,75 +0,0 @@
name: Run Sec Scan
on:
workflow_call:
inputs:
ecosystems:
description: "Comma-separated ecosystems for setup-osv-db (see sec-actions/setup-osv-db)."
required: false
type: string
default: "github-actions,npm,go,docker"
cache-bucket-hours:
description: "Cache key time bucket (hours) for setup-osv-db."
required: false
type: number
default: 24
osv-scanner-image:
description: "Container image for OSV-Scanner (run with hardened docker options)."
required: false
type: string
default: "ghcr.io/google/osv-scanner:latest"
outputs:
merged-sarif-artifact:
description: "Artifact name containing the SARIF file (download this artifact; file inside is merged-sarif.json)."
value: ${{ jobs.osv-scan.outputs.merged-sarif-artifact }}
merged-sarif-path:
description: "Path to the SARIF file inside the artifact (merged-sarif.json)."
value: ${{ jobs.osv-scan.outputs.merged-sarif-path }}
jobs:
osv-scan:
runs-on: ubuntu-latest
outputs:
merged-sarif-artifact: ${{ steps.meta.outputs.merged-sarif-artifact }}
merged-sarif-path: ${{ steps.meta.outputs.merged-sarif-path }}
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- name: Setup offline OSV DB
id: setup-db
uses: https://gitea.t000-n.de/t.behrendt/sec-actions/setup-osv-db@main
with:
ecosystems: ${{ inputs.ecosystems }}
cache-bucket-hours: ${{ inputs.cache-bucket-hours }}
- name: Run OSV-Scanner in Docker (offline, no network, read-only)
id: scan
run: |
set -euo pipefail
SARIF_HOST_DIR="${RUNNER_TEMP}/osv-sarif-out"
mkdir -p "${SARIF_HOST_DIR}"
CACHE="${{ steps.setup-db.outputs.cache-dir }}"
IMAGE="${{ inputs.osv-scanner-image }}"
docker run --rm \
--network none \
--read-only \
--tmpfs /tmp:rw,noexec,nosuid,size=256m \
--cap-drop ALL \
--security-opt no-new-privileges \
-v "${GITHUB_WORKSPACE}:/work:ro" \
-v "${CACHE}:/osv-db:ro" \
-v "${SARIF_HOST_DIR}:/out" \
-e OSV_SCANNER_LOCAL_DB_CACHE_DIRECTORY=/osv-db \
"${IMAGE}" \
scan source --offline-vulnerabilities --format sarif --output /out/merged-sarif.json -r /work
- name: Artifact metadata
id: meta
run: |
echo "merged-sarif-artifact=merged-sarif" >> "$GITHUB_OUTPUT"
echo "merged-sarif-path=merged-sarif.json" >> "$GITHUB_OUTPUT"
- uses: https://github.com/ChristopherHX/gitea-upload-artifact@v4
with:
name: merged-sarif
path: ${{ runner.temp }}/osv-sarif-out/merged-sarif.json

192
.gitea/workflows/run-trivy-scan.yaml Normal file
View File

@@ -0,0 +1,192 @@
name: Run Trivy Scan
on:
workflow_call:
inputs:
scan-config:
description: "Run Trivy config scan (repository root)."
required: false
type: boolean
default: false
scan-images:
description: "Run Trivy image scan on images from image-scan-files."
required: false
type: boolean
default: false
image-scan-files:
description: "YAML list of files to extract container images from. Used when scan-images is true."
required: false
type: string
default: ""
trivy-server-url:
description: "Optional Trivy server URL for image scan."
required: false
type: string
default: ""
scan-fs:
description: "Run Trivy file system scan on the repository root."
required: false
type: boolean
default: false
outputs:
merged-sarif-artifact:
description: "Artifact name containing the merged SARIF file (download this artifact; file inside is merged-sarif.json)."
value: ${{ jobs.merge.outputs.merged-sarif-artifact }}
merged-sarif-path:
description: "Path to the merged SARIF file inside the artifact (merged-sarif.json)."
value: ${{ jobs.merge.outputs.merged-sarif-path }}
jobs:
config-scan:
if: inputs.scan-config
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- uses: https://gitea.t000-n.de/t.behrendt/trivy-actions/setup-trivy@83a7cef9f19e3a5a30311839f99f83690a490cf8 # 1.4.5
- uses: https://gitea.t000-n.de/t.behrendt/trivy-actions/setup-db@83a7cef9f19e3a5a30311839f99f83690a490cf8 # 1.4.5
- run: |
trivy config --cache-dir "$TRIVY_CACHE_DIR" --exit-code 0 --format sarif --output config-sarif.json .
env:
TRIVY_CACHE_DIR: ${{ runner.temp }}/trivy
- uses: https://github.com/ChristopherHX/gitea-upload-artifact@v4
with:
name: config-sarif
path: config-sarif.json
image-scan:
if: inputs.scan-images
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- uses: https://gitea.t000-n.de/t.behrendt/trivy-actions/setup-trivy@83a7cef9f19e3a5a30311839f99f83690a490cf8 # 1.4.5
- uses: https://gitea.t000-n.de/t.behrendt/trivy-actions/setup-db@83a7cef9f19e3a5a30311839f99f83690a490cf8 # 1.4.5
- name: Get images from files
id: get-images
uses: https://gitea.t000-n.de/t.behrendt/trivy-actions/get-images-from-files@83a7cef9f19e3a5a30311839f99f83690a490cf8 # 1.4.5
with:
files: ${{ inputs.image-scan-files }}
- name: Pull images
if: steps.get-images.outputs.images != '[]'
run: |
set -e
images='${{ steps.get-images.outputs.images }}'
for img in $(echo "$images" | jq -r '.[]'); do
docker pull "$img"
done
- name: Scan images
id: scan
if: steps.get-images.outputs.images != '[]'
run: |
set -e
images='${{ steps.get-images.outputs.images }}'
count=$(echo "$images" | jq 'length')
if [ "$count" -eq 0 ]; then
echo "count=0" >> "$GITHUB_OUTPUT"
exit 0
fi
i=0
server="${{ inputs.trivy-server-url }}"
for img in $(echo "$images" | jq -r '.[]'); do
args=(image --cache-dir "$TRIVY_CACHE_DIR" --exit-code 0 --scanners vuln --format sarif --output "sarif-image-${i}.json" "$img")
[ -n "$server" ] && args+=(--server "$server")
trivy "${args[@]}"
i=$((i + 1))
done
{
echo "files<<EOF"
for j in $(seq 0 $((i - 1))); do echo " - sarif-image-${j}.json"; done
echo "EOF"
} >> $GITHUB_OUTPUT
echo "count=$i" >> $GITHUB_OUTPUT
env:
TRIVY_CACHE_DIR: ${{ runner.temp }}/trivy
- name: Merge image SARIF files
if: steps.get-images.outputs.images != '[]' && steps.scan.outputs.count != '0'
uses: https://gitea.t000-n.de/t.behrendt/trivy-actions/merge-sarif-files@83a7cef9f19e3a5a30311839f99f83690a490cf8 # 1.4.5
with:
files: ${{ steps.scan.outputs.files }}
output-file: image-sarif.json
- name: Ensure image SARIF exists (no images case)
if: steps.get-images.outputs.images == '[]' || steps.scan.outputs.count == '0'
run: |
echo '{"version":"2.1.0","$schema":"https://raw.githubusercontent.com/oasis-tcs/sarif-spec/master/Schemata/sarif-schema-2.1.0.json","runs":[]}' > image-sarif.json
- uses: https://github.com/ChristopherHX/gitea-upload-artifact@v4
with:
name: image-sarif
path: image-sarif.json
fs-scan:
if: inputs.scan-fs
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- uses: https://gitea.t000-n.de/t.behrendt/trivy-actions/setup-trivy@83a7cef9f19e3a5a30311839f99f83690a490cf8 # 1.4.5
- uses: https://gitea.t000-n.de/t.behrendt/trivy-actions/setup-db@83a7cef9f19e3a5a30311839f99f83690a490cf8 # 1.4.5
- run: |
server="${{ inputs.trivy-server-url }}"
args=(fs --cache-dir "$TRIVY_CACHE_DIR" --exit-code 0 --format sarif --output fs-sarif.json --scanners vuln .)
[ -n "$server" ] && args+=(--server "$server")
trivy "${args[@]}"
env:
TRIVY_CACHE_DIR: ${{ runner.temp }}/trivy
- uses: https://github.com/ChristopherHX/gitea-upload-artifact@v4
with:
name: fs-sarif
path: fs-sarif.json
merge:
runs-on: ubuntu-latest
needs: [config-scan, image-scan, fs-scan]
if: always() && (needs.config-scan.result == 'success' || needs.config-scan.result == 'skipped') && (needs.image-scan.result == 'success' || needs.image-scan.result == 'skipped') && (inputs.scan-config || inputs.scan-images)
outputs:
merged-sarif-artifact: ${{ steps.outputs.outputs.merged-sarif-artifact }}
merged-sarif-path: ${{ steps.outputs.outputs.merged-sarif-path }}
steps:
- name: Require at least one scan
if: ${{ !inputs.scan-config && !inputs.scan-images }}
run: |
echo "Enable scan-config and/or scan-images (and provide image-scan-files for image scan)."
exit 1
- name: Download config SARIF
if: inputs.scan-config
uses: https://github.com/ChristopherHX/gitea-download-artifact@v4
with:
name: config-sarif
path: config-sarif-artifact
- name: Download image SARIF
if: inputs.scan-images
uses: https://github.com/ChristopherHX/gitea-download-artifact@v4
with:
name: image-sarif
path: image-sarif-artifact
- name: Build merge file list
id: file-list
run: |
files=""
if [ "${{ inputs.scan-config }}" = "true" ] && [ -f config-sarif-artifact/config-sarif.json ]; then
files="- config-sarif-artifact/config-sarif.json"
fi
if [ "${{ inputs.scan-images }}" = "true" ] && [ -f image-sarif-artifact/image-sarif.json ]; then
[ -n "$files" ] && files="$files"$'\n'" - image-sarif-artifact/image-sarif.json" || files="- image-sarif-artifact/image-sarif.json"
fi
if [ "${{ inputs.scan-fs }}" = "true" ] && [ -f fs-sarif-artifact/fs-sarif.json ]; then
[ -n "$files" ] && files="$files"$'\n'" - fs-sarif-artifact/fs-sarif.json" || files="- fs-sarif-artifact/fs-sarif.json"
fi
echo "files<<EOF" >> "$GITHUB_OUTPUT"
echo "$files" >> "$GITHUB_OUTPUT"
echo "EOF" >> "$GITHUB_OUTPUT"
- name: Merge SARIF files
id: merge-step
uses: https://gitea.t000-n.de/t.behrendt/trivy-actions/merge-sarif-files@83a7cef9f19e3a5a30311839f99f83690a490cf8 # 1.4.5
with:
files: ${{ steps.file-list.outputs.files }}
output-file: merged-sarif.json
- name: Set outputs
id: outputs
run: |
echo "merged-sarif-artifact=merged-sarif" >> "$GITHUB_OUTPUT"
echo "merged-sarif-path=merged-sarif.json" >> "$GITHUB_OUTPUT"
- uses: https://github.com/ChristopherHX/gitea-upload-artifact@v4
with:
name: merged-sarif
path: merged-sarif.json

93
README.md
View File

@@ -1,16 +1,10 @@
# Sec Workflows
# Trivy Workflows
## Run Sec Scan (reusable workflow)
## Run Trivy Scan (reusable workflow)
Reusable workflow that restores the [OSV-Scanner](https://google.github.io/osv-scanner/) offline vulnerability database via **`setup-osv-db`**, runs **`osv-scanner scan source`** with **`--offline-vulnerabilities`**, and publishes a single SARIF artifact. It does **not** upload to TAS; callers download the artifact and use it (e.g. with `tas-upload-sarif`).
Reusable workflow that optionally runs Trivy config and/or image scan, merges the SARIF results, and exposes the merged file as an artifact. It does **not** upload to TAS; callers download the artifact and use it (e.g. with `tas-upload-sarif`).
Scanning uses [Google OSV](https://osv.dev/) data (not Trivy). The scanner runs **only** inside Docker with **no container network**, a **read-only** root filesystem (plus a small **`tmpfs`** for `/tmp`), **all capabilities dropped**, and **`no-new-privileges`**. The workspace and the local OSV DB are bind-mounted **read-only**; SARIF is written to a dedicated host directory mounted read-write at `/out` in the container.
**Workflow file:** [.gitea/workflows/run-sec-scan.yaml](.gitea/workflows/run-sec-scan.yaml)
### Offline DB (`setup-osv-db`)
The workflow uses the **`setup-osv-db`** action from the **`sec-actions`** repository (replacing the former `trivy-actions` / `setup-trivy` flow). That action prepares `OSV_SCANNER_LOCAL_DB_CACHE_DIRECTORY` for use with `--offline-vulnerabilities` (see [OSV-Scanner offline mode](https://google.github.io/osv-scanner/usage/offline-mode/)).
**Workflow file:** [../.gitea/workflows/run-trivy-scan.yaml](../.gitea/workflows/run-trivy-scan.yaml)
## Usage
@@ -18,69 +12,82 @@ The workflow uses the **`setup-osv-db`** action from the **`sec-actions`** repos
```yaml
jobs:
sec:
uses: ./.gitea/workflows/run-sec-scan.yaml
trivy:
uses: ./.gitea/workflows/run-trivy-scan.yaml
with:
ecosystems: PyPI,npm,Go
cache-bucket-hours: 6
scan-config: true
scan-images: true
image-scan-files: |
- k8s/31_deployment_redis.yaml
- k8s/32_deployment_gitea.yaml
- dockers/runner/compose.yaml
trivy-server-url: ${{ vars.TRIVY_SERVER_URL }}
use-sarif:
needs: sec
needs: trivy
runs-on: ubuntu-latest
steps:
- name: Download SARIF
- name: Download merged SARIF
uses: https://github.com/ChristopherHX/gitea-download-artifact@v4
with:
name: ${{ needs.sec.outputs.merged-sarif-artifact }}
name: ${{ needs.trivy.outputs.merged-sarif-artifact }}
path: sarif
# Path to file: sarif/${{ needs.sec.outputs.merged-sarif-path }}
# Path to file: sarif/${{ needs.trivy.outputs.merged-sarif-path }}
# - uses: .../tas-upload-sarif@...
# with:
# sarif-file: sarif/${{ needs.sec.outputs.merged-sarif-path }}
# sarif-file: sarif/${{ needs.trivy.outputs.merged-sarif-path }}
```
### Call from another repository
Use the **full workflow path** including `.gitea/workflows/` and the filename. Gitea does not accept a bare repo path like `.../sec-actions/run-sec-scan@ref`.
Use the **full workflow path** including `.gitea/workflows/` and the filename. Gitea does not accept a bare repo path like `.../trivy-actions/run-trivy-scan@ref`.
**With absolute URL:**
```yaml
jobs:
sec:
uses: https://gitea.t000-n.de/t.behrendt/sec-workflows/.gitea/workflows/run-sec-scan.yaml@1.0.0
trivy:
uses: https://gitea.t000-n.de/t.behrendt/trivy-actions/.gitea/workflows/run-trivy-scan.yaml@1.4.5
with:
ecosystems: github-actions,npm,go,Alpine
ref: 1.4.5 # use same ref as in 'uses' so actions load from trivy-actions
scan-config: true
scan-images: true
image-scan-files: |
- k8s/31_deployment_redis.yaml
trivy-server-url: ${{ vars.TRIVY_SERVER_URL }}
```
**With owner/repo path** (same server as the caller):
```yaml
jobs:
sec:
uses: t.behrendt/sec-workflows/.gitea/workflows/run-sec-scan.yaml@1.0.0
trivy:
uses: t.behrendt/trivy-actions/.gitea/workflows/run-trivy-scan.yaml@1.4.5
with:
ecosystems: github-actions,npm,go,docker
ref: 1.4.5 # use same ref as in 'uses'
scan-config: true
scan-images: true
image-scan-files: |
- k8s/31_deployment_redis.yaml
```
Pin the same tag or commit in `uses:` that you intend to run. Reusable actions referenced **inside** this workflow (for example `sec-actions/setup-osv-db`) are pinned in the workflow file; update that repo reference when you release new **sec-actions** versions.
When calling from another repo, pass **`ref`** with the same ref as in the workflow path (e.g. `@1.4.5` or commit SHA). The workflow checks out trivy-actions at that ref into `trivy-actions/` and then uses the actions from that checkout (e.g. `./trivy-actions/setup-trivy`).
### Inputs
| Input | Type | Default | Description |
| --------------------- | ------ | ----------------------------------- | --------------------------------------------------------------------------- |
| `ecosystems` | string | `github-actions,npm,go,docker` | Passed to **`setup-osv-db`** (`docker` maps to **Linux** in that action). |
| `cache-bucket-hours` | number | `24` | Passed to **`setup-osv-db`** for `actions/cache` key bucketing. |
| `osv-scanner-image` | string | `ghcr.io/google/osv-scanner:latest` | Image for the hardened **`docker run`** (offline scan; no network in run). Pin a digest or tag for reproducibility. |
| Input | Type | Default | Description |
| ------------------- | ------- | ------- | ----------- |
| `scan-config` | boolean | false | Run Trivy config scan on the repository root. |
| `scan-images` | boolean | false | Run Trivy image scan on images from `image-scan-files`. |
| `image-scan-files` | string | "" | YAML list of files to extract container images from. |
| `trivy-server-url` | string | "" | Optional Trivy server URL for image scan. |
| `ref` | string | "main" | Git ref to checkout (branch, tag, or SHA); use the same ref as in the workflow path when calling from another repo. |
| `repository-url` | string | "https://gitea.t000-n.de/t.behrendt/trivy-actions.git" | Clone URL for trivy-actions; for private repos use a URL with token or SSH. |
At least one of `scan-config` or `scan-images` must be true. If `scan-images` is true, set `image-scan-files`.
### Outputs
| Output | Description |
| ----------------------- | ------------------------------------------------------------------- |
| `merged-sarif-artifact` | Artifact name to pass to `download-artifact` (e.g. `merged-sarif`). |
| `merged-sarif-path` | Path to the file inside that artifact (e.g. `merged-sarif.json`). |
| Output | Description |
| ------------------------ | ----------- |
| `merged-sarif-artifact` | Artifact name to pass to `download-artifact` (e.g. `merged-sarif`). |
| `merged-sarif-path` | Path to the file inside that artifact (e.g. `merged-sarif.json`). |
After downloading the artifact, the SARIF file is at `<download-path>/${{ needs.<job>.outputs.merged-sarif-path }}`.
## Migration from Trivy
Earlier revisions used **Trivy** (`setup-trivy`, `setup-db` from **trivy-actions**) for config, filesystem, and image scans. This workflow now targets **OSV-Scanner** source scans with an **offline OSV database** only. Replacing IaC or container-image vulnerability semantics may require additional tooling outside this repository.
After downloading the artifact, the merged SARIF file is at `<download-path>/${{ needs.<job>.outputs.merged-sarif-path }}`.