Renovate Bot
755e1d877b
Some checks failed
CD / Release (push) Has been cancelled
This PR contains the following updates: | Package | Type | Update | Change | |---|---|---|---| | [https://gitea.t000-n.de/t.behrendt/trivy-actions](https://gitea.t000-n.de/t.behrendt/trivy-actions) | action | patch | `1.4.5` → `1.4.7` | --- ### Release Notes <details> <summary>t.behrendt/trivy-actions (https://gitea.t000-n.de/t.behrendt/trivy-actions)</summary> ### [`v1.4.7`](https://gitea.t000-n.de/t.behrendt/trivy-actions/compare/1.4.6...1.4.7) [Compare Source](https://gitea.t000-n.de/t.behrendt/trivy-actions/compare/1.4.6...1.4.7) ### [`v1.4.6`](https://gitea.t000-n.de/t.behrendt/trivy-actions/compare/1.4.5...1.4.6) [Compare Source](https://gitea.t000-n.de/t.behrendt/trivy-actions/compare/1.4.5...1.4.6) </details> --- ### Configuration 📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My41LjQiLCJ1cGRhdGVkSW5WZXIiOiI0My41LjQiLCJ0YXJnZXRCcmFuY2giOiJtYWluIiwibGFiZWxzIjpbImFjdGlvbiIsImRlcHMiXX0=--> Reviewed-on: t.behrendt/trivy-workflows#10 Reviewed-by: t.behrendt <t.behrendt@noreply.localhost> Co-authored-by: Renovate Bot <renovate@t00n.de> Co-committed-by: Renovate Bot <renovate@t00n.de>
193 lines
8.3 KiB
YAML
193 lines
8.3 KiB
YAML
name: Run Trivy Scan
|
|
|
|
on:
|
|
workflow_call:
|
|
inputs:
|
|
scan-config:
|
|
description: "Run Trivy config scan (repository root)."
|
|
required: false
|
|
type: boolean
|
|
default: false
|
|
scan-images:
|
|
description: "Run Trivy image scan on images from image-scan-files."
|
|
required: false
|
|
type: boolean
|
|
default: false
|
|
image-scan-files:
|
|
description: "YAML list of files to extract container images from. Used when scan-images is true."
|
|
required: false
|
|
type: string
|
|
default: ""
|
|
trivy-server-url:
|
|
description: "Optional Trivy server URL for image scan."
|
|
required: false
|
|
type: string
|
|
default: ""
|
|
scan-fs:
|
|
description: "Run Trivy file system scan on the repository root."
|
|
required: false
|
|
type: boolean
|
|
default: false
|
|
outputs:
|
|
merged-sarif-artifact:
|
|
description: "Artifact name containing the merged SARIF file (download this artifact; file inside is merged-sarif.json)."
|
|
value: ${{ jobs.merge.outputs.merged-sarif-artifact }}
|
|
merged-sarif-path:
|
|
description: "Path to the merged SARIF file inside the artifact (merged-sarif.json)."
|
|
value: ${{ jobs.merge.outputs.merged-sarif-path }}
|
|
|
|
jobs:
|
|
config-scan:
|
|
if: inputs.scan-config
|
|
runs-on: ubuntu-latest
|
|
steps:
|
|
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
|
|
- uses: https://gitea.t000-n.de/t.behrendt/trivy-actions/setup-trivy@a6508d695d7bb6137f14372392d5c312c98225cf # 1.4.7
|
|
- uses: https://gitea.t000-n.de/t.behrendt/trivy-actions/setup-db@a6508d695d7bb6137f14372392d5c312c98225cf # 1.4.7
|
|
- run: |
|
|
trivy config --cache-dir "$TRIVY_CACHE_DIR" --exit-code 0 --format sarif --output config-sarif.json .
|
|
env:
|
|
TRIVY_CACHE_DIR: ${{ runner.temp }}/trivy
|
|
- uses: https://github.com/ChristopherHX/gitea-upload-artifact@v4
|
|
with:
|
|
name: config-sarif
|
|
path: config-sarif.json
|
|
|
|
image-scan:
|
|
if: inputs.scan-images
|
|
runs-on: ubuntu-latest
|
|
steps:
|
|
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
|
|
- uses: https://gitea.t000-n.de/t.behrendt/trivy-actions/setup-trivy@a6508d695d7bb6137f14372392d5c312c98225cf # 1.4.7
|
|
- uses: https://gitea.t000-n.de/t.behrendt/trivy-actions/setup-db@a6508d695d7bb6137f14372392d5c312c98225cf # 1.4.7
|
|
- name: Get images from files
|
|
id: get-images
|
|
uses: https://gitea.t000-n.de/t.behrendt/trivy-actions/get-images-from-files@a6508d695d7bb6137f14372392d5c312c98225cf # 1.4.7
|
|
with:
|
|
files: ${{ inputs.image-scan-files }}
|
|
- name: Pull images
|
|
if: steps.get-images.outputs.images != '[]'
|
|
run: |
|
|
set -e
|
|
images='${{ steps.get-images.outputs.images }}'
|
|
for img in $(echo "$images" | jq -r '.[]'); do
|
|
docker pull "$img"
|
|
done
|
|
- name: Scan images
|
|
id: scan
|
|
if: steps.get-images.outputs.images != '[]'
|
|
run: |
|
|
set -e
|
|
images='${{ steps.get-images.outputs.images }}'
|
|
count=$(echo "$images" | jq 'length')
|
|
if [ "$count" -eq 0 ]; then
|
|
echo "count=0" >> "$GITHUB_OUTPUT"
|
|
exit 0
|
|
fi
|
|
i=0
|
|
server="${{ inputs.trivy-server-url }}"
|
|
for img in $(echo "$images" | jq -r '.[]'); do
|
|
args=(image --cache-dir "$TRIVY_CACHE_DIR" --exit-code 0 --scanners vuln --format sarif --output "sarif-image-${i}.json" "$img")
|
|
[ -n "$server" ] && args+=(--server "$server")
|
|
trivy "${args[@]}"
|
|
i=$((i + 1))
|
|
done
|
|
{
|
|
echo "files<<EOF"
|
|
for j in $(seq 0 $((i - 1))); do echo " - sarif-image-${j}.json"; done
|
|
echo "EOF"
|
|
} >> $GITHUB_OUTPUT
|
|
echo "count=$i" >> $GITHUB_OUTPUT
|
|
env:
|
|
TRIVY_CACHE_DIR: ${{ runner.temp }}/trivy
|
|
- name: Merge image SARIF files
|
|
if: steps.get-images.outputs.images != '[]' && steps.scan.outputs.count != '0'
|
|
uses: https://gitea.t000-n.de/t.behrendt/trivy-actions/merge-sarif-files@a6508d695d7bb6137f14372392d5c312c98225cf # 1.4.7
|
|
with:
|
|
files: ${{ steps.scan.outputs.files }}
|
|
output-file: image-sarif.json
|
|
- name: Ensure image SARIF exists (no images case)
|
|
if: steps.get-images.outputs.images == '[]' || steps.scan.outputs.count == '0'
|
|
run: |
|
|
echo '{"version":"2.1.0","$schema":"https://raw.githubusercontent.com/oasis-tcs/sarif-spec/master/Schemata/sarif-schema-2.1.0.json","runs":[]}' > image-sarif.json
|
|
- uses: https://github.com/ChristopherHX/gitea-upload-artifact@v4
|
|
with:
|
|
name: image-sarif
|
|
path: image-sarif.json
|
|
|
|
fs-scan:
|
|
if: inputs.scan-fs
|
|
runs-on: ubuntu-latest
|
|
steps:
|
|
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
|
|
- uses: https://gitea.t000-n.de/t.behrendt/trivy-actions/setup-trivy@a6508d695d7bb6137f14372392d5c312c98225cf # 1.4.7
|
|
- uses: https://gitea.t000-n.de/t.behrendt/trivy-actions/setup-db@a6508d695d7bb6137f14372392d5c312c98225cf # 1.4.7
|
|
- run: |
|
|
server="${{ inputs.trivy-server-url }}"
|
|
args=(fs --cache-dir "$TRIVY_CACHE_DIR" --exit-code 0 --format sarif --output fs-sarif.json --scanners vuln .)
|
|
[ -n "$server" ] && args+=(--server "$server")
|
|
trivy "${args[@]}"
|
|
env:
|
|
TRIVY_CACHE_DIR: ${{ runner.temp }}/trivy
|
|
- uses: https://github.com/ChristopherHX/gitea-upload-artifact@v4
|
|
with:
|
|
name: fs-sarif
|
|
path: fs-sarif.json
|
|
|
|
merge:
|
|
runs-on: ubuntu-latest
|
|
needs: [config-scan, image-scan, fs-scan]
|
|
if: always() && (needs.config-scan.result == 'success' || needs.config-scan.result == 'skipped') && (needs.image-scan.result == 'success' || needs.image-scan.result == 'skipped') && (inputs.scan-config || inputs.scan-images)
|
|
outputs:
|
|
merged-sarif-artifact: ${{ steps.outputs.outputs.merged-sarif-artifact }}
|
|
merged-sarif-path: ${{ steps.outputs.outputs.merged-sarif-path }}
|
|
steps:
|
|
- name: Require at least one scan
|
|
if: ${{ !inputs.scan-config && !inputs.scan-images }}
|
|
run: |
|
|
echo "Enable scan-config and/or scan-images (and provide image-scan-files for image scan)."
|
|
exit 1
|
|
- name: Download config SARIF
|
|
if: inputs.scan-config
|
|
uses: https://github.com/ChristopherHX/gitea-download-artifact@v4
|
|
with:
|
|
name: config-sarif
|
|
path: config-sarif-artifact
|
|
- name: Download image SARIF
|
|
if: inputs.scan-images
|
|
uses: https://github.com/ChristopherHX/gitea-download-artifact@v4
|
|
with:
|
|
name: image-sarif
|
|
path: image-sarif-artifact
|
|
- name: Build merge file list
|
|
id: file-list
|
|
run: |
|
|
files=""
|
|
if [ "${{ inputs.scan-config }}" = "true" ] && [ -f config-sarif-artifact/config-sarif.json ]; then
|
|
files="- config-sarif-artifact/config-sarif.json"
|
|
fi
|
|
if [ "${{ inputs.scan-images }}" = "true" ] && [ -f image-sarif-artifact/image-sarif.json ]; then
|
|
[ -n "$files" ] && files="$files"$'\n'" - image-sarif-artifact/image-sarif.json" || files="- image-sarif-artifact/image-sarif.json"
|
|
fi
|
|
if [ "${{ inputs.scan-fs }}" = "true" ] && [ -f fs-sarif-artifact/fs-sarif.json ]; then
|
|
[ -n "$files" ] && files="$files"$'\n'" - fs-sarif-artifact/fs-sarif.json" || files="- fs-sarif-artifact/fs-sarif.json"
|
|
fi
|
|
echo "files<<EOF" >> "$GITHUB_OUTPUT"
|
|
echo "$files" >> "$GITHUB_OUTPUT"
|
|
echo "EOF" >> "$GITHUB_OUTPUT"
|
|
- name: Merge SARIF files
|
|
id: merge-step
|
|
uses: https://gitea.t000-n.de/t.behrendt/trivy-actions/merge-sarif-files@a6508d695d7bb6137f14372392d5c312c98225cf # 1.4.7
|
|
with:
|
|
files: ${{ steps.file-list.outputs.files }}
|
|
output-file: merged-sarif.json
|
|
- name: Set outputs
|
|
id: outputs
|
|
run: |
|
|
echo "merged-sarif-artifact=merged-sarif" >> "$GITHUB_OUTPUT"
|
|
echo "merged-sarif-path=merged-sarif.json" >> "$GITHUB_OUTPUT"
|
|
- uses: https://github.com/ChristopherHX/gitea-upload-artifact@v4
|
|
with:
|
|
name: merged-sarif
|
|
path: merged-sarif.json
|