Compare commits
4 Commits
0.0.3
...
0.0.4-rc-6
| Author | SHA1 | Date | |
|---|---|---|---|
| 65059221d3 | |||
| ac31a169e0 | |||
ae60cd79b4
|
|||
| 26ac67db47 |
@@ -13,7 +13,7 @@ jobs:
|
||||
name: Release
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.2
|
||||
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
|
||||
with:
|
||||
fetch-depth: 0
|
||||
- name: Increment tag
|
||||
@@ -21,6 +21,7 @@ jobs:
|
||||
uses: https://gitea.t000-n.de/t.behrendt/conventional-semantic-git-tag-increment@af46017d0af5fd6af4425f8e6961f14280a1acd1 # 0.1.26
|
||||
with:
|
||||
token: ${{ secrets.GITEA_TOKEN }}
|
||||
prerelease: ${{ github.event_name == 'workflow_dispatch' }}
|
||||
- name: Push tag
|
||||
uses: https://gitea.t000-n.de/t.behrendt/actions/release-git-tag@1b8fe65eda1ea0a7586a5fd552ef8f4a639b154f # 0.1.3
|
||||
with:
|
||||
|
||||
143
.gitea/workflows/run-tas.yaml
Normal file
143
.gitea/workflows/run-tas.yaml
Normal file
@@ -0,0 +1,143 @@
|
||||
name: Run TAS
|
||||
|
||||
on:
|
||||
workflow_call:
|
||||
inputs:
|
||||
scan-config:
|
||||
description: "Scan the configuration files"
|
||||
required: false
|
||||
default: false
|
||||
type: boolean
|
||||
image-scan-files:
|
||||
description: "List of files to scan for images"
|
||||
required: false
|
||||
default: ""
|
||||
type: string
|
||||
pre-pull-images:
|
||||
description: "Pre-pull the images"
|
||||
required: false
|
||||
default: false
|
||||
type: boolean
|
||||
trivy-server:
|
||||
description: "Trivy server to use"
|
||||
required: false
|
||||
default: "https://trivy.gitea.t00n.de"
|
||||
type: string
|
||||
tas-base-url:
|
||||
description: "TAS base URL"
|
||||
required: false
|
||||
default: "https://tas.gitea.t00n.de"
|
||||
type: string
|
||||
repository-name:
|
||||
description: "Repository name"
|
||||
required: true
|
||||
type: string
|
||||
branch-name:
|
||||
description: "Branch name"
|
||||
required: true
|
||||
type: string
|
||||
repository-owner:
|
||||
description: "Repository owner"
|
||||
required: true
|
||||
type: string
|
||||
|
||||
jobs:
|
||||
config-scan:
|
||||
runs-on: ubuntu-latest
|
||||
if: inputs.scan-config == true
|
||||
steps:
|
||||
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
|
||||
- uses: https://gitea.t000-n.de/t.behrendt/trivy-actions/setup-trivy@1.4.0
|
||||
- uses: https://gitea.t000-n.de/t.behrendt/trivy-actions/setup-db@1.4.0
|
||||
- run: |
|
||||
trivy config --cache-dir "$TRIVY_CACHE_DIR" --exit-code 0 --format sarif --output config-sarif.json .
|
||||
env:
|
||||
TRIVY_CACHE_DIR: ${{ runner.temp }}/trivy
|
||||
- uses: https://github.com/christopherHX/gitea-upload-artifact@v4
|
||||
with:
|
||||
name: config-sarif
|
||||
path: config-sarif.json
|
||||
|
||||
image-scan:
|
||||
runs-on: ubuntu-latest
|
||||
if: inputs.image-scan-files != ""
|
||||
steps:
|
||||
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
|
||||
- uses: https://gitea.t000-n.de/t.behrendt/trivy-actions/setup-trivy@1.4.0
|
||||
- uses: https://gitea.t000-n.de/t.behrendt/trivy-actions/setup-db@1.4.0
|
||||
- name: Get Images From Files
|
||||
id: get-images
|
||||
uses: https://gitea.t000-n.de/t.behrendt/trivy-actions/get-images-from-files@1.4.0
|
||||
with:
|
||||
files: ${{ inputs.image-scan-files }}
|
||||
- name: Pull images
|
||||
if: inputs.pre-pull-images == true
|
||||
run: |
|
||||
set -e
|
||||
images='${{ steps.get-images.outputs.images }}'
|
||||
for img in $(echo "$images" | jq -r '.[]'); do
|
||||
docker pull "$img"
|
||||
done
|
||||
- name: Scan images
|
||||
id: scan
|
||||
run: |
|
||||
set -e
|
||||
images='${{ steps.get-images.outputs.images }}'
|
||||
count=$(echo "$images" | jq 'length')
|
||||
if [ "$count" -eq 0 ]; then
|
||||
echo "No images found"
|
||||
exit 1
|
||||
fi
|
||||
i=0
|
||||
for img in $(echo "$images" | jq -r '.[]'); do
|
||||
trivy image --cache-dir "$TRIVY_CACHE_DIR" --server ${{ inputs.trivy-server }} --exit-code 0 --scanners vuln --format sarif --output "sarif-image-${i}.json" "$img"
|
||||
i=$((i + 1))
|
||||
done
|
||||
{
|
||||
echo "files<<EOF"
|
||||
for j in $(seq 0 $((i - 1))); do echo " - sarif-image-${j}.json"; done
|
||||
echo "EOF"
|
||||
} >> $GITHUB_OUTPUT
|
||||
echo "count=$i" >> $GITHUB_OUTPUT
|
||||
env:
|
||||
TRIVY_CACHE_DIR: ${{ runner.temp }}/trivy
|
||||
- name: Merge image SARIF files
|
||||
if: steps.scan.outputs.count != '0'
|
||||
uses: https://gitea.t000-n.de/t.behrendt/trivy-actions/merge-sarif-files@1.4.1-rc-e78ced192dbed9db9a04540a2a27c75924f1d5ea
|
||||
with:
|
||||
files: ${{ steps.scan.outputs.files }}
|
||||
output-file: image-sarif.json
|
||||
- uses: https://github.com/ChristopherHX/gitea-upload-artifact@v4
|
||||
with:
|
||||
name: image-sarif
|
||||
path: image-sarif.json
|
||||
|
||||
merge-and-upload:
|
||||
runs-on: ubuntu-latest
|
||||
needs: [config-scan, image-scan]
|
||||
if: inputs.scan-config == true || inputs.image-scan-files != ""
|
||||
steps:
|
||||
- name: Download config SARIF
|
||||
uses: https://github.com/ChristopherHX/gitea-download-artifact@v4
|
||||
with:
|
||||
name: config-sarif
|
||||
path: config-sarif-artifact
|
||||
- name: Download image SARIF
|
||||
uses: https://github.com/ChristopherHX/gitea-download-artifact@v4
|
||||
with:
|
||||
name: image-sarif
|
||||
path: image-sarif-artifact
|
||||
- name: Merge SARIF files
|
||||
uses: https://gitea.t000-n.de/t.behrendt/trivy-actions/merge-sarif-files@1.4.1-rc-e78ced192dbed9db9a04540a2a27c75924f1d5ea
|
||||
with:
|
||||
files: |
|
||||
- config-sarif-artifact/config-sarif.json
|
||||
- image-sarif-artifact/image-sarif.json
|
||||
output-file: sarif.json
|
||||
- uses: https://gitea.t000-n.de/t.behrendt/tas-actions/tas-upload-sarif@0.0.2
|
||||
with:
|
||||
tas-base-url: ${{ inputs.tas-base-url }}
|
||||
sarif-file: sarif.json
|
||||
owner: ${{ inputs.repository-owner }}
|
||||
repo: ${{ inputs.repository-name }}
|
||||
branch: ${{ inputs.branch-name }}
|
||||
Reference in New Issue
Block a user