mirror of
https://github.com/super-linter/super-linter.git
synced 2024-11-29 01:21:05 -05:00
Add trivy scans for container security (#1209)
* Create trivy.yml * Add descriptive names * Add fs mode to catch package.lock issues * use script to get around timeout * use script to get around timeout * set it * set it * update deps * Align with comment style * fix headeer * npm audit fix to patch vulnerabilities Signed-off-by: Zack Koppert <zkoppert@github.com> Co-authored-by: Lukas Gravley <admiralawkbar@github.com>
This commit is contained in:
parent
2e8c31622a
commit
35e2d160a4
4 changed files with 9883 additions and 552 deletions
104
.automation/trivy-security-scan.sh
Executable file
104
.automation/trivy-security-scan.sh
Executable file
|
@ -0,0 +1,104 @@
|
||||||
|
#!/usr/bin/env bash
|
||||||
|
|
||||||
|
################################################################################
|
||||||
|
############# Trivy Security Scan @admiralawkbar ###############################
|
||||||
|
################################################################################
|
||||||
|
|
||||||
|
###########
|
||||||
|
# Globals #
|
||||||
|
###########
|
||||||
|
GITHUB_WORKSPACE="${GITHUB_WORKSPACE}" # GitHub Workspace
|
||||||
|
REPORT_NAME='report.sarif' # Name of the generated report
|
||||||
|
TEMPLATE_NAME='sarif.tpl' # Name of the template file
|
||||||
|
ERRORS_FOUND=0 # Flag for errors founsd in scan
|
||||||
|
|
||||||
|
################################################################################
|
||||||
|
############################ FUNCTIONS BELOW ###################################
|
||||||
|
################################################################################ß
|
||||||
|
################################################################################
|
||||||
|
#### Function Header ###########################################################
|
||||||
|
Header() {
|
||||||
|
echo ""
|
||||||
|
echo "-------------------------------------------------------"
|
||||||
|
echo "--------- Trivy Security Scan on Super-Linter ---------"
|
||||||
|
echo "-------------------------------------------------------"
|
||||||
|
}
|
||||||
|
################################################################################
|
||||||
|
#### Function RunScan ##########################################################
|
||||||
|
RunScan() {
|
||||||
|
###########################
|
||||||
|
# Run the Trivy code scan #
|
||||||
|
###########################
|
||||||
|
echo ""
|
||||||
|
echo "-------------------------------------------------------"
|
||||||
|
echo " Running scan on local code base..."
|
||||||
|
RUN_CMD=$("${GITHUB_WORKSPACE}/trivy" fs --format template --template @"${GITHUB_WORKSPACE}/${TEMPLATE_NAME}" -o "${REPORT_NAME}" --exit-code 1 "${GITHUB_WORKSPACE}" 2>&1)
|
||||||
|
|
||||||
|
#######################
|
||||||
|
# Load the error code #
|
||||||
|
#######################
|
||||||
|
ERROR_CODE=$?
|
||||||
|
|
||||||
|
##############################
|
||||||
|
# Check the shell for errors #
|
||||||
|
##############################
|
||||||
|
if [ $ERROR_CODE -ne 0 ]; then
|
||||||
|
# Erro
|
||||||
|
echo "-------------------------------------------------------"r
|
||||||
|
echo "ERRORS detected in scan!"
|
||||||
|
echo "[${RUN_CMD}]"
|
||||||
|
# bump the count
|
||||||
|
ERRORS_FOUND=1
|
||||||
|
else
|
||||||
|
# Success
|
||||||
|
echo "-------------------------------------------------------"
|
||||||
|
echo "Successfully scanned codebase!"
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
################################################################################
|
||||||
|
#### Function OutputReport #####################################################
|
||||||
|
OutputReport() {
|
||||||
|
########################################
|
||||||
|
# Output the report that was generated #
|
||||||
|
########################################
|
||||||
|
echo ""
|
||||||
|
echo "-------- [${REPORT_NAME}] Results: --------"
|
||||||
|
"${GITHUB_WORKSPACE}/trivy" fs "${GITHUB_WORKSPACE}" 2>&1
|
||||||
|
echo "-----------------------------------------"
|
||||||
|
}
|
||||||
|
################################################################################
|
||||||
|
#### Function Footer ###########################################################
|
||||||
|
Footer() {
|
||||||
|
echo ""
|
||||||
|
echo "-------------------------------------------------------"
|
||||||
|
echo "The step has completed with error code:[${ERRORS_FOUND}]"
|
||||||
|
echo "-------------------------------------------------------"
|
||||||
|
|
||||||
|
########################
|
||||||
|
# Exit with error code #
|
||||||
|
########################
|
||||||
|
exit "${ERRORS_FOUND}"
|
||||||
|
}
|
||||||
|
################################################################################
|
||||||
|
################################## MAIN ########################################
|
||||||
|
################################################################################
|
||||||
|
|
||||||
|
##########
|
||||||
|
# Header #
|
||||||
|
##########
|
||||||
|
Header
|
||||||
|
|
||||||
|
################
|
||||||
|
# Run the scan #
|
||||||
|
################
|
||||||
|
RunScan
|
||||||
|
|
||||||
|
#################
|
||||||
|
# Output Report #
|
||||||
|
#################
|
||||||
|
OutputReport
|
||||||
|
|
||||||
|
##########
|
||||||
|
# Footer #
|
||||||
|
##########
|
||||||
|
Footer
|
49
.github/workflows/trivy.yml
vendored
Normal file
49
.github/workflows/trivy.yml
vendored
Normal file
|
@ -0,0 +1,49 @@
|
||||||
|
---
|
||||||
|
name: Container Security Scan with Trivy
|
||||||
|
on:
|
||||||
|
push:
|
||||||
|
branches:
|
||||||
|
- master
|
||||||
|
pull_request:
|
||||||
|
jobs:
|
||||||
|
scan-container:
|
||||||
|
name: Build
|
||||||
|
runs-on: ubuntu-18.04
|
||||||
|
steps:
|
||||||
|
######################
|
||||||
|
# Checkout code base #
|
||||||
|
######################
|
||||||
|
- name: Checkout code
|
||||||
|
uses: actions/checkout@v2
|
||||||
|
|
||||||
|
# ##########################
|
||||||
|
# # Build the docker image #
|
||||||
|
# ##########################
|
||||||
|
# - name: Build an image from Dockerfile
|
||||||
|
# run: |
|
||||||
|
# docker build -t docker.io/github/super-linter:${{ github.sha }} .
|
||||||
|
|
||||||
|
###########################################
|
||||||
|
# Download and install Trivy and template #
|
||||||
|
###########################################
|
||||||
|
- name: Download and Install Trivy
|
||||||
|
shell: bash
|
||||||
|
run: |
|
||||||
|
curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/master/contrib/install.sh | sh -s -- -b ${GITHUB_WORKSPACE}
|
||||||
|
curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/master/contrib/sarif.tpl -o sarif.tpl
|
||||||
|
|
||||||
|
#################################
|
||||||
|
# Run Trivy Scan of source code #
|
||||||
|
#################################
|
||||||
|
- name: Trivy Scan
|
||||||
|
shell: bash
|
||||||
|
run: ./.automation/trivy-security-scan.sh
|
||||||
|
|
||||||
|
################################
|
||||||
|
# Upload report to secrity tab #
|
||||||
|
################################
|
||||||
|
- name: Upload Trivy scan results to GitHub Security tab
|
||||||
|
uses: github/codeql-action/upload-sarif@v1
|
||||||
|
if: always()
|
||||||
|
with:
|
||||||
|
sarif_file: 'report.sarif'
|
10261
dependencies/package-lock.json
generated
vendored
10261
dependencies/package-lock.json
generated
vendored
File diff suppressed because it is too large
Load diff
7
dependencies/package.json
vendored
7
dependencies/package.json
vendored
|
@ -6,6 +6,7 @@
|
||||||
"@typescript-eslint/eslint-plugin": "^4.0.0",
|
"@typescript-eslint/eslint-plugin": "^4.0.0",
|
||||||
"@typescript-eslint/parser": "^3.10.1",
|
"@typescript-eslint/parser": "^3.10.1",
|
||||||
"asl-validator": "^1.9.4",
|
"asl-validator": "^1.9.4",
|
||||||
|
"axios": "^0.21.1",
|
||||||
"babel-eslint": "^10.1.0",
|
"babel-eslint": "^10.1.0",
|
||||||
"dockerfilelint": "^1.8.0",
|
"dockerfilelint": "^1.8.0",
|
||||||
"eslint": "^7.20.0",
|
"eslint": "^7.20.0",
|
||||||
|
@ -15,10 +16,14 @@
|
||||||
"eslint-plugin-prettier": "^3.3.1",
|
"eslint-plugin-prettier": "^3.3.1",
|
||||||
"gherkin-lint": "^4.1.3",
|
"gherkin-lint": "^4.1.3",
|
||||||
"htmlhint": "^0.14.2",
|
"htmlhint": "^0.14.2",
|
||||||
|
"immer": "^8.0.1",
|
||||||
|
"ini": "^1.3.6",
|
||||||
"jscpd": "^3.3.21",
|
"jscpd": "^3.3.21",
|
||||||
"jsonlint": "^1.6.3",
|
"jsonlint": "^1.6.3",
|
||||||
|
"lodash": "^4.17.19",
|
||||||
"markdownlint-cli": "^0.26.0",
|
"markdownlint-cli": "^0.26.0",
|
||||||
"npm-groovy-lint": "^8.1.0",
|
"node-fetch": "^2.6.1",
|
||||||
|
"npm-groovy-lint": "^4.14.0",
|
||||||
"prettier": "^2.2.1",
|
"prettier": "^2.2.1",
|
||||||
"prettyjson": "^1.2.1",
|
"prettyjson": "^1.2.1",
|
||||||
"sql-lint": "0.0.15",
|
"sql-lint": "0.0.15",
|
||||||
|
|
Loading…
Reference in a new issue