From 786e7056dea1d134d51feed5e6acf067038179a4 Mon Sep 17 00:00:00 2001
From: Zack Koppert
Date: Sat, 17 Apr 2021 14:50:23 -0700
Subject: [PATCH] Reinstate Trivy with no blocks for vulnerabilities found (#1455)
* enable trivy
* enable docker build
* Add audit fix to patch vulns
* exit success on vulnerabilities found
---
.github/workflows/trivy.yml | 85 ++++++++++++++++++-------------------
Dockerfile | 3 +-
2 files changed, 44 insertions(+), 44 deletions(-)
diff --git a/.github/workflows/trivy.yml b/.github/workflows/trivy.yml
index 8ea54f6f..95998957 100644
--- a/.github/workflows/trivy.yml
+++ b/.github/workflows/trivy.yml
@@ -1,47 +1,46 @@
 # Disabling trivy scans while they get troubleshooting for failures
-# ---
-# name: Container Security Scan with Trivy
-# on:
-# push:
-# branches:
-# - master
-# pull_request:
-# jobs:
-# scan-container:
-# name: Build
-# runs-on: ubuntu-18.04
-# steps:
-# ######################
-# # Checkout code base #
-# ######################
-# - name: Checkout code
-# uses: actions/checkout@v2
+---
+name: Container Security Scan with Trivy
+on:
+ push:
+ branches:
+ - master
+ pull_request:
+jobs:
+ scan-container:
+ name: Build
+ runs-on: ubuntu-18.04
+ steps:
+ ######################
+ # Checkout code base #
+ ######################
+ - name: Checkout code
+ uses: actions/checkout@v2
-# # ##########################
-# # # Build the docker image #
-# # ##########################
-# # - name: Build an image from Dockerfile
-# # run: |
-# # docker build -t docker.io/github/super-linter:${{ github.sha }} .
+ # ##########################
+ # # Build the docker image #
+ # ##########################
+ - name: Build an image from Dockerfile
+ run: |
+ docker build -t docker.io/github/super-linter:${{ github.sha }} .
-# #################################
-# # Run Trivy Scan of source code #
-# #################################
-# - name: Trivy Scan
-# uses: aquasecurity/trivy-action@master
-# with:
-# scan-type: 'fs'
-# format: 'template'
-# exit-code: '1'
-# template: '@/contrib/sarif.tpl'
-# output: 'report.sarif'
-# severity: 'HIGH,CRITICAL'
+ #################################
+ # Run Trivy Scan of source code #
+ #################################
+ - name: Trivy Scan
+ uses: aquasecurity/trivy-action@master
+ with:
+ scan-type: 'fs'
+ format: 'template'
+ template: '@/contrib/sarif.tpl'
+ output: 'report.sarif'
+ severity: 'HIGH,CRITICAL'
-# #################################
-# # Upload report to security tab #
-# #################################
-# - name: Upload Trivy scan results to GitHub Security tab
-# uses: github/codeql-action/upload-sarif@v1
-# if: always()
-# with:
-# sarif_file: 'report.sarif'
+ #################################
+ # Upload report to security tab #
+ #################################
+ - name: Upload Trivy scan results to GitHub Security tab
+ uses: github/codeql-action/upload-sarif@v1
+ if: always()
+ with:
+ sarif_file: 'report.sarif'
diff --git a/Dockerfile b/Dockerfile
index a5d74462..ab411b2b 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -150,7 +150,8 @@ RUN pipenv install --clear --system
 ####################
 RUN npm config set package-lock false \
 && npm config set loglevel error \
- && npm --no-cache install
+ && npm --no-cache install \
+ && npm audit fix
 #############################
 # Add node packages to path #
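Review bot: The first context line, `# Disabling trivy scans while they get troubleshooting for failures`, is now misleading: the new side re-enables the workflow and drops `exit-code: '1'`, so the scan runs but no longer fails the job on HIGH/CRITICAL findings, and that is what the comment should record instead, e.g. `# Trivy findings go to the Security tab only; this job does not block on them`. `uses: aquasecurity/trivy-action@master` tracks a moving branch while the upload step pins `github/codeql-action/upload-sarif@v1`; pinning the scanner to a release tag or commit SHA keeps the workflow's own supply chain reproducible. The image built in the "Build an image from Dockerfile" step is never consumed: the scan uses `scan-type: 'fs'` on the checkout, so either the build step is dead weight or the scan was meant to target the image (trivy-action's `image-ref` input is the hook for that). The banner around the build step kept a leading `# ` from the commented-out version (`# ##########################`) and no longer matches the other banners.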
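Review bot: `npm audit fix` on the new last line of the RUN chain changes which package versions end up in the image depending on the advisory database at build time, and with `npm config set package-lock false` two lines above nothing records what it changed, so two builds of the same commit can ship different dependency trees. It only applies semver-compatible bumps, so anything that needs a major upgrade stays in the image while the step reads as if it patched it; whether a non-zero exit from `npm audit fix` on unfixable advisories would fail the whole build depends on the npm version in the image and is worth confirming. A comment above the RUN stating the trade-off, e.g. `# npm audit fix is not reproducible: it applies whatever fixes the registry advises at build time`, or moving the fix into a committed lockfile with `npm audit` left as a CI check, would make this explicit.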