mirror of
https://github.com/super-linter/super-linter.git
synced 2024-11-14 04:49:27 -05:00
chore(ci/trivy): replace script with action (#1355)
* chore: replace script with action * delete trivy script * more Co-authored-by: Admiral Awkbar <admiralawkbar@github.com>
This commit is contained in:
parent
5f88bc67ef
commit
d1c8432796
3 changed files with 18 additions and 119 deletions
7
.automation/test/go/reports/expected-GO-5.tap
Normal file
7
.automation/test/go/reports/expected-GO-5.tap
Normal file
|
@ -0,0 +1,7 @@
|
||||||
|
TAP version 13
|
||||||
|
1..2
|
||||||
|
not ok 1 - golang_bad_01.go
|
||||||
|
---
|
||||||
|
message: level=warningg="[runner] The linter 'maligned' is deprecated due to The repository of the linter has been archived by the owner. Use govet 'fieldalignment' instead."\nlevel=warningg="[runner] Can't run linter goanalysis_metalinter failed prerequisites [(buildir@command-line-arguments, inspect@command-line-arguments, isgenerated@command-line-arguments) analysis skipped errors in package [go/golang_bad_01.go 1 1 expected 'package', found 'if' /tmp/lint/.automation/test/go/golang_bad_01.go 1 1 expected 'package', found 'if']]"\nlevel=warningg="[runner] Can't run linter unused buildir analysis skipped errors in package [go/golang_bad_01.go 1 1 expected 'package', found 'if' /tmp/lint/.automation/test/go/golang_bad_01.go 1 1 expected 'package', found 'if' /tmp/lint/.automation/test/go/golang_bad_01.go 1 1 expected 'package', found 'if']"\nlevel=errorg="Running error buildir analysis skipped errors in package [go/golang_bad_01.go 1 1 expected 'package', found 'if' /tmp/lint/.automation/test/go/golang_bad_01.go 1 1 expected 'package', found 'if' /tmp/lint/.automation/test/go/golang_bad_01.go 1 1 expected 'package', found 'if']"\n
|
||||||
|
...
|
||||||
|
ok 2 - golang_good_01.go
|
|
@ -1,105 +0,0 @@
|
||||||
#!/usr/bin/env bash
|
|
||||||
|
|
||||||
################################################################################
|
|
||||||
############# Trivy Security Scan @admiralawkbar ###############################
|
|
||||||
################################################################################
|
|
||||||
|
|
||||||
###########
|
|
||||||
# Globals #
|
|
||||||
###########
|
|
||||||
GITHUB_WORKSPACE="${GITHUB_WORKSPACE}" # GitHub Workspace
|
|
||||||
REPORT_NAME='report.sarif' # Name of the generated report
|
|
||||||
TEMPLATE_NAME='sarif.tpl' # Name of the template file
|
|
||||||
ERRORS_FOUND=0 # Flag for errors founsd in scan
|
|
||||||
|
|
||||||
################################################################################
|
|
||||||
############################ FUNCTIONS BELOW ###################################
|
|
||||||
################################################################################ß
|
|
||||||
################################################################################
|
|
||||||
#### Function Header ###########################################################
|
|
||||||
Header() {
|
|
||||||
echo ""
|
|
||||||
echo "-------------------------------------------------------"
|
|
||||||
echo "--------- Trivy Security Scan on Super-Linter ---------"
|
|
||||||
echo "-------------------------------------------------------"
|
|
||||||
}
|
|
||||||
################################################################################
|
|
||||||
#### Function RunScan ##########################################################
|
|
||||||
RunScan() {
|
|
||||||
###########################
|
|
||||||
# Run the Trivy code scan #
|
|
||||||
###########################
|
|
||||||
echo ""
|
|
||||||
echo "-------------------------------------------------------"
|
|
||||||
echo "Running scan on local code base..."
|
|
||||||
echo "Running command:[\"${GITHUB_WORKSPACE}/trivy\" fs --format template --template @\"${GITHUB_WORKSPACE}/${TEMPLATE_NAME}\" -o \"${REPORT_NAME}\" --severity HIGH,CRITICAL --exit-code 1 \"${GITHUB_WORKSPACE}\" 2>&1]"
|
|
||||||
RUN_CMD=$("${GITHUB_WORKSPACE}/trivy" fs --format template --template @"${GITHUB_WORKSPACE}/${TEMPLATE_NAME}" -o "${REPORT_NAME}" --severity HIGH,CRITICAL --exit-code 1 "${GITHUB_WORKSPACE}" 2>&1)
|
|
||||||
|
|
||||||
#######################
|
|
||||||
# Load the error code #
|
|
||||||
#######################
|
|
||||||
ERROR_CODE=$?
|
|
||||||
|
|
||||||
##############################
|
|
||||||
# Check the shell for errors #
|
|
||||||
##############################
|
|
||||||
if [ $ERROR_CODE -ne 0 ]; then
|
|
||||||
# Erro
|
|
||||||
echo "-------------------------------------------------------"r
|
|
||||||
echo "ERRORS detected in scan!"
|
|
||||||
echo "[${RUN_CMD}]"
|
|
||||||
# bump the count
|
|
||||||
ERRORS_FOUND=1
|
|
||||||
else
|
|
||||||
# Success
|
|
||||||
echo "-------------------------------------------------------"
|
|
||||||
echo "Successfully scanned codebase!"
|
|
||||||
fi
|
|
||||||
}
|
|
||||||
################################################################################
|
|
||||||
#### Function OutputReport #####################################################
|
|
||||||
OutputReport() {
|
|
||||||
########################################
|
|
||||||
# Output the report that was generated #
|
|
||||||
########################################
|
|
||||||
echo ""
|
|
||||||
echo "-------- [${REPORT_NAME}] Results: --------"
|
|
||||||
"${GITHUB_WORKSPACE}/trivy" fs "${GITHUB_WORKSPACE}" 2>&1
|
|
||||||
echo "-----------------------------------------"
|
|
||||||
}
|
|
||||||
################################################################################
|
|
||||||
#### Function Footer ###########################################################
|
|
||||||
Footer() {
|
|
||||||
echo ""
|
|
||||||
echo "-------------------------------------------------------"
|
|
||||||
echo "The step has completed with error code:[${ERRORS_FOUND}]"
|
|
||||||
echo "-------------------------------------------------------"
|
|
||||||
|
|
||||||
########################
|
|
||||||
# Exit with error code #
|
|
||||||
########################
|
|
||||||
exit "${ERRORS_FOUND}"
|
|
||||||
}
|
|
||||||
################################################################################
|
|
||||||
################################## MAIN ########################################
|
|
||||||
################################################################################
|
|
||||||
|
|
||||||
##########
|
|
||||||
# Header #
|
|
||||||
##########
|
|
||||||
Header
|
|
||||||
|
|
||||||
################
|
|
||||||
# Run the scan #
|
|
||||||
################
|
|
||||||
RunScan
|
|
||||||
|
|
||||||
#################
|
|
||||||
# Output Report #
|
|
||||||
#################
|
|
||||||
OutputReport
|
|
||||||
|
|
||||||
##########
|
|
||||||
# Footer #
|
|
||||||
##########
|
|
||||||
Footer
|
|
25
.github/workflows/trivy.yml
vendored
25
.github/workflows/trivy.yml
vendored
|
@ -23,25 +23,22 @@ jobs:
|
||||||
# run: |
|
# run: |
|
||||||
# docker build -t docker.io/github/super-linter:${{ github.sha }} .
|
# docker build -t docker.io/github/super-linter:${{ github.sha }} .
|
||||||
|
|
||||||
###########################################
|
|
||||||
# Download and install Trivy and template #
|
|
||||||
###########################################
|
|
||||||
- name: Download and Install Trivy
|
|
||||||
shell: bash
|
|
||||||
run: |
|
|
||||||
curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/master/contrib/install.sh | sh -s -- -b ${GITHUB_WORKSPACE}
|
|
||||||
curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/master/contrib/sarif.tpl -o sarif.tpl
|
|
||||||
|
|
||||||
#################################
|
#################################
|
||||||
# Run Trivy Scan of source code #
|
# Run Trivy Scan of source code #
|
||||||
#################################
|
#################################
|
||||||
- name: Trivy Scan
|
- name: Trivy Scan
|
||||||
shell: bash
|
uses: aquasecurity/trivy-action@master
|
||||||
run: ./.automation/trivy-security-scan.sh
|
with:
|
||||||
|
scan-type: 'fs'
|
||||||
|
format: 'template'
|
||||||
|
exit-code: '1'
|
||||||
|
template: '@/contrib/sarif.tpl'
|
||||||
|
output: 'report.sarif'
|
||||||
|
severity: 'HIGH,CRITICAL'
|
||||||
|
|
||||||
################################
|
#################################
|
||||||
# Upload report to secrity tab #
|
# Upload report to security tab #
|
||||||
################################
|
#################################
|
||||||
- name: Upload Trivy scan results to GitHub Security tab
|
- name: Upload Trivy scan results to GitHub Security tab
|
||||||
uses: github/codeql-action/upload-sarif@v1
|
uses: github/codeql-action/upload-sarif@v1
|
||||||
if: always()
|
if: always()
|
||||||
|
|
Loading…
Reference in a new issue