chore(ci/trivy): replace script with action (#1355)

* chore: replace script with action

* delete trivy script

* more

Co-authored-by: Admiral Awkbar <admiralawkbar@github.com>
This commit is contained in:
Teppei Fukuda 2021-03-11 17:15:07 +02:00 committed by GitHub
parent 5f88bc67ef
commit d1c8432796
WARNING! Although there is a key with this ID in the database it does not verify this commit! This commit is SUSPICIOUS.
GPG key ID: 4AEE18F83AFDEB23
3 changed files with 18 additions and 119 deletions

View file

@ -0,0 +1,7 @@
TAP version 13
1..2
not ok 1 - golang_bad_01.go
---
message: level=warningg="[runner] The linter 'maligned' is deprecated due to The repository of the linter has been archived by the owner. Use govet 'fieldalignment' instead."\nlevel=warningg="[runner] Can't run linter goanalysis_metalinter failed prerequisites [(buildir@command-line-arguments, inspect@command-line-arguments, isgenerated@command-line-arguments) analysis skipped errors in package [go/golang_bad_01.go 1 1 expected 'package', found 'if' /tmp/lint/.automation/test/go/golang_bad_01.go 1 1 expected 'package', found 'if']]"\nlevel=warningg="[runner] Can't run linter unused buildir analysis skipped errors in package [go/golang_bad_01.go 1 1 expected 'package', found 'if' /tmp/lint/.automation/test/go/golang_bad_01.go 1 1 expected 'package', found 'if' /tmp/lint/.automation/test/go/golang_bad_01.go 1 1 expected 'package', found 'if']"\nlevel=errorg="Running error buildir analysis skipped errors in package [go/golang_bad_01.go 1 1 expected 'package', found 'if' /tmp/lint/.automation/test/go/golang_bad_01.go 1 1 expected 'package', found 'if' /tmp/lint/.automation/test/go/golang_bad_01.go 1 1 expected 'package', found 'if']"\n
...
ok 2 - golang_good_01.go

View file

@ -1,105 +0,0 @@
#!/usr/bin/env bash
################################################################################
############# Trivy Security Scan @admiralawkbar ###############################
################################################################################
###########
# Globals #
###########
GITHUB_WORKSPACE="${GITHUB_WORKSPACE}" # GitHub Workspace
REPORT_NAME='report.sarif' # Name of the generated report
TEMPLATE_NAME='sarif.tpl' # Name of the template file
ERRORS_FOUND=0 # Flag for errors founsd in scan
################################################################################
############################ FUNCTIONS BELOW ###################################
################################################################################ß
################################################################################
#### Function Header ###########################################################
Header() {
echo ""
echo "-------------------------------------------------------"
echo "--------- Trivy Security Scan on Super-Linter ---------"
echo "-------------------------------------------------------"
}
################################################################################
#### Function RunScan ##########################################################
RunScan() {
###########################
# Run the Trivy code scan #
###########################
echo ""
echo "-------------------------------------------------------"
echo "Running scan on local code base..."
echo "Running command:[\"${GITHUB_WORKSPACE}/trivy\" fs --format template --template @\"${GITHUB_WORKSPACE}/${TEMPLATE_NAME}\" -o \"${REPORT_NAME}\" --severity HIGH,CRITICAL --exit-code 1 \"${GITHUB_WORKSPACE}\" 2>&1]"
RUN_CMD=$("${GITHUB_WORKSPACE}/trivy" fs --format template --template @"${GITHUB_WORKSPACE}/${TEMPLATE_NAME}" -o "${REPORT_NAME}" --severity HIGH,CRITICAL --exit-code 1 "${GITHUB_WORKSPACE}" 2>&1)
#######################
# Load the error code #
#######################
ERROR_CODE=$?
##############################
# Check the shell for errors #
##############################
if [ $ERROR_CODE -ne 0 ]; then
# Erro
echo "-------------------------------------------------------"r
echo "ERRORS detected in scan!"
echo "[${RUN_CMD}]"
# bump the count
ERRORS_FOUND=1
else
# Success
echo "-------------------------------------------------------"
echo "Successfully scanned codebase!"
fi
}
################################################################################
#### Function OutputReport #####################################################
OutputReport() {
########################################
# Output the report that was generated #
########################################
echo ""
echo "-------- [${REPORT_NAME}] Results: --------"
"${GITHUB_WORKSPACE}/trivy" fs "${GITHUB_WORKSPACE}" 2>&1
echo "-----------------------------------------"
}
################################################################################
#### Function Footer ###########################################################
Footer() {
echo ""
echo "-------------------------------------------------------"
echo "The step has completed with error code:[${ERRORS_FOUND}]"
echo "-------------------------------------------------------"
########################
# Exit with error code #
########################
exit "${ERRORS_FOUND}"
}
################################################################################
################################## MAIN ########################################
################################################################################
##########
# Header #
##########
Header
################
# Run the scan #
################
RunScan
#################
# Output Report #
#################
OutputReport
##########
# Footer #
##########
Footer

View file

@ -23,25 +23,22 @@ jobs:
# run: | # run: |
# docker build -t docker.io/github/super-linter:${{ github.sha }} . # docker build -t docker.io/github/super-linter:${{ github.sha }} .
###########################################
# Download and install Trivy and template #
###########################################
- name: Download and Install Trivy
shell: bash
run: |
curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/master/contrib/install.sh | sh -s -- -b ${GITHUB_WORKSPACE}
curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/master/contrib/sarif.tpl -o sarif.tpl
################################# #################################
# Run Trivy Scan of source code # # Run Trivy Scan of source code #
################################# #################################
- name: Trivy Scan - name: Trivy Scan
shell: bash uses: aquasecurity/trivy-action@master
run: ./.automation/trivy-security-scan.sh with:
scan-type: 'fs'
format: 'template'
exit-code: '1'
template: '@/contrib/sarif.tpl'
output: 'report.sarif'
severity: 'HIGH,CRITICAL'
################################ #################################
# Upload report to secrity tab # # Upload report to security tab #
################################ #################################
- name: Upload Trivy scan results to GitHub Security tab - name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v1 uses: github/codeql-action/upload-sarif@v1
if: always() if: always()