Scan docker images #73
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Scan docker images | |
| on: | |
| schedule: | |
| - cron: '0 0 * * *' # Every day at midnight | |
| workflow_dispatch: | |
| inputs: | |
| image: | |
| type: choice | |
| description: Image/s to scan | |
| # This is a bit annoying, there's no real way to display the integrations dynamically in a dropdown for the action dispatcher | |
| options: | |
| - all | |
| - argocd | |
| - aws | |
| - azure | |
| - azure-devops | |
| - backstage | |
| - datadog | |
| - dynatrace | |
| - fake-integration | |
| - firehydrant | |
| - gcp | |
| - gitlab | |
| - jenkins | |
| - jira | |
| - kafka | |
| - kubecost | |
| - launchdarkly | |
| - linear | |
| - newrelic | |
| - octopus | |
| - opencost | |
| - opsgenie | |
| - pagerduty | |
| - sentry | |
| - servicenow | |
| - snyk | |
| - sonarqube | |
| - statuspage | |
| - terraform-cloud | |
| - wiz | |
| jobs: | |
| detect-images: | |
| runs-on: ubuntu-latest | |
| outputs: | |
| images: ${{ steps.set-images.outputs.images }} | |
| steps: | |
| - name: Checkout Repo | |
| uses: actions/checkout@v4 | |
| - name: Determine which image to scan | |
| id: set-images | |
| run: | | |
| PROJECTS=$(ls --color=never ./integrations | grep -Ev '_infra') | |
| if [[ "${{ inputs.image }}" != "all" && "${{ github.event_name }}" == "workflow_dispatch" ]]; then | |
| PROJECTS="${{ inputs.image }}" | |
| fi | |
| IMAGES_WITH_VERSIONS=() | |
| for PROJECT in ${PROJECTS}; do | |
| if [[ ! -f ./integrations/"${PROJECT}"/pyproject.toml ]]; then | |
| continue | |
| fi | |
| VERSION=$(cat ./integrations/"${PROJECT}"/pyproject.toml | grep -E '^version = "(.*)"$' | awk -F ' ' '{print $3};' | sed 's/"//g') | |
| if [[ -n ${VERSION} ]]; then | |
| IMAGES_WITH_VERSIONS+=( "${PROJECT}:${VERSION}" ) | |
| fi | |
| done | |
| IMAGES=$(echo "${IMAGES_WITH_VERSIONS[@]}" | jq -R -s -c 'split(" ") | map(select(length > 0))') | |
| echo "Images to scan: ${IMAGES}" | |
| echo "images=${IMAGES}" >> $GITHUB_OUTPUT | |
| scan-images: | |
| needs: detect-images | |
| runs-on: ubuntu-latest | |
| strategy: | |
| max-parallel: 2 | |
| matrix: | |
| image: ${{ fromJson(needs.detect-images.outputs.images) }} | |
| steps: | |
| - name: Checkout Repo | |
| uses: actions/checkout@v4 | |
| - name: Extract version and image tag | |
| id: enrich-version | |
| run: | | |
| INTEGRATION=$(echo "${{ matrix.image }}" | awk -F ':' '{print $1};') | |
| VERSION=$(echo "${{ matrix.image }}" | awk -F ':' '{print $2};') | |
| IDENTIFIER="${INTEGRATION}-${VERSION}-${{ github.sha }}" | |
| IMAGE_FULL_TAG="port-ocean-security-tests-${INTEGRATION}:${VERSON}${{ github.sha }}" | |
| echo "integration=${INTEGRATION}" >> ${GITHUB_OUTPUT} | |
| echo "version=${VERSION}" >> ${GITHUB_OUTPUT} | |
| echo "identifier=${IDENTIFIER}" >> ${GITHUB_OUTPUT} | |
| echo "image_tag=${IMAGE_FULL_TAG}" >> ${GITHUB_OUTPUT} | |
| - name: Build Docker Image | |
| uses: ./.github/workflows/actions/build-docker-image | |
| with: | |
| dockerfile: ./integrations/_infra/Dockerfile | |
| platforms: linux/amd64 | |
| skip-push: 'true' | |
| tags: ${{ steps.enrich-version.outputs.image_tag }} | |
| load-created-image: 'true' | |
| docker-user: ${{ secrets.DOCKER_MACHINE_USER }} | |
| docker-password: ${{ secrets.DOCKER_MACHINE_TOKEN }} | |
| build-args: | | |
| BUILD_CONTEXT=./integrations/${{ steps.enrich-version.outputs.integration }} | |
| INTEGRATION_VERSION=${{ steps.enrich-version.outputs.version }} | |
| - name: Run Trivy vulnerability scanner | |
| uses: aquasecurity/trivy-action@0.29.0 | |
| with: | |
| image-ref: ${{ steps.enrich-version.outputs.image_tag }} | |
| ignore-unfixed: true | |
| vuln-type: 'os,library' | |
| severity: 'CRITICAL,HIGH' | |
| output: trivy-${{ steps.enrich-version.outputs.integration }}.txt | |
| - name: Publish Trivy Output to Summary | |
| run: | | |
| if [[ -s trivy-${{ steps.enrich-version.outputs.integration }}.txt ]]; then | |
| { | |
| echo "### Security Output" | |
| echo "<details><summary>Click to expand</summary>" | |
| echo "" | |
| echo '```terraform' | |
| cat trivy-${{ steps.enrich-version.outputs.integration }}.txt | |
| echo '```' | |
| echo "</details>" | |
| } >> $GITHUB_STEP_SUMMARY | |
| fi | |
| - name: Set output for trivy results | |
| run: | | |
| echo "VULNERABILITIES_COUNT=$(cat trivy-${{ steps.enrich-version.outputs.integration }}.txt | grep -i "total:" | awk '{print $2}')" >> $GITHUB_ENV | |
| echo ${{ env.VULNERABILITIES_COUNT }} | |
| - name: Send slack alert if vulnerabilities found | |
| if: ${{ env.VULNERABILITIES_COUNT != '0' }} | |
| uses: slackapi/slack-github-action@v2.0.0 | |
| with: | |
| webhook-type: incoming-webhook | |
| payload: | | |
| { | |
| "text": "Vulnerabilities found in `${{ steps.enrich-version.outputs.integration }}` image", | |
| "attachments": [ | |
| { | |
| "text": "${{ steps.enrich-version.outputs.integration }} image has vulnerabilities", | |
| "fields": [ | |
| { | |
| "title": "Image", | |
| "value": "${{ steps.enrich-version.outputs.image_tag }}", | |
| "short": true | |
| }, | |
| { | |
| "title": "Vulnerabilities", | |
| "value": "Count: ${{ env.VULNERABILITIES_COUNT }}", | |
| "short": true | |
| }, | |
| { | |
| "title": "link", | |
| "value": "https://github.com/port-labs/ocean/actions/runs/${{ github.run_id }}", | |
| "short": true | |
| } | |
| ], | |
| "color": "#FF0000" | |
| } | |
| ] | |
| } | |
| env: | |
| SLACK_WEBHOOK_URL: ${{ secrets.SLACK_RND_ECOSYSTEM_DEPENDABOT_ALERTS_WEBHOOK_URL }} |