From a3de9206279b2b9e5a996ad3d0cfc755258e1edb Mon Sep 17 00:00:00 2001
From: Andrew Pearce
Date: Tue, 4 Mar 2025 16:30:44 +0000
Subject: [PATCH 1/2] create dispatch job to report on image vulnerabilities

---
.../dispatch_trivy_scan_production.yml | 47 +++++++++++
.github/workflows/docker_scan_and_report.yml | 77 +++++++++++++++++++
2 files changed, 124 insertions(+)
create mode 100644 .github/workflows/dispatch_trivy_scan_production.yml
create mode 100644 .github/workflows/docker_scan_and_report.yml

diff --git a/.github/workflows/dispatch_trivy_scan_production.yml b/.github/workflows/dispatch_trivy_scan_production.yml
new file mode 100644
index 000000000..d1770f4fe
--- /dev/null
+++ b/.github/workflows/dispatch_trivy_scan_production.yml
@@ -0,0 +1,47 @@
+name: "[Job] Scan production containers for vulnerabilities"
+
+on:
+ workflow_dispatch:
+
+defaults:
+ run:
+ shell: bash
+
+permissions:
+ id-token: write
+
+jobs:
+ pull_tags:
+ runs-on: ubuntu-latest
+ needs: [
+ create_tags,
+ generate_environment_workspace_name
+ ]
+ steps:
+ - name: Configure AWS Credentials
+ uses: aws-actions/configure-aws-credentials@v4.1.0
+ with:
+ aws-region: us-east-1
+ role-to-assume: arn:aws:iam::311462405659:role/modernising-lpa-github-actions-ssm-get-parameter
+ role-duration-seconds: 900
+ role-session-name: GithubActionsSSMGetParameter
+ - name: Pull production tag
+ id: pull_tag
+ run: |
+ key="/modernising-lpa/container-version/production"
+ value=$(aws ssm get-parameter --name "$key" --query 'Parameter.Value' --output text)
+ echo "Using $key: $value"
+ echo "tag=${value}" >> $GITHUB_OUTPUT
+ echo "env=${key}" >> $GITHUB_OUTPUT
+ outputs:
+ docker_tag: ${{ steps.pull_tag.outputs.tag }}
+ tag_from: ${{ steps.pull_tag.outputs.env }}
+ scan_and_report:
+ needs: [
+ pull_tags
+ ]
+ steps:
+ - name: Docker Scan and Report
+ uses: ./.github/workflows/docker_scan_and_report.yml
+ with:
+ tag: ${{ needs.pull_tags.outputs.docker_tag}}
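Review bot: `needs: [create_tags, generate_environment_workspace_name]` on `pull_tags` names jobs that do not exist in this workflow, so GitHub will reject the file before anything runs; the job has no real dependency and the `needs` block can be dropped. The `scan_and_report` job then invokes the reusable workflow from a step (`steps: - uses: ./.github/workflows/docker_scan_and_report.yml`), but a local reusable workflow can only be called at job level via `jobs.<id>.uses` with `with:` beside it, and a job that has `steps` but no `runs-on` is itself invalid. The SSM parameter is read with `aws-region: us-east-1` while the called workflow assumes its ECR role in `eu-west-1`; if that difference is not intentional, it is worth confirming which region the parameter lives in. Also quote the redirect targets in the `run:` script, `>> "$GITHUB_OUTPUT"`, to match the rest of the repository's shell.
```yaml
jobs:
  pull_tags:
    runs-on: ubuntu-latest
    # … unchanged: Configure AWS Credentials / Pull production tag steps and outputs …
  scan_and_report:
    needs: [pull_tags]
    uses: ./.github/workflows/docker_scan_and_report.yml
    with:
      tag: ${{ needs.pull_tags.outputs.docker_tag }}
```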
diff --git a/.github/workflows/docker_scan_and_report.yml b/.github/workflows/docker_scan_and_report.yml
new file mode 100644
index 000000000..4e5130f1f
--- /dev/null
+++ b/.github/workflows/docker_scan_and_report.yml
@@ -0,0 +1,77 @@
+name: "[Job] Scan and Report Docker Images"
+
+on:
+ workflow_call:
+ inputs:
+ tag:
+ description: 'Tag for docker image'
+ required: true
+ type: string
+
+defaults:
+ run:
+ shell: bash
+
+permissions:
+ id-token: write
+
+jobs:
+ docker_build_scan_push:
+ strategy:
+ fail-fast: false
+ matrix:
+ include:
+ - ecr_repository: modernising-lpa/app
+ name: app
+ path: ./docker/mlpa/Dockerfile
+ trivyignores: ./docker/mlpa/.trivyignore.yaml
+ platforms: linux/amd64
+ - ecr_repository: modernising-lpa/create-s3-batch-replication-job
+ name: create-s3-batch-replication-job
+ path: ./docker/create-s3-replication-job/Dockerfile
+ trivyignores: ./docker/create-s3-replication-job/.trivyignore.yaml
+ platforms: linux/amd64
+ - ecr_repository: modernising-lpa/event-received
+ name: event-received
+ path: ./docker/event-received/Dockerfile
+ trivyignores: ./docker/event-received/.trivyignore.yaml
+ platforms: linux/amd64
+ - ecr_repository: modernising-lpa/schedule-runner
+ name: schedule-runner
+ path: ./docker/schedule-runner/Dockerfile
+ trivyignores: ./docker/schedule-runner/.trivyignore.yaml
+ platforms: linux/amd64
+
+ runs-on: ubuntu-latest
+ name: ${{ matrix.ecr_repository }}
+ steps:
+ - name: Run Against Image/Configure AWS Credentials
+ if: inputs.run_against_image
+ uses: aws-actions/configure-aws-credentials@v4.1.0
+ with:
+ aws-region: eu-west-1
+ role-to-assume: arn:aws:iam::311462405659:role/modernising-lpa-github-actions-ecr-pull
+ role-duration-seconds: 900
+ role-session-name: GithubActionsECRPullMLPAB
+ - name: ECR Login
+ id: login_ecr
+ uses: aws-actions/amazon-ecr-login@v2.0.1
+ with:
+ mask-password: true
+ registries: 311462405659
+
+ - name: Trivy Image Vulnerability Scanner for ${{ matrix.ecr_repository }}
+ id: trivy_scan
+ uses: aquasecurity/trivy-action@0.29.0
+ env:
+ TRIVY_DB_REPOSITORY: ${{ steps.login_ecr.outputs.registry }}/trivy-db-public-ecr/aquasecurity/trivy-db:2
+ TRIVY_JAVA_DB_REPOSITORY: ${{
steps.login_ecr.outputs.registry }}/trivy-db-public-ecr/aquasecurity/trivy-java-db:1
+ TRIVY_IGNOREFILE: ${{ matrix.trivyignores }}
+ with:
+ scan-type: 'image'
+ scanners: 'vuln'
+ image-ref: ${{ matrix.ecr_repository }}:${{ inputs.tag }}
+ severity: 'HIGH,CRITICAL'
+ format: 'sarif'
+ output: 'trivy-results.sarif'
+ exit-code: 0

From 9f7f976e1a6306dc574cf0b203def14adfc440af Mon Sep 17 00:00:00 2001
From: Andrew Pearce
Date: Tue, 4 Mar 2025 17:55:55 +0000
Subject: [PATCH 2/2] publish to summary

---
.github/workflows/docker_scan_and_report.yml | 17 +++++++++++++++--
1 file changed, 15 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/docker_scan_and_report.yml b/.github/workflows/docker_scan_and_report.yml
index 4e5130f1f..0c11aa767 100644
--- a/.github/workflows/docker_scan_and_report.yml
+++ b/.github/workflows/docker_scan_and_report.yml
@@ -72,6 +72,19 @@ jobs:
 scanners: 'vuln'
 image-ref: ${{ matrix.ecr_repository }}:${{ inputs.tag }}
 severity: 'HIGH,CRITICAL'
- format: 'sarif'
- output: 'trivy-results.sarif'
+ format: 'table'
+ output: 'trivy-results.txt'
 exit-code: 0
+ - name: Publish Trivy Output to Summary
+ run: |
+ if [[ -s trivy-results.txt ]]; then
+ {
+ echo "### Security Output"
+ echo "
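Review bot: `if: inputs.run_against_image` on the "Run Against Image/Configure AWS Credentials" step tests an input this workflow never declares — `workflow_call.inputs` defines only `tag` — so the expression is always empty, the credentials step is skipped, and the `ECR Login` step that follows runs with no AWS identity. Since every matrix entry pulls from the same private registry, the simplest fix is to delete the `if:` line; otherwise declare `run_against_image` under `inputs` with `type: boolean` and a default. Separately, `TRIVY_IGNOREFILE: ${{ matrix.trivyignores }}` points at files under `./docker/...` in the repository, but the job has no `actions/checkout` step, so those paths do not exist on the runner and the per-image ignore lists cannot take effect (whether trivy errors or only warns on a missing ignore file I cannot tell from here); adding a checkout step also requires `contents: read` in `permissions`, which currently grants only `id-token: write`. The job id `docker_build_scan_push` is misleading for a job that only scans; `docker_scan` would read better.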
Click to expand"
+ echo ""
+ echo '```text'
+ cat trivy-results.txt
+ echo '```'
+ echo "
"
+ } >> $GITHUB_STEP_SUMMARY
+ fi
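Review bot: The `if [[ -s trivy-results.txt ]]` guard writes nothing to the summary when the scan produced no output, so an image that could not be pulled or scanned is indistinguishable in the job summary from one with no findings; add an `else` branch that records it, e.g. `else echo "### Security Output" >> "$GITHUB_STEP_SUMMARY"; echo "No Trivy output was produced for this image." >> "$GITHUB_STEP_SUMMARY"`, and quote the redirect target as `>> "$GITHUB_STEP_SUMMARY"` in the existing branch as well. With the `sarif` output replaced by `table` and `exit-code: 0` kept, HIGH/CRITICAL findings now neither fail the job nor reach code scanning, and the summary is the only place they surface; if that is the intent of this report-only job, say so on the `exit-code` line, e.g. `# report-only: findings never fail the job, see the summary step below`. The two `echo "` lines around `Click to expand` appear truncated on this page (presumably HTML details/summary tags), so I could not check that markup.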