[CI] Add Trivy workflow #16840
There are no files selected for viewing
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,37 @@ | ||
| # This workflow performs a trivy check of docker config files. | ||
|
|
||
| name: Trivy | ||
|
|
||
| on: | ||
| pull_request: | ||
| paths: | ||
| - 'devops/containers/**' | ||
| - 'devops/.trivyignore.yaml' | ||
| - '.github/workflows/trivy.yml' | ||
| workflow_dispatch: | ||
|
|
||
| jobs: | ||
| build: | ||
| name: Trivy | ||
| runs-on: ubuntu-latest | ||
| steps: | ||
| - name: Checkout code | ||
| uses: actions/checkout@v4 | ||
| with: | ||
| sparse-checkout: devops | ||
|
|
||
| # There is a github action, but for some reason it ignores ignore-file. | ||
| - name: Install Trivy | ||
| run: | | ||
| curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh | ||
| ./bin/trivy --version | ||
|
|
||
| - name: Run Trivy vulnerability scanner | ||
| run: ./bin/trivy config --format json --output trivy-report.json --ignorefile=devops/.trivyignore.yaml devops/containers --exit-code 1 | ||
|
|
||
| - name: Upload report artifact | ||
| uses: actions/upload-artifact@v4 | ||
| with: | ||
| name: trivy-report | ||
| path: trivy-report.json | ||
| retention-days: 3 | ||
|
There was a problem hiding this comment. Since this check takes like ~10s, I think 3 days is even too much :) you can just re-run it if needed. Anyway, what it should be in your opinion? There was a problem hiding this comment. i guess it depends on how do we expect the results to be used? is it just checking it when the workflow fails and not really after that? if so this is fine There was a problem hiding this comment.
The main use case is to upload them as an evidence of the scan. @KornevNikita, is it correct to assume that any new issue will fail this workflow? If so, then 3 days is more than enough to grab results which are expected to be always good. There was a problem hiding this comment. It's good that Nick asked, turned out we need to set "exit-code" arg to get a non-zero result in case of fail - updated 0fdba39 There was a problem hiding this comment. I bet he found it out a day or two ago when hunting zombies :D |
||
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,5 @@ | ||
| misconfigurations: | ||
| - id: AVD-DS-0001 | ||
KornevNikita marked this conversation as resolved.
Show resolved
Hide resolved
|
||
| statement: "We use our own containers, no uncontrolled behavior is expected when the image is updated" | ||
| - id: AVD-DS-0026 | ||
| statement: "Our containers do not provide running services, but only preinstalled tools, there is not much value in adding HEALTHCHECK directives" | ||
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@aelovikov-intel might have an opinon here :P
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think we should add the files from this PR too.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@aelovikov-intel could you please clarify what do you mean? Just trigger on every PR?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Changes to this workflow and this trivy configuration should trigger CI.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks, got it 28a701e