Post Release OpenC3 Trivy Scan #33
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# This workflow uses actions that are not certified by GitHub. | |
# They are provided by a third-party and are governed by | |
# separate terms of service, privacy policy, and support | |
# documentation. | |
name: Post Release OpenC3 Trivy Scan | |
# Only run on a push to master to avoid running for all the dependabot PRs | |
on: | |
workflow_dispatch: | |
inputs: | |
version: | |
description: "Release version" | |
required: true | |
type: string | |
# Workaround for https://github.com/aquasecurity/trivy-action/issues/389 | |
env: | |
TRIVY_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-db:2 | |
TRIVY_JAVA_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-java-db:1 | |
jobs: | |
openc3-scan: | |
runs-on: ubuntu-latest | |
steps: | |
- name: Create trivy output folder | |
run: mkdir trivy_results | |
- name: Create sbom folder | |
run: mkdir sbom | |
- name: Get current date | |
id: date | |
run: echo "::set-output name=date::$(date -u '+%m_%d_%y_%H_%M_%S')" | |
- name: Run Trivy on image ruby | |
uses: aquasecurity/trivy-action@master | |
with: | |
image-ref: "docker.io/openc3inc/openc3-ruby:${{ github.event.inputs.version }}" | |
format: "json" | |
output: "trivy_results/openc3-ruby.json" | |
ignore-unfixed: true | |
vuln-type: "os,library" | |
scanners: "vuln" | |
- name: Run Trivy on image ruby in SBOM mode | |
uses: aquasecurity/trivy-action@master | |
with: | |
image-ref: "docker.io/openc3inc/openc3-ruby:${{ github.event.inputs.version }}" | |
format: "cyclonedx" | |
output: "sbom/openc3-ruby.sbom.json" | |
- name: Run Trivy on image node | |
uses: aquasecurity/trivy-action@master | |
with: | |
image-ref: "docker.io/openc3inc/openc3-node:${{ github.event.inputs.version }}" | |
format: "json" | |
output: "trivy_results/openc3-node.json" | |
ignore-unfixed: true | |
vuln-type: "os,library" | |
scanners: "vuln" | |
- name: Run Trivy on image node in SBOM mode | |
uses: aquasecurity/trivy-action@master | |
with: | |
image-ref: "docker.io/openc3inc/openc3-node:${{ github.event.inputs.version }}" | |
format: "cyclonedx" | |
output: "sbom/openc3-node.sbom.json" | |
- name: Run Trivy on image base | |
uses: aquasecurity/trivy-action@master | |
with: | |
image-ref: "docker.io/openc3inc/openc3-base:${{ github.event.inputs.version }}" | |
format: "json" | |
output: "trivy_results/openc3-base.json" | |
ignore-unfixed: true | |
vuln-type: "os,library" | |
scanners: "vuln" | |
- name: Run Trivy on image base in SBOM mode | |
uses: aquasecurity/trivy-action@master | |
with: | |
image-ref: "docker.io/openc3inc/openc3-base:${{ github.event.inputs.version }}" | |
format: "cyclonedx" | |
output: "sbom/openc3-base.sbom.json" | |
- name: Run Trivy on image cosmos-init | |
uses: aquasecurity/trivy-action@master | |
with: | |
image-ref: "docker.io/openc3inc/openc3-cosmos-init:${{ github.event.inputs.version }}" | |
format: "json" | |
output: "trivy_results/openc3-cosmos-init.json" | |
ignore-unfixed: true | |
vuln-type: "os,library" | |
scanners: "vuln" | |
- name: Run Trivy on image cosmos-init in SBOM mode | |
uses: aquasecurity/trivy-action@master | |
with: | |
image-ref: "docker.io/openc3inc/openc3-cosmos-init:${{ github.event.inputs.version }}" | |
format: "cyclonedx" | |
output: "sbom/openc3-cosmos-init.sbom.json" | |
- name: Run Trivy on image redis | |
uses: aquasecurity/trivy-action@master | |
with: | |
image-ref: "docker.io/openc3inc/openc3-redis:${{ github.event.inputs.version }}" | |
format: "json" | |
output: "trivy_results/openc3-redis.json" | |
ignore-unfixed: true | |
vuln-type: "os,library" | |
scanners: "vuln" | |
- name: Run Trivy on image redis in SBOM mode | |
uses: aquasecurity/trivy-action@master | |
with: | |
image-ref: "docker.io/openc3inc/openc3-redis:${{ github.event.inputs.version }}" | |
format: "cyclonedx" | |
output: "sbom/openc3-redis.sbom.json" | |
- name: Run Trivy on image minio | |
uses: aquasecurity/trivy-action@master | |
with: | |
image-ref: "docker.io/openc3inc/openc3-minio:${{ github.event.inputs.version }}" | |
format: "json" | |
output: "trivy_results/openc3-minio.json" | |
ignore-unfixed: true | |
vuln-type: "os,library" | |
scanners: "vuln" | |
- name: Run Trivy on image minio in SBOM mode | |
uses: aquasecurity/trivy-action@master | |
with: | |
image-ref: "docker.io/openc3inc/openc3-minio:${{ github.event.inputs.version }}" | |
format: "cyclonedx" | |
output: "sbom/openc3-minio.sbom.json" | |
- name: Run Trivy on image operator | |
uses: aquasecurity/trivy-action@master | |
with: | |
image-ref: "docker.io/openc3inc/openc3-operator:${{ github.event.inputs.version }}" | |
format: "json" | |
output: "trivy_results/openc3-operator.json" | |
ignore-unfixed: true | |
vuln-type: "os,library" | |
scanners: "vuln" | |
- name: Run Trivy on image operator in SBOM mode | |
uses: aquasecurity/trivy-action@master | |
with: | |
image-ref: "docker.io/openc3inc/openc3-operator:${{ github.event.inputs.version }}" | |
format: "cyclonedx" | |
output: "sbom/openc3-operator.sbom.json" | |
- name: Run Trivy on image cmd-tlm-api | |
uses: aquasecurity/trivy-action@master | |
with: | |
image-ref: "docker.io/openc3inc/openc3-cosmos-cmd-tlm-api:${{ github.event.inputs.version }}" | |
format: "json" | |
output: "trivy_results/openc3-cosmos-cmd-tlm-api.json" | |
ignore-unfixed: true | |
vuln-type: "os,library" | |
scanners: "vuln" | |
- name: Run Trivy on image cosmos-cmd-tlm-api in SBOM mode | |
uses: aquasecurity/trivy-action@master | |
with: | |
image-ref: "docker.io/openc3inc/openc3-cosmos-cmd-tlm-api:${{ github.event.inputs.version }}" | |
format: "cyclonedx" | |
output: "sbom/openc3-cosmos-cmd-tlm-api.sbom.json" | |
- name: Run Trivy on image script-runner-api | |
uses: aquasecurity/trivy-action@master | |
with: | |
image-ref: "docker.io/openc3inc/openc3-cosmos-script-runner-api:${{ github.event.inputs.version }}" | |
format: "json" | |
output: "trivy_results/openc3-cosmos-script-runner-api.json" | |
ignore-unfixed: true | |
vuln-type: "os,library" | |
scanners: "vuln" | |
- name: Run Trivy on image cosmos-script-runner-api in SBOM mode | |
uses: aquasecurity/trivy-action@master | |
with: | |
image-ref: "docker.io/openc3inc/openc3-cosmos-script-runner-api:${{ github.event.inputs.version }}" | |
format: "cyclonedx" | |
output: "sbom/openc3-cosmos-script-runner-api.sbom.json" | |
- name: Run Trivy on image traefik | |
uses: aquasecurity/trivy-action@master | |
with: | |
image-ref: "docker.io/openc3inc/openc3-traefik:${{ github.event.inputs.version }}" | |
format: "json" | |
output: "trivy_results/openc3-traefik.json" | |
ignore-unfixed: true | |
vuln-type: "os,library" | |
scanners: "vuln" | |
- name: Run Trivy on image traefik in SBOM mode | |
uses: aquasecurity/trivy-action@master | |
with: | |
image-ref: "docker.io/openc3inc/openc3-traefik:${{ github.event.inputs.version }}" | |
format: "cyclonedx" | |
output: "sbom/openc3-traefik.sbom.json" | |
- name: Create zip of trivy results | |
run: zip -r trivy_results.zip trivy_results | |
- name: Create zip of SBOM results | |
run: zip -r sbom.zip sbom | |
- name: Upload release attachments | |
uses: actions/github-script@v7 | |
with: | |
script: | | |
const fs = require('fs'); | |
const tag = "v${{ github.event.inputs.version }}" | |
// const tag = context.ref.replace("refs/tags/", ""); | |
console.log("tag = ", tag); | |
// Get release for this tag | |
const release = await github.rest.repos.getReleaseByTag({ | |
owner: context.repo.owner, | |
repo: context.repo.repo, | |
tag | |
}); | |
// Upload the release asset | |
await github.rest.repos.uploadReleaseAsset({ | |
owner: context.repo.owner, | |
repo: context.repo.repo, | |
release_id: release.data.id, | |
name: "${{ steps.date.outputs.date }}_trivy_results_v${{ github.event.inputs.version }}.zip", | |
data: await fs.readFileSync("trivy_results.zip") | |
}); | |
// Upload the release asset | |
await github.rest.repos.uploadReleaseAsset({ | |
owner: context.repo.owner, | |
repo: context.repo.repo, | |
release_id: release.data.id, | |
name: "${{ steps.date.outputs.date }}_sbom_v${{ github.event.inputs.version }}.zip", | |
data: await fs.readFileSync("sbom.zip") | |
}); |