Merge pull request #1790 from OpenC3/trivy

Improve trivy checks
OpenC3 · Dec 20, 2024 · 91f43eb · 91f43eb
2 parents 2685dc8 + 41150e0
commit 91f43eb
Show file tree

Hide file tree

Showing 3 changed files with 31 additions and 61 deletions.
diff --git a/.github/workflows/trivy.yml b/.github/workflows/trivy.yml
@@ -32,16 +32,12 @@ jobs:
           OPENC3_TAG: ${{ github.sha }}
       - name: Run Trivy on image ruby
         if: ${{ !cancelled() && steps.build.outcome == 'success' }}
+        # See https://github.com/aquasecurity/trivy-action
         uses: aquasecurity/trivy-action@master
         with:
           image-ref: "docker.io/openc3inc/openc3-ruby:${{ github.sha }}"
-          format: "sarif"
-          exit-code: 1
           output: "trivy-ruby.sarif"
-          ignore-unfixed: true
-          vuln-type: "os,library"
-          scanners: "vuln"
-          severity: "CRITICAL,HIGH"
+          trivy-config: trivy.yaml
       - name: Upload Trivy scan results
         if: ${{ !cancelled() && steps.build.outcome == 'success' }}
         uses: github/codeql-action/upload-sarif@v3
@@ -53,13 +49,8 @@ jobs:
         uses: aquasecurity/trivy-action@master
         with:
           image-ref: "docker.io/openc3inc/openc3-node:${{ github.sha }}"
-          format: "sarif"
-          exit-code: 1
           output: "trivy-node.sarif"
-          ignore-unfixed: true
-          vuln-type: "os,library"
-          scanners: "vuln"
-          severity: "CRITICAL,HIGH"
+          trivy-config: trivy.yaml
           # On a subsequent call to the action we know trivy is already installed so can skip this
           skip-setup-trivy: true
       - name: Upload Trivy scan results
@@ -73,13 +64,8 @@ jobs:
         uses: aquasecurity/trivy-action@master
         with:
           image-ref: "docker.io/openc3inc/openc3-base:${{ github.sha }}"
-          format: "sarif"
-          exit-code: 1
           output: "trivy-base.sarif"
-          ignore-unfixed: true
-          vuln-type: "os,library"
-          scanners: "vuln"
-          severity: "CRITICAL,HIGH"
+          trivy-config: trivy.yaml
           skip-setup-trivy: true
       - name: Upload Trivy scan results
         if: ${{ !cancelled() && steps.build.outcome == 'success' }}
@@ -92,13 +78,8 @@ jobs:
         uses: aquasecurity/trivy-action@master
         with:
           image-ref: "docker.io/openc3inc/openc3-cosmos-init:${{ github.sha }}"
-          format: "sarif"
-          exit-code: 1
           output: "trivy-init.sarif"
-          ignore-unfixed: true
-          vuln-type: "os,library"
-          scanners: "vuln"
-          severity: "CRITICAL,HIGH"
+          trivy-config: trivy.yaml
           skip-setup-trivy: true
       - name: Upload Trivy scan results
         if: ${{ !cancelled() && steps.build.outcome == 'success' }}
@@ -111,13 +92,8 @@ jobs:
         uses: aquasecurity/trivy-action@master
         with:
           image-ref: "docker.io/openc3inc/openc3-redis:${{ github.sha }}"
-          format: "sarif"
-          exit-code: 1
           output: "trivy-redis.sarif"
-          ignore-unfixed: true
-          vuln-type: "os,library"
-          scanners: "vuln"
-          severity: "CRITICAL,HIGH"
+          trivy-config: trivy.yaml
           skip-setup-trivy: true
       - name: Upload Trivy scan results
         if: ${{ !cancelled() && steps.build.outcome == 'success' }}
@@ -130,13 +106,8 @@ jobs:
         uses: aquasecurity/trivy-action@master
         with:
           image-ref: "docker.io/openc3inc/openc3-minio:${{ github.sha }}"
-          format: "sarif"
-          exit-code: 1
           output: "trivy-minio.sarif"
-          ignore-unfixed: true
-          vuln-type: "os,library"
-          scanners: "vuln"
-          severity: "CRITICAL,HIGH"
+          trivy-config: trivy.yaml
           skip-setup-trivy: true
       - name: Upload Trivy scan results
         if: ${{ !cancelled() && steps.build.outcome == 'success' }}
@@ -149,13 +120,8 @@ jobs:
         uses: aquasecurity/trivy-action@master
         with:
           image-ref: "docker.io/openc3inc/openc3-operator:${{ github.sha }}"
-          format: "sarif"
-          exit-code: 1
           output: "trivy-operator.sarif"
-          ignore-unfixed: true
-          vuln-type: "os,library"
-          scanners: "vuln"
-          severity: "CRITICAL,HIGH"
+          trivy-config: trivy.yaml
           skip-setup-trivy: true
       - name: Upload Trivy scan results
         if: ${{ !cancelled() && steps.build.outcome == 'success' }}
@@ -168,13 +134,8 @@ jobs:
         uses: aquasecurity/trivy-action@master
         with:
           image-ref: "docker.io/openc3inc/openc3-cosmos-cmd-tlm-api:${{ github.sha }}"
-          format: "sarif"
-          exit-code: 1
           output: "trivy-cmd-tlm-api.sarif"
-          ignore-unfixed: true
-          vuln-type: "os,library"
-          scanners: "vuln"
-          severity: "CRITICAL,HIGH"
+          trivy-config: trivy.yaml
           skip-setup-trivy: true
       - name: Upload Trivy scan results
         if: ${{ !cancelled() && steps.build.outcome == 'success' }}
@@ -187,13 +148,8 @@ jobs:
         uses: aquasecurity/trivy-action@master
         with:
           image-ref: "docker.io/openc3inc/openc3-cosmos-script-runner-api:${{ github.sha }}"
-          format: "sarif"
-          exit-code: 1
           output: "trivy-script-runner-api.sarif"
-          ignore-unfixed: true
-          vuln-type: "os,library"
-          scanners: "vuln"
-          severity: "CRITICAL,HIGH"
+          trivy-config: trivy.yaml
           skip-setup-trivy: true
       - name: Upload Trivy scan results
         if: ${{ !cancelled() && steps.build.outcome == 'success' }}
@@ -206,13 +162,8 @@ jobs:
         uses: aquasecurity/trivy-action@master
         with:
           image-ref: "docker.io/openc3inc/openc3-traefik:${{ github.sha }}"
-          format: "sarif"
-          exit-code: 1
           output: "trivy-traefik.sarif"
-          ignore-unfixed: true
-          vuln-type: "os,library"
-          scanners: "vuln"
-          severity: "CRITICAL,HIGH"
+          trivy-config: trivy.yaml
           skip-setup-trivy: true
       - name: Upload Trivy scan results
         if: ${{ !cancelled() && steps.build.outcome == 'success' }}

diff --git a/openc3-ruby/Dockerfile b/openc3-ruby/Dockerfile
@@ -79,7 +79,8 @@ RUN apk update \
   && python3 -m venv /openc3/venv \
   && source /openc3/venv/bin/activate \
   && pip3 config --global set global.index $PYPI_URL/pypi \
-  && pip3 config --global set global.index-url $PYPI_URL/simple
+  && pip3 config --global set global.index-url $PYPI_URL/simple \
+  && pip3 install --upgrade pip setuptools
 
 # Set user and group
 ENV IMAGE_USER=openc3

diff --git a/trivy.yaml b/trivy.yaml
@@ -0,0 +1,18 @@
+# See https://trivy.dev/latest/docs/references/configuration/config-file/
+format: "sarif"
+exit-code: 1
+vulnerability:
+  ignore-unfixed: true
+  # See https://trivy.dev/latest/docs/supply-chain/vex/repo/
+  vex:
+    - repo
+pkg:
+  types:
+    - os
+    - library
+scan:
+  scanners:
+    - vuln
+severity:
+  - CRITICAL
+  - HIGH