diff --git a/.github/workflows/trivy.yml b/.github/workflows/trivy.yml
index 87b87f350..bc24d5b10 100644
--- a/.github/workflows/trivy.yml
+++ b/.github/workflows/trivy.yml
@@ -32,16 +32,12 @@ jobs:
 OPENC3_TAG: ${{ github.sha }}
 - name: Run Trivy on image ruby
 if: ${{ !cancelled() && steps.build.outcome == 'success' }}
+ # See https://github.com/aquasecurity/trivy-action
 uses: aquasecurity/trivy-action@master
 with:
 image-ref: "docker.io/openc3inc/openc3-ruby:${{ github.sha }}"
- format: "sarif"
- exit-code: 1
 output: "trivy-ruby.sarif"
- ignore-unfixed: true
- vuln-type: "os,library"
- scanners: "vuln"
- severity: "CRITICAL,HIGH"
+ trivy-config: trivy.yaml
 - name: Upload Trivy scan results
 if: ${{ !cancelled() && steps.build.outcome == 'success' }}
 uses: github/codeql-action/upload-sarif@v3
@@ -53,13 +49,8 @@ jobs:
 uses: aquasecurity/trivy-action@master
 with:
 image-ref: "docker.io/openc3inc/openc3-node:${{ github.sha }}"
- format: "sarif"
- exit-code: 1
 output: "trivy-node.sarif"
- ignore-unfixed: true
- vuln-type: "os,library"
- scanners: "vuln"
- severity: "CRITICAL,HIGH"
+ trivy-config: trivy.yaml
 # On a subsequent call to the action we know trivy is already installed so can skip this
 skip-setup-trivy: true
 - name: Upload Trivy scan results
@@ -73,13 +64,8 @@ jobs:
 uses: aquasecurity/trivy-action@master
 with:
 image-ref: "docker.io/openc3inc/openc3-base:${{ github.sha }}"
- format: "sarif"
- exit-code: 1
 output: "trivy-base.sarif"
- ignore-unfixed: true
- vuln-type: "os,library"
- scanners: "vuln"
- severity: "CRITICAL,HIGH"
+ trivy-config: trivy.yaml
 skip-setup-trivy: true
 - name: Upload Trivy scan results
 if: ${{ !cancelled() && steps.build.outcome == 'success' }}
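Review bot: `uses: aquasecurity/trivy-action@master` is a floating branch reference, so each run executes whatever the action's default branch contains at that moment; now that this step also reads `trivy-config: trivy.yaml` from the checkout and gates the build through the config's exit code, a silent change upstream can alter or disable the gate. Pin the reference to a release tag or, preferably, a full-length commit SHA, e.g. `uses: aquasecurity/trivy-action@<release-tag-or-full-commit-sha>`, and extend the new comment to say which version the SHA corresponds to. The `uses:` line itself is context in this hunk, but the commit adds the comment directly above it; the same reference recurs in every Run Trivy step touched by this file's other hunks (-53, -73, -92, -111, -130, -149, -168, -187 and -206), so the pin should be applied uniformly. The enclosing job definition starts before this hunk.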
@@ -92,13 +78,8 @@ jobs:
 uses: aquasecurity/trivy-action@master
 with:
 image-ref: "docker.io/openc3inc/openc3-cosmos-init:${{ github.sha }}"
- format: "sarif"
- exit-code: 1
 output: "trivy-init.sarif"
- ignore-unfixed: true
- vuln-type: "os,library"
- scanners: "vuln"
- severity: "CRITICAL,HIGH"
+ trivy-config: trivy.yaml
 skip-setup-trivy: true
 - name: Upload Trivy scan results
 if: ${{ !cancelled() && steps.build.outcome == 'success' }}
@@ -111,13 +92,8 @@ jobs:
 uses: aquasecurity/trivy-action@master
 with:
 image-ref: "docker.io/openc3inc/openc3-redis:${{ github.sha }}"
- format: "sarif"
- exit-code: 1
 output: "trivy-redis.sarif"
- ignore-unfixed: true
- vuln-type: "os,library"
- scanners: "vuln"
- severity: "CRITICAL,HIGH"
+ trivy-config: trivy.yaml
 skip-setup-trivy: true
 - name: Upload Trivy scan results
 if: ${{ !cancelled() && steps.build.outcome == 'success' }}
@@ -130,13 +106,8 @@ jobs:
 uses: aquasecurity/trivy-action@master
 with:
 image-ref: "docker.io/openc3inc/openc3-minio:${{ github.sha }}"
- format: "sarif"
- exit-code: 1
 output: "trivy-minio.sarif"
- ignore-unfixed: true
- vuln-type: "os,library"
- scanners: "vuln"
- severity: "CRITICAL,HIGH"
+ trivy-config: trivy.yaml
 skip-setup-trivy: true
 - name: Upload Trivy scan results
 if: ${{ !cancelled() && steps.build.outcome == 'success' }}
@@ -149,13 +120,8 @@ jobs:
 uses: aquasecurity/trivy-action@master
 with:
 image-ref: "docker.io/openc3inc/openc3-operator:${{ github.sha }}"
- format: "sarif"
- exit-code: 1
 output: "trivy-operator.sarif"
- ignore-unfixed: true
- vuln-type: "os,library"
- scanners: "vuln"
- severity: "CRITICAL,HIGH"
+ trivy-config: trivy.yaml
 skip-setup-trivy: true
 - name: Upload Trivy scan results
 if: ${{ !cancelled() && steps.build.outcome == 'success' }}
@@ -168,13 +134,8 @@ jobs:
 uses: aquasecurity/trivy-action@master
 with:
 image-ref: "docker.io/openc3inc/openc3-cosmos-cmd-tlm-api:${{ github.sha }}"
- format: "sarif"
- exit-code: 1
 output: "trivy-cmd-tlm-api.sarif"
- ignore-unfixed: true
- vuln-type: "os,library"
- scanners: "vuln"
- severity: "CRITICAL,HIGH"
+ trivy-config: trivy.yaml
 skip-setup-trivy: true
 - name: Upload Trivy scan results
 if: ${{ !cancelled() && steps.build.outcome == 'success' }}
@@ -187,13 +148,8 @@ jobs:
 uses: aquasecurity/trivy-action@master
 with:
 image-ref: "docker.io/openc3inc/openc3-cosmos-script-runner-api:${{ github.sha }}"
- format: "sarif"
- exit-code: 1
 output: "trivy-script-runner-api.sarif"
- ignore-unfixed: true
- vuln-type: "os,library"
- scanners: "vuln"
- severity: "CRITICAL,HIGH"
+ trivy-config: trivy.yaml
 skip-setup-trivy: true
 - name: Upload Trivy scan results
 if: ${{ !cancelled() && steps.build.outcome == 'success' }}
@@ -206,13 +162,8 @@ jobs:
 uses: aquasecurity/trivy-action@master
 with:
 image-ref: "docker.io/openc3inc/openc3-traefik:${{ github.sha }}"
- format: "sarif"
- exit-code: 1
 output: "trivy-traefik.sarif"
- ignore-unfixed: true
- vuln-type: "os,library"
- scanners: "vuln"
- severity: "CRITICAL,HIGH"
+ trivy-config: trivy.yaml
 skip-setup-trivy: true
 - name: Upload Trivy scan results
 if: ${{ !cancelled() && steps.build.outcome == 'success' }}
diff --git a/openc3-ruby/Dockerfile b/openc3-ruby/Dockerfile
index 762d5368a..c914c7c28 100644
--- a/openc3-ruby/Dockerfile
+++ b/openc3-ruby/Dockerfile
@@ -79,7 +79,8 @@ RUN apk update \
 && python3 -m venv /openc3/venv \
 && source /openc3/venv/bin/activate \
 && pip3 config --global set global.index $PYPI_URL/pypi \
- && pip3 config --global set global.index-url $PYPI_URL/simple
+ && pip3 config --global set global.index-url $PYPI_URL/simple \
+ && pip3 install --upgrade pip setuptools
 
 # Set user and group
 ENV IMAGE_USER=openc3
diff --git a/trivy.yaml b/trivy.yaml
new file mode 100644
index 000000000..b588fa36a
--- /dev/null
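Review bot: `&& pip3 install --upgrade pip setuptools` in the Dockerfile hunk pulls whatever versions the index behind `$PYPI_URL` serves at build time, so the venv's pip and setuptools are no longer determined by the Dockerfile and two builds of the same commit can produce images with different contents and different Trivy results. Pin both packages, `&& pip3 install --upgrade 'pip==<pinned-version>' 'setuptools==<pinned-version>'`, and record the motivation in a comment above the RUN, e.g. `# Upgrade the venv's pip/setuptools beyond the copies bundled with python3 (presumably to clear scanner findings; confirm)`. The `RUN apk update \` instruction this line belongs to starts before the hunk.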
+++ b/trivy.yaml
@@ -0,0 +1,18 @@
+# See https://trivy.dev/latest/docs/references/configuration/config-file/
+format: "sarif"
+exit-code: 1
+vulnerability:
+ ignore-unfixed: true
+ # See https://trivy.dev/latest/docs/supply-chain/vex/repo/
+ vex:
+ - repo
+pkg:
+ types:
+ - os
+ - library
+scan:
+ scanners:
+ - vuln
+severity:
+ - CRITICAL
+ - HIGH
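Review bot: `vex:` / `- repo` is a behaviour change that the consolidation does not otherwise make: none of the removed per-step inputs enabled VEX, and with it on, findings that a statement in the configured VEX repository marks as not-affected are dropped from the SARIF output and from the `exit-code: 1` gate, so the workflow's pass/fail now depends on externally fetched data rather than on the scanner alone. Document that trust assumption next to the link, e.g. `# Suppresses findings covered by VEX statements fetched from the default VEX repository; the CI gate trusts that source`, so a reader of a green run knows why an advisory may be absent. Separately, whether `format: "sarif"` from this file actually wins over the action's own `format` input default appears to depend on the trivy-action version, so the first run should be checked to confirm the uploaded `trivy-*.sarif` files are SARIF and not table output.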