Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Improve trivy checks #1790

Merged
merged 4 commits into from
Dec 20, 2024
Merged

Improve trivy checks #1790

Show file tree
Hide file tree
Changes from 2 commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
15bb179
Improve trivy checks
jmthomas Dec 20, 2024
3ada8f3
Add trivy config file
jmthomas Dec 20, 2024
8a34327
Upgrade vite to 6.0.5
jmthomas Dec 20, 2024
41150e0
Merge branch 'upgrade_vite' into trivy
jmthomas Dec 20, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
71 changes: 11 additions & 60 deletions .github/workflows/trivy.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -32,16 +32,12 @@ jobs:
OPENC3_TAG: ${{ github.sha }}
- name: Run Trivy on image ruby
if: ${{ !cancelled() && steps.build.outcome == 'success' }}
# See https://github.com/aquasecurity/trivy-action
uses: aquasecurity/trivy-action@master
with:
image-ref: "docker.io/openc3inc/openc3-ruby:${{ github.sha }}"
format: "sarif"
exit-code: 1
output: "trivy-ruby.sarif"
ignore-unfixed: true
vuln-type: "os,library"
scanners: "vuln"
severity: "CRITICAL,HIGH"
trivy-config: trivy.yaml
- name: Upload Trivy scan results
if: ${{ !cancelled() && steps.build.outcome == 'success' }}
uses: github/codeql-action/upload-sarif@v3
Expand All @@ -53,13 +49,8 @@ jobs:
uses: aquasecurity/trivy-action@master
with:
image-ref: "docker.io/openc3inc/openc3-node:${{ github.sha }}"
format: "sarif"
exit-code: 1
output: "trivy-node.sarif"
ignore-unfixed: true
vuln-type: "os,library"
scanners: "vuln"
severity: "CRITICAL,HIGH"
trivy-config: trivy.yaml
# On a subsequent call to the action we know trivy is already installed so can skip this
skip-setup-trivy: true
- name: Upload Trivy scan results
Expand All @@ -73,13 +64,8 @@ jobs:
uses: aquasecurity/trivy-action@master
with:
image-ref: "docker.io/openc3inc/openc3-base:${{ github.sha }}"
format: "sarif"
exit-code: 1
output: "trivy-base.sarif"
ignore-unfixed: true
vuln-type: "os,library"
scanners: "vuln"
severity: "CRITICAL,HIGH"
trivy-config: trivy.yaml
skip-setup-trivy: true
- name: Upload Trivy scan results
if: ${{ !cancelled() && steps.build.outcome == 'success' }}
Expand All @@ -92,13 +78,8 @@ jobs:
uses: aquasecurity/trivy-action@master
with:
image-ref: "docker.io/openc3inc/openc3-cosmos-init:${{ github.sha }}"
format: "sarif"
exit-code: 1
output: "trivy-init.sarif"
ignore-unfixed: true
vuln-type: "os,library"
scanners: "vuln"
severity: "CRITICAL,HIGH"
trivy-config: trivy.yaml
skip-setup-trivy: true
- name: Upload Trivy scan results
if: ${{ !cancelled() && steps.build.outcome == 'success' }}
Expand All @@ -111,13 +92,8 @@ jobs:
uses: aquasecurity/trivy-action@master
with:
image-ref: "docker.io/openc3inc/openc3-redis:${{ github.sha }}"
format: "sarif"
exit-code: 1
output: "trivy-redis.sarif"
ignore-unfixed: true
vuln-type: "os,library"
scanners: "vuln"
severity: "CRITICAL,HIGH"
trivy-config: trivy.yaml
skip-setup-trivy: true
- name: Upload Trivy scan results
if: ${{ !cancelled() && steps.build.outcome == 'success' }}
Expand All @@ -130,13 +106,8 @@ jobs:
uses: aquasecurity/trivy-action@master
with:
image-ref: "docker.io/openc3inc/openc3-minio:${{ github.sha }}"
format: "sarif"
exit-code: 1
output: "trivy-minio.sarif"
ignore-unfixed: true
vuln-type: "os,library"
scanners: "vuln"
severity: "CRITICAL,HIGH"
trivy-config: trivy.yaml
skip-setup-trivy: true
- name: Upload Trivy scan results
if: ${{ !cancelled() && steps.build.outcome == 'success' }}
Expand All @@ -149,13 +120,8 @@ jobs:
uses: aquasecurity/trivy-action@master
with:
image-ref: "docker.io/openc3inc/openc3-operator:${{ github.sha }}"
format: "sarif"
exit-code: 1
output: "trivy-operator.sarif"
ignore-unfixed: true
vuln-type: "os,library"
scanners: "vuln"
severity: "CRITICAL,HIGH"
trivy-config: trivy.yaml
skip-setup-trivy: true
- name: Upload Trivy scan results
if: ${{ !cancelled() && steps.build.outcome == 'success' }}
Expand All @@ -168,13 +134,8 @@ jobs:
uses: aquasecurity/trivy-action@master
with:
image-ref: "docker.io/openc3inc/openc3-cosmos-cmd-tlm-api:${{ github.sha }}"
format: "sarif"
exit-code: 1
output: "trivy-cmd-tlm-api.sarif"
ignore-unfixed: true
vuln-type: "os,library"
scanners: "vuln"
severity: "CRITICAL,HIGH"
trivy-config: trivy.yaml
skip-setup-trivy: true
- name: Upload Trivy scan results
if: ${{ !cancelled() && steps.build.outcome == 'success' }}
Expand All @@ -187,13 +148,8 @@ jobs:
uses: aquasecurity/trivy-action@master
with:
image-ref: "docker.io/openc3inc/openc3-cosmos-script-runner-api:${{ github.sha }}"
format: "sarif"
exit-code: 1
output: "trivy-script-runner-api.sarif"
ignore-unfixed: true
vuln-type: "os,library"
scanners: "vuln"
severity: "CRITICAL,HIGH"
trivy-config: trivy.yaml
skip-setup-trivy: true
- name: Upload Trivy scan results
if: ${{ !cancelled() && steps.build.outcome == 'success' }}
Expand All @@ -206,13 +162,8 @@ jobs:
uses: aquasecurity/trivy-action@master
with:
image-ref: "docker.io/openc3inc/openc3-traefik:${{ github.sha }}"
format: "sarif"
exit-code: 1
output: "trivy-traefik.sarif"
ignore-unfixed: true
vuln-type: "os,library"
scanners: "vuln"
severity: "CRITICAL,HIGH"
trivy-config: trivy.yaml
skip-setup-trivy: true
- name: Upload Trivy scan results
if: ${{ !cancelled() && steps.build.outcome == 'success' }}
Expand Down
3 changes: 2 additions & 1 deletion openc3-ruby/Dockerfile
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -79,7 +79,8 @@ RUN apk update \
&& python3 -m venv /openc3/venv \
&& source /openc3/venv/bin/activate \
&& pip3 config --global set global.index $PYPI_URL/pypi \
&& pip3 config --global set global.index-url $PYPI_URL/simple
&& pip3 config --global set global.index-url $PYPI_URL/simple \
&& pip3 install --upgrade pip setuptools
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This addresses a few CVEs in the setuptools


# Set user and group
ENV IMAGE_USER=openc3
Expand Down
18 changes: 18 additions & 0 deletions trivy.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,18 @@
# See https://trivy.dev/latest/docs/references/configuration/config-file/
format: "sarif"
exit-code: 1
vulnerability:
ignore-unfixed: true
# See https://trivy.dev/latest/docs/supply-chain/vex/repo/
vex:
- repo
pkg:
types:
- os
- library
scan:
scanners:
- vuln
severity:
- CRITICAL
- HIGH
Loading