ci: generate SARIF reports

Automattic · Nov 1, 2023 · e4d9413 · e4d9413
1 parent 5a0f487
commit e4d9413
Show file tree

Hide file tree

Showing 13 changed files with 43 additions and 43 deletions.
diff --git a/.github/actions/build-docker-image/action.yml b/.github/actions/build-docker-image/action.yml
@@ -90,20 +90,34 @@ runs:
         build-args: ${{ inputs.args }}
 
     - name: Security Scan
-      uses: aquasecurity/trivy-action@master
+      uses: ./.github/actions/trivy
       with:
-        image-ref: ${{ inputs.primaryTag }}
-        format: template
-        template: "@.github/actions/build-docker-image/markdown.tpl"
-        output: trivy.md
-      if: github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name == github.event.pull_request.base.repo.full_name
+        args: image --format json ${{ inputs.primaryTag }} --output trivy.json
 
-    - name: Security Scan
-      uses: aquasecurity/trivy-action@master
+    - name: Print report
+      uses: ./.github/actions/trivy
       with:
-        image-ref: ${{ inputs.primaryTag }}
-        format: table
-      if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name != github.event.pull_request.base.repo.full_name
+        args: convert --format=table trivy.json
+
+    - name: Generate SARIF
+      uses: ./.github/actions/trivy
+      with:
+        args: convert --format=sarif --output=trivy.sarif trivy.json
+      if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.event.pull_request.base.repo.full_name
+
+    - name: Upload SARIF
+      uses: github/codeql-action/[email protected]
+      with:
+        sarif_file: trivy.sarif
+        category: trivy
+      if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.event.pull_request.base.repo.full_name
+      continue-on-error: true
+
+    - name: Prepare markdown report
+      uses: ./.github/actions/trivy
+      with:
+        args: convert --format=template [email protected]/actions/build-docker-image/markdown.tpl --output=trivy.md trivy.json
+      if: github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name == github.event.pull_request.base.repo.full_name
 
     - name: Find Trivy Scan Report comment
       uses: peter-evans/find-comment@v2

diff --git a/.github/actions/build-docker-image/markdown.tpl b/.github/actions/build-docker-image/markdown.tpl
@@ -2,7 +2,6 @@
 {{- if . }}
 {{- range . }}
 ## {{ .Target }}
-### Vulnerabilities
 {{- if (eq (len .Vulnerabilities) 0) }}
 No vulnerabilities found.
 {{- else }}
@@ -14,18 +13,6 @@ No vulnerabilities found.
 
 {{- end }} <!-- Vulnerabilities -->
 
-### Misconfigurations
-{{- if (eq (len .Misconfigurations ) 0) }}
-No misconfigurations found.
-{{- else }}
-| Type | Misconfiguration ID | Check | Severity | Message |
-| ---- | ------------------- | ----- | -------- | ------- |
-{{- range .Misconfigurations }}
-| {{ .Type }} | {{ .ID }} | {{ .Title }} | {{ .Severity }} | {{ .Message }}<br>{{ .PrimaryURL }} |
-{{- end }}
-
-{{- end }} <!-- Misconfigurations -->
-
 {{- end }} <!-- Targets -->
 
 {{- else }}

diff --git a/.github/actions/trivy/action.yml b/.github/actions/trivy/action.yml
@@ -0,0 +1,5 @@
+name: Trivy Scan
+description: Scan for vulnerabilities using Trivy
+runs:
+  using: docker
+  image: docker://aquasec/trivy:0.46.1
diff --git a/.github/workflows/alpine.yml b/.github/workflows/alpine.yml
@@ -30,6 +30,7 @@ jobs:
       packages: write
       contents: read
       pull-requests: write
+      security-events: write
     steps:
       - name: Check out the repo
         uses: actions/checkout@v4

diff --git a/.github/workflows/build-skeleton.yml b/.github/workflows/build-skeleton.yml
@@ -16,29 +16,14 @@ jobs:
     permissions:
       packages: write
       contents: read
+      security-events: write
     steps:
       - name: Check out the repo
         uses: actions/checkout@v4
 
-      - name: Set up QEMU
-        uses: docker/setup-qemu-action@v3
-
-      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
-
-      - name: Log in to GitHub Docker Registry
-        uses: docker/login-action@v3
-        with:
-          registry: https://ghcr.io
-          username: ${{ github.actor }}
-          password: ${{ secrets.GITHUB_TOKEN }}
-
-      - name: Build container image
-        uses: docker/build-push-action@v5
+      - name: Build and push image
+        uses: ./.github/actions/build-docker-image
         with:
           context: skeleton
-          file: skeleton/Dockerfile
-          platforms: linux/amd64,linux/arm64
           push: true
-          tags: |
-            ghcr.io/automattic/vip-container-images/skeleton:latest
+          primaryTag: ghcr.io/automattic/vip-container-images/skeleton:latest
diff --git a/.github/workflows/dev-tools.yml b/.github/workflows/dev-tools.yml
@@ -30,6 +30,7 @@ jobs:
       packages: write
       contents: read
       pull-requests: write
+      security-events: write
     steps:
       - name: Check out the repo
         uses: actions/checkout@v4

diff --git a/.github/workflows/mu-plugins.yml b/.github/workflows/mu-plugins.yml
@@ -33,6 +33,7 @@ jobs:
       packages: write
       contents: read
       pull-requests: write
+      security-events: write
     steps:
       - name: Check out the repo
         uses: actions/checkout@v4

diff --git a/.github/workflows/nginx.yml b/.github/workflows/nginx.yml
@@ -30,6 +30,7 @@ jobs:
       packages: write
       contents: read
       pull-requests: write
+      security-events: write
     steps:
       - name: Check out the repo
         uses: actions/checkout@v4

diff --git a/.github/workflows/photon.yml b/.github/workflows/photon.yml
@@ -30,6 +30,7 @@ jobs:
       packages: write
       contents: read
       pull-requests: write
+      security-events: write
     steps:
       - name: Check out the repo
         uses: actions/checkout@v4

diff --git a/.github/workflows/php-fpm.yml b/.github/workflows/php-fpm.yml
@@ -30,6 +30,7 @@ jobs:
       packages: write
       contents: read
       pull-requests: write
+      security-events: write
     strategy:
       fail-fast: false
       matrix:

diff --git a/.github/workflows/skeleton.yml b/.github/workflows/skeleton.yml
@@ -30,6 +30,7 @@ jobs:
       packages: write
       contents: read
       pull-requests: write
+      security-events: write
     steps:
       - name: Check out the repo
         uses: actions/checkout@v4

diff --git a/.github/workflows/traefik.yml b/.github/workflows/traefik.yml
@@ -30,6 +30,7 @@ jobs:
       packages: write
       contents: read
       pull-requests: write
+      security-events: write
     steps:
       - name: Check out the repo
         uses: actions/checkout@v4

diff --git a/.github/workflows/wordpress.yml b/.github/workflows/wordpress.yml
@@ -47,6 +47,7 @@ jobs:
       contents: read
       packages: write
       pull-requests: write
+      security-events: write
     strategy:
       fail-fast: false
       matrix: