diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml index 2ead7b4d..6e282416 100644 --- a/.github/workflows/security.yml +++ b/.github/workflows/security.yml @@ -32,7 +32,6 @@ jobs: - name: Set up Docker Buildx uses: docker/setup-buildx-action@d70bba72b1f3fd22344832f00baa16ece964efeb #v3.3.0 - trivy-scanning: runs-on: ubuntu-latest @@ -48,17 +47,20 @@ jobs: file: ./Dockerfile platforms: linux/amd64 push: false - tags: | - checkmarx/2ms:scanme + tags: checkmarx/2ms:scanme + + - name: Run Trivy Scan + uses: aquasecurity/trivy-action@915b19bbe73b92a6cf82a1bc12b087c9a19a5fe2 # v0.28.0 + with: + image-ref: checkmarx/2ms:scanme + vuln-type: os,library + format: table + ignore-unfixed: true + severity: CRITICAL,HIGH,MEDIUM,LOW + trivy-config: trivy.yaml + exit-code: '1' + - - name: Install trivy and Run it - run: | - wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key | sudo apt-key add - - echo "deb https://aquasecurity.github.io/trivy-repo/deb $(lsb_release -cs) main" | sudo tee -a /etc/apt/sources.list.d/trivy.list - sudo apt-get update && sudo apt-get install -y trivy - trivy image checkmarx/2ms:scanme --exit-code 1 \ - --ignore-unfixed --vuln-type os,library --no-progress --severity CRITICAL,HIGH,MEDIUM,LOW --vex ./ignore.openvex - secret-scanning: runs-on: ubuntu-latest steps: diff --git a/.github/workflows/update-trivy-cron.yml b/.github/workflows/update-trivy-cron.yml new file mode 100644 index 00000000..3c41bab1 --- /dev/null +++ b/.github/workflows/update-trivy-cron.yml 
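Review bot: With `ignore-unfixed: true` and the VEX statements pulled in through `trivy-config: trivy.yaml` both active, the `format: table` output is the only record of the scan and carries no trace of what was suppressed, so a finding dropped by an outdated `ignore.openvex` statement is indistinguishable from a clean image in the job log. Consider surfacing suppressed findings in the table (Trivy's `--show-suppressed`, which can be set in `trivy.yaml` if the Trivy bundled with this action version supports it) or adding a second run with `format: sarif` uploaded to code scanning so the full result set is retained. Separate from this change but worth confirming: the build step above runs under buildx with `push: false`, and `trivy image checkmarx/2ms:scanme` can only find the image in the local daemon if `load: true` is set in the `with:` block that begins above this hunk. The `trivy-scanning` job's steps start outside the hunk.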
@@ -0,0 +1,37 @@ +name: Update Trivy Cache + +on: + schedule: + - cron: '0 0 * * *' # Run daily at midnight UTC + workflow_dispatch: # Allow manual triggering + +jobs: + update-trivy-db: + runs-on: ubuntu-latest + steps: + - name: Setup oras + uses: oras-project/setup-oras@9c92598691bfef1424de2f8fae81941568f5889c # v1.2.1 + + - name: Get current date + id: date + run: echo "date=$(date +'%Y-%m-%d')" >> $GITHUB_OUTPUT + + - name: Download and extract the vulnerability DB + run: | + mkdir -p $GITHUB_WORKSPACE/.cache/trivy/db + oras pull ghcr.io/aquasecurity/trivy-db:2 + tar -xzf db.tar.gz -C $GITHUB_WORKSPACE/.cache/trivy/db + rm db.tar.gz + + - name: Download and extract the Java DB + run: | + mkdir -p $GITHUB_WORKSPACE/.cache/trivy/java-db + oras pull ghcr.io/aquasecurity/trivy-java-db:1 + tar -xzf javadb.tar.gz -C $GITHUB_WORKSPACE/.cache/trivy/java-db + rm javadb.tar.gz + + - name: Cache DBs + uses: actions/cache/save@6849a6489940f00c2f30c0fb92c6274307ccb58a # v4.2.1 + with: + path: ${{ github.workspace }}/.cache/trivy + key: cache-trivy-${{ steps.date.outputs.date }} \ No newline at end of file diff --git a/Dockerfile b/Dockerfile index cb3d2692..885b7180 100644 --- a/Dockerfile +++ b/Dockerfile @@ -20,7 +20,7 @@ COPY . . RUN GOOS=linux GOARCH=amd64 go build -ldflags="-s -w" -a -o /app/2ms . # Runtime image -FROM cgr.dev/chainguard/git@sha256:0663e8c8a5c6fcad6cc2c08e7668d7b46f7aee025a923cee19f69475e187752a +FROM cgr.dev/chainguard/git@sha256:91f984bed3cef8b6b9bdefb8e4ae2c9ec2c28564b237c2a0e432549c105ceb16 WORKDIR /app diff --git a/plugins/git.go b/plugins/git.go index 4adfb222..62b16e79 100644 --- a/plugins/git.go +++ b/plugins/git.go 
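Review bot: The new workflow declares no `permissions:` block, so it runs with the repository's default `GITHUB_TOKEN` grant even though its only interaction with GitHub is writing the Actions cache (which uses the runner's runtime token, not `GITHUB_TOKEN`); add `permissions: contents: read` (or `permissions: {}`) below `name:` to keep it least-privilege. The two `oras pull` steps fetch the mutable tags `trivy-db:2` and `trivy-java-db:1`, which is inherent to a daily refresh, but whatever lands in `.cache/trivy` is then consumed unverified by any job that restores `cache-trivy-<date>`, so a `timeout-minutes:` on `update-trivy-db` and a comment tying the key format to the consumer would help the next maintainer. Suggested comment above `key:`: `# Must match the daily key the scanning job's trivy-action derives (cache-trivy-YYYY-MM-DD), assuming that is its default; otherwise scans re-download the DB`.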
@@ -73,6 +73,12 @@ func (p *GitPlugin) scanGit(path string, scanOptions string, itemsChan chan ISou defer close() for file := range diffs { + if file.PatchHeader == nil { + // While parsing the PatchHeader, the token size limit may be exceeded, resulting in a nil value. + // This scenario is unlikely, but it causes the scan to never complete. + file.PatchHeader = &gitdiff.PatchHeader{} + } + log.Debug().Msgf("file: %s; Commit: %s", file.NewName, file.PatchHeader.Title) if file.IsBinary || file.IsDelete { continue diff --git a/trivy.yaml b/trivy.yaml new file mode 100644 index 00000000..34d4fe15 --- /dev/null +++ b/trivy.yaml @@ -0,0 +1,3 @@ +vulnerability: + vex: + - ignore.openvex
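Review bot: Substituting an empty `gitdiff.PatchHeader{}` for a nil `file.PatchHeader` keeps the loop from hanging but silently drops commit attribution for that diff: every field read from the header afterwards (`Title` here, and presumably the commit identifier further down, outside the hunk) will be empty, while the only trace is a `Debug` line that is hidden at normal verbosity. Log the fallback at warn level so users know findings from this file lack commit metadata, e.g. `log.Warn().Msgf("file: %s: patch header could not be parsed (token size limit suspected); commit metadata will be empty", file.NewName)`. The comment's stated cause reads as a guess; if it comes from observed go-gitdiff behaviour, say so, otherwise phrase it as a suspected cause. scanGit's body starts and ends outside this hunk.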
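Review bot: `ignore.openvex` is a relative path resolved against Trivy's working directory, which works for the workflow running at the repository root but resolves differently (and may apply no VEX statements) when someone runs `trivy --config trivy.yaml` from another directory. A one-line comment documenting the expectation avoids that surprise: `# Path is relative to the repo root; the security workflow runs Trivy from there`. Consider also setting `show-suppressed: true` alongside `vex` (if the pinned Trivy supports it) so findings suppressed by a VEX statement still appear in the table output rather than vanishing silently.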