test: add HIGH in vulnerability scans #13
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Producer-CI | |
on: | |
push: | |
branches: | |
- main | |
- feat/issues/3 | |
paths: | |
- '03-producer/**' | |
- '.github/workflows/producer-ci.yaml' | |
env: | |
REPO_APP: 'mqtt-producer' | |
BUILD_CONTEXT: './03-producer' | |
SLACK_CHANNEL: 'builds-and-ci' | |
SLACK_MSG_COLOR: '#0092ff' | |
COMMITER_NAME: 'AutoCommit' | |
VULN_SEVERITY: 'CRITICAL,HIGH' | |
VULN_TYPE: 'os,library' | |
VULN_FORMAT: 'table' | |
VULN_TIMEOUT_SCAN: '2m0s' | |
VULN_SCANNERS: 'vuln,secret,misconfig,license' | |
VULN_IGNORED_LIC: 'MIT' # MIT,LGPL,MPL-2.0 | |
VULN_EXIT_CODE: 1 # 0=pipeline continue 1=pipeline finish. | |
TRIVY_DISABLE_VEX_NOTICE: true | |
TRIVY_REPOSITORY: 'public.ecr.aws/aquasecurity/trivy-db:2' | |
jobs: | |
Producer-CI_build-docker-image: | |
runs-on: ubuntu-latest | |
permissions: | |
contents: write # get the default GITHUB_TOKEN write permission to commit and push the changed files back to the repository. | |
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results | |
actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status | |
issues: write # to create new issues in workflows | |
steps: | |
- name: Checkout | |
uses: actions/checkout@v3 | |
- name: Login to Docker Hub | |
uses: docker/login-action@v2 | |
with: | |
username: 'jpradoar' | |
password: ${{ secrets.DOCKERHUB_TOKEN }} | |
- name: Set up Docker Buildx | |
uses: docker/setup-buildx-action@v2 | |
- name: Show last version of docker-hub image | |
id: last_version_remote_file | |
run: | | |
LastVersion=$(curl -s "https://hub.docker.com/v2/repositories/jpradoar/${{ env.REPO_APP }}/tags/?page_size=2" | jq -r '.results[].name'|sort -M|grep -v latest|tail -1) | |
echo "LAST_VERSION=$LastVersion " >> "$GITHUB_OUTPUT" | |
- name: Generate new version with semantic version | |
id: nversion | |
uses: jpradoar/[email protected] | |
with: | |
COMMIT_MSG: ${{ github.event.head_commit.message }} | |
VERSION: ${{ steps.last_version_remote_file.outputs.LAST_VERSION }} | |
- name: Build and push | |
uses: docker/build-push-action@v4 | |
with: | |
context: ${{ env.BUILD_CONTEXT }} | |
push: true | |
tags: jpradoar/${{ env.REPO_APP }}:${{ steps.nversion.outputs.NEW_VERSION }} | |
- name: Install trivy last version | |
run: | | |
sudo apt-get install wget apt-transport-https gnupg lsb-release | |
wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key | sudo apt-key add - | |
echo deb https://aquasecurity.github.io/trivy-repo/deb $(lsb_release -sc) main | sudo tee -a /etc/apt/sources.list.d/trivy.list | |
sudo apt-get update | |
sudo apt-get install trivy | |
- name: search for vulnerabilities | |
id: trivy_scan | |
continue-on-error: true | |
run: | | |
rm -rf ./vuln_scans/${{ env.REPO_APP }}_vuln_scan.table | |
trivy image \ | |
--scanners ${{ env.VULN_SCANNERS }} \ | |
--severity ${{ env.VULN_SEVERITY }} \ | |
--timeout ${{ env.VULN_TIMEOUT_SCAN }} \ | |
--pkg-types ${{ env.VULN_TYPE }} \ | |
--license-full \ | |
--ignored-licenses ${{ env.VULN_IGNORED_LIC }} \ | |
--format ${{ env.VULN_FORMAT }} \ | |
--exit-code ${{ env.VULN_EXIT_CODE }} \ | |
--db-repository ${{ env.TRIVY_REPOSITORY }} \ | |
--ignore-unfixed \ | |
-o ./vuln_scans/${{ env.REPO_APP }}_vuln_scan.table \ | |
'jpradoar/${{ env.REPO_APP }}:${{ steps.nversion.outputs.NEW_VERSION }}' | |
- name: show vulnerability report | |
if: ${{ steps.trivy_scan.outcome == 'failure' }} | |
run: | | |
cat ./vuln_scans/${{ env.REPO_APP }}_vuln_scan.table | |
- name: validate if exist vuln | |
if: ${{ steps.trivy_scan.outcome == 'failure' }} | |
run: | | |
echo "### See detailed vuln scan in: " > /tmp/vuln_info.md | |
echo "<br> ![](https://custom-icon-badges.demolab.com/badge/Vulnerability-detected-red.svg) <br>" >> /tmp/vuln_info.md | |
echo " * Vulnerability report: [vuln_scans/${{ env.REPO_APP }}_vuln_scan](https://github.com/${{ github.repository }}/blob/${{ github.ref_name }}/vuln_scans/${{ env.REPO_APP }}_vuln_scan.table)" >> /tmp/vuln_info.md | |
echo " * Vulnerability detected in commit: ${{ github.sha }}" >> /tmp/vuln_info.md | |
- name: update data | |
if: ${{ steps.trivy_scan.outcome == 'failure' }} | |
run: | | |
git pull | |
- name: Upload vuln scan report | |
uses: EndBug/add-and-commit@v9 | |
with: | |
message: 'AutoCommit: upload vuln scan report' | |
add: './vuln_scans/${{ env.REPO_APP }}_vuln_scan.table' | |
- name: Vulnerability detected - Create issue | |
if: ${{ steps.trivy_scan.outcome == 'failure' }} | |
run: | | |
body="New vulnerability detected on vuln_scans/${{ env.REPO_APP }}_vuln_scan.table" | |
gh issue create \ | |
--repo ${{ github.repository }} \ | |
--title ":skull: [vuln] vulnerability detected on image ${{ env.REPO_APP }} " \ | |
--body-file '/tmp/vuln_info.md' \ | |
--assignee "jpradoar" \ | |
--label bug --label vulnerability | |
env: | |
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
- name: Slack docker build Notification | |
uses: rtCamp/action-slack-notify@v2 | |
env: | |
SLACK_CHANNEL: ${{ env.SLACK_CHANNEL }} | |
SLACK_COLOR: ${{ env.SLACK_MSG_COLOR }} | |
SLACK_MESSAGE: 'URL: https://hub.docker.com/repository/docker/jpradoar/${{ env.REPO_APP }}' | |
SLACK_TITLE: ':rocket: GithubAction Build docker image: [ ${{ env.REPO_APP }}:${{ steps.nversion.outputs.NEW_VERSION }} ]' | |
SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }} | |
- name: Slack Vulnerability Notification | |
if: ${{ steps.trivy_scan.outcome == 'failure' }} | |
uses: rtCamp/action-slack-notify@v2 | |
env: | |
SLACK_CHANNEL: ${{ env.SLACK_CHANNEL }} | |
SLACK_COLOR: ${{ env.SLACK_MSG_COLOR }} | |
SLACK_MESSAGE: 'URL: https://hub.docker.com/repository/docker/jpradoar/${{ env.REPO_APP }}' | |
SLACK_TITLE: ':skull: Vulnerability detected in: [ ${{ env.REPO_APP }}:${{ steps.nversion.outputs.NEW_VERSION }} ]' | |
SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }} |