
Use trivy instead of owasp/dependency-check (#2721)
jeffreyc-splunk authored Feb 21, 2023
1 parent 04e44d0 commit 9929382
Showing 1 changed file with 62 additions and 47 deletions.
109 changes: 62 additions & 47 deletions .github/workflows/build_and_test.yml
Expand Up @@ -137,60 +137,75 @@ jobs:
~/${{ env.RESULT_PATH }}/results.html
~/${{ env.RESULT_PATH }}/results.xml
dependency_check:
name: dependency_check
trivy-fs-scan:
runs-on: ubuntu-20.04
needs: [build]
container:
image: owasp/dependency-check:6.5.0
options: --user root
steps:
- name: Check out the codebase.
uses: actions/checkout@v3
- uses: actions/checkout@v3
- name: Run trivy filesystem scan
id: trivy-fs-scan
uses: aquasecurity/[email protected]
with:
scan-type: 'fs'
scan-ref: '.'
skip-dirs: 'deployments,examples,packaging,test-services,tests'
format: 'table'
severity: 'CRITICAL,HIGH'
ignore-unfixed: true
exit-code: '1'
- name: Generate report
if: ${{ failure() && steps.trivy-fs-scan.conclusion == 'failure' }}
uses: aquasecurity/[email protected]
with:
scan-type: 'fs'
scan-ref: '.'
skip-dirs: 'deployments,examples,packaging,test-services,tests'
format: 'sarif'
output: 'trivy-fs-results.sarif'
severity: 'CRITICAL,HIGH'
ignore-unfixed: true
exit-code: '0'
- name: Upload report to GitHub Security tab
if: ${{ failure() && steps.trivy-fs-scan.conclusion == 'failure' }}
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: 'trivy-fs-results.sarif'

- name: Downloading bundle
uses: actions/download-artifact@v3
trivy-image-scan:
runs-on: ubuntu-20.04
needs: [build]
steps:
- uses: actions/checkout@v3
- uses: actions/download-artifact@v3
with:
name: bundle
name: image
path: ./dist

- name: Setup dependency check
run: |
mkdir -p ./bundle
mkdir -p ./reports
apk --no-cache add tar
tar -C ./bundle -xf ./dist/signalfx-agent-latest.tar.gz
- name: Get Date
id: get-date
run: |
echo "date=$(/bin/date -u "+%Y%m%d")" >> $GITHUB_OUTPUT
- name: Caching dependency
uses: actions/cache@v3
- run: docker load -i ./dist/image.tar
- name: Run trivy image scan
id: trivy-image-scan
uses: aquasecurity/[email protected]
with:
path: |
/usr/share/dependency-check/data
key: v2-dependency-check-nvd-${{ steps.get-date.outputs.date }}-${{ hashFiles('./.github/workflows/build_and_test.yml') }}

- name: Run Dependency Check
run: |
/usr/share/dependency-check/bin/dependency-check.sh \
--scan ./bundle \
--project "signalfx-agent-latest.tar.gz" \
--suppression ./scripts/dependency-check/suppression.xml \
--out ./reports/ \
--format HTML \
--format JUNIT \
--junitFailOnCVSS 9 \
--failOnCVSS 9 || \
(echo -e "\nOne or more critical vulnerabilities were found in the agent bundle.\nCheck the report artifact, fix the issues, run 'make bundle && make dependency-check', and commit the changes when the issues are resolved." && exit 1)
- name: Uploading test result artifacts
uses: actions/upload-artifact@v3
scan-type: 'image'
image-ref: 'quay.io/signalfx/signalfx-agent-dev:latest'
format: 'table'
severity: 'CRITICAL,HIGH'
ignore-unfixed: true
exit-code: '1'
- name: Generate report
if: ${{ failure() && steps.trivy-image-scan.conclusion == 'failure' }}
uses: aquasecurity/[email protected]
with:
scan-type: 'image'
image-ref: 'quay.io/signalfx/signalfx-agent-dev:latest'
format: 'sarif'
output: 'trivy-image-results.sarif'
severity: 'CRITICAL,HIGH'
ignore-unfixed: true
exit-code: '0'
- name: Upload report to GitHub Security tab
if: ${{ failure() && steps.trivy-image-scan.conclusion == 'failure' }}
uses: github/codeql-action/upload-sarif@v2
with:
name: dependency-check-result
path: reports
sarif_file: 'trivy-image-results.sarif'

pcf_tile_build:
name: pcf_tile_build
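Review bot: In the trivy-image-scan job, `image-ref: 'quay.io/signalfx/signalfx-agent-dev:latest'` only refers to the artifact loaded by `docker load -i ./dist/image.tar` if that tar carries exactly that tag; otherwise trivy resolves the reference from the registry and the job scans the already-published image rather than the build under test, so a comment above the load step such as `# image.tar must be tagged quay.io/signalfx/signalfx-agent-dev:latest, or trivy pulls the published image instead` (or a `docker images` listing after the load) would make that assumption visible and checkable. The two "Upload report to GitHub Security tab" steps using `github/codeql-action/upload-sarif@v2` need `security-events: write` on the job token; no `permissions:` block appears in the hunk, so this presumably relies on a workflow-level setting outside it and is worth confirming. Both `aquasecurity/trivy-action` references are pinned by tag (the exact tag is garbled in the rendering); since this third-party action now gates the build, pinning it to a full commit SHA would be the stronger supply-chain posture. The removed job also passed `--suppression ./scripts/dependency-check/suppression.xml`, and the new jobs carry no equivalent ignore list, so any previously suppressed findings that are not filtered by `ignore-unfixed: true` will now fail the scan.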
