From d6436abcd0452bbe7fbd1f32ae29d9a62a37fb89 Mon Sep 17 00:00:00 2001 From: Ryo Hanafusa Date: Tue, 3 Oct 2023 13:40:43 +0900 Subject: [PATCH 1/9] add daily-vul-scan.yml --- .github/workflows/daily-vul-scan.yml | 46 ++++++++++++++++++++++++++++ README.md | 2 +- 2 files changed, 47 insertions(+), 1 deletion(-) create mode 100644 .github/workflows/daily-vul-scan.yml diff --git a/.github/workflows/daily-vul-scan.yml b/.github/workflows/daily-vul-scan.yml new file mode 100644 index 0000000..dc532cd --- /dev/null +++ b/.github/workflows/daily-vul-scan.yml @@ -0,0 +1,46 @@ +name: Daily Vulnerability Scan + +on: + push: + branches: + # - main + - add_daily-vul-scan + # pull_request: + # workflow_dispatch: + +jobs: + build: + name: Build + runs-on: ubuntu-latest + steps: + - name: Checkout + uses: actions/checkout@v4 + + - name: Setup Go + uses: actions/setup-go@v4 + with: + go-version-file: "./go.mod" + cache: true + + - name: Go modules sync + run: go mod tidy + + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@v3 + + - name: Build an image from Dockerfile + run: | + make docker-build IMG=zozo-gatling-operator:${{ github.sha }} + + - name: Run Trivy vulnerability scanner + uses: aquasecurity/trivy-action@master + with: + scan-type: image + image-ref: "zozo-gatling-operator:${{ github.sha }}" + format: "table" + exit-code: "1" + ignore-unfixed: true + vuln-type: "os,library" + severity: "CRITICAL,HIGH" + timeout: "5m0s" + scanners: "vuln,secret,config" diff --git a/README.md b/README.md index 2439e8d..798d615 100644 --- a/README.md +++ b/README.md 
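Review bot: `uses: aquasecurity/trivy-action@master` in the new scanner step tracks a mutable branch of a third-party action, so whatever lands on that branch next runs inside this job with the repository token and full access to the freshly built image. Pin it to the full commit SHA of a tagged release and keep the tag in a trailing comment so Dependabot can bump it, `uses: aquasecurity/trivy-action@<release-commit-sha> # <release-tag>`; the same policy would apply to the floating `@v3`/`@v4` major tags on the other actions if the repository wants SHA pinning across the board. `severity: "CRITICAL,HIGH"` together with `ignore-unfixed: true` means MEDIUM and not-yet-fixed findings never fail the job, which is a reasonable gate but deserves a one-line comment above the step stating that it is deliberate.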
@@ -1,6 +1,6 @@ # Gatling Operator -[![Go Report Card](https://goreportcard.com/badge/github.com/st-tech/gatling-operator)](https://goreportcard.com/report/github.com/st-tech/gatling-operator) [![CI](https://github.com/st-tech/gatling-operator/actions/workflows/ci.yml/badge.svg?branch=main&event=push)](https://github.com/st-tech/gatling-operator/actions/workflows/ci.yml) ![GitHub release (latest SemVer)](https://img.shields.io/github/v/release/st-tech/gatling-operator) +[![Go Report Card](https://goreportcard.com/badge/github.com/st-tech/gatling-operator)](https://goreportcard.com/report/github.com/st-tech/gatling-operator) [![CI](https://github.com/st-tech/gatling-operator/actions/workflows/ci.yml/badge.svg?branch=main&event=push)](https://github.com/st-tech/gatling-operator/actions/workflows/ci.yml) [![Vulnerability Scan](https://github.com/R-HNF/gatling-operator/actions/workflows/daily-vul-scan.yml/badge.svg)](https://github.com/st-tech/gatling-operator/actions/workflows/ci.yml) ![GitHub release (latest SemVer)](https://img.shields.io/github/v/release/st-tech/gatling-operator) [Gatling](https://gatling.io/) is an open source load testing tool that allows to analyze and measure the performance of a variety of services. [Gatling Operator](https://github.com/st-tech/gatling-operator) is a Kubernetes Operator for running automated distributed Gatling load testing. From 20d232b4494f35d40be619777645d1c7ed84916a Mon Sep 17 00:00:00 2001 From: Ryo Date: Sun, 15 Oct 2023 22:09:01 +0900 Subject: [PATCH 2/9] add tested workflow and trivy result template --- .github/workflows/daily-vul-scan.yml | 50 ++++++++++++++++++++++------ README.md | 2 +- gitrivy.tpl | 27 +++++++++++++++ 3 files changed, 68 insertions(+), 11 deletions(-) create mode 100644 gitrivy.tpl diff --git a/.github/workflows/daily-vul-scan.yml b/.github/workflows/daily-vul-scan.yml index dc532cd..9ff3de8 100644 --- a/.github/workflows/daily-vul-scan.yml +++ b/.github/workflows/daily-vul-scan.yml 
@@ -1,4 +1,4 @@ -name: Daily Vulnerability Scan +name: daily vulnerability scan on: push: @@ -8,6 +8,14 @@ on: # pull_request: # workflow_dispatch: +env: + IMAGE_NAME: zozo-gatling-operator + TRIVY_RESULT_MARKDOWN: trivy-results.md + +permissions: + contents: read + issues: write + jobs: build: name: Build @@ -19,7 +27,7 @@ jobs: - name: Setup Go uses: actions/setup-go@v4 with: - go-version-file: "./go.mod" + go-version-file: ./go.mod cache: true - name: Go modules sync @@ -30,17 +38,39 @@ jobs: - name: Build an image from Dockerfile run: | - make docker-build IMG=zozo-gatling-operator:${{ github.sha }} + make docker-build IMG="${{ env.IMAGE_NAME }}:${{ github.sha }}" - name: Run Trivy vulnerability scanner uses: aquasecurity/trivy-action@master with: scan-type: image - image-ref: "zozo-gatling-operator:${{ github.sha }}" - format: "table" - exit-code: "1" + image-ref: "${{ env.IMAGE_NAME }}:${{ github.sha }}" + exit-code: 1 ignore-unfixed: true - vuln-type: "os,library" - severity: "CRITICAL,HIGH" - timeout: "5m0s" - scanners: "vuln,secret,config" + vuln-type: os,library + severity: HIGH,CRITICAL + timeout: 10m0s + scanners: vuln,secret,config + format: template + template: "@gitrivy.tpl" + output: ${{ env.TRIVY_RESULT_MARKDOWN }} + + - name: Insert YAML front matter into the result markdown + if: always() + run: | + sed -i '1i\ + ---\ + title: "[DO NOT CHANGE] Security Alert"\ + labels: "trivy, vulnerability"\ + ---\ + ' "${{ env.TRIVY_RESULT_MARKDOWN }}" + + - name: Create or update the trivy result issue + uses: JasonEtco/create-an-issue@v2 + if: always() + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + with: + filename: ${{ env.TRIVY_RESULT_MARKDOWN }} + update_existing: true + search_existing: open diff --git a/README.md b/README.md index 798d615..18a7585 100644 --- a/README.md +++ b/README.md 
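Review bot: The two `if: always()` steps at the end of the hunk run even when the image build failed and the Trivy step was skipped, so `sed -i` then operates on a file that was never written and `create-an-issue` either fails or updates the open "Security Alert" issue with stale or empty content. Give the scanner step an `id: trivy` and gate the follow-up steps on it having actually run, e.g. `if: ${{ !cancelled() && steps.trivy.outcome != 'skipped' }}`, which still fires on the intended `exit-code: 1` failure path. Also prefer the exported shell variable over expression interpolation inside `run:`, `sed -i '...' "$TRIVY_RESULT_MARKDOWN"` — the value is a workflow constant here so it is not injectable today, but `${{ }}` inside a script is exactly the pattern that becomes a shell-injection vector the moment the variable is sourced from an event payload. `JasonEtco/create-an-issue@v2` is a third-party action that now receives a token with `issues: write`; pinning it to a commit SHA is the same supply-chain hygiene as for the Trivy action.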
@@ -1,6 +1,6 @@ # Gatling Operator -[![Go Report Card](https://goreportcard.com/badge/github.com/st-tech/gatling-operator)](https://goreportcard.com/report/github.com/st-tech/gatling-operator) [![CI](https://github.com/st-tech/gatling-operator/actions/workflows/ci.yml/badge.svg?branch=main&event=push)](https://github.com/st-tech/gatling-operator/actions/workflows/ci.yml) [![Vulnerability Scan](https://github.com/R-HNF/gatling-operator/actions/workflows/daily-vul-scan.yml/badge.svg)](https://github.com/st-tech/gatling-operator/actions/workflows/ci.yml) ![GitHub release (latest SemVer)](https://img.shields.io/github/v/release/st-tech/gatling-operator) +[![Go Report Card](https://goreportcard.com/badge/github.com/st-tech/gatling-operator)](https://goreportcard.com/report/github.com/st-tech/gatling-operator) [![CI](https://github.com/st-tech/gatling-operator/actions/workflows/ci.yml/badge.svg?branch=main&event=push)](https://github.com/st-tech/gatling-operator/actions/workflows/ci.yml) [![daily vulnerability scan](https://github.com/R-HNF/gatling-operator/actions/workflows/daily-vul-scan.yml/badge.svg)](https://github.com/st-tech/gatling-operator/actions/workflows/ci.yml) ![GitHub release (latest SemVer)](https://img.shields.io/github/v/release/st-tech/gatling-operator) [Gatling](https://gatling.io/) is an open source load testing tool that allows to analyze and measure the performance of a variety of services. [Gatling Operator](https://github.com/st-tech/gatling-operator) is a Kubernetes Operator for running automated distributed Gatling load testing. diff --git a/gitrivy.tpl b/gitrivy.tpl new file mode 100644 index 0000000..52b524b --- /dev/null +++ b/gitrivy.tpl 
@@ -0,0 +1,27 @@ +{{ $d := dict "CRITICAL" "🔴" "HIGH" "🟠" "MEDIUM" "🟡" "UNKNOWN" "🟤" }} + +{{- range . -}} +## {{ .Target }} + +### {{ .Type }} + +{{ if .Vulnerabilities -}} +| Title | Severity | CVE | Package Name | Installed Version | Fixed Version | References | +| :--: | :--: | :--: | :--: | :--: | :--: | :-- | +{{- range .Vulnerabilities }} +| {{ .Title -}} +| {{ get $d .Vulnerability.Severity }}{{ .Vulnerability.Severity -}} +| {{ .VulnerabilityID -}} +| {{ .PkgName -}} +| {{ .InstalledVersion -}} +| {{ .FixedVersion -}} +| {{ range $ref := .Vulnerability.References -}}- {{ $ref }}
{{- end -}} +| +{{- end }} + +{{ else -}} +_No vulnerabilities found_ + +{{ end }} + +{{- end }} From e772bd5686d157a7e352e85d13e4269e302e6ca3 Mon Sep 17 00:00:00 2001 From: Ryo Hanafusa Date: Thu, 19 Oct 2023 03:47:30 +0900 Subject: [PATCH 3/9] fix badge link --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 18a7585..77d8e45 100644 --- a/README.md +++ b/README.md 
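Review bot: The table cells in the `range .Vulnerabilities` body write `.Title`, `.PkgName` and each reference URL verbatim, so a title containing `|` corrupts the row and shifts every later column, and the per-reference `- {{ $ref }}` lines put newlines inside a single table row, which GitHub-flavored Markdown does not allow. Trivy's template renderer exposes the sprig function set, so the cells can be sanitized in place, e.g. `| {{ .Title | replace "|" "\\|" -}}` and `| {{ join "<br>" .Vulnerability.References -}}`; confirm those helpers exist in the Trivy version the workflow ends up pinning. A short comment at the top of the template naming the consumer (`create-an-issue` reads this as an issue body, after the workflow prepends YAML front matter) would make that rendering constraint explicit for the next editor.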
@@ -1,6 +1,6 @@ # Gatling Operator -[![Go Report Card](https://goreportcard.com/badge/github.com/st-tech/gatling-operator)](https://goreportcard.com/report/github.com/st-tech/gatling-operator) [![CI](https://github.com/st-tech/gatling-operator/actions/workflows/ci.yml/badge.svg?branch=main&event=push)](https://github.com/st-tech/gatling-operator/actions/workflows/ci.yml) [![daily vulnerability scan](https://github.com/R-HNF/gatling-operator/actions/workflows/daily-vul-scan.yml/badge.svg)](https://github.com/st-tech/gatling-operator/actions/workflows/ci.yml) ![GitHub release (latest SemVer)](https://img.shields.io/github/v/release/st-tech/gatling-operator) +[![Go Report Card](https://goreportcard.com/badge/github.com/st-tech/gatling-operator)](https://goreportcard.com/report/github.com/st-tech/gatling-operator) [![CI](https://github.com/st-tech/gatling-operator/actions/workflows/ci.yml/badge.svg?branch=main&event=push)](https://github.com/st-tech/gatling-operator/actions/workflows/ci.yml) [![daily vulnerability scan](https://github.com/st-tech/gatling-operator/actions/workflows/daily-vul-scan.yml/badge.svg)](https://github.com/st-tech/gatling-operator/actions/workflows/ci.yml) ![GitHub release (latest SemVer)](https://img.shields.io/github/v/release/st-tech/gatling-operator) [Gatling](https://gatling.io/) is an open source load testing tool that allows to analyze and measure the performance of a variety of services. [Gatling Operator](https://github.com/st-tech/gatling-operator) is a Kubernetes Operator for running automated distributed Gatling load testing. From a49cd04c896fca4036c433abebadeed6ee23df7b Mon Sep 17 00:00:00 2001 From: Ryo Hanafusa Date: Thu, 19 Oct 2023 03:48:26 +0900 Subject: [PATCH 4/9] add branch parameter to badge link --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 77d8e45..c694d47 100644 --- a/README.md +++ b/README.md 
@@ -1,6 +1,6 @@ # Gatling Operator -[![Go Report Card](https://goreportcard.com/badge/github.com/st-tech/gatling-operator)](https://goreportcard.com/report/github.com/st-tech/gatling-operator) [![CI](https://github.com/st-tech/gatling-operator/actions/workflows/ci.yml/badge.svg?branch=main&event=push)](https://github.com/st-tech/gatling-operator/actions/workflows/ci.yml) [![daily vulnerability scan](https://github.com/st-tech/gatling-operator/actions/workflows/daily-vul-scan.yml/badge.svg)](https://github.com/st-tech/gatling-operator/actions/workflows/ci.yml) ![GitHub release (latest SemVer)](https://img.shields.io/github/v/release/st-tech/gatling-operator) +[![Go Report Card](https://goreportcard.com/badge/github.com/st-tech/gatling-operator)](https://goreportcard.com/report/github.com/st-tech/gatling-operator) [![CI](https://github.com/st-tech/gatling-operator/actions/workflows/ci.yml/badge.svg?branch=main&event=push)](https://github.com/st-tech/gatling-operator/actions/workflows/ci.yml) [![daily vulnerability scan](https://github.com/st-tech/gatling-operator/actions/workflows/daily-vul-scan.yml/badge.svg?branch=main)](https://github.com/st-tech/gatling-operator/actions/workflows/ci.yml) ![GitHub release (latest SemVer)](https://img.shields.io/github/v/release/st-tech/gatling-operator) [Gatling](https://gatling.io/) is an open source load testing tool that allows to analyze and measure the performance of a variety of services. [Gatling Operator](https://github.com/st-tech/gatling-operator) is a Kubernetes Operator for running automated distributed Gatling load testing. From cda4144de4ac535ce767b4e6e470ef92ad63bfb7 Mon Sep 17 00:00:00 2001 From: Ryo Hanafusa Date: Thu, 19 Oct 2023 03:52:27 +0900 Subject: [PATCH 5/9] move template file --- .../ISSUE_TEMPLATE/trivy-results.tpl | 0 .github/workflows/daily-vul-scan.yml | 14 +++++++------- 2 files changed, 7 insertions(+), 7 deletions(-) rename gitrivy.tpl => .github/ISSUE_TEMPLATE/trivy-results.tpl (100%) 
diff --git a/gitrivy.tpl b/.github/ISSUE_TEMPLATE/trivy-results.tpl similarity index 100% rename from gitrivy.tpl rename to .github/ISSUE_TEMPLATE/trivy-results.tpl diff --git a/.github/workflows/daily-vul-scan.yml b/.github/workflows/daily-vul-scan.yml index 9ff3de8..da20200 100644 --- a/.github/workflows/daily-vul-scan.yml +++ b/.github/workflows/daily-vul-scan.yml @@ -10,7 +10,7 @@ on: env: IMAGE_NAME: zozo-gatling-operator - TRIVY_RESULT_MARKDOWN: trivy-results.md + TRIVY_RESULTS_MARKDOWN: trivy-results.md permissions: contents: read @@ -52,10 +52,10 @@ jobs: timeout: 10m0s scanners: vuln,secret,config format: template - template: "@gitrivy.tpl" - output: ${{ env.TRIVY_RESULT_MARKDOWN }} + template: "@.github/ISSUE_TEMPLATE/trivy-results.tpl" + output: ${{ env.TRIVY_RESULTS_MARKDOWN }} - - name: Insert YAML front matter into the result markdown + - name: Insert YAML front matter into the results markdown if: always() run: | sed -i '1i\ @@ -63,14 +63,14 @@ jobs: title: "[DO NOT CHANGE] Security Alert"\ labels: "trivy, vulnerability"\ ---\ - ' "${{ env.TRIVY_RESULT_MARKDOWN }}" + ' "${{ env.TRIVY_RESULTS_MARKDOWN }}" - - name: Create or update the trivy result issue + - name: Create or update the trivy results issue uses: JasonEtco/create-an-issue@v2 if: always() env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} with: - filename: ${{ env.TRIVY_RESULT_MARKDOWN }} + filename: ${{ env.TRIVY_RESULTS_MARKDOWN }} update_existing: true search_existing: open From dec98bb9ef7c6d25890d47c57afab32d452092da Mon Sep 17 00:00:00 2001 From: Ryo Hanafusa Date: Thu, 19 Oct 2023 04:03:47 +0900 Subject: [PATCH 6/9] change workflow trigger to cron --- .github/workflows/daily-vul-scan.yml | 8 ++------ 1 file changed, 2 insertions(+), 6 deletions(-) diff --git a/.github/workflows/daily-vul-scan.yml b/.github/workflows/daily-vul-scan.yml index da20200..7604f17 100644 --- a/.github/workflows/daily-vul-scan.yml +++ b/.github/workflows/daily-vul-scan.yml 
@@ -1,12 +1,8 @@ name: daily vulnerability scan on: - push: - branches: - # - main - - add_daily-vul-scan - # pull_request: - # workflow_dispatch: + schedule: + - cron: '0 0 * * *' env: IMAGE_NAME: zozo-gatling-operator From 91e13dcde1fda4f432b3de4b77a60a2e3628d72a Mon Sep 17 00:00:00 2001 From: Ryo Hanafusa Date: Thu, 19 Oct 2023 04:08:43 +0900 Subject: [PATCH 7/9] fix link --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index c694d47..2bbd6a1 100644 --- a/README.md +++ b/README.md 
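Review bot: With `schedule` as the only trigger there is no way to run the scan on demand, and GitHub automatically disables scheduled workflows after 60 days without repository activity, so the daily scan can silently stop and the README badge goes stale without anyone being notified. Keep the cron but add `workflow_dispatch:` alongside it so the job can be exercised manually, and consider a `pull_request` trigger filtered to `paths: [.github/workflows/daily-vul-scan.yml]` so changes to the scanner configuration are validated before they land on `main`. Scheduled runs execute only from the default branch, which is worth a one-line comment above `schedule:`. `'0 0 * * *'` is interpreted in UTC; if a specific local time is intended, note that in the same comment.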
@@ -1,6 +1,6 @@ # Gatling Operator -[![Go Report Card](https://goreportcard.com/badge/github.com/st-tech/gatling-operator)](https://goreportcard.com/report/github.com/st-tech/gatling-operator) [![CI](https://github.com/st-tech/gatling-operator/actions/workflows/ci.yml/badge.svg?branch=main&event=push)](https://github.com/st-tech/gatling-operator/actions/workflows/ci.yml) [![daily vulnerability scan](https://github.com/st-tech/gatling-operator/actions/workflows/daily-vul-scan.yml/badge.svg?branch=main)](https://github.com/st-tech/gatling-operator/actions/workflows/ci.yml) ![GitHub release (latest SemVer)](https://img.shields.io/github/v/release/st-tech/gatling-operator) +[![Go Report Card](https://goreportcard.com/badge/github.com/st-tech/gatling-operator)](https://goreportcard.com/report/github.com/st-tech/gatling-operator) [![CI](https://github.com/st-tech/gatling-operator/actions/workflows/ci.yml/badge.svg?branch=main&event=push)](https://github.com/st-tech/gatling-operator/actions/workflows/ci.yml) [![daily vulnerability scan](https://github.com/st-tech/gatling-operator/actions/workflows/daily-vul-scan.yml/badge.svg?branch=main)](https://github.com/st-tech/gatling-operator/actions/workflows/daily-vul-scan.yml) ![GitHub release (latest SemVer)](https://img.shields.io/github/v/release/st-tech/gatling-operator) [Gatling](https://gatling.io/) is an open source load testing tool that allows to analyze and measure the performance of a variety of services. [Gatling Operator](https://github.com/st-tech/gatling-operator) is a Kubernetes Operator for running automated distributed Gatling load testing. From 83f321cfaba57bde05f41e030ee4ac06cd45f884 Mon Sep 17 00:00:00 2001 From: Ryo Hanafusa Date: Fri, 27 Oct 2023 15:40:45 +0900 Subject: [PATCH 8/9] fix job name --- .github/workflows/daily-vul-scan.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
diff --git a/.github/workflows/daily-vul-scan.yml b/.github/workflows/daily-vul-scan.yml index 7604f17..c6b0dec 100644 --- a/.github/workflows/daily-vul-scan.yml +++ b/.github/workflows/daily-vul-scan.yml @@ -13,8 +13,8 @@ permissions: issues: write jobs: - build: - name: Build + build-scan-and-save-results: + name: Build, scan, and save results runs-on: ubuntu-latest steps: - name: Checkout From ab8f154bd4382426c6d23c5960a142edeaa3678c Mon Sep 17 00:00:00 2001 From: Ryo Hanafusa Date: Mon, 30 Oct 2023 11:53:58 +0900 Subject: [PATCH 9/9] fix template --- .github/ISSUE_TEMPLATE/trivy-results.tpl | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/ISSUE_TEMPLATE/trivy-results.tpl b/.github/ISSUE_TEMPLATE/trivy-results.tpl index 52b524b..f68e2ec 100644 --- a/.github/ISSUE_TEMPLATE/trivy-results.tpl +++ b/.github/ISSUE_TEMPLATE/trivy-results.tpl @@ -3,19 +3,19 @@ {{- range . -}} ## {{ .Target }} -### {{ .Type }} +### {{ .Type }} [{{ .Class }}] {{ if .Vulnerabilities -}} -| Title | Severity | CVE | Package Name | Installed Version | Fixed Version | References | +| Title | Severity | CVE | Package Name | Installed Version | Fixed Version | PrimaryURL | | :--: | :--: | :--: | :--: | :--: | :--: | :-- | {{- range .Vulnerabilities }} | {{ .Title -}} -| {{ get $d .Vulnerability.Severity }}{{ .Vulnerability.Severity -}} +| {{ get $d .Severity }}{{ .Severity -}} | {{ .VulnerabilityID -}} | {{ .PkgName -}} | {{ .InstalledVersion -}} | {{ .FixedVersion -}} -| {{ range $ref := .Vulnerability.References -}}- {{ $ref }}
{{- end -}} +| {{ .PrimaryURL -}} | {{- end }}
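Review bot: `{{ if .Vulnerabilities -}}` is the only collection the template renders, yet the workflow runs Trivy with `scanners: vuln,secret,config`, so a secret or misconfiguration finding makes the step fail on `exit-code: 1` while the issue that gets filed reports `_No vulnerabilities found_` for that target. The per-target result objects Trivy hands to the template also expose `Misconfigurations` and `Secrets` (verify the field names against the pinned Trivy version); add a section for each, but for secrets render only the rule ID, file and line, never the matched content, since this issue body is world-readable on a public repository. Independently of that, `$d` (defined at the top of the template, outside this hunk) has no `LOW` entry, so `get $d .Severity` yields an empty marker for a LOW finding; a `"LOW" "🟢"` entry keeps the column consistent if the workflow's severity filter is ever widened.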