This repository has been archived by the owner on Sep 18, 2024. It is now read-only.
Rework CVE scanning strategy using Trivy
For branches other than 'main' and pull requests:

1. Build all images in one go
2. Scan each built image
   * use 'table' format, so the output is publicly visible
   * if any CVE is found in the given image, exit with exit code 1

For the 'main' branch:

1. Build all images in one go
2. Scan each built image
   * use 'table' format, so the output is publicly visible
   * if any CVE is found in the given image, exit with exit code 1
3. If no CVEs are found, push built images as 'latest'

For release tags: Pull 'latest' images, retag and push them as the Git tag

Signed-off-by: Timo Reichl <[email protected]>
Timo Reichl committed Jun 15, 2022
1 parent: f9dd778, commit: 7cef458
Showing 5 changed files with 217 additions and 87 deletions.
This file was deleted.
@@ -20,20 +20,113 @@ jobs: | |
runs-on: ubuntu-22.04 | ||
steps: | ||
- uses: actions/checkout@v3 | ||
- name: Build base images | ||
|
||
- name: Build all images | ||
run: | | ||
for docker_base_image_type in ${DOCKER_IMAGE_BASE_ORDER}; do | ||
docker-compose build ${docker_base_image_type} | ||
done | ||
- name: Build HLDS-based game images | ||
run: | | ||
for docker_hlds_game in $(ls image/games/hlds); do | ||
docker-compose build ${docker_hlds_game} | ||
done | ||
- name: Build SRCDS-based game images | ||
run: | | ||
for docker_srcds_game in $(ls image/games/srcds); do | ||
docker-compose build ${docker_srcds_game} | ||
done | ||
- name: Trivy CVE scan - base | ||
uses: aquasecurity/[email protected] | ||
with: | ||
image-ref: "${{ env.REGISTRY_IMAGE }}:base" | ||
format: 'table' | ||
exit-code: '1' | ||
severity: 'CRITICAL,HIGH,MEDIUM,LOW' | ||
|
||
- name: Trivy CVE scan - srcds | ||
uses: aquasecurity/[email protected] | ||
with: | ||
image-ref: "${{ env.REGISTRY_IMAGE }}:srcds" | ||
format: 'table' | ||
exit-code: '1' | ||
severity: 'CRITICAL,HIGH,MEDIUM,LOW' | ||
|
||
- name: Trivy CVE scan - hlds | ||
uses: aquasecurity/[email protected] | ||
with: | ||
image-ref: "${{ env.REGISTRY_IMAGE }}:hlds" | ||
format: 'table' | ||
exit-code: '1' | ||
severity: 'CRITICAL,HIGH,MEDIUM,LOW' | ||
|
||
- name: Trivy CVE scan - games/hlds/cs | ||
uses: aquasecurity/[email protected] | ||
with: | ||
image-ref: "${{ env.REGISTRY_IMAGE }}:cs" | ||
format: 'table' | ||
exit-code: '1' | ||
severity: 'CRITICAL,HIGH,MEDIUM,LOW' | ||
|
||
- name: Trivy CVE scan - games/srcds/bms | ||
uses: aquasecurity/[email protected] | ||
with: | ||
image-ref: "${{ env.REGISTRY_IMAGE }}:bms" | ||
format: 'table' | ||
exit-code: '1' | ||
severity: 'CRITICAL,HIGH,MEDIUM,LOW' | ||
|
||
- name: Trivy CVE scan - games/srcds/csgo | ||
uses: aquasecurity/[email protected] | ||
with: | ||
image-ref: "${{ env.REGISTRY_IMAGE }}:csgo" | ||
format: 'table' | ||
exit-code: '1' | ||
severity: 'CRITICAL,HIGH,MEDIUM,LOW' | ||
|
||
- name: Trivy CVE scan - games/srcds/css | ||
uses: aquasecurity/[email protected] | ||
with: | ||
image-ref: "${{ env.REGISTRY_IMAGE }}:css" | ||
format: 'table' | ||
exit-code: '1' | ||
severity: 'CRITICAL,HIGH,MEDIUM,LOW' | ||
|
||
- name: Trivy CVE scan - games/srcds/dods | ||
uses: aquasecurity/[email protected] | ||
with: | ||
image-ref: "${{ env.REGISTRY_IMAGE }}:dods" | ||
format: 'table' | ||
exit-code: '1' | ||
severity: 'CRITICAL,HIGH,MEDIUM,LOW' | ||
|
||
- name: Trivy CVE scan - games/srcds/gm | ||
uses: aquasecurity/[email protected] | ||
with: | ||
image-ref: "${{ env.REGISTRY_IMAGE }}:gm" | ||
format: 'table' | ||
exit-code: '1' | ||
severity: 'CRITICAL,HIGH,MEDIUM,LOW' | ||
|
||
- name: Trivy CVE scan - games/srcds/hl2mp | ||
uses: aquasecurity/[email protected] | ||
with: | ||
image-ref: "${{ env.REGISTRY_IMAGE }}:hl2mp" | ||
format: 'table' | ||
exit-code: '1' | ||
severity: 'CRITICAL,HIGH,MEDIUM,LOW' | ||
|
||
- name: Trivy CVE scan - games/srcds/l4d | ||
uses: aquasecurity/[email protected] | ||
with: | ||
image-ref: "${{ env.REGISTRY_IMAGE }}:l4d" | ||
format: 'table' | ||
exit-code: '1' | ||
severity: 'CRITICAL,HIGH,MEDIUM,LOW' | ||
|
||
- name: Trivy CVE scan - games/srcds/l4d2 | ||
uses: aquasecurity/[email protected] | ||
with: | ||
image-ref: "${{ env.REGISTRY_IMAGE }}:l4d2" | ||
format: 'table' | ||
exit-code: '1' | ||
severity: 'CRITICAL,HIGH,MEDIUM,LOW' |
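Review bot: the Trivy scan list in this hunk is hard-coded (base, srcds, hlds, cs, bms, csgo, css, dods, gm, hl2mp, l4d, l4d2) while the build steps enumerate images dynamically with `$(ls image/games/hlds)` and `$(ls image/games/srcds)`, so a game directory added later is built but never scanned and the job still goes green. Suggest deriving the scan targets from the same list the build uses, for example one step that loops over the image types and runs `trivy image --exit-code 1 --severity CRITICAL,HIGH,MEDIUM,LOW ${REGISTRY_IMAGE}:${docker_image_type}` (or a job matrix fed from that list), so build and scan cannot drift apart; the twelve near-identical steps that differ only in `image-ref` are exactly the maintenance burden that makes such drift likely. One policy caveat: with LOW included and no `ignore-unfixed` input set, any distro CVE in the base image that has no upstream fix yet will fail every scan until that fix lands, so state explicitly whether a permanently red pipeline in that situation is intended.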
@@ -19,58 +19,127 @@ jobs: | |
permissions: | ||
contents: read | ||
packages: write | ||
security-events: write | ||
steps: | ||
- uses: actions/checkout@v3 | ||
|
||
- name: Log in to GHCR | ||
run: echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u ${{ github.actor }} --password-stdin | ||
|
||
- name: Log in to Docker Hub | ||
run: echo "${{ secrets.DOCKERHUB_ACCESS }}" | docker login docker.io -u ${{ secrets.DOCKERHUB_USERNAME }} --password-stdin | ||
|
||
- name: Build and push latest base images | ||
- name: Build all images | ||
run: | | ||
for docker_base_image_type in ${DOCKER_IMAGE_BASE_ORDER}; do | ||
docker-compose build ${docker_base_image_type} | ||
docker_image_types="${DOCKER_IMAGE_BASE_ORDER} $(ls image/games/hlds) $(ls image/games/srcds)" | ||
bash ${DOCKER_RETAG_SH} \ | ||
${REGISTRY_IMAGE}:${docker_base_image_type} \ | ||
${GHCR_PREFIX}/${REGISTRY_IMAGE}:${docker_base_image_type}-latest \ | ||
${DOCKER_HUB_PREFIX}/${REGISTRY_IMAGE}:${docker_base_image_type}-latest | ||
for docker_image_type in ${docker_image_types}; do | ||
docker-compose build ${docker_image_type} | ||
done | ||
- name: Build and push latest HLDS-based game images | ||
run: | | ||
for docker_hlds_game in $(ls image/games/hlds); do | ||
docker-compose build ${docker_hlds_game} | ||
- name: Trivy CVE scan - base | ||
uses: aquasecurity/[email protected] | ||
with: | ||
image-ref: "${{ env.REGISTRY_IMAGE }}:base" | ||
format: 'table' | ||
exit-code: '1' | ||
severity: 'CRITICAL,HIGH,MEDIUM,LOW' | ||
|
||
bash ${DOCKER_RETAG_SH} \ | ||
${REGISTRY_IMAGE}:${docker_hlds_game} \ | ||
${GHCR_PREFIX}/${REGISTRY_IMAGE}:${docker_hlds_game}-latest \ | ||
${DOCKER_HUB_PREFIX}/${REGISTRY_IMAGE}:${docker_hlds_game}-latest | ||
done | ||
- name: Trivy CVE scan - srcds | ||
uses: aquasecurity/[email protected] | ||
with: | ||
image-ref: "${{ env.REGISTRY_IMAGE }}:srcds" | ||
format: 'table' | ||
exit-code: '1' | ||
severity: 'CRITICAL,HIGH,MEDIUM,LOW' | ||
|
||
- name: Build and push latest SRCDS-based game images | ||
run: | | ||
for docker_srcds_game in $(ls image/games/srcds); do | ||
docker-compose build ${docker_srcds_game} | ||
- name: Trivy CVE scan - hlds | ||
uses: aquasecurity/[email protected] | ||
with: | ||
image-ref: "${{ env.REGISTRY_IMAGE }}:hlds" | ||
format: 'table' | ||
exit-code: '1' | ||
severity: 'CRITICAL,HIGH,MEDIUM,LOW' | ||
|
||
bash ${DOCKER_RETAG_SH} \ | ||
${REGISTRY_IMAGE}:${docker_srcds_game} \ | ||
${GHCR_PREFIX}/${REGISTRY_IMAGE}:${docker_srcds_game}-latest \ | ||
${DOCKER_HUB_PREFIX}/${REGISTRY_IMAGE}:${docker_srcds_game}-latest | ||
done | ||
- name: Trivy CVE scan - games/hlds/cs | ||
uses: aquasecurity/[email protected] | ||
with: | ||
image-ref: "${{ env.REGISTRY_IMAGE }}:cs" | ||
format: 'table' | ||
exit-code: '1' | ||
severity: 'CRITICAL,HIGH,MEDIUM,LOW' | ||
|
||
- name: Trivy CVE scan - games/srcds/bms | ||
uses: aquasecurity/[email protected] | ||
with: | ||
image-ref: "${{ env.REGISTRY_IMAGE }}:bms" | ||
format: 'table' | ||
exit-code: '1' | ||
severity: 'CRITICAL,HIGH,MEDIUM,LOW' | ||
|
||
- name: Trivy CVE scan - games/srcds/csgo | ||
uses: aquasecurity/[email protected] | ||
with: | ||
image-ref: "${{ env.REGISTRY_IMAGE }}:csgo" | ||
format: 'table' | ||
exit-code: '1' | ||
severity: 'CRITICAL,HIGH,MEDIUM,LOW' | ||
|
||
- name: Run Trivy vulnerability scanner - SRCDS image | ||
uses: aquasecurity/trivy-action@4b9b6fb4ef28b31450391a93ade098bb00de584e | ||
- name: Trivy CVE scan - games/srcds/css | ||
uses: aquasecurity/trivy-action@0.4.0 | ||
with: | ||
image-ref: "${{ env.GHCR_PREFIX }}:srcds-latest" | ||
format: 'sarif' | ||
output: 'trivy-results.sarif' | ||
image-ref: "${{ env.REGISTRY_IMAGE }}:css" | ||
format: 'table' | ||
exit-code: '1' | ||
severity: 'CRITICAL,HIGH,MEDIUM,LOW' | ||
|
||
- name: Upload Trivy scan results to GitHub Security tab | ||
uses: github/codeql-action/upload-sarif@v2 | ||
- name: Trivy CVE scan - games/srcds/dods | ||
uses: aquasecurity/trivy-action@0.4.0 | ||
with: | ||
sarif_file: 'trivy-results.sarif' | ||
image-ref: "${{ env.REGISTRY_IMAGE }}:dods" | ||
format: 'table' | ||
exit-code: '1' | ||
severity: 'CRITICAL,HIGH,MEDIUM,LOW' | ||
|
||
- name: Trivy CVE scan - games/srcds/gm | ||
uses: aquasecurity/[email protected] | ||
with: | ||
image-ref: "${{ env.REGISTRY_IMAGE }}:gm" | ||
format: 'table' | ||
exit-code: '1' | ||
severity: 'CRITICAL,HIGH,MEDIUM,LOW' | ||
|
||
- name: Trivy CVE scan - games/srcds/hl2mp | ||
uses: aquasecurity/[email protected] | ||
with: | ||
image-ref: "${{ env.REGISTRY_IMAGE }}:hl2mp" | ||
format: 'table' | ||
exit-code: '1' | ||
severity: 'CRITICAL,HIGH,MEDIUM,LOW' | ||
|
||
- name: Trivy CVE scan - games/srcds/l4d | ||
uses: aquasecurity/[email protected] | ||
with: | ||
image-ref: "${{ env.REGISTRY_IMAGE }}:l4d" | ||
format: 'table' | ||
exit-code: '1' | ||
severity: 'CRITICAL,HIGH,MEDIUM,LOW' | ||
|
||
- name: Trivy CVE scan - games/srcds/l4d2 | ||
uses: aquasecurity/[email protected] | ||
with: | ||
image-ref: "${{ env.REGISTRY_IMAGE }}:l4d2" | ||
format: 'table' | ||
exit-code: '1' | ||
severity: 'CRITICAL,HIGH,MEDIUM,LOW' | ||
|
||
- name: Log in to GHCR | ||
run: echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u ${{ github.actor }} --password-stdin | ||
|
||
- name: Log in to Docker Hub | ||
run: echo "${{ secrets.DOCKERHUB_ACCESS }}" | docker login docker.io -u ${{ secrets.DOCKERHUB_USERNAME }} --password-stdin | ||
|
||
- name: Push latest images to registries | ||
run: | | ||
docker_image_types="${DOCKER_IMAGE_BASE_ORDER} $(ls image/games/hlds) $(ls image/games/srcds)" | ||
for docker_image_type in ${docker_image_types}; do | ||
docker tag ${REGISTRY_IMAGE}:${docker_image_type} ${GHCR_PREFIX}/${REGISTRY_IMAGE}:${docker_image_type}-latest | ||
docker push ${GHCR_PREFIX}/${REGISTRY_IMAGE}:${docker_image_type}-latest | ||
docker tag ${REGISTRY_IMAGE}:${docker_image_type} ${DOCKER_HUB_PREFIX}/${REGISTRY_IMAGE}:${docker_image_type}-latest | ||
docker push ${DOCKER_HUB_PREFIX}/${REGISTRY_IMAGE}:${docker_image_type}-latest | ||
done |
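Review bot: the new "Push latest images to registries" step at the end of the hunk pushes every image in `${DOCKER_IMAGE_BASE_ORDER} $(ls image/games/hlds) $(ls image/games/srcds)`, but the Trivy steps before it cover a fixed list of twelve tags, so an image type that exists on disk without a matching scan step is pushed as `-latest` without ever having been scanned; the push loop should iterate the same list the scan steps are generated from, or the scan should loop over `${docker_image_types}` itself. Placing both `docker login` steps after the scans is the right order: registry credentials are only stored on the runner once the CVE gate has passed, and the push step is only reached when every earlier step succeeded. The context at the top of the hunk still grants `security-events: write`; if the `upload-sarif` step to the Security tab is gone along with the `sarif` output, as the switch to `table` format implies, that permission is unused and should be dropped to keep the job at least privilege. Finally, the `${DOCKER_RETAG_SH}` calls are replaced by inline `docker tag`/`docker push`, so check that the `DOCKER_RETAG_SH` env entry and the script it points to are removed as well rather than left as dead configuration.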