github: Add Trivy snap scanning

Signed-off-by: hamistao <[email protected]>
canonical · Sep 26, 2024 · 297e0ec · 297e0ec
1 parent f85ce50
commit 297e0ec
Showing 1 changed file with 67 additions and 0 deletions.
diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml
@@ -17,6 +17,25 @@ defaults:
     shell: bash
 
 jobs:
+  set-up-trivy:
+    name: Set up Trivy
+    runs-on: ubuntu-22.04
+    steps:
+    - name: Setup Trivy vulnerability scanner
+      run: |
+        mkdir -p /home/runner/trivy
+        cd /home/runner/trivy
+        VER=$(curl --silent -qI https://github.com/aquasecurity/trivy/releases/latest | awk -F '/' '/^location/ {print  substr($NF, 1, length($NF)-1)}');
+        wget https://github.com/aquasecurity/trivy/releases/download/${VER}/trivy_${VER#v}_Linux-64bit.tar.gz
+        tar -zxvf ./trivy_${VER#v}_Linux-64bit.tar.gz
+        ./trivy image --download-db-only --cache-dir ./cache
+
+    - name: Cache trivy and vulnerability database
+      uses: actions/cache@v4
+      with:
+        path: /home/runner/trivy
+        key: trivy-cache
+
   trivy-repo:
     name: Trivy vulnerability scanner - Repository
     runs-on: ubuntu-22.04
@@ -44,3 +63,51 @@ jobs:
           sarif_file: "trivy-lxd-repo-scan-results.sarif"
           sha: ${{ env.head_sha }}
           ref: refs/heads/main
+
+  trivy-snap:
+    name: Trivy vulnerability scanner - Snap
+    runs-on: ubuntu-22.04
+    needs: set-up-trivy
+    strategy:
+      matrix:
+        version:
+          - "latest"
+          - "5.21"
+          - "5.0"
+          - "4.0"
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          # Snap scanner results are placed on the the branch related to the scanned channel.
+          ref: ${{ (matrix.version == 'latest' && 'main') || format('stable-{0}', matrix.version) }}
+
+      - name: Restore cached Trivy and vulnerability database
+        uses: actions/cache/restore@v4
+        with:
+          path: /home/runner/trivy
+          key: trivy-cache
+
+      - name: Run Trivy vulnerability scanner on the snap
+        run: |
+          cd /home/runner/trivy
+          snap download lxd --channel=${{ matrix.version }}/stable
+          unsquashfs ./lxd*.snap
+          ./trivy rootfs ./squashfs-root/ --cache-dir ./cache --format sarif > ../${{ matrix.version }}-stable.sarif
+
+      - name: Prepend channel to alert name
+        run: |
+          cd /home/runner
+          jq '.runs[].tool.driver.rules[] |= (.shortDescription.text |= "${{ matrix.version }}/stable - " + .)' ${{ matrix.version }}-stable.sarif > tmp.json
+          mv tmp.json ${{ matrix.version }}-stable.sarif
+
+      - name: Get HEAD sha
+        run: |
+          echo "head_sha=$(git rev-parse HEAD)" >> "$GITHUB_ENV"
+
+      - name: Upload Trivy scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: "/home/runner/${{ matrix.version }}-stable.sarif"
+          sha: ${{ env.head_sha }}
+          ref: refs/heads/${{ (matrix.version == 'latest' && 'main') || format('stable-{0}', matrix.version) }}