Add a step in CI for CVEs scanning (#1478)

* Add a step in CI for CVEs scanning * Move the check for vulnerabilities on its own workflow * Clean the clone job and comment accepted risk * Add a badge for vulnerabilities clearance in the readme
geopython · Jan 6, 2024 · 3c5a4cd · 3c5a4cd
1 parent 0a47ad2
commit 3c5a4cd
Show file tree

Hide file tree

Showing 3 changed files with 43 additions and 0 deletions.
diff --git a/.github/workflows/vulnerabilities.yml b/.github/workflows/vulnerabilities.yml
@@ -0,0 +1,40 @@
+name: Check vulnerabilities
+
+on:
+  push:
+    paths-ignore:
+      - '**.md'
+  pull_request:
+    branches:
+      - master
+    paths-ignore:
+      - '!**.md'
+  release:
+    types:
+      - released
+
+jobs:
+  clone:
+    runs-on: ubuntu-22.04
+    steps:
+      - name: Setup Python
+        uses: actions/setup-python@v1
+        with:
+          python-version: 3.8
+          architecture: x64
+      - name: Checkout pygeoapi
+        uses: actions/checkout@master
+
+  vulnerabilities:
+    needs: [clone]
+    runs-on: ubuntu-22.04
+
+    steps:
+    - name: Scan vulnerabilities with trivy
+      run: |
+        sudo apt-get install -y wget apt-transport-https gnupg lsb-release
+        wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key | gpg --dearmor | sudo tee /usr/share/keyrings/trivy.gpg > /dev/null
+        echo "deb [signed-by=/usr/share/keyrings/trivy.gpg] https://aquasecurity.github.io/trivy-repo/deb $(lsb_release -sc) main" | sudo tee -a /etc/apt/sources.list.d/trivy.list
+        sudo apt-get update
+        sudo apt-get install -y trivy
+        trivy --exit-code 1 fs --scanners vuln,misconfig,secret --severity HIGH,CRITICAL --ignore-unfixed .
diff --git a/.trivyignore b/.trivyignore
@@ -0,0 +1,2 @@
+# Accept the risk
+DS002  # Dockerfile with non-root user
diff --git a/README.md b/README.md
@@ -3,6 +3,7 @@
 [![DOI](https://zenodo.org/badge/121585259.svg)](https://zenodo.org/badge/latestdoi/121585259)
 [![Build](https://github.com/geopython/pygeoapi/actions/workflows/main.yml/badge.svg)](https://github.com/geopython/pygeoapi/actions/workflows/main.yml)
 [![Docker](https://github.com/geopython/pygeoapi/actions/workflows/containers.yml/badge.svg)](https://github.com/geopython/pygeoapi/actions/workflows/containers.yml)
+[![Vulnerabilities](https://github.com/geopython/pygeoapi/actions/workflows/vulnerabilities.yml/badge.svg)](https://github.com/geopython/pygeoapi/actions/workflows/vulnerabilities.yml)
 
 [pygeoapi](https://pygeoapi.io) is a Python server implementation of the [OGC API](https://ogcapi.ogc.org) suite of standards. The project emerged as part of the next generation OGC API efforts in 2018 and provides the capability for organizations to deploy a RESTful OGC API endpoint using OpenAPI, GeoJSON, and HTML. pygeoapi is [open source](https://opensource.org/) and released under an [MIT license](https://github.com/geopython/pygeoapi/blob/master/LICENSE.md).