From bc66678f2ddaa469a31ae9af9141ae8fc83a1117 Mon Sep 17 00:00:00 2001 From: Guilherme Caponetto <638737+caponetto@users.noreply.github.com> Date: Mon, 1 Jul 2024 08:35:25 -0300 Subject: [PATCH] Add daily check for vulnerability issues using Trivy --- .../workflows/build-notebooks-TEMPLATE.yaml | 38 +++++++++++- .github/workflows/build-notebooks.yaml | 7 ++- ci/cached-builds/gen_gha_matrix_jobs.py | 1 + ci/trivy-markdown.tpl | 58 +++++++++++++++++++ 4 files changed, 101 insertions(+), 3 deletions(-) create mode 100644 ci/trivy-markdown.tpl diff --git a/.github/workflows/build-notebooks-TEMPLATE.yaml b/.github/workflows/build-notebooks-TEMPLATE.yaml index c083b3ad0..43441afa6 100644 --- a/.github/workflows/build-notebooks-TEMPLATE.yaml +++ b/.github/workflows/build-notebooks-TEMPLATE.yaml @@ -43,6 +43,14 @@ jobs: df -h + sudo apt-get update + sudo apt-get remove -y '^dotnet-.*' + sudo apt-get remove -y '^llvm-.*' + sudo apt-get remove -y 'php.*' + sudo apt-get remove -y '^mongodb-.*' + sudo apt-get autoremove -y + sudo apt-get clean + sudo rm -rf /usr/local/.ghcup & sudo rm -rf /usr/local/lib/android & sudo rm -rf /usr/local/share/boost & sudo rm -rf /usr/local/lib/node_modules & 
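Review bot: The new `sudo apt-get remove -y 'php.*'` line is the only one of the five removal patterns without the leading `^` anchor, so it matches any installed package whose name merely contains "php" rather than those starting with it; for consistency with the neighbouring `'^dotnet-.*'`, `'^llvm-.*'` and `'^mongodb-.*'` patterns it should read `sudo apt-get remove -y '^php.*'`. The preceding `sudo apt-get update` also looks unnecessary here: `apt-get remove` works from the already-installed package database, so the refresh only adds network time to a step whose purpose is freeing disk space. The enclosing `run:` block of this step starts before the hunk, so I cannot see its name or the `shell` setting in effect.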
@@ -96,14 +104,40 @@ jobs: mkdir -p $HOME/.local/share/containers/storage/tmp # https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#push - - name: "push: make ${{ inputs.target }}" + - name: "push|schedule: make ${{ inputs.target }}" run: "make ${{ inputs.target }}" - if: "${{ fromJson(inputs.github).event_name == 'push' }}" + if: ${{ fromJson(inputs.github).event_name == 'push' || fromJson(inputs.github).event_name == 'schedule' }} env: IMAGE_TAG: "${{ github.ref_name }}_${{ github.sha }}" IMAGE_REGISTRY: "ghcr.io/${{ github.repository }}/workbench-images" CONTAINER_BUILD_CACHE_ARGS: "--cache-from ${{ env.CACHE }} --cache-to ${{ env.CACHE }}" + - name: "schedule: run Trivy vulnerability scanner" + if: "${{ fromJson(inputs.github).event_name == 'schedule' }}" + run: | + TRIVY_VERSION=0.52.2 + REPORT_FOLDER=${{ github.workspace }}/report + REPORT_FILE=trivy-report.md + REPORT_TEMPLATE=trivy-markdown.tpl + + mkdir -p $REPORT_FOLDER + cp ci/$REPORT_TEMPLATE $REPORT_FOLDER + + IMAGE_NAME=ghcr.io/${{ github.repository }}/workbench-images:${{ inputs.target }}-${{ github.ref_name }}_${{ github.sha }} + echo "Scanning $IMAGE_NAME" + + podman run --rm \ + -v $REPORT_FOLDER:/report \ + docker.io/aquasec/trivy:$TRIVY_VERSION \ + image \ + --scanners vuln,secret \ + --exit-code 0 --timeout 30m \ + --severity CRITICAL,HIGH \ + --format template --template "@/report/$REPORT_TEMPLATE" -o /report/$REPORT_FILE \ + $IMAGE_NAME + + cat $REPORT_FOLDER/$REPORT_FILE >> $GITHUB_STEP_SUMMARY + # https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#pull_request - name: "pull_request: make ${{ inputs.target }}" run: | diff --git a/.github/workflows/build-notebooks.yaml b/.github/workflows/build-notebooks.yaml index 2159cedf6..b2c81d058 100644 --- a/.github/workflows/build-notebooks.yaml +++ b/.github/workflows/build-notebooks.yaml 
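Review bot: The Trivy invocation enables the secret scanner with `--scanners vuln,secret`, but the report template added in ci/trivy-markdown.tpl (later hunk) only iterates `.Vulnerabilities` and `.Misconfigurations`, so any secret findings are computed and then silently dropped from the step summary; either reduce the flag to `--scanners vuln` or add a `.Secrets` section to the template. The scanner image is pulled by mutable tag (`docker.io/aquasec/trivy:$TRIVY_VERSION`), which for a supply-chain tool that runs with the runner's podman is worth pinning by digest, e.g. `docker.io/aquasec/trivy:$TRIVY_VERSION@sha256:<digest of the 0.52.2 image>` with the digest recorded next to `TRIVY_VERSION`. Since `--exit-code 0` makes the scan purely informational, a one-line comment above the step such as `# Report-only: findings go to the step summary, the job never fails on them` would save the next reader from assuming the daily run gates anything. If the ghcr.io package is private, note that the Trivy container has no registry credentials mounted, so the pull of `$IMAGE_NAME` would fail there — worth confirming against the package visibility.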
@@ -7,7 +7,12 @@
 },
 "on": {
 "push": {},
- "workflow_dispatch": {}
+ "workflow_dispatch": {},
+ "schedule": [
+ {
+ "cron": "0 2 * * *"
+ }
+ ]
 },
 "jobs": {
 "base-ubi8-python-3_8": {
diff --git a/ci/cached-builds/gen_gha_matrix_jobs.py b/ci/cached-builds/gen_gha_matrix_jobs.py
index 7a4746275..dc3850087 100644
--- a/ci/cached-builds/gen_gha_matrix_jobs.py
+++ b/ci/cached-builds/gen_gha_matrix_jobs.py
@@ -106,6 +106,7 @@ def write_github_workflow_file(tree: dict[str, list[str]], path: pathlib.Path) -
 "on": {
 "push": {},
 "workflow_dispatch": {},
+ "schedule": [{ "cron": "0 2 * * *"}], # 2am UTC everyday
 },
 "jobs": jobs,
 }
diff --git a/ci/trivy-markdown.tpl b/ci/trivy-markdown.tpl
new file mode 100644
index 000000000..afd4a0c81
--- /dev/null
+++ b/ci/trivy-markdown.tpl
@@ -0,0 +1,58 @@
+## Vulnerability Report by [Trivy](https://trivy.dev)
+
+
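Review bot: The added `"schedule"` entry in write_github_workflow_file uses asymmetric spacing inside the inner dict (`{ "cron": "0 2 * * *"}`) and a single-space inline comment, neither of which matches the surrounding PEP 8 style; `"schedule": [{"cron": "0 2 * * *"}],  # 02:00 UTC daily` keeps the same value. The comment would also be more useful if it recorded why the generated workflow needs this trigger, e.g. that the daily run exists to build and Trivy-scan the images, and that GitHub fires `schedule` events only for the default branch, so the scan covers that branch alone. The function starts and ends outside the hunk, so I cannot see whether a docstring already describes the generated `on:` block.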
+ {{- if . }} + {{- range . }} + {{- if or (gt (len .Vulnerabilities) 0) (gt (len .Misconfigurations) 0) }} +

Target: {{- if and (eq .Class "os-pkgs") .Type }}{{ .Type | toString | escapeXML }} ({{ .Class | toString | escapeXML }}){{- else }}{{ .Target | toString | escapeXML }}{{ if .Type }} ({{ .Type | toString | escapeXML }}){{ end }}{{- end }}

+ {{- if (gt (len .Vulnerabilities) 0) }} +

Vulnerabilities ({{ len .Vulnerabilities }})

+ + + + + + + + + {{- range .Vulnerabilities }} + + + + + + + + {{- end }} +
PackageIDSeverityInstalled VersionFixed Version
{{ escapeXML .PkgName }}{{ escapeXML .VulnerabilityID }}{{ escapeXML .Severity }}{{ escapeXML .InstalledVersion }}{{ escapeXML .FixedVersion }}
+ {{- end }} + {{- if (gt (len .Misconfigurations ) 0) }} +

Misconfigurations

+ + + + + + + + + {{- range .Misconfigurations }} + + + + + + + + {{- end }} +
TypeIDCheckSeverityMessage
{{ escapeXML .Type }}{{ escapeXML .ID }}{{ escapeXML .Title }}{{ escapeXML .Severity }} + {{ escapeXML .Message }} +
{{ escapeXML .PrimaryURL }}
+
+ {{- end }} + {{- end }} + {{- end }} + {{- else }} +

Empty report

+ {{- end }} +
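Review bot: The `Empty report` fallback is reached only when the result list itself is empty (`{{- if . }}`), so a scan in which every target has zero CRITICAL/HIGH findings — the common case once `--severity CRITICAL,HIGH` filters the rest — takes the first branch, renders no target block and leaves the step summary with just the heading, which a reader cannot tell apart from a scan that produced nothing. A small flag set inside the `range` (or a second pass that checks `len .Vulnerabilities` across results before the loop) would let the template print an explicit "No CRITICAL/HIGH vulnerabilities found" line instead. The `.Misconfigurations` table can never populate with the workflow's current `--scanners vuln,secret` setting, while `.Secrets`, which that flag does enable, is not rendered at all; consider aligning the template's sections with the scanners actually enabled. The HTML tags appear to have been stripped from this view of the file, so the exact nesting of the sections is inferred from the `{{- if }}`/`{{- end }}` pairs.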