-
Notifications
You must be signed in to change notification settings - Fork 932
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Add CVE scan GitHub workflow that is triggered on pull requests (#2977)
* Add a GitHub workflow to scan for CVEs * Run on each commit, PR, and on-demand * Remove CVE scan workflow trigger on commits
- Loading branch information
Showing
2 changed files
with
79 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,47 @@ | ||
| #!/bin/bash | ||
| set -o errexit -o nounset -o pipefail | ||
| [[ "${TRACE:-0}" == "1" ]] && set -o xtrace | ||
|
|
||
| ## | ||
| # Formats CVE results in a markdown table to display a summary in a GitHub Action UI | ||
| ## | ||
|
|
||
| # Check if the number of arguments is correct | ||
| if [ $# -ne 1 ]; then | ||
| echo "Usage: $0 <filename of grype json results>" | ||
| exit 1 | ||
| fi | ||
|
|
||
| _results_filename="${1}" | ||
|
|
||
| # Check if the file exists | ||
| if [ ! -f "${_results_filename}" ]; then | ||
| echo "Error: File '${_results_filename}' does not exist" | ||
| exit 1 | ||
| fi | ||
|
|
||
| _number_of_cves_found=$(jq -r '.matches | length' "${_results_filename}") | ||
|
|
||
| echo -e "# CVE Scan Results\n" | ||
|
|
||
| if [ ${_number_of_cves_found} -eq 0 ]; then | ||
| echo -e "## Success! No vulnerabilities found.\n" | ||
| else | ||
| echo -e "## Failure: ${_number_of_cves_found} vulnerabilities found.\n" | ||
|
|
||
| _table_headers='"NAME","INSTALLED","FIXED-IN","TYPE","VULNERABILITY","SEVERITY"' | ||
| _table_underlines='"----","---------","--------","----","-------------","--------"' | ||
|
|
||
| jq -r "[${_table_headers}], | ||
| [${_table_underlines}], | ||
| (.matches[] | [ | ||
| .artifact.name, | ||
| .artifact.version, | ||
| .vulnerability.fix.versions[0], | ||
| .artifact.type, | ||
| .vulnerability.id, | ||
| .vulnerability.severity | ||
| ]) | @tsv" "${_results_filename}" \ | ||
| | sed 's/|/\\|/g' \ | ||
| | sed 's/\t/ | /g' | ||
| fi |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,32 @@ | ||
| name: "Check CVEs" | ||
|
|
||
| on: | ||
| workflow_dispatch: | ||
| pull_request: | ||
|
|
||
| jobs: | ||
| check-cves: | ||
| runs-on: ubuntu-latest | ||
|
|
||
| steps: | ||
| - name: Check out codebase | ||
| uses: actions/checkout@v4 | ||
|
|
||
| - name: Scan current project | ||
| uses: anchore/scan-action@v3 | ||
| with: | ||
| path: "." | ||
| add-cpes-if-none: true | ||
| by-cve: true | ||
| output-format: json | ||
|
|
||
| - name: Print scan results | ||
| run: .github/scripts/format-cve-scan-results.sh results.json > $GITHUB_STEP_SUMMARY | ||
| if: always() | ||
|
|
||
| - name: Archive CVE scan results | ||
| uses: actions/upload-artifact@v4 | ||
| if: always() | ||
| with: | ||
| name: cve-scan-results-${{ github.sha }}-${{ github.run_id }}-${{ github.run_number }} | ||
| path: results.json |