-
Notifications
You must be signed in to change notification settings - Fork 8
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
* Scan images using Trivy * use python 3.12 base image python 3.12.4 did not work, which is why the version was pinned to 3.12.3. However, the most recent python 3.12 version should work again. * continue to build and scan images after one build / scan fails e.g. when python 3.10 is vulnerable and fails, we still want to scan 3.11 and 3.12. * add trivy config and ignore file
- Loading branch information
Showing
6 changed files
with
56 additions
and
9 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -95,8 +95,9 @@ jobs: | |
|
|
||
| containerbuild: | ||
| strategy: | ||
| fail-fast: false | ||
| matrix: | ||
| python-version: ["3.10", "3.11", "3.12.3"] | ||
| python-version: ["3.10", "3.11", "3.12"] | ||
|
|
||
| runs-on: ubuntu-latest | ||
| steps: | ||
|
|
@@ -111,7 +112,7 @@ jobs: | |
| username: ${{ github.actor }} | ||
| password: ${{ secrets.GITHUB_TOKEN }} | ||
|
|
||
| - name: Build and export to Docker | ||
| - name: Build image and export to Docker | ||
| uses: docker/build-push-action@v6 | ||
| with: | ||
| context: . | ||
|
|
@@ -122,17 +123,46 @@ jobs: | |
| tags: | | ||
| ghcr.io/fkie-cad/logprep:py${{ matrix.python-version }}-${{ github.head_ref }} | ||
| - name: Test | ||
| - name: Ensure logprep is available in image | ||
| run: | | ||
| docker run --rm ghcr.io/fkie-cad/logprep:py${{ matrix.python-version }}-${{ github.head_ref }} --version | ||
| - name: Build images | ||
| # This step will build the image again, but every layer will already be cached, so it is nearly instantaneous. | ||
| - name: Push image | ||
| uses: docker/build-push-action@v5 | ||
| with: | ||
| context: . | ||
| push: true # Will only build if this is not here | ||
| push: true | ||
| build-args: | | ||
| LOGPREP_VERSION=dev | ||
| PYTHON_VERSION=${{ matrix.python-version }} | ||
| tags: | | ||
| ghcr.io/fkie-cad/logprep:py${{ matrix.python-version }}-${{ github.head_ref }} | ||
| # To avoid the trivy-db becoming outdated, we save the cache for one day | ||
| - name: Get date | ||
| id: date | ||
| run: echo "date=$(date +%Y-%m-%d)" >> $GITHUB_OUTPUT | ||
|
|
||
| - name: Restore trivy cache | ||
| uses: actions/cache@v4 | ||
| with: | ||
| path: cache/db | ||
| key: trivy-cache-${{ steps.date.outputs.date }} | ||
| restore-keys: | ||
| trivy-cache- | ||
|
|
||
| - name: Scan image using Trivy | ||
| uses: aquasecurity/[email protected] | ||
| env: | ||
| TRIVY_CACHE_DIR: ./cache | ||
| with: | ||
| scan-type: image | ||
| image-ref: ghcr.io/fkie-cad/logprep:py${{ matrix.python-version }}-${{ github.head_ref }} | ||
| trivy-config: trivy.yaml | ||
|
|
||
| # Trivy-db uses `0600` permissions. | ||
| # But `action/cache` use `runner` user by default | ||
| # So we need to change the permissions before caching the database. | ||
| - name: Change permissions for trivy.db | ||
| run: sudo chmod 0644 ./cache/db/trivy.db | ||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,2 @@ | ||
| # Ignore Python 3.10 CVE that is only fixed in Python 3.11 as long as we still support Python 3.10. | ||
| CVE-2023-36632 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,15 @@ | ||
| # https://aquasecurity.github.io/trivy/v0.56/docs/references/configuration/config-file/ | ||
| format: table | ||
| report: all | ||
| ignorefile: .trivyignore | ||
| exit-code: 1 | ||
| severity: | ||
| - HIGH | ||
| - CRITICAL | ||
| timeout: 10m | ||
| scan: | ||
| scanners: | ||
| - vuln | ||
| - secret | ||
| vulnerability: | ||
| ignore-unfixed: true |