Add scan-image action to check for vulnerabilities #1372
Conversation
Lantero
force-pushed
the
scan-image-action
branch
4 times, most recently
from
46c03b6 to
0e83ad3
Compare
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
Lantero
force-pushed
the
scan-image-action
branch
from
0e83ad3 to
95bbb52
Compare
Lantero
force-pushed
the
scan-image-action
branch
from
95bbb52 to
1245d3a
Compare
| id: extract-registry | ||
| shell: bash | ||
| run: | | ||
| IMAGE_NAME="${{ inputs.image_name }}" |
Check failure
Code scanning / zizmor
code injection via template expansion Error
Lantero
force-pushed
the
scan-image-action
branch
from
1245d3a to
efe6f8a
Compare
| - name: Setup Trivy (Latest) | ||
| id: setup-trivy-latest | ||
| if: inputs.trivy_version == '' | ||
| uses: aquasecurity/[email protected] |
Check failure
Code scanning / zizmor
unpinned action reference Error
| - name: Setup Trivy (Pinned) | ||
| id: setup-trivy-pinned | ||
| if: inputs.trivy_version != '' | ||
| uses: aquasecurity/[email protected] |
Check failure
Code scanning / zizmor
unpinned action reference Error
Lantero
force-pushed
the
scan-image-action
branch
3 times, most recently
from
a30172f to
501778d
Compare
Lantero
force-pushed
the
scan-image-action
branch
2 times, most recently
from
bea85e8 to
86bc0dd
Compare
Lantero
force-pushed
the
scan-image-action
branch
4 times, most recently
from
aaaa710 to
b8f04e3
Compare
| id: run-trivy | ||
| shell: bash | ||
| run: | | ||
| trivy image ${{ inputs.image_name }} -f json -o trivy.json |
Check failure
Code scanning / zizmor
code injection via template expansion Error
Lantero
force-pushed
the
scan-image-action
branch
from
b8f04e3 to
46597f0
Compare
| - name: Setup Grype (Latest) | ||
| id: setup-grype-latest | ||
| if: inputs.grype_version == '' | ||
| uses: anchore/scan-action/download-grype@v7 |
Check failure
Code scanning / zizmor
unpinned action reference Error
| - name: Setup Grype (Pinned) | ||
| id: setup-grype-pinned | ||
| if: inputs.grype_version != '' | ||
| uses: anchore/scan-action/download-grype@v7 |
Check failure
Code scanning / zizmor
unpinned action reference Error
Lantero
force-pushed
the
scan-image-action
branch
from
46597f0 to
6f62a54
Compare
| id: run-grype | ||
| shell: bash | ||
| run: | | ||
| ${{ inputs.grype_version == '' && steps.setup-grype-latest.outputs.cmd || steps.setup-grype-pinned.outputs.cmd }} ${{ inputs.image_name }} -o cyclonedx-json > grype-cdx.json |
Check failure
Code scanning / zizmor
code injection via template expansion Error
Lantero
force-pushed
the
scan-image-action
branch
3 times, most recently
from
d6d1b80 to
1c42928
Compare
Lantero
force-pushed
the
scan-image-action
branch
2 times, most recently
from
5bfb373 to
440e6e8
Compare
Lantero
force-pushed
the
scan-image-action
branch
2 times, most recently
from
88aa333 to
9a54ebc
Compare
| # Check if result.json is empty or has no entries | ||
| if [[ $(jq '. | length' result.json) -eq 0 ]]; then | ||
| # No CVEs found | ||
| echo "# CVE Report (${{ inputs.image_name }}) :white_check_mark: |
Check failure
Code scanning / zizmor
code injection via template expansion Error
| - name: (Test 1) Scan public image without vulnerabilities | ||
| id: scan-image-1 | ||
| uses: Lantero/shared-workflows/actions/scan-image@1c42928e7de3547403e934df7fa59a3e59865a75 # scan-action/v0.1.0 | ||
| with: | ||
| image_name: docker.io/hello-world | ||
| image_source: public |
Check failure
Code scanning / zizmor
commit with no history in referenced repository Error test
| - name: (Test 2) Scan public image with some vulnerabilities (Pinned Trivy and Grype) | ||
| id: scan-image-2 | ||
| uses: Lantero/shared-workflows/actions/scan-image@1c42928e7de3547403e934df7fa59a3e59865a75 # scan-action/v0.1.0 | ||
| with: | ||
| image_name: docker.io/redis:7.4.0-alpine | ||
| image_source: public | ||
| trivy_version: v0.66.0 | ||
| grype_version: v0.98.0 |
Check failure
Code scanning / zizmor
commit with no history in referenced repository Error test
| - name: (Test 3) Scan private DockerHub image for vulnerabilities | ||
| id: scan-image-3 | ||
| uses: Lantero/shared-workflows/actions/scan-image@1c42928e7de3547403e934df7fa59a3e59865a75 # scan-action/v0.1.0 | ||
| with: | ||
| image_name: ${{ github.repository }}@${{ steps.build.outputs.digest }} | ||
| image_source: private_dockerhub |
Check failure
Code scanning / zizmor
commit with no history in referenced repository Error test
| - name: (Test 4) Scan private GAR image for vulnerabilities | ||
| id: scan-image-4 | ||
| uses: Lantero/shared-workflows/actions/scan-image@1c42928e7de3547403e934df7fa59a3e59865a75 # scan-action/v0.1.0 | ||
| with: | ||
| image_name: us-docker.pkg.dev/grafanalabs-global/docker-deployment-tools-prod/terraform-team:1.7.5-16-0-amd64 | ||
| image_source: private_gar No newline at end of file |
Check failure
Code scanning / zizmor
commit with no history in referenced repository Error test
Lantero
force-pushed
the
scan-image-action
branch
from
9a54ebc to
7e9bb10
Compare
| else | ||
| ## CVEs found, create table | ||
| MARKDOWN_CONTENT=" | ||
| ## CVE Report (${{ inputs.image_name }}) :warning: |
Check failure
Code scanning / zizmor
code injection via template expansion Error
Lantero
force-pushed
the
scan-image-action
branch
3 times, most recently
from
364892c to
deffcdb
Compare
Lantero
force-pushed
the
scan-image-action
branch
from
deffcdb to
24c27c6
Compare
| id: fail-condition | ||
| shell: bash | ||
| run: | | ||
| if [[ ${{ inputs.fail_on_threshold }} -lt 1 ]]; then |
Check failure
Code scanning / zizmor
code injection via template expansion Error
| ["critical"]=4 | ||
| ) | ||
|
|
||
| echo "Checking for vulnerabilities with severity >= ${{ inputs.fail_on }} (level ${{ inputs.fail_on_threshold }})" |
Check failure
Code scanning / zizmor
code injection via template expansion Error
| ["critical"]=4 | ||
| ) | ||
|
|
||
| echo "Checking for vulnerabilities with severity >= ${{ inputs.fail_on }} (level ${{ inputs.fail_on_threshold }})" |
Check failure
Code scanning / zizmor
code injection via template expansion Error
| ["critical"]=4 | ||
| ) | ||
|
|
||
| echo "Checking for vulnerabilities with severity >= ${{ inputs.fail_on }} (level ${{ inputs.fail_on_threshold }})" |
Check failure
Code scanning / zizmor
code injection via template expansion Error
|
|
||
| current_level=${severity_levels[$severity_lower]} | ||
|
|
||
| if [[ $current_level -ge $${{ inputs.fail_on }} ]]; then |
Check failure
Code scanning / zizmor
code injection via template expansion Error
| fi | ||
| done < <(jq -r '. | to_entries[] | "\(.key)\t\(.value.severity)\t\(.value.url)"' result.json) | ||
|
|
||
| echo "Found $vulnerability_count vulnerabilities at or above ${{ inputs.fail_on }} severity level" |
Check failure
Code scanning / zizmor
code injection via template expansion Error
| echo "Found $vulnerability_count vulnerabilities at or above ${{ inputs.fail_on }} severity level" | ||
|
|
||
| # Fail if vulnerability count meets or exceeds threshold | ||
| if [[ $vulnerability_count -ge ${{ inputs.fail_on_threshold }} ]]; then |
Check failure
Code scanning / zizmor
code injection via template expansion Error
| echo "Found $vulnerability_count vulnerabilities at or above ${{ inputs.fail_on }} severity level" | ||
|
|
||
| # Fail if vulnerability count meets or exceeds threshold | ||
| if [[ $vulnerability_count -ge ${{ inputs.fail_on_threshold }} ]]; then |
Check failure
Code scanning / zizmor
code injection via template expansion Error
| echo "Found $vulnerability_count vulnerabilities at or above ${{ inputs.fail_on }} severity level" | ||
|
|
||
| # Fail if vulnerability count meets or exceeds threshold | ||
| if [[ $vulnerability_count -ge ${{ inputs.fail_on_threshold }} ]]; then |
Check failure
Code scanning / zizmor
code injection via template expansion Error
|
|
||
| # Fail if vulnerability count meets or exceeds threshold | ||
| if [[ $vulnerability_count -ge ${{ inputs.fail_on_threshold }} ]]; then | ||
| echo "❌ FAIL: Found $vulnerability_count vulnerabilities (threshold: ${{ inputs.fail_on_threshold }})" |
Check failure
Code scanning / zizmor
code injection via template expansion Error
1 participant
No description provided.