Migrate trivy scan to trivy-action (#2992)

* Migrate trivy scan to trivy-action

* Revert to the hard-pinned versions approach, but with full versions rather than only the major ref

Signed-off-by: strailov <Stanislav.Trailov@bosch.io>

---------

Signed-off-by: strailov <Stanislav.Trailov@bosch.io>
This commit is contained in:
Stanislav Trailov
2026-04-03 10:44:46 +03:00
committed by GitHub
parent 0e13ef6e5d
commit 273abebf9b
9 changed files with 97 additions and 51 deletions


@@ -14,7 +14,7 @@ jobs:
runs-on: ubuntu-latest runs-on: ubuntu-latest
steps: steps:
- uses: actions/first-interaction@v3 - uses: actions/first-interaction@v3.1.0
with: with:
repo_token: ${{ secrets.PAT_SECRET }} repo_token: ${{ secrets.PAT_SECRET }}
issue_message: |- issue_message: |-


@@ -92,7 +92,7 @@ jobs:
- 5672:5672 - 5672:5672
steps: steps:
- uses: actions/checkout@v6 - uses: actions/checkout@v6.0.2
with: with:
ref: ${{ inputs.revision == '0-SNAPSHOT' && github.ref || inputs.revision }} ref: ${{ inputs.revision == '0-SNAPSHOT' && github.ref || inputs.revision }}
@@ -109,7 +109,7 @@ jobs:
gpg-passphrase: MAVEN_GPG_PASSPHRASE gpg-passphrase: MAVEN_GPG_PASSPHRASE
- name: Cache local Maven repository - name: Cache local Maven repository
uses: actions/cache@v5 uses: actions/cache@v5.0.4
with: with:
path: ~/.m2/repository path: ~/.m2/repository
key: ${{ runner.os }}-maven-${{ hashFiles('**/pom.xml') }} key: ${{ runner.os }}-maven-${{ hashFiles('**/pom.xml') }}


@@ -21,7 +21,7 @@ jobs:
runs-on: ubuntu-latest runs-on: ubuntu-latest
steps: steps:
- uses: actions/checkout@v6 - uses: actions/checkout@v6.0.2
- name: "Release ${{ inputs.revision }}" - name: "Release ${{ inputs.revision }}"
run: echo "Releasing ${{ inputs.revision }}" run: echo "Releasing ${{ inputs.revision }}"
@@ -57,7 +57,7 @@ jobs:
done done
- name: Log into Docker Hub - name: Log into Docker Hub
uses: docker/login-action@v4 uses: docker/login-action@v4.0.0
with: with:
username: ${{ vars.DOCKERHUB_USERNAME }} username: ${{ vars.DOCKERHUB_USERNAME }}
password: ${{ secrets.DOCKERHUB_TOKEN }} password: ${{ secrets.DOCKERHUB_TOKEN }}


@@ -24,19 +24,19 @@ jobs:
runs-on: ubuntu-latest runs-on: ubuntu-latest
steps: steps:
- uses: actions/checkout@v6 - uses: actions/checkout@v6.0.2
with: with:
ref: ${{ inputs.ref }} ref: ${{ inputs.ref }}
- name: Set up JDK & Maven Central credentials - name: Set up JDK & Maven Central credentials
uses: actions/setup-java@v5 uses: actions/setup-java@v5.2.0
with: with:
distribution: 'temurin' distribution: 'temurin'
java-version: 21 java-version: 21
cache: 'maven' cache: 'maven'
- name: Cache local Maven repository - name: Cache local Maven repository
uses: actions/cache@v5 uses: actions/cache@v5.0.4
with: with:
path: ~/.m2/repository path: ~/.m2/repository
key: ${{ runner.os }}-maven-${{ hashFiles('**/pom.xml') }} key: ${{ runner.os }}-maven-${{ hashFiles('**/pom.xml') }}


@@ -24,7 +24,7 @@ jobs:
runs-on: ubuntu-latest runs-on: ubuntu-latest
steps: steps:
- uses: actions/checkout@v6 - uses: actions/checkout@v6.0.2
# should work with actions/checkout@v6 with fetch-tags: true, BUT it doesn't work as expected! # should work with actions/checkout@v6 with fetch-tags: true, BUT it doesn't work as expected!
# See https://github.com/actions/checkout/issues/1471. # See https://github.com/actions/checkout/issues/1471.


@@ -23,12 +23,12 @@ jobs:
steps: steps:
- name: Checkout code - name: Checkout code
uses: actions/checkout@v6 uses: aquasecurity/trivy-action@v0.35.0
with: with:
ref: ${{ inputs.ref }} ref: ${{ inputs.ref }}
- name: Set up JDK - name: Set up JDK
uses: actions/setup-java@v5 uses: actions/setup-java@v5.2.0
with: with:
distribution: "temurin" distribution: "temurin"
java-version: 21 java-version: 21
@@ -42,61 +42,107 @@ jobs:
./build_dev.sh && \ ./build_dev.sh && \
cd ../../.. cd ../../..
- name: Determine most recent Trivy version - name: Scan hawkbit-ddi-server
run: | uses: aquasecurity/trivy-action@v0.35.0
echo "TRIVY_VERSION=$(wget -qO - 'https://api.github.com/repos/aquasecurity/trivy/releases/latest' | \ with:
grep '\"tag_name\":' | sed -E 's/.*\"v([^\"]+)\".*/\1/')" >> $GITHUB_ENV image-ref: 'hawkbit/hawkbit-ddi-server:latest'
ignore-unfixed: true
trivyignores: .github/workflows/.trivyignore
severity: 'HIGH,CRITICAL'
vuln-type: 'library'
format: 'sarif'
output: 'scans/hawkbit-ddi-server.sarif'
- name: Install Trivy - name: Scan hawkbit-dmf-server
run: | uses: aquasecurity/trivy-action@v0.35.0
wget --no-verbose https://github.com/aquasecurity/trivy/releases/download/v${{ env.TRIVY_VERSION }}/trivy_${{ env.TRIVY_VERSION }}_Linux-64bit.tar.gz -O - | tar -zxvf - with:
image-ref: 'hawkbit/hawkbit-dmf-server:latest'
ignore-unfixed: true
trivyignores: .github/workflows/.trivyignore
severity: 'HIGH,CRITICAL'
vuln-type: 'library'
format: 'sarif'
output: 'scans/hawkbit-dmf-server.sarif'
- name: Scan Docker images - name: Scan hawkbit-mgmt-server
run: | uses: aquasecurity/trivy-action@v0.35.0
mkdir -p scans/eclipse-hawkbit/hawkbit with:
for IMAGE in $(docker image ls --format "{{.Repository}}:{{.Tag}}" "hawkbit/hawkbit-*:latest"); do image-ref: 'hawkbit/hawkbit-mgmt-server:latest'
echo "Scanning image ${IMAGE} ..." ignore-unfixed: true
./trivy image "${IMAGE}" --ignore-unfixed --ignorefile .github/workflows/.trivyignore --severity HIGH,CRITICAL --vuln-type library --output "scans/eclipse-hawkbit/${IMAGE}.sarif" --format sarif trivyignores: .github/workflows/.trivyignore
done severity: 'HIGH,CRITICAL'
vuln-type: 'library'
format: 'sarif'
output: 'scans/hawkbit-mgmt-server.sarif'
- name: Check if to upload scan results - name: Scan hawkbit-ui
run: | uses: aquasecurity/trivy-action@v0.35.0
if [ "${{ inputs.upload }}" = "true" ]; then with:
echo "Uploading scan results..." image-ref: 'hawkbit/hawkbit-ui:latest'
else ignore-unfixed: true
echo "Skipping upload of scan results." trivyignores: .github/workflows/.trivyignore
exit 0 severity: 'HIGH,CRITICAL'
fi vuln-type: 'library'
format: 'sarif'
output: 'scans/hawkbit-ui.sarif'
- name: Scan hawkbit-update-server
uses: aquasecurity/trivy-action@v0.35.0
with:
image-ref: 'hawkbit/hawkbit-update-server:latest'
ignore-unfixed: true
trivyignores: .github/workflows/.trivyignore
severity: 'HIGH,CRITICAL'
vuln-type: 'library'
format: 'sarif'
output: 'scans/hawkbit-update-server.sarif'
- name: Scan hawkbit-repository-jpa-init
uses: aquasecurity/trivy-action@v0.35.0
with:
image-ref: 'hawkbit/hawkbit-repository-jpa-init:latest'
ignore-unfixed: true
trivyignores: .github/workflows/.trivyignore
severity: 'HIGH,CRITICAL'
vuln-type: 'library'
format: 'sarif'
output: 'scans/hawkbit-repository-jpa-init.sarif'
- name: Upload Docker image scan results to GitHub Security tab hawkbit-ddi-server - name: Upload Docker image scan results to GitHub Security tab hawkbit-ddi-server
uses: github/codeql-action/upload-sarif@v4 if: ${{ inputs.upload }}
uses: github/codeql-action/upload-sarif@v4.35.1
with: with:
sarif_file: 'scans/eclipse-hawkbit/hawkbit/hawkbit-ddi-server:latest.sarif' sarif_file: 'scans/hawkbit-ddi-server.sarif'
category: "Container Images (hawkbit-ddi-server)" category: "Container Images (hawkbit-ddi-server)"
- name: Upload Docker image scan results to GitHub Security tab hawkbit-dmf-server - name: Upload Docker image scan results to GitHub Security tab hawkbit-dmf-server
uses: github/codeql-action/upload-sarif@v4 if: ${{ inputs.upload }}
uses: github/codeql-action/upload-sarif@v4.35.1
with: with:
sarif_file: 'scans/eclipse-hawkbit/hawkbit/hawkbit-dmf-server:latest.sarif' sarif_file: 'scans/hawkbit-dmf-server.sarif'
category: "Container Images (hawkbit-dmf-server)" category: "Container Images (hawkbit-dmf-server)"
- name: Upload Docker image scan results to GitHub Security tab hawkbit-mgmt-server - name: Upload Docker image scan results to GitHub Security tab hawkbit-mgmt-server
uses: github/codeql-action/upload-sarif@v4 if: ${{ inputs.upload }}
uses: github/codeql-action/upload-sarif@v4.35.1
with: with:
sarif_file: 'scans/eclipse-hawkbit/hawkbit/hawkbit-mgmt-server:latest.sarif' sarif_file: 'scans/hawkbit-mgmt-server.sarif'
category: "Container Images (hawkbit-mgmt-server)" category: "Container Images (hawkbit-mgmt-server)"
- name: Upload Docker image scan results to GitHub Security tab hawkbit-ui - name: Upload Docker image scan results to GitHub Security tab hawkbit-ui
uses: github/codeql-action/upload-sarif@v4 if: ${{ inputs.upload }}
uses: github/codeql-action/upload-sarif@v4.35.1
with: with:
sarif_file: 'scans/eclipse-hawkbit/hawkbit/hawkbit-ui:latest.sarif' sarif_file: 'scans/hawkbit-ui.sarif'
category: "Container Images (hawkbit-ui)" category: "Container Images (hawkbit-ui)"
- name: Upload Docker image scan results to GitHub Security tab hawkbit-update-server - name: Upload Docker image scan results to GitHub Security tab hawkbit-update-server
uses: github/codeql-action/upload-sarif@v4 if: ${{ inputs.upload }}
uses: github/codeql-action/upload-sarif@v4.35.1
with: with:
sarif_file: 'scans/eclipse-hawkbit/hawkbit/hawkbit-update-server:latest.sarif' sarif_file: 'scans/hawkbit-update-server.sarif'
category: "Container Images (hawkbit-update-server)" category: "Container Images (hawkbit-update-server)"
- name: Upload Docker image scan results to GitHub Security tab hawkbit-repository-jpa-init - name: Upload Docker image scan results to GitHub Security tab hawkbit-repository-jpa-init
uses: github/codeql-action/upload-sarif@v4 if: ${{ inputs.upload }}
uses: github/codeql-action/upload-sarif@v4.35.1
with: with:
sarif_file: 'scans/eclipse-hawkbit/hawkbit/hawkbit-repository-jpa-init:latest.sarif' sarif_file: 'scans/hawkbit-repository-jpa-init.sarif'
category: "Container Images (hawkbit-repository-jpa-init)" category: "Container Images (hawkbit-repository-jpa-init)"
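Review bot: The step named `Checkout code` at the top of the first hunk now runs `uses: aquasecurity/trivy-action@v0.35.0` with a `ref: ${{ inputs.ref }}` input instead of `actions/checkout`, which looks like an over-eager find-and-replace: the repository is no longer checked out, `ref` does not appear to be an input the scan action consumes, and the later build step (`./build_dev.sh` at the top of the second hunk) will run in an empty workspace. Restore `uses: actions/checkout@v6.0.2` on that step and keep the trivy-action `uses` only on the per-image scan steps. Separately, every action reference in this commit is pinned to a tag (`@v0.35.0`, `@v4.35.1`, `@v6.0.2`), which the upstream maintainer can move; pinning to the full commit SHA with the tag in a trailing comment (`uses: aquasecurity/trivy-action@<commit-sha> # v0.35.0`) would make the "hard versions" intent tamper-resistant, and the same applies to the other workflow files in this commit. Replacing the `docker image ls "hawkbit/hawkbit-*:latest"` loop with six hard-coded image names also means any image added later is silently not scanned, so a comment on the first scan step such as `# keep this list in sync with the images produced by build_dev.sh` would help the next maintainer.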


@@ -41,20 +41,20 @@ jobs:
echo "Ref: ${{ inputs.ref }}," echo "Ref: ${{ inputs.ref }},"
echo "Maven Properties: ${{ inputs.maven_properties }}" echo "Maven Properties: ${{ inputs.maven_properties }}"
- uses: actions/checkout@v6 - uses: actions/checkout@v6.0.2
with: with:
repository: ${{ inputs.repository }} repository: ${{ inputs.repository }}
ref: ${{ inputs.ref }} ref: ${{ inputs.ref }}
- name: Set up JDK - name: Set up JDK
uses: actions/setup-java@v5 uses: actions/setup-java@v5.2.0
with: with:
distribution: 'temurin' distribution: 'temurin'
java-version: 21 java-version: 21
cache: 'maven' cache: 'maven'
- name: Cache local Maven repository - name: Cache local Maven repository
uses: actions/cache@v5 uses: actions/cache@v5.0.4
with: with:
path: ~/.m2/repository path: ~/.m2/repository
key: ${{ runner.os }}-maven-${{ hashFiles('**/pom.xml') }} key: ${{ runner.os }}-maven-${{ hashFiles('**/pom.xml') }}


@@ -19,7 +19,7 @@ jobs:
runs-on: ubuntu-latest runs-on: ubuntu-latest
steps: steps:
- uses: actions/stale@v10 - uses: actions/stale@v10.2.0
with: with:
repo-token: ${{ secrets.PAT_SECRET }} repo-token: ${{ secrets.PAT_SECRET }}
# disables automatic marking of issues as stale # disables automatic marking of issues as stale


@@ -16,13 +16,13 @@ jobs:
runs-on: ubuntu-latest runs-on: ubuntu-latest
steps: steps:
- uses: actions/checkout@v6 - uses: actions/checkout@v6.0.2
with: with:
repository: ${{ inputs.repository }} repository: ${{ inputs.repository }}
ref: ${{ inputs.ref }} ref: ${{ inputs.ref }}
- name: Set up JDK - name: Set up JDK
uses: actions/setup-java@v5 uses: actions/setup-java@v5.2.0
with: with:
distribution: 'temurin' distribution: 'temurin'
java-version: 21 java-version: 21