Introduce GitHub action to execute vulnerability scan using Trivy (#1333)
* Introduce docker maven plugin for hawkbit update server * Introduce GitHub action to execute vulnerability scan using trivy
This commit is contained in:
Michael Herdt
55
.github/workflows/trivy-scan.yml
vendored
Normal file
55
.github/workflows/trivy-scan.yml
vendored
Normal file
@@ -0,0 +1,55 @@
|
||||
name: Vulnerability Scan
|
||||
|
||||
on:
|
||||
schedule:
|
||||
# run every night at 4:00 AM (UTC)
|
||||
- cron: '0 4 * * *'
|
||||
# enable running the workflow manually
|
||||
workflow_dispatch:
|
||||
|
||||
jobs:
|
||||
scan:
|
||||
runs-on: ubuntu-latest
|
||||
|
||||
steps:
|
||||
- name: Checkout code
|
||||
uses: actions/checkout@v3
|
||||
|
||||
- name: Set up Maven
|
||||
uses: stCarolas/setup-maven@v4.5
|
||||
with:
|
||||
maven-version: 3.8.6
|
||||
|
||||
- name: Set up JDK
|
||||
uses: actions/setup-java@v3
|
||||
with:
|
||||
distribution: "adopt"
|
||||
java-version: "11"
|
||||
cache: "maven"
|
||||
|
||||
- name: Create Hawkbit container images
|
||||
run: |
|
||||
mvn clean install -DskipTests -Pdocker
|
||||
|
||||
- name: Determine most recent Trivy version
|
||||
run: |
|
||||
echo "TRIVY_VERSION=$(wget -qO - 'https://api.github.com/repos/aquasecurity/trivy/releases/latest' | \
|
||||
grep '\"tag_name\":' | sed -E 's/.*\"v([^\"]+)\".*/\1/')" >> $GITHUB_ENV
|
||||
|
||||
- name: Install Trivy
|
||||
run: |
|
||||
wget --no-verbose https://github.com/aquasecurity/trivy/releases/download/v${{ env.TRIVY_VERSION }}/trivy_${{ env.TRIVY_VERSION }}_Linux-64bit.tar.gz -O - | tar -zxvf -
|
||||
|
||||
- name: Scan Docker images
|
||||
run: |
|
||||
mkdir -p scans/eclipse/hawkbit
|
||||
for IMAGE in $(docker image ls --format "{{.Repository}}:{{.Tag}}" "hawkbit-*"); do
|
||||
echo "Scanning image ${IMAGE} ..."
|
||||
./trivy image "${IMAGE}" --ignore-unfixed --severity HIGH,CRITICAL --output "scans/eclipse/hawkbit/$IMAGE.sarif" --format sarif
|
||||
done
|
||||
|
||||
- name: Upload Docker image scan results to GitHub Security tab
|
||||
uses: github/codeql-action/upload-sarif@v2
|
||||
with:
|
||||
sarif_file: 'scans/eclipse/hawkbit'
|
||||
category: "Container Images"
|
||||
@@ -19,6 +19,19 @@
|
||||
<artifactId>hawkbit-update-server</artifactId>
|
||||
<name>hawkBit :: Runtime :: Update Server</name>
|
||||
|
||||
<profiles>
|
||||
<profile>
|
||||
<id>docker</id>
|
||||
<build>
|
||||
<plugins>
|
||||
<plugin>
|
||||
<groupId>io.fabric8</groupId>
|
||||
<artifactId>docker-maven-plugin</artifactId>
|
||||
</plugin>
|
||||
</plugins>
|
||||
</build>
|
||||
</profile>
|
||||
</profiles>
|
||||
<build>
|
||||
<plugins>
|
||||
<plugin>
|
||||
|
||||
74
pom.xml
74
pom.xml
@@ -168,6 +168,19 @@
|
||||
<!-- ************************ -->
|
||||
<!-- Maven Plugins -->
|
||||
<!-- ************************ -->
|
||||
<!-- Docker image build - START -->
|
||||
<docker.repository.name>${project.artifactId}</docker.repository.name>
|
||||
<docker.host>unix:///var/run/docker.sock</docker.host>
|
||||
<docker.maven.plugin.version>0.40.3</docker.maven.plugin.version>
|
||||
<docker.memory.size>-Xms600m -Xmx600m -XX:MaxMetaspaceSize=250m -XX:MetaspaceSize=250m -Xss300K
|
||||
</docker.memory.size>
|
||||
<docker.base.image.platform>linux/amd64</docker.base.image.platform>
|
||||
<docker.gc.settings>-XX:+UseG1GC -XX:+UseStringDeduplication -XX:+UseCompressedOops</docker.gc.settings>
|
||||
<docker.jvm.args>${docker.memory.size} ${docker.gc.settings} -XX:+HeapDumpOnOutOfMemoryError
|
||||
-XX:+ExitOnOutOfMemoryError -Djava.security.egd=file:/dev/./urandom
|
||||
</docker.jvm.args>
|
||||
<docker.jre.version>11.0.15_10-jre-alpine</docker.jre.version>
|
||||
<!-- Docker image build - END -->
|
||||
<maven.processor.plugin.version>3.3.3</maven.processor.plugin.version>
|
||||
<maven.scm.plugin.version>1.11.1</maven.scm.plugin.version>
|
||||
<maven.site.plugin.version>3.9.1</maven.site.plugin.version>
|
||||
@@ -329,6 +342,67 @@
|
||||
|
||||
<pluginManagement>
|
||||
<plugins>
|
||||
<plugin>
|
||||
<groupId>io.fabric8</groupId>
|
||||
<artifactId>docker-maven-plugin</artifactId>
|
||||
<version>${docker.maven.plugin.version}</version>
|
||||
<configuration>
|
||||
<verbose>true</verbose>
|
||||
<dockerHost>${docker.host}</dockerHost>
|
||||
<images>
|
||||
<image>
|
||||
<alias>${docker.repository.name}</alias>
|
||||
<name>
|
||||
${docker.repository.name}:${project.version}
|
||||
</name>
|
||||
<build>
|
||||
<from>eclipse-temurin:${docker.jre.version}</from>
|
||||
<createImageOptions>
|
||||
<platform>${docker.base.image.platform}</platform>
|
||||
</createImageOptions>
|
||||
<tags>
|
||||
<tag>latest</tag>
|
||||
</tags>
|
||||
<env>
|
||||
<SPRING_PROFILES_ACTIVE>docker</SPRING_PROFILES_ACTIVE>
|
||||
<JAVA_OPTS>${docker.jvm.args}</JAVA_OPTS>
|
||||
</env>
|
||||
<ports>
|
||||
<port>8080</port>
|
||||
</ports>
|
||||
<assembly>
|
||||
<inline>
|
||||
<fileSets>
|
||||
<fileSet>
|
||||
<directory>target</directory>
|
||||
<outputDirectory>.</outputDirectory>
|
||||
<includes>
|
||||
<include>${project.build.finalName}.jar</include>
|
||||
</includes>
|
||||
<fileMode>0644</fileMode>
|
||||
<directoryMode>0755</directoryMode>
|
||||
<filtered>false</filtered>
|
||||
</fileSet>
|
||||
</fileSets>
|
||||
</inline>
|
||||
</assembly>
|
||||
<entryPoint>
|
||||
<shell>java $JAVA_OPTS -jar maven/${project.build.finalName}.jar</shell>
|
||||
</entryPoint>
|
||||
</build>
|
||||
</image>
|
||||
</images>
|
||||
</configuration>
|
||||
<executions>
|
||||
<execution>
|
||||
<phase>package</phase>
|
||||
<goals>
|
||||
<goal>remove</goal>
|
||||
<goal>build</goal>
|
||||
</goals>
|
||||
</execution>
|
||||
</executions>
|
||||
</plugin>
|
||||
<plugin>
|
||||
<groupId>org.apache.maven.plugins</groupId>
|
||||
<artifactId>maven-javadoc-plugin</artifactId>
|
||||
|
||||
Reference in New Issue
Block a user