lingwei.kong/hawkbit
1
0
Fork 0
Code Issues Pull Requests Actions 3 Packages Projects Releases Wiki Activity

Introduce GitHub action to execute vulnerability scan using Trivy (#1333)

Browse Source 
* Introduce docker maven plugin for hawkbit update server
* Introduce GitHub action to execute vulnerability scan using trivy
This commit is contained in:
Michael Herdt
2023-03-28 07:42:04 +02:00
committed by GitHub
parent 4a3a79aa6b
commit 6f854afdae
3 changed files with 142 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

55
.github/workflows/trivy-scan.yml vendored Normal file
View File

@@ -0,0 +1,55 @@
name: Vulnerability Scan
on:
schedule:
# run every night at 4:00 AM (UTC)
- cron: '0 4 * * *'
# enable running the workflow manually
workflow_dispatch:
jobs:
scan:
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v3
- name: Set up Maven
uses: stCarolas/setup-maven@v4.5
with:
maven-version: 3.8.6
- name: Set up JDK
uses: actions/setup-java@v3
with:
distribution: "adopt"
java-version: "11"
cache: "maven"
- name: Create Hawkbit container images
run: |
mvn clean install -DskipTests -Pdocker
- name: Determine most recent Trivy version
run: |
echo "TRIVY_VERSION=$(wget -qO - 'https://api.github.com/repos/aquasecurity/trivy/releases/latest' | \
grep '\"tag_name\":' | sed -E 's/.*\"v([^\"]+)\".*/\1/')" >> $GITHUB_ENV
- name: Install Trivy
run: |
wget --no-verbose https://github.com/aquasecurity/trivy/releases/download/v${{ env.TRIVY_VERSION }}/trivy_${{ env.TRIVY_VERSION }}_Linux-64bit.tar.gz -O - | tar -zxvf -
- name: Scan Docker images
run: |
mkdir -p scans/eclipse/hawkbit
for IMAGE in $(docker image ls --format "{{.Repository}}:{{.Tag}}" "hawkbit-*"); do
echo "Scanning image ${IMAGE} ..."
./trivy image "${IMAGE}" --ignore-unfixed --severity HIGH,CRITICAL --output "scans/eclipse/hawkbit/$IMAGE.sarif" --format sarif
done
- name: Upload Docker image scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: 'scans/eclipse/hawkbit'
category: "Container Images"

13
hawkbit-runtime/hawkbit-update-server/pom.xml
View File

@@ -19,6 +19,19 @@
<artifactId>hawkbit-update-server</artifactId> <artifactId>hawkbit-update-server</artifactId>
<name>hawkBit :: Runtime :: Update Server</name> <name>hawkBit :: Runtime :: Update Server</name>
<profiles>
<profile>
<id>docker</id>
<build>
<plugins>
<plugin>
<groupId>io.fabric8</groupId>
<artifactId>docker-maven-plugin</artifactId>
</plugin>
</plugins>
</build>
</profile>
</profiles>
<build> <build>
<plugins> <plugins>
<plugin> <plugin>

74
pom.xml
View File

@@ -168,6 +168,19 @@
<!-- ************************ --> <!-- ************************ -->
<!-- Maven Plugins --> <!-- Maven Plugins -->
<!-- ************************ --> <!-- ************************ -->
<!-- Docker image build - START -->
<docker.repository.name>${project.artifactId}</docker.repository.name>
<docker.host>unix:///var/run/docker.sock</docker.host>
<docker.maven.plugin.version>0.40.3</docker.maven.plugin.version>
<docker.memory.size>-Xms600m -Xmx600m -XX:MaxMetaspaceSize=250m -XX:MetaspaceSize=250m -Xss300K
</docker.memory.size>
<docker.base.image.platform>linux/amd64</docker.base.image.platform>
<docker.gc.settings>-XX:+UseG1GC -XX:+UseStringDeduplication -XX:+UseCompressedOops</docker.gc.settings>
<docker.jvm.args>${docker.memory.size} ${docker.gc.settings} -XX:+HeapDumpOnOutOfMemoryError
-XX:+ExitOnOutOfMemoryError -Djava.security.egd=file:/dev/./urandom
</docker.jvm.args>
<docker.jre.version>11.0.15_10-jre-alpine</docker.jre.version>
<!-- Docker image build - END -->
<maven.processor.plugin.version>3.3.3</maven.processor.plugin.version> <maven.processor.plugin.version>3.3.3</maven.processor.plugin.version>
<maven.scm.plugin.version>1.11.1</maven.scm.plugin.version> <maven.scm.plugin.version>1.11.1</maven.scm.plugin.version>
<maven.site.plugin.version>3.9.1</maven.site.plugin.version> <maven.site.plugin.version>3.9.1</maven.site.plugin.version>
@@ -329,6 +342,67 @@
<pluginManagement> <pluginManagement>
<plugins> <plugins>
<plugin>
<groupId>io.fabric8</groupId>
<artifactId>docker-maven-plugin</artifactId>
<version>${docker.maven.plugin.version}</version>
<configuration>
<verbose>true</verbose>
<dockerHost>${docker.host}</dockerHost>
<images>
<image>
<alias>${docker.repository.name}</alias>
<name>
${docker.repository.name}:${project.version}
</name>
<build>
<from>eclipse-temurin:${docker.jre.version}</from>
<createImageOptions>
<platform>${docker.base.image.platform}</platform>
</createImageOptions>
<tags>
<tag>latest</tag>
</tags>
<env>
<SPRING_PROFILES_ACTIVE>docker</SPRING_PROFILES_ACTIVE>
<JAVA_OPTS>${docker.jvm.args}</JAVA_OPTS>
</env>
<ports>
<port>8080</port>
</ports>
<assembly>
<inline>
<fileSets>
<fileSet>
<directory>target</directory>
<outputDirectory>.</outputDirectory>
<includes>
<include>${project.build.finalName}.jar</include>
</includes>
<fileMode>0644</fileMode>
<directoryMode>0755</directoryMode>
<filtered>false</filtered>
</fileSet>
</fileSets>
</inline>
</assembly>
<entryPoint>
<shell>java $JAVA_OPTS -jar maven/${project.build.finalName}.jar</shell>
</entryPoint>
</build>
</image>
</images>
</configuration>
<executions>
<execution>
<phase>package</phase>
<goals>
<goal>remove</goal>
<goal>build</goal>
</goals>
</execution>
</executions>
</plugin>
<plugin> <plugin>
<groupId>org.apache.maven.plugins</groupId> <groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-javadoc-plugin</artifactId> <artifactId>maven-javadoc-plugin</artifactId>