* Fix vulnerability build Signed-off-by: strailov <Stanislav.Trailov@bosch.io> * add scans dir before scanning Signed-off-by: strailov <Stanislav.Trailov@bosch.io> --------- Signed-off-by: strailov <Stanislav.Trailov@bosch.io>
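# Reusable workflow: checks out a caller-supplied ref, builds the hawkBit
# container images from it and scans each image with Trivy. The SARIF results
# are written to ./scans and, when the `upload` input is true, uploaded to the
# repository's GitHub Security tab (code scanning) under one category per image.
name: Trivy Scan (Reusable Workflow)

on:
  workflow_call:
    inputs:
      ref:
        description: 'The branch, tag or SHA to checkout, e.g. master'
        type: string
        default: 'master'
      upload:
        description: 'If to upload the scan results, e.g. true or false'
        type: boolean
        default: false

# Least privilege: the job token only reads the repository and writes
# code-scanning alerts. A calling workflow has to grant at least these.
permissions:
  contents: read
  # needed for trivy scans upload
  security-events: write

jobs:
  trivy-scan:
    runs-on: ubuntu-latest

    steps:
      # NOTE(review): the ref is chosen by the caller and the build script from
      # that ref is executed below (build_dev.sh), so only trusted workflows
      # should be allowed to call this one.
      # NOTE(review): actions are pinned to tags; pinning to the full commit
      # SHA of each tag would make the pins immutable.
      - name: Checkout code
        uses: actions/checkout@v6.0.2
        with:
          ref: ${{ inputs.ref }}

      - name: Set up JDK
        uses: actions/setup-java@v5.2.0
        with:
          distribution: "temurin"
          java-version: 21
          cache: "maven"

      # Builds the Maven artifacts, then the images via the repository's own
      # build script. Every step starts in the workspace root, so the trailing
      # `cd` has no effect on later steps; `../..` is the path back from
      # docker/build to the repository root (`../../..` climbed one level above
      # the checkout).
      # NOTE(review): the image tags scanned below are assumed to be produced by
      # build_dev.sh — confirm against the script.
      - name: Create hawkBit container images
        run: |
          mvn clean install -DskipTests -DskipJavadoc && \
          cd docker/build && \
          chmod +x build_dev.sh && \
          ./build_dev.sh && \
          cd ../..

      # Trivy writes its SARIF files into this directory; it has to exist
      # before the first scan step runs.
      - name: Create scan output directory
        run: mkdir -p scans

      # All scan steps share the same settings:
      #   ignore-unfixed: findings with no available fix are dropped
      #   trivyignores:   IDs listed in .github/workflows/.trivyignore are
      #                   suppressed — keep that file reviewed
      #   severity:       only HIGH and CRITICAL findings are reported
      #   vuln-type:      'library' reports application dependencies only; OS
      #                   packages of the base image are not covered
      # No `exit-code` is set, so (with the action's default, presumably 0)
      # findings do not fail the job; with `upload: false` the SARIF files are
      # neither failed on nor surfaced anywhere.
      - name: Scan hawkbit-ddi-server
        uses: aquasecurity/trivy-action@v0.35.0
        with:
          image-ref: 'hawkbit/hawkbit-ddi-server:latest'
          ignore-unfixed: true
          trivyignores: .github/workflows/.trivyignore
          severity: 'HIGH,CRITICAL'
          vuln-type: 'library'
          format: 'sarif'
          output: 'scans/hawkbit-ddi-server.sarif'

      - name: Scan hawkbit-dmf-server
        uses: aquasecurity/trivy-action@v0.35.0
        with:
          image-ref: 'hawkbit/hawkbit-dmf-server:latest'
          ignore-unfixed: true
          trivyignores: .github/workflows/.trivyignore
          severity: 'HIGH,CRITICAL'
          vuln-type: 'library'
          format: 'sarif'
          output: 'scans/hawkbit-dmf-server.sarif'

      - name: Scan hawkbit-mgmt-server
        uses: aquasecurity/trivy-action@v0.35.0
        with:
          image-ref: 'hawkbit/hawkbit-mgmt-server:latest'
          ignore-unfixed: true
          trivyignores: .github/workflows/.trivyignore
          severity: 'HIGH,CRITICAL'
          vuln-type: 'library'
          format: 'sarif'
          output: 'scans/hawkbit-mgmt-server.sarif'

      - name: Scan hawkbit-ui
        uses: aquasecurity/trivy-action@v0.35.0
        with:
          image-ref: 'hawkbit/hawkbit-ui:latest'
          ignore-unfixed: true
          trivyignores: .github/workflows/.trivyignore
          severity: 'HIGH,CRITICAL'
          vuln-type: 'library'
          format: 'sarif'
          output: 'scans/hawkbit-ui.sarif'

      - name: Scan hawkbit-update-server
        uses: aquasecurity/trivy-action@v0.35.0
        with:
          image-ref: 'hawkbit/hawkbit-update-server:latest'
          ignore-unfixed: true
          trivyignores: .github/workflows/.trivyignore
          severity: 'HIGH,CRITICAL'
          vuln-type: 'library'
          format: 'sarif'
          output: 'scans/hawkbit-update-server.sarif'

      - name: Scan hawkbit-repository-jpa-init
        uses: aquasecurity/trivy-action@v0.35.0
        with:
          image-ref: 'hawkbit/hawkbit-repository-jpa-init:latest'
          ignore-unfixed: true
          trivyignores: .github/workflows/.trivyignore
          severity: 'HIGH,CRITICAL'
          vuln-type: 'library'
          format: 'sarif'
          output: 'scans/hawkbit-repository-jpa-init.sarif'

      # Upload steps: one per image, each under its own code-scanning category
      # so the alerts stay distinguishable in the Security tab. They run only
      # when the caller sets `upload: true` and all scans above succeeded.
      - name: Upload Docker image scan results to GitHub Security tab hawkbit-ddi-server
        if: ${{ inputs.upload }}
        uses: github/codeql-action/upload-sarif@v4.35.1
        with:
          sarif_file: 'scans/hawkbit-ddi-server.sarif'
          category: "Container Images (hawkbit-ddi-server)"

      - name: Upload Docker image scan results to GitHub Security tab hawkbit-dmf-server
        if: ${{ inputs.upload }}
        uses: github/codeql-action/upload-sarif@v4.35.1
        with:
          sarif_file: 'scans/hawkbit-dmf-server.sarif'
          category: "Container Images (hawkbit-dmf-server)"

      - name: Upload Docker image scan results to GitHub Security tab hawkbit-mgmt-server
        if: ${{ inputs.upload }}
        uses: github/codeql-action/upload-sarif@v4.35.1
        with:
          sarif_file: 'scans/hawkbit-mgmt-server.sarif'
          category: "Container Images (hawkbit-mgmt-server)"

      - name: Upload Docker image scan results to GitHub Security tab hawkbit-ui
        if: ${{ inputs.upload }}
        uses: github/codeql-action/upload-sarif@v4.35.1
        with:
          sarif_file: 'scans/hawkbit-ui.sarif'
          category: "Container Images (hawkbit-ui)"

      - name: Upload Docker image scan results to GitHub Security tab hawkbit-update-server
        if: ${{ inputs.upload }}
        uses: github/codeql-action/upload-sarif@v4.35.1
        with:
          sarif_file: 'scans/hawkbit-update-server.sarif'
          category: "Container Images (hawkbit-update-server)"

      - name: Upload Docker image scan results to GitHub Security tab hawkbit-repository-jpa-init
        if: ${{ inputs.upload }}
        uses: github/codeql-action/upload-sarif@v4.35.1
        with:
          sarif_file: 'scans/hawkbit-repository-jpa-init.sarif'
          category: "Container Images (hawkbit-repository-jpa-init)"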