Octovy is a GitHub App that scans your repository's code for potentially vulnerable dependencies. It utilizes trivy to detect software vulnerabilities. When triggered by events like push
and pull_request
from GitHub, Octovy scans the repository for dependency vulnerabilities and performs the following actions:
- Adds a comment to the pull request, summarizing the vulnerabilities found
- Inserts the scan results into BigQuery
Octovy adds a comment to the pull request when it detects new vulnerabilities between the head of the PR and the merge destination.
Start by creating a GitHub App here. You can use any name and description you like. However, ensure you set the following configurations:
-
General
- Webhook URL:
https://<your domain>/webhook/github
- Webhook secret: A string of your choosing (e.g.
mysecret_XOIJPOIFEA
)
- Webhook URL:
-
Permissions & events
- Repository Permissions
- Checks: Set to Read & Write
- Contents: Set to Read-only
- Metadata: Set to Read-only
- Pull Requests: Set to Read & Write
- Subscribe to events
- Pull request
- Push
- Repository Permissions
Once you have completed the setup, make sure to take note of the following information from the General section for future reference:
- App ID (e.g.
123456
) - Private Key: Click
Generate a private key
and download the key file (e.g.your-app-name.2023-08-14.private-key.pem
)
- Cloud Storage: Create a Cloud Storage bucket dedicated to storing the scan results exclusively for Octovy's use.
- BigQuery (Optional): Create a BigQuery dataset and table for storing the scan results. Octovy will automatically update the schema. The default table name should be
scans
.
The recommended method of deploying Octovy is via a container image, available at ghcr.io/m-mizutani/octovy
. This image is built using GitHub Actions and published to the GitHub Container Registry.
To run Octovy, set the following environment variables:
OCTOVY_ADDR
: The address to bind the server to (e.g.:8080
)OCTOVY_GITHUB_APP_ID
: The GitHub App IDOCTOVY_GITHUB_APP_PRIVATE_KEY
: The path to the private key fileOCTOVY_GITHUB_APP_SECRET
: The secret string used to verify the webhook request from GitHubOCTOVY_CLOUD_STORAGE_BUCKET
: The name of the Cloud Storage bucket
OCTOVY_TRIVY_PATH
: The path to the trivy binary. If you uses the our container image, you don't need to set this variable.OCTOVY_CLOUD_STORAGE_PREFIX
: The prefix for the Cloud Storage objectOCTOVY_BIGQUERY_PROJECT_ID
: The name of the BigQuery datasetOCTOVY_BIGQUERY_DATASET_ID
: The name of the BigQuery tableOCTOVY_BIGQUERY_TABLE_ID
: The name of the BigQuery tableOCTOVY_BIGQUERY_IMPERSONATE_SERVICE_ACCOUNT
: The service account to impersonate when accessing BigQueryOCTOVY_SENTRY_DSN
: The DSN for SentryOCTOVY_SENTRY_ENV
: The environment for Sentry
The developer can ignore specific vulnerabilities by adding them to the ignore list. The config file is written in CUE. See CUE definition in pkg/domain/model/schema/ignore.cue.
The config file should be placed in .octovy
directory at the root of the repository. Octovy checks all files in the .octovy
directory recursively and loads them. (e.g. .octovy/ignore.cue
)
The following is an example of the ignore list configuration:
package octovy
IgnoreList: [
{
Target: "Gemfile.lock"
Vulns: [
{
ID: "CVE-2020-8130"
ExpiresAt: "2024-08-01T00:00:00Z"
Comment: "This is not used"
},
]
},
]
package
name should be octovy
. IgnoreList
is a list of Ignore
struct.
Target
is the file path to ignore. That should be matchedTarget
of trivyVulns
is a list ofIgnoreVuln
struct.ID
(required): the vulnerability ID to ignore. (e.g.CVE-2022-2202
)ExpiresAt
(required): The expiration date of the ignore. It should be in RFC3339 format. (e.g.2023-08-01T00:00:00
). The date must be in 90 days and if it's over 90 days, Octovy will ignore it.Comment
(optional): The developer's comment
Octovy is licensed under the Apache License 2.0. Copyright 2023 Masayoshi Mizutani mizutani@hey.com