Skip to content

Commit

Permalink
experimenting with trivy scan
Browse files Browse the repository at this point in the history
  • Loading branch information
@mmguero
mmguero committed Jun 21, 2023
1 parent b9d885c commit 192a077
Show file tree
Hide file tree
Showing 22 changed files with 288 additions and 3 deletions.
13 changes: 13 additions & 0 deletions .github/workflows/api-build-and-push-ghcr.yml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -66,3 +66,16 @@ jobs:
file: ./Dockerfiles/api.Dockerfile
push: true
tags: ghcr.io/${{ github.repository_owner }}/malcolm/api:${{ steps.extract_branch.outputs.branch }}
-
name: Run Trivy vulnerability scanner
id: trivy-scan
uses: aquasecurity/trivy-action@master
with:
scan-type: 'image'
image-ref: ghcr.io/${{ github.repository_owner }}/malcolm/api:${{ steps.extract_branch.outputs.branch }}
format: 'table'
severity: 'HIGH,CRITICAL'
vuln-type: 'os,library'
hide-progress: true
ignore-unfixed: true
exit-code: '0'
13 changes: 13 additions & 0 deletions .github/workflows/arkime-build-and-push-ghcr.yml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -68,3 +68,16 @@ jobs:
MAXMIND_GEOIP_DB_LICENSE_KEY=${{ secrets.MAXMIND_GEOIP_DB_LICENSE_KEY }}
push: true
tags: ghcr.io/${{ github.repository_owner }}/malcolm/arkime:${{ steps.extract_branch.outputs.branch }}
-
name: Run Trivy vulnerability scanner
id: trivy-scan
uses: aquasecurity/trivy-action@master
with:
scan-type: 'image'
image-ref: ghcr.io/${{ github.repository_owner }}/malcolm/arkime:${{ steps.extract_branch.outputs.branch }}
format: 'table'
severity: 'HIGH,CRITICAL'
vuln-type: 'os,library'
hide-progress: true
ignore-unfixed: true
exit-code: '0'
13 changes: 13 additions & 0 deletions .github/workflows/dashboards-build-and-push-ghcr.yml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -66,3 +66,16 @@ jobs:
file: ./Dockerfiles/dashboards.Dockerfile
push: true
tags: ghcr.io/${{ github.repository_owner }}/malcolm/dashboards:${{ steps.extract_branch.outputs.branch }}
-
name: Run Trivy vulnerability scanner
id: trivy-scan
uses: aquasecurity/trivy-action@master
with:
scan-type: 'image'
image-ref: ghcr.io/${{ github.repository_owner }}/malcolm/dashboards:${{ steps.extract_branch.outputs.branch }}
format: 'table'
severity: 'HIGH,CRITICAL'
vuln-type: 'os,library'
hide-progress: true
ignore-unfixed: true
exit-code: '0'
13 changes: 13 additions & 0 deletions .github/workflows/dashboards-helper-build-and-push-ghcr.yml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -66,3 +66,16 @@ jobs:
file: ./Dockerfiles/dashboards-helper.Dockerfile
push: true
tags: ghcr.io/${{ github.repository_owner }}/malcolm/dashboards-helper:${{ steps.extract_branch.outputs.branch }}
-
name: Run Trivy vulnerability scanner
id: trivy-scan
uses: aquasecurity/trivy-action@master
with:
scan-type: 'image'
image-ref: ghcr.io/${{ github.repository_owner }}/malcolm/dashboards-helper:${{ steps.extract_branch.outputs.branch }}
format: 'table'
severity: 'HIGH,CRITICAL'
vuln-type: 'os,library'
hide-progress: true
ignore-unfixed: true
exit-code: '0'
13 changes: 13 additions & 0 deletions .github/workflows/dirinit-build-and-push-ghcr.yml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -59,3 +59,16 @@ jobs:
file: ./Dockerfiles/dirinit.Dockerfile
push: true
tags: ghcr.io/${{ github.repository_owner }}/malcolm/dirinit:${{ steps.extract_branch.outputs.branch }}
-
name: Run Trivy vulnerability scanner
id: trivy-scan
uses: aquasecurity/trivy-action@master
with:
scan-type: 'image'
image-ref: ghcr.io/${{ github.repository_owner }}/malcolm/dirinit:${{ steps.extract_branch.outputs.branch }}
format: 'table'
severity: 'HIGH,CRITICAL'
vuln-type: 'os,library'
hide-progress: true
ignore-unfixed: true
exit-code: '0'
13 changes: 13 additions & 0 deletions .github/workflows/file-monitor-build-and-push-ghcr.yml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -66,3 +66,16 @@ jobs:
file: ./Dockerfiles/file-monitor.Dockerfile
push: true
tags: ghcr.io/${{ github.repository_owner }}/malcolm/file-monitor:${{ steps.extract_branch.outputs.branch }}
-
name: Run Trivy vulnerability scanner
id: trivy-scan
uses: aquasecurity/trivy-action@master
with:
scan-type: 'image'
image-ref: ghcr.io/${{ github.repository_owner }}/malcolm/file-monitor:${{ steps.extract_branch.outputs.branch }}
format: 'table'
severity: 'HIGH,CRITICAL'
vuln-type: 'os,library'
hide-progress: true
ignore-unfixed: true
exit-code: '0'
13 changes: 13 additions & 0 deletions .github/workflows/file-upload-build-and-push-ghcr.yml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -66,3 +66,16 @@ jobs:
file: ./Dockerfiles/file-upload.Dockerfile
push: true
tags: ghcr.io/${{ github.repository_owner }}/malcolm/file-upload:${{ steps.extract_branch.outputs.branch }}
-
name: Run Trivy vulnerability scanner
id: trivy-scan
uses: aquasecurity/trivy-action@master
with:
scan-type: 'image'
image-ref: ghcr.io/${{ github.repository_owner }}/malcolm/file-upload:${{ steps.extract_branch.outputs.branch }}
format: 'table'
severity: 'HIGH,CRITICAL'
vuln-type: 'os,library'
hide-progress: true
ignore-unfixed: true
exit-code: '0'
13 changes: 13 additions & 0 deletions .github/workflows/filebeat-build-and-push-ghcr.yml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -66,3 +66,16 @@ jobs:
file: ./Dockerfiles/filebeat.Dockerfile
push: true
tags: ghcr.io/${{ github.repository_owner }}/malcolm/filebeat-oss:${{ steps.extract_branch.outputs.branch }}
-
name: Run Trivy vulnerability scanner
id: trivy-scan
uses: aquasecurity/trivy-action@master
with:
scan-type: 'image'
image-ref: ghcr.io/${{ github.repository_owner }}/malcolm/filebeat-oss:${{ steps.extract_branch.outputs.branch }}
format: 'table'
severity: 'HIGH,CRITICAL'
vuln-type: 'os,library'
hide-progress: true
ignore-unfixed: true
exit-code: '0'
13 changes: 13 additions & 0 deletions .github/workflows/freq-build-and-push-ghcr.yml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -66,3 +66,16 @@ jobs:
file: ./Dockerfiles/freq.Dockerfile
push: true
tags: ghcr.io/${{ github.repository_owner }}/malcolm/freq:${{ steps.extract_branch.outputs.branch }}
-
name: Run Trivy vulnerability scanner
id: trivy-scan
uses: aquasecurity/trivy-action@master
with:
scan-type: 'image'
image-ref: ghcr.io/${{ github.repository_owner }}/malcolm/freq:${{ steps.extract_branch.outputs.branch }}
format: 'table'
severity: 'HIGH,CRITICAL'
vuln-type: 'os,library'
hide-progress: true
ignore-unfixed: true
exit-code: '0'
13 changes: 13 additions & 0 deletions .github/workflows/htadmin-build-and-push-ghcr.yml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -66,3 +66,16 @@ jobs:
file: ./Dockerfiles/htadmin.Dockerfile
push: true
tags: ghcr.io/${{ github.repository_owner }}/malcolm/htadmin:${{ steps.extract_branch.outputs.branch }}
-
name: Run Trivy vulnerability scanner
id: trivy-scan
uses: aquasecurity/trivy-action@master
with:
scan-type: 'image'
image-ref: ghcr.io/${{ github.repository_owner }}/malcolm/htadmin:${{ steps.extract_branch.outputs.branch }}
format: 'table'
severity: 'HIGH,CRITICAL'
vuln-type: 'os,library'
hide-progress: true
ignore-unfixed: true
exit-code: '0'
13 changes: 13 additions & 0 deletions .github/workflows/logstash-build-and-push-ghcr.yml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -66,3 +66,16 @@ jobs:
file: ./Dockerfiles/logstash.Dockerfile
push: true
tags: ghcr.io/${{ github.repository_owner }}/malcolm/logstash-oss:${{ steps.extract_branch.outputs.branch }}
-
name: Run Trivy vulnerability scanner
id: trivy-scan
uses: aquasecurity/trivy-action@master
with:
scan-type: 'image'
image-ref: ghcr.io/${{ github.repository_owner }}/malcolm/logstash-oss:${{ steps.extract_branch.outputs.branch }}
format: 'table'
severity: 'HIGH,CRITICAL'
vuln-type: 'os,library'
hide-progress: true
ignore-unfixed: true
exit-code: '0'
15 changes: 14 additions & 1 deletion .github/workflows/malcolm-iso-build-docker-wrap-push-ghcr.yml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -113,6 +113,19 @@ jobs:
rm -rf ./shared/
sudo chmod 644 ./malcolm-*.*
popd
-
name: Run Trivy vulnerability scanner
id: trivy-scan
uses: aquasecurity/trivy-action@master
with:
scan-type: 'fs'
scan-ref: './malcolm-iso'
format: 'table'
severity: 'HIGH,CRITICAL'
vuln-type: 'os,library'
hide-progress: true
ignore-unfixed: true
exit-code: '0'
-
name: ghcr.io login
uses: docker/login-action@v2
Expand All @@ -126,4 +139,4 @@ jobs:
with:
context: ./malcolm-iso
push: true
tags: ghcr.io/${{ github.repository_owner }}/malcolm/malcolm:${{ steps.extract_branch.outputs.branch }}
tags: ghcr.io/${{ github.repository_owner }}/malcolm/malcolm:${{ steps.extract_branch.outputs.branch }}
13 changes: 13 additions & 0 deletions .github/workflows/netbox-build-and-push-ghcr.yml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -66,3 +66,16 @@ jobs:
file: ./Dockerfiles/netbox.Dockerfile
push: true
tags: ghcr.io/${{ github.repository_owner }}/malcolm/netbox:${{ steps.extract_branch.outputs.branch }}
-
name: Run Trivy vulnerability scanner
id: trivy-scan
uses: aquasecurity/trivy-action@master
with:
scan-type: 'image'
image-ref: ghcr.io/${{ github.repository_owner }}/malcolm/netbox:${{ steps.extract_branch.outputs.branch }}
format: 'table'
severity: 'HIGH,CRITICAL'
vuln-type: 'os,library'
hide-progress: true
ignore-unfixed: true
exit-code: '0'
13 changes: 13 additions & 0 deletions .github/workflows/nginx-build-and-push-ghcr.yml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -81,3 +81,16 @@ jobs:
GITHUB_TOKEN=${{ secrets.GITHUB_TOKEN }}
push: true
tags: ghcr.io/${{ github.repository_owner }}/malcolm/nginx-proxy:${{ steps.extract_branch.outputs.branch }}
-
name: Run Trivy vulnerability scanner
id: trivy-scan
uses: aquasecurity/trivy-action@master
with:
scan-type: 'image'
image-ref: ghcr.io/${{ github.repository_owner }}/malcolm/nginx-proxy:${{ steps.extract_branch.outputs.branch }}
format: 'table'
severity: 'HIGH,CRITICAL'
vuln-type: 'os,library'
hide-progress: true
ignore-unfixed: true
exit-code: '0'
13 changes: 13 additions & 0 deletions .github/workflows/opensearch-build-and-push-ghcr.yml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -65,3 +65,16 @@ jobs:
file: ./Dockerfiles/opensearch.Dockerfile
push: true
tags: ghcr.io/${{ github.repository_owner }}/malcolm/opensearch:${{ steps.extract_branch.outputs.branch }}
-
name: Run Trivy vulnerability scanner
id: trivy-scan
uses: aquasecurity/trivy-action@master
with:
scan-type: 'image'
image-ref: ghcr.io/${{ github.repository_owner }}/malcolm/opensearch:${{ steps.extract_branch.outputs.branch }}
format: 'table'
severity: 'HIGH,CRITICAL'
vuln-type: 'os,library'
hide-progress: true
ignore-unfixed: true
exit-code: '0'
13 changes: 13 additions & 0 deletions .github/workflows/pcap-capture-build-and-push-ghcr.yml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -66,3 +66,16 @@ jobs:
file: ./Dockerfiles/pcap-capture.Dockerfile
push: true
tags: ghcr.io/${{ github.repository_owner }}/malcolm/pcap-capture:${{ steps.extract_branch.outputs.branch }}
-
name: Run Trivy vulnerability scanner
id: trivy-scan
uses: aquasecurity/trivy-action@master
with:
scan-type: 'image'
image-ref: ghcr.io/${{ github.repository_owner }}/malcolm/pcap-capture:${{ steps.extract_branch.outputs.branch }}
format: 'table'
severity: 'HIGH,CRITICAL'
vuln-type: 'os,library'
hide-progress: true
ignore-unfixed: true
exit-code: '0'
13 changes: 13 additions & 0 deletions .github/workflows/pcap-monitor-build-and-push-ghcr.yml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -66,3 +66,16 @@ jobs:
file: ./Dockerfiles/pcap-monitor.Dockerfile
push: true
tags: ghcr.io/${{ github.repository_owner }}/malcolm/pcap-monitor:${{ steps.extract_branch.outputs.branch }}
-
name: Run Trivy vulnerability scanner
id: trivy-scan
uses: aquasecurity/trivy-action@master
with:
scan-type: 'image'
image-ref: ghcr.io/${{ github.repository_owner }}/malcolm/pcap-monitor:${{ steps.extract_branch.outputs.branch }}
format: 'table'
severity: 'HIGH,CRITICAL'
vuln-type: 'os,library'
hide-progress: true
ignore-unfixed: true
exit-code: '0'
13 changes: 13 additions & 0 deletions .github/workflows/postgresql-build-and-push-ghcr.yml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -65,3 +65,16 @@ jobs:
file: ./Dockerfiles/postgresql.Dockerfile
push: true
tags: ghcr.io/${{ github.repository_owner }}/malcolm/postgresql:${{ steps.extract_branch.outputs.branch }}
-
name: Run Trivy vulnerability scanner
id: trivy-scan
uses: aquasecurity/trivy-action@master
with:
scan-type: 'image'
image-ref: ghcr.io/${{ github.repository_owner }}/malcolm/postgresql:${{ steps.extract_branch.outputs.branch }}
format: 'table'
severity: 'HIGH,CRITICAL'
vuln-type: 'os,library'
hide-progress: true
ignore-unfixed: true
exit-code: '0'
13 changes: 13 additions & 0 deletions .github/workflows/redis-build-and-push-ghcr.yml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -65,3 +65,16 @@ jobs:
file: ./Dockerfiles/redis.Dockerfile
push: true
tags: ghcr.io/${{ github.repository_owner }}/malcolm/redis:${{ steps.extract_branch.outputs.branch }}
-
name: Run Trivy vulnerability scanner
id: trivy-scan
uses: aquasecurity/trivy-action@master
with:
scan-type: 'image'
image-ref: ghcr.io/${{ github.repository_owner }}/malcolm/redis:${{ steps.extract_branch.outputs.branch }}
format: 'table'
severity: 'HIGH,CRITICAL'
vuln-type: 'os,library'
hide-progress: true
ignore-unfixed: true
exit-code: '0'
16 changes: 14 additions & 2 deletions .github/workflows/sensor-iso-build-docker-wrap-push-ghcr.yml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -103,7 +103,19 @@ jobs:
rm -rf ./shared/ ./docs/ ./_config.yml ./_includes ./_layouts /Gemfile ./README.md
sudo chmod 644 ./hedgehog-*.*
popd
-
name: Run Trivy vulnerability scanner
id: trivy-scan
uses: aquasecurity/trivy-action@master
with:
scan-type: 'fs'
scan-ref: './sensor-iso'
format: 'table'
severity: 'HIGH,CRITICAL'
vuln-type: 'os,library'
hide-progress: true
ignore-unfixed: true
exit-code: '0'
-
name: ghcr.io login
uses: docker/login-action@v2
Expand All @@ -117,4 +129,4 @@ jobs:
with:
context: ./sensor-iso
push: true
tags: ghcr.io/${{ github.repository_owner }}/malcolm/hedgehog:${{ steps.extract_branch.outputs.branch }}
tags: ghcr.io/${{ github.repository_owner }}/malcolm/hedgehog:${{ steps.extract_branch.outputs.branch }}
13 changes: 13 additions & 0 deletions .github/workflows/suricata-build-and-push-ghcr.yml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -66,3 +66,16 @@ jobs:
file: ./Dockerfiles/suricata.Dockerfile
push: true
tags: ghcr.io/${{ github.repository_owner }}/malcolm/suricata:${{ steps.extract_branch.outputs.branch }}
-
name: Run Trivy vulnerability scanner
id: trivy-scan
uses: aquasecurity/trivy-action@master
with:
scan-type: 'image'
image-ref: ghcr.io/${{ github.repository_owner }}/malcolm/suricata:${{ steps.extract_branch.outputs.branch }}
format: 'table'
severity: 'HIGH,CRITICAL'
vuln-type: 'os,library'
hide-progress: true
ignore-unfixed: true
exit-code: '0'
13 changes: 13 additions & 0 deletions .github/workflows/zeek-build-and-push-ghcr.yml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -65,3 +65,16 @@ jobs:
file: ./Dockerfiles/zeek.Dockerfile
push: true
tags: ghcr.io/${{ github.repository_owner }}/malcolm/zeek:${{ steps.extract_branch.outputs.branch }}
-
name: Run Trivy vulnerability scanner
id: trivy-scan
uses: aquasecurity/trivy-action@master
with:
scan-type: 'image'
image-ref: ghcr.io/${{ github.repository_owner }}/malcolm/zeek:${{ steps.extract_branch.outputs.branch }}
format: 'table'
severity: 'HIGH,CRITICAL'
vuln-type: 'os,library'
hide-progress: true
ignore-unfixed: true
exit-code: '0'

0 comments on commit 192a077

Please sign in to comment.