feat(containers): generate and attest trivy SBOM (#52)
Also introduces using new trivy convert command to reduce scanning overhead
hairmare authored Jul 9, 2023
1 parent 3120679 commit ac15644
Showing 3 changed files with 70 additions and 22 deletions.
52 changes: 41 additions & 11 deletions .github/workflows/release-container.yaml
@@ -122,19 +122,32 @@ jobs:
env:
DOCKER_CONTENT_TRUST: 1

- name: Run Trivy vulnerability scanner (sarif)
- name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@0.11.2
with:
image-ref: '${{ inputs.image }}:${{ steps.meta.outputs.version }}'
format: 'sarif'
format: 'json'
ignore-unfixed: true
output: 'trivy-results.sarif'
list-all-pkgs: true
output: 'trivy.json'

- name: Convert trivy results to sarif
uses: aquasecurity/trivy-action@0.11.2
with:
image-ref: trivy.json
scan-type: 'convert'
format: 'sarif'
# we don't actually limit them, but this gates the convert action
limit-severities-for-sarif: true
# empty makes it skip the --vuln-type arg
vuln-type: ''
output: 'trivy.sarif'

- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v2
if: always()
with:
sarif_file: 'trivy-results.sarif'
sarif_file: 'trivy.sarif'

- name: Login to GitHub Container Registry
uses: docker/login-action@v2
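Review bot: both steps in this hunk pin `aquasecurity/trivy-action@0.11.2` by tag; because this workflow's output feeds signed attestations later in the file, pin the action by full commit SHA (keeping the version in a trailing comment) so a moved or re-pushed tag cannot silently change what produced `trivy.json` and `trivy.sarif`. The `limit-severities-for-sarif: true` / `vuln-type: ''` pair exists only to drive the action's `convert` code path, as the two comments say; consolidate that into one comment above the step so a future maintainer does not remove these apparently unused inputs.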
@@ -166,17 +179,34 @@ jobs:
env:
TAGS: ${{ steps.meta.outputs.tags }}

# see https://github.com/aquasecurity/trivy/issues/3243 for why we run it twice
# we create a vuln.jsn if we also plan on uploading it as attestation
- name: Run Trivy vulnerability scanner (cosign-vuln)
- name: Convert trivy results to CycloneDX
uses: aquasecurity/trivy-action@0.11.2
with:
image-ref: trivy.json
scan-type: 'convert'
format: 'cyclonedx'
# we don't actually limit them, but this gates the convert action
limit-severities-for-sarif: true
# empty makes it skip the --vuln-type arg
vuln-type: ''
output: 'trivy.cdx'

- name: Attach an SBOM attestation to the signed image
run: cosign attest --yes --type cyclonedx --predicate trivy.cdx ${{ inputs.image }}@${{ steps.docker_push.outputs.digest }}
if: github.event_name != 'pull_request' && startsWith(github.event.ref, 'refs/tags/v')

- name: Convert trivy results to cosign-vuln
uses: aquasecurity/trivy-action@0.11.2
with:
image-ref: '${{ inputs.image }}:${{ steps.meta.outputs.version }}'
image-ref: trivy.json
scan-type: 'convert'
format: 'cosign-vuln'
ignore-unfixed: true
output: 'vuln.json'
# we don't actually limit them, but this gates the convert action
limit-severities-for-sarif: true
# empty makes it skip the --vuln-type arg
vuln-type: ''
output: 'trivy.cosign.json'

- name: Attach a security attestation to the signed image
run: cosign attest --yes --type vuln --predicate vuln.json ${{ inputs.image }}@${{ steps.docker_push.outputs.digest }}
run: cosign attest --yes --type vuln --predicate trivy.cosign.json ${{ inputs.image }}@${{ steps.docker_push.outputs.digest }}
if: github.event_name != 'pull_request' && startsWith(github.event.ref, 'refs/tags/v')
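Review bot: the comment block at the top of this hunk (`# see https://github.com/aquasecurity/trivy/issues/3243 for why we run it twice` / `# we create a vuln.jsn if we also plan on uploading it as attestation`) is stale after this change: the scanner now runs once and the predicate file is `trivy.cosign.json`, not `vuln.jsn`. Replace it with a note that the single `trivy.json` is converted to SARIF, CycloneDX and cosign-vuln. Separately, `ignore-unfixed: true` on the initial scan means the `vuln` attestation only lists vulnerabilities that already have a fix; if that is intentional, say so in a comment on the attest step, since consumers verifying the predicate will otherwise read it as a complete finding list.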
37 changes: 26 additions & 11 deletions .github/workflows/schedule-trivy.yaml
@@ -34,31 +34,46 @@ jobs:
- name: Install Cosign
uses: sigstore/cosign-installer@v3.1.1

- name: Run Trivy vulnerability scanner (sarif)
- name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@0.11.2
with:
image-ref: ${{ inputs.image-ref }}
timeout: ${{ inputs.timeout }}
format: 'sarif'
format: 'json'
ignore-unfixed: true
list-all-pkgs: true
scanners: 'vuln'
output: 'trivy-results.sarif'
output: 'trivy.json'

- name: Convert trivy results to sarif
uses: aquasecurity/trivy-action@0.11.2
with:
image-ref: trivy.json
scan-type: 'convert'
format: 'sarif'
# we don't actually limit them, but this gates the convert action
limit-severities-for-sarif: true
# empty makes it skip the --vuln-type arg
vuln-type: ''
output: 'trivy.sarif'

- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v2
if: always()
with:
sarif_file: 'trivy-results.sarif'
sarif_file: 'trivy.sarif'

# see https://github.com/aquasecurity/trivy/issues/3243 for why we run it twice
# we create a vuln.jsn if we also plan on uploading it as attestation
- name: Run Trivy vulnerability scanner (cosign-vuln)
- name: Convert trivy results to cosign-vuln
uses: aquasecurity/trivy-action@0.11.2
with:
image-ref: 'ghcr.io/radiorabe/ubi9-minimal:${{ steps.meta.outputs.version }}'
image-ref: trivy.json
scan-type: 'convert'
format: 'cosign-vuln'
ignore-unfixed: true
output: 'vuln.json'
# we don't actually limit them, but this gates the convert action
limit-severities-for-sarif: true
# empty makes it skip the --vuln-type arg
vuln-type: ''
output: 'trivy.cosign.json'

- name: Login to GitHub Container Registry
uses: docker/login-action@v2
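Review bot: the SARIF upload keeps `if: always()` but the new `Convert trivy results to sarif` step does not; if the scan step fails (for example on the `timeout` input) the convert step is skipped and the upload then fails a second time on a missing `trivy.sarif`. Either add `if: always()` to the convert step as well, or make the upload conditional on the convert step's outcome. The same stale `run it twice` / `vuln.jsn` comment as in release-container.yaml still sits above the cosign-vuln convert step here and should be updated in the same way.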
@@ -68,4 +83,4 @@ jobs:
password: ${{ secrets.GITHUB_TOKEN }}

- name: Attach a security attestation to the signed image
run: cosign attest --yes --type vuln --predicate vuln.json ${{ inputs.image-ref }}
run: cosign attest --yes --type vuln --predicate trivy.cosign.json ${{ inputs.image-ref }}
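Review bot: this attest step signs `${{ inputs.image-ref }}`, a tag, whereas release-container.yaml attests `${{ inputs.image }}@${{ steps.docker_push.outputs.digest }}`. With a mutable tag, cosign resolves the digest at attest time, so if the tag is re-pushed between the scan at the top of the job and this step, the vulnerability attestation is bound to an image that is not the one that was scanned. Resolve the digest once before scanning (for example with `crane digest` or `docker buildx imagetools inspect`) and pass the `@sha256:...` reference to both the scan and the attest step.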
3 changes: 3 additions & 0 deletions README.md
@@ -114,6 +114,9 @@ jobs:
8. Pass `--base-image-only` to cosign if you are copying binaries from a
source image that isn't signed with cosign.

As a last step, it is recommended to add `trivy.*` to both your `.gitignore`
and `.dockerignore` files so trivy can't interfere with multi-stage builds.

#### Container: Schedule

To scan the latest container image with trivy at regular intervals, create this `.github/workflows/schedule.yaml`:
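Review bot: the new paragraph recommends ignoring `trivy.*` but does not say which files the workflows write; list them (`trivy.json`, `trivy.sarif`, `trivy.cdx`, `trivy.cosign.json`, all introduced by this commit) so readers can check the glob, and spell out that `.gitignore` prevents accidental commits while `.dockerignore` is what keeps the files out of the build context in multi-stage builds. Since the paragraph directly follows step 8, consider numbering it as step 9 rather than an unnumbered "last step".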