diff --git a/.github/workflows/nightly-security-scan.yml b/.github/workflows/nightly-security-scan.yml index e2894671..4763fd1e 100644 --- a/.github/workflows/nightly-security-scan.yml +++ b/.github/workflows/nightly-security-scan.yml @@ -64,7 +64,8 @@ jobs: if: >- github.ref == 'refs/heads/develop' outputs: - image: ${{ steps.set-matrix.outputs.image_result }} + imagediff-trivy: ${{ steps.set-diff-trivy-matrix.outputs.image_diff_trivy_result }} + imagediff-docker-scout: ${{ steps.set-diff-docker-scout-matrix.outputs.image_diff_docker_scout_result }} steps: - name: scan vulnerabilities by Trivy uses: docker://docker.io/aquasec/trivy:latest 
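Review bot: The two new job outputs in this hunk point at steps and output names that do not exist in this workflow: `steps.set-diff-trivy-matrix.outputs.image_diff_trivy_result` and `steps.set-diff-docker-scout-matrix.outputs.image_diff_docker_scout_result`, whereas the steps added to the same job are `id: set-trivy-matrix` writing `image_trivy_result` and `id: set-docker-scout-matrix` writing `image_docker_scout_result`. The `result-analysis` matrix in the later hunk of this file also reads `needs.image-vulnerability.outputs.image-trivy` / `image-docker-scout`, not `imagediff-*`, so both outputs evaluate to empty and `fromJson` on them will not yield a usable matrix. These look copied from pr-security.yml; for the nightly job the lines should be `image-trivy: ${{ steps.set-trivy-matrix.outputs.image_trivy_result }}` and `image-docker-scout: ${{ steps.set-docker-scout-matrix.outputs.image_docker_scout_result }}`. The job this hunk belongs to starts before the hunk.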
@@ -72,27 +73,59 @@ jobs: with: args: image --ignore-unfixed=true --vuln-type="os,library" --exit-code=1 --format="json" --output="image-trivy.json" --no-progress portainerci/agent:develop - - name: upload image security scan result as artifact + - name: upload Trivy image security scan result as artifact uses: actions/upload-artifact@v3 with: name: image-security-scan-develop-result path: image-trivy.json - - name: develop scan report export to html + - name: develop Trivy scan report export to html run: | - $(docker run --rm -v ${{ github.workspace }}:/data portainerci/code-security-report:latest summary --report-type=trivy --path="/data/image-trivy.json" --output-type=table --export --export-filename="/data/image-result") + $(docker run --rm -v ${{ github.workspace }}:/data portainerci/code-security-report:latest summary --report-type=trivy --path="/data/image-trivy.json" --output-type=table --export --export-filename="/data/image-trivy-result") - - name: upload html file as artifact + - name: upload html file as Trivy artifact uses: actions/upload-artifact@v3 with: name: html-image-result-${{github.run_id}} - path: image-result.html + path: image-trivy-result.html - - name: analyse vulnerabilities - id: set-matrix + - name: analyse vulnerabilities from Trivy + id: set-trivy-matrix run: | result=$(docker run --rm -v ${{ github.workspace }}:/data portainerci/code-security-report:latest summary --report-type=trivy --path="/data/image-trivy.json" --output-type=matrix) - echo "image_result=${result}" >> $GITHUB_OUTPUT + echo "image_trivy_result=${result}" >> $GITHUB_OUTPUT + + - name: scan vulnerabilities by Docker Scout + uses: docker/scout-action@v1 + continue-on-error: true + with: + command: cves + image: portainerci/agent:develop + sarif-file: image-docker-scout.json + dockerhub-user: ${{ secrets.DOCKER_HUB_USERNAME }} + dockerhub-password: ${{ secrets.DOCKER_HUB_PASSWORD }} + + - name: upload Docker Scout image security scan result as artifact + uses: 
actions/upload-artifact@v3 + with: + name: image-security-scan-develop-result + path: image-docker-scout.json + + - name: develop Docker Scout scan report export to html + run: | + $(docker run --rm -v ${{ github.workspace }}:/data portainerci/code-security-report:latest summary --report-type=docker-scout --path="/data/image-docker-scout.json" --output-type=table --export --export-filename="/data/image-docker-scout-result") + + - name: upload html file as Docker Scout artifact + uses: actions/upload-artifact@v3 + with: + name: html-image-result-${{github.run_id}} + path: image-docker-scout-result.html + + - name: analyse vulnerabilities from Docker Scout + id: set-docker-scout-matrix + run: | + result=$(docker run --rm -v ${{ github.workspace }}:/data portainerci/code-security-report:latest summary --report-type=docker-scout --path="/data/image-docker-scout.json" --output-type=matrix) + echo "image_docker_scout_result=${result}" >> $GITHUB_OUTPUT result-analysis: name: Analyse Scan Results @@ -103,19 +136,23 @@ jobs: strategy: matrix: go: ${{fromJson(needs.server-dependencies.outputs.go)}} - image: ${{fromJson(needs.image-vulnerability.outputs.image)}} + image-trivy: ${{fromJson(needs.image-vulnerability.outputs.image-trivy)}} + image-docker-scout: ${{fromJson(needs.image-vulnerability.outputs.image-docker-scout)}} steps: - name: display the results of Go and image scan run: | echo "${{ matrix.go.status }}" - echo "${{ matrix.image.status }}" + echo "${{ matrix.image-trivy.status }}" + echo "${{ matrix.image-docker-scout.status }}" echo "${{ matrix.go.summary }}" - echo "${{ matrix.image.summary }}" + echo "${{ matrix.image-trivy.summary }}" + echo "${{ matrix.image-docker-scout.summary }}" - name: send message to Slack if: >- matrix.go.status == 'failure' || - matrix.image.status == 'failure' + matrix.image-trivy.status == 'failure' || + matrix.image-docker-scout.status == 'failure' uses: slackapi/slack-github-action@v1.23.0 with: payload: | 
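Review bot: `continue-on-error: true` on the new Docker Scout scan step lets a failed scan (for example a rejected Docker Hub login) pass, while the following steps unconditionally feed `/data/image-docker-scout.json` to the report container, so a scanner failure either breaks later on a missing file or is summarised as a clean result; the Docker Scout step added to pr-security.yml has the same gap. Either drop `continue-on-error` so the job fails visibly, or make the absence explicit before the export step, e.g. `if [[ ! -s image-docker-scout.json ]]; then echo "Docker Scout produced no report" >&2; exit 1; fi`. Separately, `docker/scout-action@v1` is a mutable tag that receives `DOCKER_HUB_USERNAME`/`DOCKER_HUB_PASSWORD`; pinning it to a full commit SHA (as is also advisable for the pre-existing `aquasec/trivy:latest`) keeps the scanner itself out of the supply-chain surface. The Trivy step whose `args:` open this hunk begins before it.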
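Review bot: The added `echo "${{ matrix.image-trivy.summary }}"` and `echo "${{ matrix.image-docker-scout.summary }}"` lines expand the scanner summary into the `run:` script before the shell parses it, so quotes, backticks or `$(` in a vulnerability title or package name are executed rather than printed; the same pattern appears in the result-analysis hunk of pr-security.yml, where the scanned image is built from the pull request. Whether a PR can actually shape that text depends on what `code-security-report` emits, which is not visible here, but the safe form costs nothing: declare `env:` entries such as `IMAGE_TRIVY_SUMMARY: ${{ matrix.image-trivy.summary }}` on the step and write `echo "$IMAGE_TRIVY_SUMMARY"` in the script. The job's `strategy:` block starts before this hunk.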
@@ -144,7 +181,14 @@ jobs: "type": "section", "text": { "type": "mrkdwn", - "text": "*Image vulnerability check*: *${{ matrix.image.status }}*\n${{ matrix.image.summary }}\n" + "text": "*Image Trivy vulnerability check*: *${{ matrix.image-trivy.status }}*\n${{ matrix.image-trivy.summary }}\n" + } + }, + { + "type": "section", + "text": { + "type": "mrkdwn", + "text": "*Image Docker Scout vulnerability check*: *${{ matrix.image-docker-scout.status }}*\n${{ matrix.image-docker-scout.summary }}\n" } } ] diff --git a/.github/workflows/pr-security.yml b/.github/workflows/pr-security.yml index 9c870875..fe124188 100644 --- a/.github/workflows/pr-security.yml +++ b/.github/workflows/pr-security.yml @@ -85,7 +85,8 @@ jobs: github.event.pull_request && github.event.review.body == '/scan' outputs: - imagediff: ${{ steps.set-diff-matrix.outputs.image_diff_result }} + imagediff-trivy: ${{ steps.set-diff-trivy-matrix.outputs.image_diff_trivy_result }} + imagediff-docker-scout: ${{ steps.set-diff-docker-scout-matrix.outputs.image_diff_docker_scout_result }} steps: - name: checkout code uses: actions/checkout@master @@ -122,13 +123,13 @@ jobs: with: args: image --ignore-unfixed=true --vuln-type="os,library" --exit-code=1 --format="json" --output="image-trivy.json" --no-progress portainer-agent:${{ github.sha }} - - name: upload image security scan result as artifact + - name: upload Trivy image security scan result as artifact uses: actions/upload-artifact@v3 with: name: image-security-scan-feature-result path: image-trivy.json - - name: download artifacts from develop branch built by nightly scan + - name: download Trivy artifacts from develop branch built by nightly scan env: GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} run: | 
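Review bot: The new `"text"` line places `${{ matrix.image-docker-scout.summary }}` directly inside a JSON string literal, so a double quote, backslash or raw newline in the summary produces an invalid payload and the Slack step fails (the rewritten Trivy line just above has the same exposure). Escaping the value with `${{ toJSON(matrix.image-docker-scout.summary) }}` — emitting it as its own JSON field rather than splicing it into a hand-built string — or switching the step to the action's `payload-file-path` input avoids hand-assembled JSON. The `payload: |` block this hunk edits begins before the hunk.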
@@ -140,21 +141,65 @@ jobs: echo "null" > ./image-trivy-develop.json fi - - name: pr vs develop scan report comparison export to html + - name: pr vs develop Trivy scan report comparison export to html run: | - $(docker run --rm -v ${{ github.workspace }}:/data portainerci/code-security-report:latest diff --report-type=trivy --path="/data/image-trivy-feature.json" --compare-to="/data/image-trivy-develop.json" --output-type=table --export --export-filename="/data/image-result") + $(docker run --rm -v ${{ github.workspace }}:/data portainerci/code-security-report:latest diff --report-type=trivy --path="/data/image-trivy-feature.json" --compare-to="/data/image-trivy-develop.json" --output-type=table --export --export-filename="/data/image-trivy-result") - - name: upload html file as artifact + - name: upload html file as Trivy artifact uses: actions/upload-artifact@v3 with: name: html-image-result-compare-to-develop-${{github.run_id}} - path: image-result.html + path: image-trivy-result.html - - name: analyse different vulnerabilities against develop branch - id: set-diff-matrix + - name: analyse different vulnerabilities against develop branch by Trivy + id: set-diff-trivy-matrix run: | result=$(docker run --rm -v ${{ github.workspace }}:/data portainerci/code-security-report:latest diff --report-type=trivy --path="/data/image-trivy-feature.json" --compare-to="/data/image-trivy-develop.json" --output-type=matrix) - echo "image_diff_result=${result}" >> $GITHUB_OUTPUT + echo "image_diff_trivy_result=${result}" >> $GITHUB_OUTPUT + + - name: scan vulnerabilities by Docker Scout + uses: docker/scout-action@v1 + continue-on-error: true + with: + command: cves + image: portainer-agent:${{ github.sha }} + sarif-file: image-docker-scout.json + dockerhub-user: ${{ secrets.DOCKER_HUB_USERNAME }} + dockerhub-password: ${{ secrets.DOCKER_HUB_PASSWORD }} + + - name: upload Docker Scout image security scan result as artifact + uses: actions/upload-artifact@v3 + with: + name: 
image-security-scan-feature-result + path: image-docker-scout.json + + - name: download Docker Scout artifacts from develop branch built by nightly scan + env: + GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} + run: | + mv ./image-docker-scout.json ./image-docker-scout-feature.json + (gh run download -n image-security-scan-develop-result -R ${{ github.repository }} 2>&1 >/dev/null) || : + if [[ -e ./image-docker-scout.json ]]; then + mv ./image-docker-scout.json ./image-docker-scout-develop.json + else + echo "null" > ./image-docker-scout-develop.json + fi + + - name: pr vs develop Docker Scout scan report comparison export to html + run: | + $(docker run --rm -v ${{ github.workspace }}:/data portainerci/code-security-report:latest diff --report-type=docker-scout --path="/data/image-docker-scout-feature.json" --compare-to="/data/image-docker-scout-develop.json" --output-type=table --export --export-filename="/data/image-docker-scout-result") + + - name: upload html file as Docker Scout artifact + uses: actions/upload-artifact@v3 + with: + name: html-image-result-compare-to-develop-${{github.run_id}} + path: image-docker-scout-result.html + + - name: analyse different vulnerabilities against develop branch by Docker Scout + id: set-diff-docker-scout-matrix + run: | + result=$(docker run --rm -v ${{ github.workspace }}:/data portainerci/code-security-report:latest diff --report-type=docker-scout --path="/data/image-docker-scout-feature.json" --compare-to="/data/image-docker-scout-develop.json" --output-type=matrix) + echo "image_diff_docker_scout_result=${result}" >> $GITHUB_OUTPUT result-analysis: name: Analyse Scan Result Against develop Branch 
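Review bot: The Docker Scout upload reuses the artifact name `image-security-scan-feature-result` already used for `image-trivy.json`, and the develop download again pulls `image-security-scan-develop-result`, which after this commit holds both scanner files. Since `gh run download -n` fetches every file in the artifact, the earlier Trivy download step (its body is outside this hunk) very likely leaves a develop `image-docker-scout.json` in the workspace before the Docker Scout scan runs; if that scan fails under `continue-on-error: true` and writes nothing, the `mv ./image-docker-scout.json ./image-docker-scout-feature.json` line renames the develop report and the diff then compares develop with itself, reporting no new findings. Clearing the stale file ahead of the scan (`rm -f ./image-docker-scout.json`) closes that path, and giving each scanner its own artifact name such as `image-security-scan-feature-result-docker-scout` keeps the two reports from being bundled (upload-artifact v3 appends to a same-named artifact; v4 rejects it). The `image-vulnerability` job this hunk edits starts before it.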
@@ -166,15 +211,19 @@ jobs: strategy: matrix: godiff: ${{fromJson(needs.server-dependencies.outputs.godiff)}} - imagediff: ${{fromJson(needs.image-vulnerability.outputs.imagediff)}} + imagediff-trivy: ${{fromJson(needs.image-vulnerability.outputs.imagediff-trivy)}} + imagediff-docker-scout: ${{fromJson(needs.image-vulnerability.outputs.imagediff-docker-scout)}} steps: - name: check job status of diff result if: >- matrix.godiff.status == 'failure' || - matrix.imagediff.status == 'failure' + matrix.imagediff-trivy.status == 'failure' || + matrix.imagediff-docker-scout.status == 'failure' run: | echo "${{ matrix.godiff.status }}" - echo "${{ matrix.imagediff.status }}" + echo "${{ matrix.imagediff-trivy.status }}" + echo "${{ matrix.imagediff-docker-scout.status }}" echo "${{ matrix.godiff.summary }}" - echo "${{ matrix.imagediff.summary }}" + echo "${{ matrix.imagediff-trivy.summary }}" + echo "${{ matrix.imagediff-docker-scout.summary }}" exit 1