From ca8b9ed735b65849ab1ae059adce9507dcb55d23 Mon Sep 17 00:00:00 2001
From: Matthew Elwell
Date: Fri, 1 Nov 2024 16:58:01 +0000
Subject: [PATCH] ci: replace trivy scan action with one in Flagsmith/actions repo (#4766)
---
.github/actions/trivy-scan-image/action.yml | 77 -------------------
.github/workflows/.reusable-docker-build.yml | 2 +-
.../workflows/platform-docker-trivy-scan.yml | 2 +-
3 files changed, 2 insertions(+), 79 deletions(-)
delete mode 100644 .github/actions/trivy-scan-image/action.yml
diff --git a/.github/actions/trivy-scan-image/action.yml b/.github/actions/trivy-scan-image/action.yml
deleted file mode 100644
index 81c7fae5ca55..000000000000
--- a/.github/actions/trivy-scan-image/action.yml
+++ /dev/null
@@ -1,77 +0,0 @@ -# Required permissions: -# contents: read -# security-events: write - -name: Run Trivy vulnerability scanner -description: Run Trivy vulnerability scanner on an image and upload the results - -inputs: - image-tag: - description: Full image ref (e.g. `ghcr.io/flagsmith/flagsmith:main`). - required: true - category: - description: CodeQL category (usually image name, e.g. `flagsmith-api`). - required: true - query: - description: CodeQL query (used for report URLs). - required: false - trivy-username: - description: TRIVY_USERNAME value. - required: false - trivy-password: - description: TRIVY_PASSWORD value. - required: false - trivy-db-repository: - description: TRIVY_DB_REPOSITORY value. - required: false - trivy-java-db-repository: - description: TRIVY_JAVA_DB_REPOSITORY value. - required: false - -outputs: - scan-results-url: - description: URL to scan results in Github Security tab - value: ${{ steps.scan-results-url.outputs.scan-results-url }} - scan-outcome: - description: Scan outcome - value: ${{ steps.trivy.outcome }} - -runs: - using: composite - - steps: - - name: Checkout trivy.yaml - uses: actions/checkout@v4 - with: - sparse-checkout: | - trivy.yaml - .github* - sparse-checkout-cone-mode: false - - - name: Run Trivy on ${{ inputs.image-tag }} - id: trivy - uses: aquasecurity/trivy-action@master - with: - image-ref: ${{ inputs.image-tag }} - format: sarif - output: trivy-results.sarif - env: - TRIVY_USERNAME: ${{ inputs.trivy-username }} - TRIVY_PASSWORD: ${{ inputs.trivy-password }} - TRIVY_DB_REPOSITORY: ${{ inputs.trivy-db-repository }} - TRIVY_JAVA_DB_REPOSITORY: ${{ inputs.trivy-java-db-repository }} - - - name: Upload Trivy scan results to GitHub Security tab - uses: github/codeql-action/upload-sarif@v3 - if: success() || failure() - with: - category: ${{ inputs.category }} - sarif_file: trivy-results.sarif - - - name: Render scan results URL - if: success() || failure() - id: scan-results-url - run: > - echo 
scan-results-url=${{ format('{0}/{1}/security/code-scanning?query=is:open+tool:Trivy+{2}',
- github.server_url, github.repository, inputs.query) }} >> $GITHUB_OUTPUT
- shell: bash
diff --git a/.github/workflows/.reusable-docker-build.yml b/.github/workflows/.reusable-docker-build.yml
index 806cf977045b..79fab6131f45 100644
--- a/.github/workflows/.reusable-docker-build.yml
+++ b/.github/workflows/.reusable-docker-build.yml
@@ -148,7 +148,7 @@ jobs:
- name: Scan ${{ steps.image-tag.outputs.image-tag }} image
id: trivy
- uses: ./.github/actions/trivy-scan-image
+ uses: Flagsmith/actions/trivy-scan-image@v0.3.0
if: inputs.scan
with:
image-tag: ${{ steps.image-tag.outputs.image-tag }}
diff --git a/.github/workflows/platform-docker-trivy-scan.yml b/.github/workflows/platform-docker-trivy-scan.yml
index 9c3ac1391eb6..8a42647ed5fd 100644
--- a/.github/workflows/platform-docker-trivy-scan.yml
+++ b/.github/workflows/platform-docker-trivy-scan.yml
@@ -101,7 +101,7 @@ jobs:
- name: Scan ${{ matrix.image-name }}:main image
id: trivy
- uses: ./.github/actions/trivy-scan-image
+ uses: Flagsmith/actions/trivy-scan-image@v0.3.0
with:
image-tag: ${{ env.REGISTRY_URL }}/flagsmith/${{ matrix.image-name }}:main
category: ${{ matrix.image-name }}
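Review bot: The new `uses: Flagsmith/actions/trivy-scan-image@v0.3.0` line in .reusable-docker-build.yml references the external action by a mutable tag, so anyone able to move `v0.3.0` in Flagsmith/actions can change the code this step runs; the deleted local action shows the step accepts registry credentials (`trivy-username`/`trivy-password` inputs) and needs `security-events: write` to upload SARIF, which makes it supply-chain sensitive. Pin it to the full commit SHA that `v0.3.0` currently points at and keep the version as a trailing comment, e.g. `uses: Flagsmith/actions/trivy-scan-image@<full-commit-sha>  # v0.3.0`, so Dependabot/Renovate can still track updates. It is also worth confirming that the external action pins its own `aquasecurity/trivy-action` dependency, since the local copy was on `@master` and that pin is now outside this repository's review. The enclosing job and the rest of the step's `with:` block continue outside the hunk.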
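Review bot: The deleted local action carried a header listing the permissions the scan step needs (`contents: read`, `security-events: write`), and that requirement now lives in an external repository where a reader of platform-docker-trivy-scan.yml will not see it; the new `uses: Flagsmith/actions/trivy-scan-image@v0.3.0` line gives no hint that the step presumably still uploads SARIF to the Security tab as the local action did. Add a comment above the step, `# needs permissions: contents: read, security-events: write (SARIF upload; see Flagsmith/actions trivy-scan-image)`, so the job's `permissions:` block is not later trimmed below what the action requires. As in the reusable workflow, pinning the action to a full commit SHA with `# v0.3.0` as a trailing comment rather than the bare tag is advisable. The job's `permissions:` block and the remainder of the step are outside the hunk.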