From ad29083515fd9514d7f01fad9dfecdb3a24e8dd9 Mon Sep 17 00:00:00 2001 From: Robert Schardt Date: Thu, 24 Oct 2024 15:47:37 +0200 Subject: [PATCH 01/32] Add research-vuln-scan workflow --- .github/workflows/research-vuln-scan.yml | 92 ++++++++++++++++++++++++ 1 file changed, 92 insertions(+) create mode 100644 .github/workflows/research-vuln-scan.yml diff --git a/.github/workflows/research-vuln-scan.yml b/.github/workflows/research-vuln-scan.yml new file mode 100644 index 0000000..206842e --- /dev/null +++ b/.github/workflows/research-vuln-scan.yml 
@@ -0,0 +1,92 @@ +name: trivy & grype & sarif & docker scout vulnerability scan + +on: + push: + branches: [ "main" ] + pull_request: + # The branches below must be a subset of the branches above + branches: [ "main" ] + #schedule: + # - cron: '24 23 * * 0' + +permissions: + contents: read + +jobs: + build: + permissions: + contents: read # for actions/checkout to fetch code + security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status + name: Build + runs-on: "ubuntu-20.04" + steps: + - name: Checkout code + uses: actions/checkout@v4 + + - name: Build an image from Dockerfile + run: | + docker build -t greenbone/opensight-postgres:${{ github.sha }} . + + - name: Run Trivy vulnerability scanner + uses: aquasecurity/trivy-action@7b7aa264d83dc58691451798b4d117d53d21edfe + with: + image-ref: 'greenbone/opensight-postgres:${{ github.sha }}' + format: 'template' + template: '@/contrib/sarif.tpl' + output: 'trivy-results.sarif' + severity: 'CRITICAL,HIGH' + + - name: Upload Trivy scan results to GitHub Security tab + uses: github/codeql-action/upload-sarif@v3 + with: + sarif_file: 'trivy-results.sarif' + + - name: Run the Anchore Grype scan action + uses: anchore/scan-action@d5aa5b6cb9414b0c7771438046ff5bcfa2854ed7 + id: grype + with: + image: "greenbone/opensight-postgres:${{ github.sha }}" + fail-build: true + severity-cutoff: critical + + - name: Upload grype vulnerability report + uses: github/codeql-action/upload-sarif@v3 + with: + sarif_file: ${{ steps.grype.outputs.sarif }} + + - name: Run Snyk to check Docker image for vulnerabilities + # Snyk can be used to break the build when it detects vulnerabilities. 
+ # In this case we want to upload the issues to GitHub Code Scanning + continue-on-error: true + uses: snyk/actions/docker@14818c4695ecc4045f33c9cee9e795a788711ca4 + env: + # In order to use the Snyk Action you will need to have a Snyk API token. + # More details in https://github.com/snyk/actions#getting-your-snyk-token + # or you can signup for free at https://snyk.io/login + SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} + with: + image: "greenbone/opensight-postgres:${{ github.sha }}" + args: --file=Dockerfile + + - name: Upload snyk result to GitHub Code Scanning + uses: github/codeql-action/upload-sarif@v3 + with: + sarif_file: snyk.sarif + + - name: Analyze for critical and high CVEs + id: docker-scout-cves + if: ${{ github.event_name != 'pull_request_target' }} + uses: docker/scout-action@v1 + with: + command: cves, recommendations, compare + image: "greenbone/opensight-postgres:${{ github.sha }}" + sarif-file: sarif.output.json + summary: true + + - name: Upload docker scout SARIF result + id: upload-sarif + if: ${{ github.event_name != 'pull_request_target' }} + uses: github/codeql-action/upload-sarif@v2 + with: + sarif_file: sarif.output.json From a5ce9af0948d4e5d054e7c92a7e0f23c922a286a Mon Sep 17 00:00:00 2001 From: robert-schardt Date: Thu, 24 Oct 2024 16:02:42 +0200 Subject: [PATCH 02/32] Update research-vuln-scan.yml --- .github/workflows/research-vuln-scan.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/research-vuln-scan.yml b/.github/workflows/research-vuln-scan.yml index 206842e..6ed07ff 100644 --- a/.github/workflows/research-vuln-scan.yml +++ b/.github/workflows/research-vuln-scan.yml 
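Review bot: The `uses:` references in this new workflow are pinned inconsistently — `aquasecurity/trivy-action`, `anchore/scan-action` and `snyk/actions/docker` by full commit SHA, but `github/codeql-action/upload-sarif@v3` (and `@v2` in the Scout upload step) and `docker/scout-action@v1` by mutable tag — so the job's `security-events: write` token flows into action code that can change underneath the pin. Pin every action to a commit SHA with a `# vX.Y.Z` comment and use one `upload-sarif` major for all four uploads. The `if: ${{ github.event_name != 'pull_request_target' }}` conditions on the two Scout steps are dead code, since the workflow only triggers on `push` and `pull_request`, and can be dropped. The `Upload snyk result` step has no `if: always()` or `continue-on-error`, so whenever the preceding Snyk step fails without writing `snyk.sarif` (e.g. a fork PR, where `secrets.SNYK_TOKEN` is empty) the upload hard-fails on the missing file.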
@@ -65,9 +65,9 @@ jobs: # More details in https://github.com/snyk/actions#getting-your-snyk-token # or you can signup for free at https://snyk.io/login SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} - with: - image: "greenbone/opensight-postgres:${{ github.sha }}" - args: --file=Dockerfile + with: + image: "greenbone/opensight-postgres:${{ github.sha }}" + args: --file=Dockerfile - name: Upload snyk result to GitHub Code Scanning uses: github/codeql-action/upload-sarif@v3 From d9e95ce803d60b46d6b63bea38f52fb4be903be5 Mon Sep 17 00:00:00 2001 From: robert-schardt Date: Thu, 24 Oct 2024 16:13:05 +0200 Subject: [PATCH 03/32] Update research-vuln-scan.yml --- .github/workflows/research-vuln-scan.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/research-vuln-scan.yml b/.github/workflows/research-vuln-scan.yml index 6ed07ff..2caaf93 100644 --- a/.github/workflows/research-vuln-scan.yml +++ b/.github/workflows/research-vuln-scan.yml @@ -47,8 +47,8 @@ jobs: id: grype with: image: "greenbone/opensight-postgres:${{ github.sha }}" - fail-build: true - severity-cutoff: critical + # fail-build: true + # severity-cutoff: critical - name: Upload grype vulnerability report uses: github/codeql-action/upload-sarif@v3 From 8fa555fb018d725da44e47b6fe8ccca19d7c731c Mon Sep 17 00:00:00 2001 From: robert-schardt Date: Thu, 24 Oct 2024 16:16:09 +0200 Subject: [PATCH 04/32] Update research-vuln-scan.yml --- .github/workflows/research-vuln-scan.yml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/.github/workflows/research-vuln-scan.yml b/.github/workflows/research-vuln-scan.yml index 2caaf93..04cffd5 100644 --- a/.github/workflows/research-vuln-scan.yml +++ b/.github/workflows/research-vuln-scan.yml 
@@ -47,8 +47,7 @@ jobs: id: grype with: image: "greenbone/opensight-postgres:${{ github.sha }}" - # fail-build: true - # severity-cutoff: critical + fail-build: false - name: Upload grype vulnerability report uses: github/codeql-action/upload-sarif@v3 From e4e74e06a7852f1f3f8e5877affbb0238ce7851c Mon Sep 17 00:00:00 2001 From: robert-schardt Date: Thu, 24 Oct 2024 16:26:49 +0200 Subject: [PATCH 05/32] Update research-vuln-scan.yml --- .github/workflows/research-vuln-scan.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/research-vuln-scan.yml b/.github/workflows/research-vuln-scan.yml index 04cffd5..96939a7 100644 --- a/.github/workflows/research-vuln-scan.yml +++ b/.github/workflows/research-vuln-scan.yml @@ -71,7 +71,7 @@ jobs: - name: Upload snyk result to GitHub Code Scanning uses: github/codeql-action/upload-sarif@v3 with: - sarif_file: snyk.sarif + sarif_file: build.sarif - name: Analyze for critical and high CVEs id: docker-scout-cves From 0db1823e7a4d22fb4f5d551ec282351e979d4fd5 Mon Sep 17 00:00:00 2001 From: robert-schardt Date: Thu, 24 Oct 2024 16:38:39 +0200 Subject: [PATCH 06/32] Update research-vuln-scan.yml --- .github/workflows/research-vuln-scan.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/research-vuln-scan.yml b/.github/workflows/research-vuln-scan.yml index 96939a7..6a4d365 100644 --- a/.github/workflows/research-vuln-scan.yml +++ b/.github/workflows/research-vuln-scan.yml @@ -68,10 +68,10 @@ jobs: image: "greenbone/opensight-postgres:${{ github.sha }}" args: --file=Dockerfile - - name: Upload snyk result to GitHub Code Scanning - uses: github/codeql-action/upload-sarif@v3 - with: - sarif_file: build.sarif + #- name: Upload snyk result to GitHub Code Scanning + # uses: github/codeql-action/upload-sarif@v3 + #with: + # sarif_file: snyk.sarif - name: Analyze for critical and high CVEs id: docker-scout-cves 
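Review bot: `fail-build: false` (replacing the commented-out `fail-build: true` / `severity-cutoff: critical`) turns the Grype step from a merge gate into a purely informational scan: a PR that introduces a CRITICAL finding now passes CI and the result only appears in the Security tab after the SARIF upload. If that is intended, record it next to the option, e.g. `fail-build: false  # informational only — findings surface via the SARIF upload, not as a CI gate`; if not, keep the gate for critical findings and let lower severities flow to SARIF. The commit message ("Update research-vuln-scan.yml") does not explain the decision, so the comment is the only place it can live. The enclosing `Run the Anchore Grype scan action` step starts outside this hunk.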
From f65e2d858f352622d3c0065e05657d2c1cb43509 Mon Sep 17 00:00:00 2001 From: robert-schardt Date: Thu, 24 Oct 2024 16:42:39 +0200 Subject: [PATCH 07/32] Update research-vuln-scan.yml --- .github/workflows/research-vuln-scan.yml | 30 ++++++++++++------------ 1 file changed, 15 insertions(+), 15 deletions(-) diff --git a/.github/workflows/research-vuln-scan.yml b/.github/workflows/research-vuln-scan.yml index 6a4d365..4dffdb0 100644 --- a/.github/workflows/research-vuln-scan.yml +++ b/.github/workflows/research-vuln-scan.yml @@ -73,19 +73,19 @@ jobs: #with: # sarif_file: snyk.sarif - - name: Analyze for critical and high CVEs - id: docker-scout-cves - if: ${{ github.event_name != 'pull_request_target' }} - uses: docker/scout-action@v1 - with: - command: cves, recommendations, compare - image: "greenbone/opensight-postgres:${{ github.sha }}" - sarif-file: sarif.output.json - summary: true + #- name: Analyze for critical and high CVEs + # id: docker-scout-cves + #if: ${{ github.event_name != 'pull_request_target' }} + #uses: docker/scout-action@v1 + #with: + # command: cves, recommendations, compare + #image: "greenbone/opensight-postgres:${{ github.sha }}" + #sarif-file: sarif.output.json + #summary: true - - name: Upload docker scout SARIF result - id: upload-sarif - if: ${{ github.event_name != 'pull_request_target' }} - uses: github/codeql-action/upload-sarif@v2 - with: - sarif_file: sarif.output.json + #- name: Upload docker scout SARIF result + # id: upload-sarif + #if: ${{ github.event_name != 'pull_request_target' }} + #uses: github/codeql-action/upload-sarif@v2 + #with: + #sarif_file: sarif.output.json From 8a2e14f8075d78cae8a634a0ae0f50661ecf7f0e Mon Sep 17 00:00:00 2001 From: robert-schardt Date: Fri, 1 Nov 2024 16:34:29 +0100 Subject: [PATCH 08/32] Update research-vuln-scan.yml --- .github/workflows/research-vuln-scan.yml | 10 ++++------ 1 file changed, 4 insertions(+), 6 deletions(-) 
diff --git a/.github/workflows/research-vuln-scan.yml b/.github/workflows/research-vuln-scan.yml index 4dffdb0..4316b88 100644 --- a/.github/workflows/research-vuln-scan.yml +++ b/.github/workflows/research-vuln-scan.yml @@ -6,8 +6,6 @@ on: pull_request: # The branches below must be a subset of the branches above branches: [ "main" ] - #schedule: - # - cron: '24 23 * * 0' permissions: contents: read @@ -68,10 +66,10 @@ jobs: image: "greenbone/opensight-postgres:${{ github.sha }}" args: --file=Dockerfile - #- name: Upload snyk result to GitHub Code Scanning - # uses: github/codeql-action/upload-sarif@v3 - #with: - # sarif_file: snyk.sarif + - name: Upload snyk result to GitHub Code Scanning + uses: github/codeql-action/upload-sarif@v3 + with: + sarif_file: snyk.sarif #- name: Analyze for critical and high CVEs # id: docker-scout-cves From 358b74401d2d7e19985b2f1d9946f0408dab7158 Mon Sep 17 00:00:00 2001 From: robert-schardt Date: Mon, 4 Nov 2024 13:33:38 +0100 Subject: [PATCH 09/32] Update research-vuln-scan.yml --- .github/workflows/research-vuln-scan.yml | 33 ------------------------ 1 file changed, 33 deletions(-) diff --git a/.github/workflows/research-vuln-scan.yml b/.github/workflows/research-vuln-scan.yml index 4316b88..203618e 100644 --- a/.github/workflows/research-vuln-scan.yml +++ b/.github/workflows/research-vuln-scan.yml 
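Review bot: Deleting the commented-out `schedule:` trigger (rather than enabling it) leaves the scan running only on `push`/`pull_request` to `main`, so an image that has not changed is never re-scanned and advisories published later against its already-shipped packages never reach code scanning. Image vulnerability scanning is mostly valuable on a cadence, because the findings depend on the advisory database rather than on the code; consider re-adding `schedule:` with `- cron: '24 23 * * 0'` (or a daily cron) alongside the existing triggers. The re-enabled `Upload snyk result to GitHub Code Scanning` step in the second hunk still has no `if: always()`, so it fails whenever the preceding `continue-on-error: true` Snyk step did not produce `snyk.sarif`.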
@@ -51,39 +51,6 @@ jobs: uses: github/codeql-action/upload-sarif@v3 with: sarif_file: ${{ steps.grype.outputs.sarif }} - - - name: Run Snyk to check Docker image for vulnerabilities - # Snyk can be used to break the build when it detects vulnerabilities. - # In this case we want to upload the issues to GitHub Code Scanning - continue-on-error: true - uses: snyk/actions/docker@14818c4695ecc4045f33c9cee9e795a788711ca4 - env: - # In order to use the Snyk Action you will need to have a Snyk API token. - # More details in https://github.com/snyk/actions#getting-your-snyk-token - # or you can signup for free at https://snyk.io/login - SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} - with: - image: "greenbone/opensight-postgres:${{ github.sha }}" - args: --file=Dockerfile - - - name: Upload snyk result to GitHub Code Scanning - uses: github/codeql-action/upload-sarif@v3 - with: - sarif_file: snyk.sarif - - #- name: Analyze for critical and high CVEs - # id: docker-scout-cves - #if: ${{ github.event_name != 'pull_request_target' }} - #uses: docker/scout-action@v1 - #with: - # command: cves, recommendations, compare - #image: "greenbone/opensight-postgres:${{ github.sha }}" - #sarif-file: sarif.output.json - #summary: true - - #- name: Upload docker scout SARIF result - # id: upload-sarif - #if: ${{ github.event_name != 'pull_request_target' }} #uses: github/codeql-action/upload-sarif@v2 #with: #sarif_file: sarif.output.json From 43e8a980b8b2f4dff0afbce2ef6d661b264004d4 Mon Sep 17 00:00:00 2001 From: robert-schardt Date: Tue, 5 Nov 2024 09:27:54 +0100 Subject: [PATCH 10/32] Update research-vuln-scan.yml --- .github/workflows/research-vuln-scan.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.github/workflows/research-vuln-scan.yml b/.github/workflows/research-vuln-scan.yml index 203618e..de12cd5 100644 --- a/.github/workflows/research-vuln-scan.yml +++ b/.github/workflows/research-vuln-scan.yml 
@@ -33,7 +33,7 @@ jobs: format: 'template' template: '@/contrib/sarif.tpl' output: 'trivy-results.sarif' - severity: 'CRITICAL,HIGH' + severity: 'UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL' - name: Upload Trivy scan results to GitHub Security tab uses: github/codeql-action/upload-sarif@v3 @@ -46,6 +46,7 @@ jobs: with: image: "greenbone/opensight-postgres:${{ github.sha }}" fail-build: false + severity-cutoff: low - name: Upload grype vulnerability report uses: github/codeql-action/upload-sarif@v3 From add9a0dd2250f2d949ec0ef69f03649d433d49b2 Mon Sep 17 00:00:00 2001 From: robert-schardt Date: Tue, 5 Nov 2024 09:36:33 +0100 Subject: [PATCH 11/32] Update research-vuln-scan.yml --- .github/workflows/research-vuln-scan.yml | 20 +++++++++++++++++--- 1 file changed, 17 insertions(+), 3 deletions(-) diff --git a/.github/workflows/research-vuln-scan.yml b/.github/workflows/research-vuln-scan.yml index de12cd5..a39e625 100644 --- a/.github/workflows/research-vuln-scan.yml +++ b/.github/workflows/research-vuln-scan.yml @@ -52,6 +52,20 @@ jobs: uses: github/codeql-action/upload-sarif@v3 with: sarif_file: ${{ steps.grype.outputs.sarif }} - #uses: github/codeql-action/upload-sarif@v2 - #with: - #sarif_file: sarif.output.json + + - name: Analyze for critical and high CVEs + id: docker-scout-cves + if: ${{ github.event_name != 'pull_request_target' }} + uses: docker/scout-action@v1 + with: + command: cves, recommendations, compare + image: "greenbone/opensight-postgres:${{ github.sha }}" + sarif-file: sarif.output.json + summary: true + + - name: Upload docker scout SARIF result + id: upload-sarif + if: ${{ github.event_name != 'pull_request_target' }} + uses: github/codeql-action/upload-sarif@v2 + with: + sarif_file: sarif.output.json From fd29f39c644590e1a3db91850e6ee0f6ef42931f Mon Sep 17 00:00:00 2001 
From: robert-schardt Date: Tue, 5 Nov 2024 09:43:22 +0100 Subject: [PATCH 12/32] Update research-vuln-scan.yml --- .github/workflows/research-vuln-scan.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/research-vuln-scan.yml b/.github/workflows/research-vuln-scan.yml index a39e625..ad8b19e 100644 --- a/.github/workflows/research-vuln-scan.yml +++ b/.github/workflows/research-vuln-scan.yml @@ -34,6 +34,7 @@ jobs: template: '@/contrib/sarif.tpl' output: 'trivy-results.sarif' severity: 'UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL' + github-pat: ${{ secrets.GITHUB_TOKEN }} # or ${{ secrets.github_pat_name }} if you're using a PAT - name: Upload Trivy scan results to GitHub Security tab uses: github/codeql-action/upload-sarif@v3 From 29f23c1d528d8b1e3022f779cc2cfc384300da41 Mon Sep 17 00:00:00 2001 From: robert-schardt Date: Tue, 5 Nov 2024 10:16:15 +0100 Subject: [PATCH 13/32] Update research-vuln-scan.yml --- .github/workflows/research-vuln-scan.yml | 34 ++++++++++++++++++++++-- 1 file changed, 32 insertions(+), 2 deletions(-) diff --git a/.github/workflows/research-vuln-scan.yml b/.github/workflows/research-vuln-scan.yml index ad8b19e..afd6c04 100644 --- a/.github/workflows/research-vuln-scan.yml +++ b/.github/workflows/research-vuln-scan.yml @@ -11,12 +11,12 @@ permissions: contents: read jobs: - build: + trivy: permissions: contents: read # for actions/checkout to fetch code security-events: write # for github/codeql-action/upload-sarif to upload SARIF results actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status - name: Build + name: Trivy runs-on: "ubuntu-20.04" steps: - name: Checkout code 
@@ -40,6 +40,21 @@ jobs: uses: github/codeql-action/upload-sarif@v3 with: sarif_file: 'trivy-results.sarif' + + grype: + permissions: + contents: read # for actions/checkout to fetch code + security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status + name: Grype + runs-on: "ubuntu-20.04" + steps: + - name: Checkout code + uses: actions/checkout@v4 + + - name: Build an image from Dockerfile + run: | + docker build -t greenbone/opensight-postgres:${{ github.sha }} . - name: Run the Anchore Grype scan action uses: anchore/scan-action@d5aa5b6cb9414b0c7771438046ff5bcfa2854ed7 @@ -53,6 +68,21 @@ jobs: uses: github/codeql-action/upload-sarif@v3 with: sarif_file: ${{ steps.grype.outputs.sarif }} + + docker-scout: + permissions: + contents: read # for actions/checkout to fetch code + security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status + name: "Docker Scout" + runs-on: "ubuntu-20.04" + steps: + - name: Checkout code + uses: actions/checkout@v4 + + - name: Build an image from Dockerfile + run: | + docker build -t greenbone/opensight-postgres:${{ github.sha }} . - name: Analyze for critical and high CVEs id: docker-scout-cves From 6778f4923fdf4a2df2bb4b9a381d4a075832780e Mon Sep 17 00:00:00 2001 From: robert-schardt Date: Tue, 5 Nov 2024 10:23:25 +0100 Subject: [PATCH 14/32] Update research-vuln-scan.yml --- .github/workflows/research-vuln-scan.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.github/workflows/research-vuln-scan.yml b/.github/workflows/research-vuln-scan.yml index afd6c04..0b73c06 100644 --- a/.github/workflows/research-vuln-scan.yml +++ b/.github/workflows/research-vuln-scan.yml 
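Review bot: Each of the new `grype` and `docker-scout` jobs runs its own `docker build -t greenbone/opensight-postgres:${{ github.sha }} .`, so the three scanners are not guaranteed to scan the same artifact — a base image pulled by tag or packages fetched at build time can differ between runners, and the image tag is local to each runner anyway. Build once in a `build` job, `docker save` the image to an artifact, and have the scanner jobs `needs: build` and load it (or, at minimum, pin the Dockerfile's base image by digest so the three builds converge). The three identical `permissions:` blocks could then also collapse into one. This hunk only shows the new jobs' headers and build steps; the scan and upload steps follow outside it.

```yaml
  build:
    name: Build image
    runs-on: "ubuntu-20.04"
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Build an image from Dockerfile
        run: |
          docker build -t greenbone/opensight-postgres:${{ github.sha }} .
          docker save greenbone/opensight-postgres:${{ github.sha }} -o image.tar

      - name: Upload image artifact
        uses: actions/upload-artifact@v4
        with:
          name: image
          path: image.tar
          retention-days: 1

  grype:
    needs: build
    # … unchanged: permissions, name, runs-on …
    steps:
      - name: Download image artifact
        uses: actions/download-artifact@v4
        with:
          name: image

      - name: Load image
        run: docker load -i image.tar

      # … unchanged: grype scan and SARIF upload steps …
```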
@@ -93,6 +93,9 @@ jobs: image: "greenbone/opensight-postgres:${{ github.sha }}" sarif-file: sarif.output.json summary: true + dockerhub-user: ${{ secrets.DOCKER_USER }} + dockerhub-password: ${{ secrets.DOCKER_TOKEN }} + # only-severities: -- default is all - name: Upload docker scout SARIF result id: upload-sarif From 671326fe813ba077ec32400f90c652444de3eeb3 Mon Sep 17 00:00:00 2001 From: robert-schardt Date: Tue, 5 Nov 2024 10:24:51 +0100 Subject: [PATCH 15/32] Update research-vuln-scan.yml --- .github/workflows/research-vuln-scan.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/research-vuln-scan.yml b/.github/workflows/research-vuln-scan.yml index 0b73c06..531eb1c 100644 --- a/.github/workflows/research-vuln-scan.yml +++ b/.github/workflows/research-vuln-scan.yml @@ -93,8 +93,8 @@ jobs: image: "greenbone/opensight-postgres:${{ github.sha }}" sarif-file: sarif.output.json summary: true - dockerhub-user: ${{ secrets.DOCKER_USER }} - dockerhub-password: ${{ secrets.DOCKER_TOKEN }} + dockerhub-user: ${{ secrets.DOCKERHUB_USERNAME }} + dockerhub-password: ${{ secrets.DOCKERHUB_TOKEN }} # only-severities: -- default is all - name: Upload docker scout SARIF result From 5faebef5fbedc0e9ce014b794815f5f201472049 Mon Sep 17 00:00:00 2001 From: robert-schardt Date: Tue, 5 Nov 2024 10:26:36 +0100 Subject: [PATCH 16/32] Update research-vuln-scan.yml --- .github/workflows/research-vuln-scan.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/research-vuln-scan.yml b/.github/workflows/research-vuln-scan.yml index 531eb1c..33b704a 100644 --- a/.github/workflows/research-vuln-scan.yml +++ b/.github/workflows/research-vuln-scan.yml 
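Review bot: `dockerhub-user` / `dockerhub-password` hand a Docker Hub credential to `docker/scout-action@v1`, which is referenced by a mutable tag while the other scanners in this file are SHA-pinned; a compromised or force-pushed `v1` would receive `secrets.DOCKER_TOKEN` on every run. Pin the action to a commit SHA with a version comment, and scope the token on the Docker Hub side to read-only, since the scan only needs to pull and analyze. On `pull_request` runs from forks these secrets are unavailable, so the step cannot authenticate there — either guard it with `if: github.event.pull_request.head.repo.full_name == github.repository` or document that fork PRs are expected to skip Scout. The `Analyze for critical and high CVEs` step these inputs belong to starts outside the hunk.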
@@ -74,6 +74,7 @@ jobs: contents: read # for actions/checkout to fetch code security-events: write # for github/codeql-action/upload-sarif to upload SARIF results actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status + pull-requests: write name: "Docker Scout" runs-on: "ubuntu-20.04" steps: From 7dd49e3d6fba99a0c3d72b8111cb77a609e37eb9 Mon Sep 17 00:00:00 2001 From: robert-schardt Date: Tue, 5 Nov 2024 10:39:54 +0100 Subject: [PATCH 17/32] Update research-vuln-scan.yml --- .github/workflows/research-vuln-scan.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.github/workflows/research-vuln-scan.yml b/.github/workflows/research-vuln-scan.yml index 33b704a..e5e0268 100644 --- a/.github/workflows/research-vuln-scan.yml +++ b/.github/workflows/research-vuln-scan.yml @@ -40,6 +40,7 @@ jobs: uses: github/codeql-action/upload-sarif@v3 with: sarif_file: 'trivy-results.sarif' + category: ${{ github.jobs[github.job].name }} grype: permissions: @@ -68,6 +69,7 @@ jobs: uses: github/codeql-action/upload-sarif@v3 with: sarif_file: ${{ steps.grype.outputs.sarif }} + category: ${{ github.jobs[github.job].name }} docker-scout: permissions: @@ -104,3 +106,4 @@ jobs: uses: github/codeql-action/upload-sarif@v2 with: sarif_file: sarif.output.json + category: ${{ github.jobs[github.job].name }} From 460ddd35aca5ad0565c1eb5d3598e6455c127ada Mon Sep 17 00:00:00 2001 From: robert-schardt Date: Tue, 5 Nov 2024 10:59:21 +0100 Subject: [PATCH 18/32] Update research-vuln-scan.yml --- .github/workflows/research-vuln-scan.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/research-vuln-scan.yml b/.github/workflows/research-vuln-scan.yml index e5e0268..0ea4a4e 100644 --- a/.github/workflows/research-vuln-scan.yml +++ b/.github/workflows/research-vuln-scan.yml 
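Review bot: `pull-requests: write` is added to the `docker-scout` job without the explanatory comment every neighbouring permission carries, and it is a write grant on the job token, so the reason should be stated: if it is for the action's PR-comment feature, write `pull-requests: write  # docker/scout-action posts its summary/compare result as a PR comment`. If nothing in the Scout step needs it, drop it. Note that on fork `pull_request` runs the token is read-only regardless, so any comment-posting feature would not work there anyway.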
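Review bot: `category: ${{ github.jobs[github.job].name }}` relies on a `github.jobs` property that, as far as I know, does not exist in the `github` context (the documented value is `github.job`, the job id), so the expression most likely evaluates to empty and all three uploads land in the same default category — the Trivy, Grype and Scout results for one commit would then overwrite each other in code scanning instead of coexisting. Use the job id directly, `category: ${{ github.job }}`, or a literal per job (`category: trivy`, `category: grype`, `category: docker-scout`). Each `category` line is appended to an `upload-sarif` step whose start lies outside its hunk.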
@@ -103,7 +103,7 @@ jobs: - name: Upload docker scout SARIF result id: upload-sarif if: ${{ github.event_name != 'pull_request_target' }} - uses: github/codeql-action/upload-sarif@v2 + uses: github/codeql-action/upload-sarif@v3 with: sarif_file: sarif.output.json category: ${{ github.jobs[github.job].name }} From ceda75b4c33cf86bea2d71281ddfd7ac90257e9f Mon Sep 17 00:00:00 2001 From: Robert Schardt Date: Tue, 5 Nov 2024 11:09:37 +0100 Subject: [PATCH 19/32] Run docker-scout only for testing --- .github/workflows/research-vuln-scan.yml | 118 +++++++++++------------ 1 file changed, 59 insertions(+), 59 deletions(-) diff --git a/.github/workflows/research-vuln-scan.yml b/.github/workflows/research-vuln-scan.yml index 0ea4a4e..e75e319 100644 --- a/.github/workflows/research-vuln-scan.yml +++ b/.github/workflows/research-vuln-scan.yml 
@@ -11,66 +11,66 @@ permissions: contents: read jobs: - trivy: - permissions: - contents: read # for actions/checkout to fetch code - security-events: write # for github/codeql-action/upload-sarif to upload SARIF results - actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status - name: Trivy - runs-on: "ubuntu-20.04" - steps: - - name: Checkout code - uses: actions/checkout@v4 - - - name: Build an image from Dockerfile - run: | - docker build -t greenbone/opensight-postgres:${{ github.sha }} . - - - name: Run Trivy vulnerability scanner - uses: aquasecurity/trivy-action@7b7aa264d83dc58691451798b4d117d53d21edfe - with: - image-ref: 'greenbone/opensight-postgres:${{ github.sha }}' - format: 'template' - template: '@/contrib/sarif.tpl' - output: 'trivy-results.sarif' - severity: 'UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL' - github-pat: ${{ secrets.GITHUB_TOKEN }} # or ${{ secrets.github_pat_name }} if you're using a PAT - - - name: Upload Trivy scan results to GitHub Security tab - uses: github/codeql-action/upload-sarif@v3 - with: - sarif_file: 'trivy-results.sarif' - category: ${{ github.jobs[github.job].name }} - - grype: - permissions: - contents: read # for actions/checkout to fetch code - security-events: write # for github/codeql-action/upload-sarif to upload SARIF results - actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status - name: Grype - runs-on: "ubuntu-20.04" - steps: - - name: Checkout code - uses: actions/checkout@v4 - - - name: Build an image from Dockerfile - run: | - docker build -t greenbone/opensight-postgres:${{ github.sha }} . 
+# trivy: +# permissions: +# contents: read # for actions/checkout to fetch code +# security-events: write # for github/codeql-action/upload-sarif to upload SARIF results +# actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status +# name: Trivy +# runs-on: "ubuntu-20.04" +# steps: +# - name: Checkout code +# uses: actions/checkout@v4 +# +# - name: Build an image from Dockerfile +# run: | +# docker build -t greenbone/opensight-postgres:${{ github.sha }} . +# +# - name: Run Trivy vulnerability scanner +# uses: aquasecurity/trivy-action@7b7aa264d83dc58691451798b4d117d53d21edfe +# with: +# image-ref: 'greenbone/opensight-postgres:${{ github.sha }}' +# format: 'template' +# template: '@/contrib/sarif.tpl' +# output: 'trivy-results.sarif' +# severity: 'UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL' +# github-pat: ${{ secrets.GITHUB_TOKEN }} # or ${{ secrets.github_pat_name }} if you're using a PAT +# +# - name: Upload Trivy scan results to GitHub Security tab +# uses: github/codeql-action/upload-sarif@v3 +# with: +# sarif_file: 'trivy-results.sarif' +# category: ${{ github.jobs[github.job].name }} +# +# grype: +# permissions: +# contents: read # for actions/checkout to fetch code +# security-events: write # for github/codeql-action/upload-sarif to upload SARIF results +# actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status +# name: Grype +# runs-on: "ubuntu-20.04" +# steps: +# - name: Checkout code +# uses: actions/checkout@v4 +# +# - name: Build an image from Dockerfile +# run: | +# docker build -t greenbone/opensight-postgres:${{ github.sha }} . 
+# +# - name: Run the Anchore Grype scan action +# uses: anchore/scan-action@d5aa5b6cb9414b0c7771438046ff5bcfa2854ed7 +# id: grype +# with: +# image: "greenbone/opensight-postgres:${{ github.sha }}" +# fail-build: false +# severity-cutoff: low +# +# - name: Upload grype vulnerability report +# uses: github/codeql-action/upload-sarif@v3 +# with: +# sarif_file: ${{ steps.grype.outputs.sarif }} +# category: ${{ github.jobs[github.job].name }} - - name: Run the Anchore Grype scan action - uses: anchore/scan-action@d5aa5b6cb9414b0c7771438046ff5bcfa2854ed7 - id: grype - with: - image: "greenbone/opensight-postgres:${{ github.sha }}" - fail-build: false - severity-cutoff: low - - - name: Upload grype vulnerability report - uses: github/codeql-action/upload-sarif@v3 - with: - sarif_file: ${{ steps.grype.outputs.sarif }} - category: ${{ github.jobs[github.job].name }} - docker-scout: permissions: contents: read # for actions/checkout to fetch code From 785e461e33924b60d177e185407684941c233ccc Mon Sep 17 00:00:00 2001 From: Robert Schardt Date: Tue, 5 Nov 2024 11:16:17 +0100 Subject: [PATCH 20/32] Enable other jobs again and docker-scout ignores unspecified --- .github/workflows/research-vuln-scan.yml | 120 +++++++++++------------ 1 file changed, 60 insertions(+), 60 deletions(-) diff --git a/.github/workflows/research-vuln-scan.yml b/.github/workflows/research-vuln-scan.yml index e75e319..1d96a9c 100644 --- a/.github/workflows/research-vuln-scan.yml +++ b/.github/workflows/research-vuln-scan.yml 
@@ -11,65 +11,65 @@ permissions: contents: read jobs: -# trivy: -# permissions: -# contents: read # for actions/checkout to fetch code -# security-events: write # for github/codeql-action/upload-sarif to upload SARIF results -# actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status -# name: Trivy -# runs-on: "ubuntu-20.04" -# steps: -# - name: Checkout code -# uses: actions/checkout@v4 -# -# - name: Build an image from Dockerfile -# run: | -# docker build -t greenbone/opensight-postgres:${{ github.sha }} . -# -# - name: Run Trivy vulnerability scanner -# uses: aquasecurity/trivy-action@7b7aa264d83dc58691451798b4d117d53d21edfe -# with: -# image-ref: 'greenbone/opensight-postgres:${{ github.sha }}' -# format: 'template' -# template: '@/contrib/sarif.tpl' -# output: 'trivy-results.sarif' -# severity: 'UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL' -# github-pat: ${{ secrets.GITHUB_TOKEN }} # or ${{ secrets.github_pat_name }} if you're using a PAT -# -# - name: Upload Trivy scan results to GitHub Security tab -# uses: github/codeql-action/upload-sarif@v3 -# with: -# sarif_file: 'trivy-results.sarif' -# category: ${{ github.jobs[github.job].name }} -# -# grype: -# permissions: -# contents: read # for actions/checkout to fetch code -# security-events: write # for github/codeql-action/upload-sarif to upload SARIF results -# actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status -# name: Grype -# runs-on: "ubuntu-20.04" -# steps: -# - name: Checkout code -# uses: actions/checkout@v4 -# -# - name: Build an image from Dockerfile -# run: | -# docker build -t greenbone/opensight-postgres:${{ github.sha }} . 
-# -# - name: Run the Anchore Grype scan action -# uses: anchore/scan-action@d5aa5b6cb9414b0c7771438046ff5bcfa2854ed7 -# id: grype -# with: -# image: "greenbone/opensight-postgres:${{ github.sha }}" -# fail-build: false -# severity-cutoff: low -# -# - name: Upload grype vulnerability report -# uses: github/codeql-action/upload-sarif@v3 -# with: -# sarif_file: ${{ steps.grype.outputs.sarif }} -# category: ${{ github.jobs[github.job].name }} + trivy: + permissions: + contents: read # for actions/checkout to fetch code + security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status + name: Trivy + runs-on: "ubuntu-20.04" + steps: + - name: Checkout code + uses: actions/checkout@v4 + + - name: Build an image from Dockerfile + run: | + docker build -t greenbone/opensight-postgres:${{ github.sha }} . + + - name: Run Trivy vulnerability scanner + uses: aquasecurity/trivy-action@7b7aa264d83dc58691451798b4d117d53d21edfe + with: + image-ref: 'greenbone/opensight-postgres:${{ github.sha }}' + format: 'template' + template: '@/contrib/sarif.tpl' + output: 'trivy-results.sarif' + severity: 'UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL' + github-pat: ${{ secrets.GITHUB_TOKEN }} # or ${{ secrets.github_pat_name }} if you're using a PAT + + - name: Upload Trivy scan results to GitHub Security tab + uses: github/codeql-action/upload-sarif@v3 + with: + sarif_file: 'trivy-results.sarif' + category: ${{ github.jobs[github.job].name }} + + grype: + permissions: + contents: read # for actions/checkout to fetch code + security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status + name: Grype + runs-on: "ubuntu-20.04" + steps: + - name: Checkout code + uses: actions/checkout@v4 + + - name: Build an image from 
Dockerfile + run: | + docker build -t greenbone/opensight-postgres:${{ github.sha }} . + + - name: Run the Anchore Grype scan action + uses: anchore/scan-action@d5aa5b6cb9414b0c7771438046ff5bcfa2854ed7 + id: grype + with: + image: "greenbone/opensight-postgres:${{ github.sha }}" + fail-build: false + severity-cutoff: low + + - name: Upload grype vulnerability report + uses: github/codeql-action/upload-sarif@v3 + with: + sarif_file: ${{ steps.grype.outputs.sarif }} + category: ${{ github.jobs[github.job].name }} docker-scout: permissions: @@ -98,7 +98,7 @@ jobs: summary: true dockerhub-user: ${{ secrets.DOCKERHUB_USERNAME }} dockerhub-password: ${{ secrets.DOCKERHUB_TOKEN }} - # only-severities: -- default is all + only-severities: critical, high, medium, low - name: Upload docker scout SARIF result id: upload-sarif From 4cb94ac43c88e38f40b42ff6da18d12932552f22 Mon Sep 17 00:00:00 2001 From: Robert Schardt Date: Tue, 5 Nov 2024 11:23:41 +0100 Subject: [PATCH 21/32] Remove low from docker-scout --- .github/workflows/research-vuln-scan.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/research-vuln-scan.yml b/.github/workflows/research-vuln-scan.yml index 1d96a9c..1096236 100644 --- a/.github/workflows/research-vuln-scan.yml +++ b/.github/workflows/research-vuln-scan.yml @@ -98,7 +98,7 @@ jobs: summary: true dockerhub-user: ${{ secrets.DOCKERHUB_USERNAME }} dockerhub-password: ${{ secrets.DOCKERHUB_TOKEN }} - only-severities: critical, high, medium, low + only-severities: critical, high, medium - name: Upload docker scout SARIF result id: upload-sarif From 8d160a65cdca7bdee35cd50ed7bbcc59cd463b9a Mon Sep 17 00:00:00 2001 From: Robert Schardt Date: Tue, 5 Nov 2024 11:51:43 +0100 Subject: [PATCH 22/32] Set trivy and grype to medium too --- .github/workflows/research-vuln-scan.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
diff --git a/.github/workflows/research-vuln-scan.yml b/.github/workflows/research-vuln-scan.yml index 1096236..9e90a58 100644 --- a/.github/workflows/research-vuln-scan.yml +++ b/.github/workflows/research-vuln-scan.yml @@ -33,7 +33,7 @@ jobs: format: 'template' template: '@/contrib/sarif.tpl' output: 'trivy-results.sarif' - severity: 'UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL' + severity: 'MEDIUM,HIGH,CRITICAL' github-pat: ${{ secrets.GITHUB_TOKEN }} # or ${{ secrets.github_pat_name }} if you're using a PAT - name: Upload Trivy scan results to GitHub Security tab @@ -63,7 +63,7 @@ jobs: with: image: "greenbone/opensight-postgres:${{ github.sha }}" fail-build: false - severity-cutoff: low + severity-cutoff: medium - name: Upload grype vulnerability report uses: github/codeql-action/upload-sarif@v3 From 487c4e4fded377231caab12008e970cf9f36ae52 Mon Sep 17 00:00:00 2001 From: robert-schardt Date: Fri, 22 Nov 2024 10:35:35 +0100 Subject: [PATCH 23/32] Update .github/workflows/research-vuln-scan.yml Co-authored-by: Jaspar Stach --- .github/workflows/research-vuln-scan.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/research-vuln-scan.yml b/.github/workflows/research-vuln-scan.yml index 9e90a58..a0f99ba 100644 --- a/.github/workflows/research-vuln-scan.yml +++ b/.github/workflows/research-vuln-scan.yml @@ -20,7 +20,7 @@ jobs: runs-on: "ubuntu-20.04" steps: - name: Checkout code - uses: actions/checkout@v4 + uses: actions/11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - name: Build an image from Dockerfile run: | From c8219674220f0ff5dfb5d449de5859617cab28a5 Mon Sep 17 00:00:00 2001 From: robert-schardt Date: Fri, 22 Nov 2024 10:36:29 +0100 Subject: [PATCH 24/32] Update .github/workflows/research-vuln-scan.yml Co-authored-by: Jaspar Stach --- .github/workflows/research-vuln-scan.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
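Review bot: The new value `uses: actions/11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2` in the `@@ -20,7 +20,7 @@` hunk has lost the `checkout@` segment, so it is no longer an `owner/repo@ref` action reference and GitHub will not be able to resolve it when the Trivy job starts. It should read `uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2`, the same form the Grype and Docker Scout checkout steps receive in the two following patches. The step belongs to the Trivy job whose definition begins outside this hunk.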
diff --git a/.github/workflows/research-vuln-scan.yml b/.github/workflows/research-vuln-scan.yml index a0f99ba..35ef261 100644 --- a/.github/workflows/research-vuln-scan.yml +++ b/.github/workflows/research-vuln-scan.yml @@ -51,7 +51,7 @@ jobs: runs-on: "ubuntu-20.04" steps: - name: Checkout code - uses: actions/checkout@v4 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - name: Build an image from Dockerfile run: | From 8f44b319de1378f8c1c943eb008dac58b03785e8 Mon Sep 17 00:00:00 2001 From: robert-schardt Date: Fri, 22 Nov 2024 10:36:40 +0100 Subject: [PATCH 25/32] Update .github/workflows/research-vuln-scan.yml Co-authored-by: Jaspar Stach --- .github/workflows/research-vuln-scan.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/research-vuln-scan.yml b/.github/workflows/research-vuln-scan.yml index 35ef261..89a1358 100644 --- a/.github/workflows/research-vuln-scan.yml +++ b/.github/workflows/research-vuln-scan.yml @@ -81,7 +81,7 @@ jobs: runs-on: "ubuntu-20.04" steps: - name: Checkout code - uses: actions/checkout@v4 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - name: Build an image from Dockerfile run: | From 44c071b37da5225e322c8c721b8bbd699195cd2a Mon Sep 17 00:00:00 2001 From: robert-schardt Date: Fri, 22 Nov 2024 10:37:09 +0100 Subject: [PATCH 26/32] Apply suggestions from code review Co-authored-by: Jaspar Stach --- .github/workflows/research-vuln-scan.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/research-vuln-scan.yml b/.github/workflows/research-vuln-scan.yml index 89a1358..5ee7aac 100644 --- a/.github/workflows/research-vuln-scan.yml +++ b/.github/workflows/research-vuln-scan.yml 
@@ -37,7 +37,7 @@ jobs: github-pat: ${{ secrets.GITHUB_TOKEN }} # or ${{ secrets.github_pat_name }} if you're using a PAT - name: Upload Trivy scan results to GitHub Security tab - uses: github/codeql-action/upload-sarif@v3 + uses: github/codeql-action/upload-sarif@ea9e4e37992a54ee68a9622e985e60c8e8f12d9f # v3.27.4 with: sarif_file: 'trivy-results.sarif' category: ${{ github.jobs[github.job].name }} @@ -66,7 +66,7 @@ jobs: severity-cutoff: medium - name: Upload grype vulnerability report - uses: github/codeql-action/upload-sarif@v3 + uses: github/codeql-action/upload-sarif@ea9e4e37992a54ee68a9622e985e60c8e8f12d9f # v3.27.4 with: sarif_file: ${{ steps.grype.outputs.sarif }} category: ${{ github.jobs[github.job].name }} @@ -103,7 +103,7 @@ jobs: - name: Upload docker scout SARIF result id: upload-sarif if: ${{ github.event_name != 'pull_request_target' }} - uses: github/codeql-action/upload-sarif@v3 + uses: github/codeql-action/upload-sarif@ea9e4e37992a54ee68a9622e985e60c8e8f12d9f # v3.27.4 with: sarif_file: sarif.output.json category: ${{ github.jobs[github.job].name }} From dfb66eab5bcf805bc22c99e1ff6e468cd2796ce8 Mon Sep 17 00:00:00 2001 From: Robert Schardt Date: Mon, 25 Nov 2024 13:13:36 +0100 Subject: [PATCH 27/32] Change: Switch to harbor, use image built by push.yml and use self hosted runners --- .github/workflows/research-vuln-scan.yml | 39 +++++++++++++++--------- 1 file changed, 24 insertions(+), 15 deletions(-) diff --git a/.github/workflows/research-vuln-scan.yml b/.github/workflows/research-vuln-scan.yml index 5ee7aac..a0b9ca8 100644 --- a/.github/workflows/research-vuln-scan.yml +++ b/.github/workflows/research-vuln-scan.yml 
@@ -17,19 +17,22 @@ jobs: security-events: write # for github/codeql-action/upload-sarif to upload SARIF results actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status name: Trivy - runs-on: "ubuntu-20.04" + runs-on: self-hosted-generic steps: - name: Checkout code uses: actions/11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - - name: Build an image from Dockerfile - run: | - docker build -t greenbone/opensight-postgres:${{ github.sha }} . + - name: Login to Greenbone Product container registry + uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 #v3.3.0 + with: + registry: ${{ vars.GREENBONE_REGISTRY }} + username: ${{ secrets.GREENBONE_REGISTRY_READ_USER }} + password: ${{ secrets.GREENBONE_REGISTRY_READ_TOKEN }} - name: Run Trivy vulnerability scanner uses: aquasecurity/trivy-action@7b7aa264d83dc58691451798b4d117d53d21edfe with: - image-ref: 'greenbone/opensight-postgres:${{ github.sha }}' + image-ref: '${{ vars.GREENBONE_REGISTRY }}opensight/opensight-postgres:16' format: 'template' template: '@/contrib/sarif.tpl' output: 'trivy-results.sarif' 
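Review bot: The new `image-ref` `'${{ vars.GREENBONE_REGISTRY }}opensight/opensight-postgres:16'` joins the registry variable and the repository path with no `/` between them, so the reference only resolves if the variable happens to end in a slash; the Grype hunk (`@@ -48,20 +51,23 @@`) and the Docker Scout hunk (`@@ -93,7 +102,7 @@`) of this patch repeat the same concatenation. Write it as `image-ref: '${{ vars.GREENBONE_REGISTRY }}/opensight/opensight-postgres:16'` in all three places. The checkout line kept as context in this job still reads `uses: actions/11bd71901bbe5b1630ceea73d27597364c9af683`, which lacks `checkout@` and will not resolve. Because the jobs now scan the registry's moving `:16` tag instead of an image built from the checked-out commit, a pull request's Dockerfile changes presumably no longer influence the result; if that is intended, a one-line comment above `image-ref` saying so would save the next reader the same question. If this repository is public, moving `pull_request`-triggered jobs onto `self-hosted-generic` also deserves a look, since workflow runs for external pull requests would then execute on those runners.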
@@ -48,20 +51,23 @@ jobs: security-events: write # for github/codeql-action/upload-sarif to upload SARIF results actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status name: Grype - runs-on: "ubuntu-20.04" + runs-on: self-hosted-generic steps: - name: Checkout code uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - - name: Build an image from Dockerfile - run: | - docker build -t greenbone/opensight-postgres:${{ github.sha }} . + - name: Login to Greenbone Product container registry + uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 #v3.3.0 + with: + registry: ${{ vars.GREENBONE_REGISTRY }} + username: ${{ secrets.GREENBONE_REGISTRY_READ_USER }} + password: ${{ secrets.GREENBONE_REGISTRY_READ_TOKEN }} - name: Run the Anchore Grype scan action uses: anchore/scan-action@d5aa5b6cb9414b0c7771438046ff5bcfa2854ed7 id: grype with: - image: "greenbone/opensight-postgres:${{ github.sha }}" + image: '${{ vars.GREENBONE_REGISTRY }}opensight/opensight-postgres:16' fail-build: false severity-cutoff: medium @@ -78,14 +84,17 @@ jobs: actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status pull-requests: write name: "Docker Scout" - runs-on: "ubuntu-20.04" + runs-on: self-hosted-generic steps: - name: Checkout code uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - - name: Build an image from Dockerfile - run: | - docker build -t greenbone/opensight-postgres:${{ github.sha }} . + - name: Login to Greenbone Product container registry + uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 #v3.3.0 + with: + registry: ${{ vars.GREENBONE_REGISTRY }} + username: ${{ secrets.GREENBONE_REGISTRY_READ_USER }} + password: ${{ secrets.GREENBONE_REGISTRY_READ_TOKEN }} - name: Analyze for critical and high CVEs id: docker-scout-cves 
@@ -93,7 +102,7 @@ jobs: uses: docker/scout-action@v1 with: command: cves, recommendations, compare - image: "greenbone/opensight-postgres:${{ github.sha }}" + image: '${{ vars.GREENBONE_REGISTRY }}opensight/opensight-postgres:16' sarif-file: sarif.output.json summary: true dockerhub-user: ${{ secrets.DOCKERHUB_USERNAME }} From e0ed4bcb88c3bda594b0f758925fce991e903828 Mon Sep 17 00:00:00 2001 From: Robert Schardt Date: Mon, 25 Nov 2024 13:19:35 +0100 Subject: [PATCH 28/32] Add: Slash to image --- .github/workflows/research-vuln-scan.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/research-vuln-scan.yml b/.github/workflows/research-vuln-scan.yml index a0b9ca8..b0f691c 100644 --- a/.github/workflows/research-vuln-scan.yml +++ b/.github/workflows/research-vuln-scan.yml @@ -32,7 +32,7 @@ jobs: - name: Run Trivy vulnerability scanner uses: aquasecurity/trivy-action@7b7aa264d83dc58691451798b4d117d53d21edfe with: - image-ref: '${{ vars.GREENBONE_REGISTRY }}opensight/opensight-postgres:16' + image-ref: '${{ vars.GREENBONE_REGISTRY }}/opensight/opensight-postgres:16' format: 'template' template: '@/contrib/sarif.tpl' output: 'trivy-results.sarif' @@ -67,7 +67,7 @@ jobs: uses: anchore/scan-action@d5aa5b6cb9414b0c7771438046ff5bcfa2854ed7 id: grype with: - image: '${{ vars.GREENBONE_REGISTRY }}opensight/opensight-postgres:16' + image: '${{ vars.GREENBONE_REGISTRY }}/opensight/opensight-postgres:16' fail-build: false severity-cutoff: medium @@ -102,7 +102,7 @@ jobs: uses: docker/scout-action@v1 with: command: cves, recommendations, compare - image: '${{ vars.GREENBONE_REGISTRY }}opensight/opensight-postgres:16' + image: '${{ vars.GREENBONE_REGISTRY }}/opensight/opensight-postgres:16' sarif-file: sarif.output.json summary: true dockerhub-user: ${{ secrets.DOCKERHUB_USERNAME }} From 4700ed22b4b76c6580c7fb67c4a788cf14dc87f4 Mon Sep 17 00:00:00 2001 
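Review bot: `uses: docker/scout-action@v1`, the context line just above the changed `image:`, is the only action visible in this workflow still referenced by a floating major-version tag after the earlier patches pinned checkout, login-action and upload-sarif to commit SHAs. Pinning it the same way, `uses: docker/scout-action@<commit-sha> # vX.Y.Z` with the SHA of the release you intend to track, keeps the supply-chain posture consistent across the file. The step belongs to the Docker Scout job whose definition begins outside this hunk.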
From: robert-schardt Date: Tue, 26 Nov 2024 09:29:19 +0100 Subject: [PATCH 29/32] Update research-vuln-scan.yml --- .github/workflows/research-vuln-scan.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/research-vuln-scan.yml b/.github/workflows/research-vuln-scan.yml index b0f691c..69bd23c 100644 --- a/.github/workflows/research-vuln-scan.yml +++ b/.github/workflows/research-vuln-scan.yml @@ -20,7 +20,7 @@ jobs: runs-on: self-hosted-generic steps: - name: Checkout code - uses: actions/11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - name: Login to Greenbone Product container registry uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 #v3.3.0 From 762c940c52ff0be8a1334e45a40e5ef6bfa6a15d Mon Sep 17 00:00:00 2001 From: Robert Schardt Date: Tue, 26 Nov 2024 09:54:42 +0100 Subject: [PATCH 30/32] Add trivy env variables for private registry and remove recommendations and compare for docker scout --- .github/workflows/research-vuln-scan.yml | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/.github/workflows/research-vuln-scan.yml b/.github/workflows/research-vuln-scan.yml index 69bd23c..978dda2 100644 --- a/.github/workflows/research-vuln-scan.yml +++ b/.github/workflows/research-vuln-scan.yml @@ -38,6 +38,9 @@ jobs: output: 'trivy-results.sarif' severity: 'MEDIUM,HIGH,CRITICAL' github-pat: ${{ secrets.GITHUB_TOKEN }} # or ${{ secrets.github_pat_name }} if you're using a PAT + env: + TRIVY_USERNAME: ${{ secrets.GREENBONE_REGISTRY_READ_USER }} + TRIVY_PASSWORD: ${{ secrets.GREENBONE_REGISTRY_READ_TOKEN }} - name: Upload Trivy scan results to GitHub Security tab uses: github/codeql-action/upload-sarif@ea9e4e37992a54ee68a9622e985e60c8e8f12d9f # v3.27.4 
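Review bot: The `env:` block added in the `@@ -38,6 +38,9 @@` hunk must sit at step level, as a sibling of `uses:` and `with:`; if it is nested under `with:`, the action receives `env` as an unrecognised input and `TRIVY_USERNAME`/`TRIVY_PASSWORD` are never exported to the Trivy process (indentation is not recoverable from this rendering, so please confirm). With these variables set, the `Login to Greenbone Product container registry` step earlier in the same job supplies the same read credentials a second time; keeping one mechanism gives a credential rotation a single place to update. The Trivy step's enclosing job begins outside this hunk.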
@@ -101,7 +104,7 @@ jobs: if: ${{ github.event_name != 'pull_request_target' }} uses: docker/scout-action@v1 with: - command: cves, recommendations, compare + command: cves image: '${{ vars.GREENBONE_REGISTRY }}/opensight/opensight-postgres:16' sarif-file: sarif.output.json summary: true From b5c0ce4bb631da725767aa20eac759b9badeab3c Mon Sep 17 00:00:00 2001 From: Robert Schardt Date: Tue, 26 Nov 2024 09:56:43 +0100 Subject: [PATCH 31/32] Fix env indent --- .github/workflows/research-vuln-scan.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/research-vuln-scan.yml b/.github/workflows/research-vuln-scan.yml index 978dda2..c5dfb26 100644 --- a/.github/workflows/research-vuln-scan.yml +++ b/.github/workflows/research-vuln-scan.yml @@ -38,9 +38,9 @@ jobs: output: 'trivy-results.sarif' severity: 'MEDIUM,HIGH,CRITICAL' github-pat: ${{ secrets.GITHUB_TOKEN }} # or ${{ secrets.github_pat_name }} if you're using a PAT - env: - TRIVY_USERNAME: ${{ secrets.GREENBONE_REGISTRY_READ_USER }} - TRIVY_PASSWORD: ${{ secrets.GREENBONE_REGISTRY_READ_TOKEN }} + env: + TRIVY_USERNAME: ${{ secrets.GREENBONE_REGISTRY_READ_USER }} + TRIVY_PASSWORD: ${{ secrets.GREENBONE_REGISTRY_READ_TOKEN }} - name: Upload Trivy scan results to GitHub Security tab uses: github/codeql-action/upload-sarif@ea9e4e37992a54ee68a9622e985e60c8e8f12d9f # v3.27.4 From 66da04a5d21af874ac44089a52f615d09c64e25a Mon Sep 17 00:00:00 2001 From: Robert Schardt Date: Tue, 26 Nov 2024 10:01:00 +0100 Subject: [PATCH 32/32] Remove docker login for trivy --- .github/workflows/research-vuln-scan.yml | 7 ------- 1 file changed, 7 deletions(-) diff --git a/.github/workflows/research-vuln-scan.yml b/.github/workflows/research-vuln-scan.yml index c5dfb26..3177d00 100644 --- a/.github/workflows/research-vuln-scan.yml +++ b/.github/workflows/research-vuln-scan.yml 
@@ -22,13 +22,6 @@ jobs: - name: Checkout code uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - - name: Login to Greenbone Product container registry - uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 #v3.3.0 - with: - registry: ${{ vars.GREENBONE_REGISTRY }} - username: ${{ secrets.GREENBONE_REGISTRY_READ_USER }} - password: ${{ secrets.GREENBONE_REGISTRY_READ_TOKEN }} - - name: Run Trivy vulnerability scanner uses: aquasecurity/trivy-action@7b7aa264d83dc58691451798b4d117d53d21edfe with: