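---
# Scheduled vulnerability scan of the released cmur2/dyndnsd container images with Trivy.
# For every major version the newest patch release is scanned; the job fails if any of them
# reports a vulnerability, but only after all majors have been scanned.
name: vulnscan

on:
  schedule:
    - cron: '7 4 * * 4' # weekly on thursday morning
  workflow_dispatch:

jobs:
  scan-released-dockerimages:
    runs-on: ubuntu-latest
    # Least privilege: the job never pushes or writes to the repository, so the
    # GITHUB_TOKEN does not need the default read/write scopes.
    permissions:
      contents: read
    env:
      TRIVY_LIGHT: 'true'
      TRIVY_IGNORE_UNFIXED: 'true'
      TRIVY_REMOVED_PKGS: 'true'
    steps:
      - name: Install Trivy
        run: |
          mkdir -p "$GITHUB_WORKSPACE/bin"
          echo "$GITHUB_WORKSPACE/bin" >> "$GITHUB_PATH"
          # NOTE(review): the installer is fetched from the moving `master` branch and piped
          # straight into sh, so any upstream change runs here unreviewed. Prefer pinning to a
          # release tag (the installer takes a version argument after `-b <dir>`) and verifying
          # the download's checksum before executing it.
          curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/master/contrib/install.sh | sh -s -- -b "$GITHUB_WORKSPACE/bin"
      - name: Download Trivy DB
        run: |
          trivy image --download-db-only
      - name: Scan vulnerabilities using Trivy
        env:
          TRIVY_SKIP_DIRS: 'usr/lib/ruby/gems/2.7.0/gems/jaeger-client-0.10.0/crossdock,usr/lib/ruby/gems/2.7.0/gems/jaeger-client-1.0.0/crossdock,usr/lib/ruby/gems/2.7.0/gems/jaeger-client-1.1.0/crossdock'
        # Explicit bash: the script relies on [[ ]], echo -e and pipefail.
        shell: bash
        run: |
          set -euo pipefail
          trivy --version

          # Newest tag per major version via semver sorting as per https://stackoverflow.com/a/40391207/2148786.
          # curl -f turns an HTTP error into a non-zero status and pipefail propagates it, so a failed
          # tag lookup fails the step instead of silently yielding an empty list (which previously made
          # the job pass without scanning a single image).
          ALL_IMAGES="$(curl -sfS 'https://hub.docker.com/v2/repositories/cmur2/dyndnsd/tags?page_size=1000' | jq -r '.results[].name | "cmur2/dyndnsd:" + .' | grep -e 'cmur2/dyndnsd:v' | sed '/-/!{s/$/_/}' | sort -r -V | sed 's/_$//')"
          if [ -z "$ALL_IMAGES" ]; then
            echo "No released cmur2/dyndnsd image tags found; refusing to report a clean scan" >&2
            exit 1
          fi

          # Collect the result across all majors so every image is scanned before the step fails.
          EXIT_CODE=0
          # Majors are probed in a fixed range; bump the upper bound when a v11 is released.
          for major_version in $(seq 1 10); do
            for image in $ALL_IMAGES; do
              if [[ "$image" = cmur2/dyndnsd:v$major_version.* ]]; then
                echo -e "\nScanning newest patch release $image of major v$major_version...\n"
                # --skip-update: the DB was fetched in the previous step; --exit-code 1 makes findings fail the scan.
                if ! trivy image --skip-update --exit-code 1 "$image"; then
                  EXIT_CODE=1
                fi
                # ALL_IMAGES is sorted newest-first, so the first match is the newest patch of this major.
                break
              fi
            done
          done
          exit "$EXIT_CODE"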