dyndnsd/.github/workflows/vulnscan.yml

# yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json
---
name: vulnscan

on:
  schedule:
  - cron: '7 4 * * 4'  # weekly on thursday morning
  workflow_dispatch:

jobs:
  scan-released-dockerimages:
    runs-on: ubuntu-latest
    env:
      TRIVY_IGNORE_UNFIXED: 'true'
      TRIVY_REMOVED_PKGS: 'true'
    steps:
    - name: Install Trivy
      run: |
        mkdir -p "$GITHUB_WORKSPACE/bin"
        echo "$GITHUB_WORKSPACE/bin" >> "$GITHUB_PATH"
        curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/master/contrib/install.sh | sh -s -- -b "$GITHUB_WORKSPACE/bin"
    - name: Download Trivy DB
      run: |
        trivy image --download-db-only
    - name: Scan vulnerabilities using Trivy
      env:
        TRIVY_SKIP_DIRS: 'usr/lib/ruby/gems/2.7.0/gems/jaeger-client-0.10.0/crossdock,usr/lib/ruby/gems/2.7.0/gems/jaeger-client-1.0.0/crossdock,usr/lib/ruby/gems/2.7.0/gems/jaeger-client-1.1.0/crossdock'
      run: |
        trivy --version

        # semver sorting as per https://stackoverflow.com/a/40391207/2148786
        ALL_IMAGES="$(curl -s https://hub.docker.com/v2/repositories/cmur2/dyndnsd/tags?page_size=1000 | jq -r '.results[].name | "cmur2/dyndnsd:" + .' | grep -e 'cmur2/dyndnsd:v' | sed '/-/!{s/$/_/}' | sort -r -V | sed 's/_$//')"
        EXIT_CODE=0
        set -e
        for major_version in $(seq 1 10); do
          for image in $ALL_IMAGES; do
            if [[ "$image" = cmur2/dyndnsd:v$major_version.* ]]; then
              echo -e "\nScanning newest patch release $image of major v$major_version...\n"
              if ! trivy image --skip-update --exit-code 1 "$image"; then
                EXIT_CODE=1
              fi
              break
            fi
          done
        done
        exit "$EXIT_CODE"
ci: use JSON schema for GHA workflows 2022-02-11 01:29:46 +01:00			`# yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json`
docker: add image release on tag and periodic vulnerability scan 2020-08-17 12:08:42 +02:00			`---`
			`name: vulnscan`

			`on:`
			`schedule:`
			`- cron: '7 4 * * 4' # weekly on thursday morning`
ci: allow manual run of vulnscan action workflow 2020-08-18 22:53:33 +02:00			`workflow_dispatch:`
docker: add image release on tag and periodic vulnerability scan 2020-08-17 12:08:42 +02:00
			`jobs:`
			`scan-released-dockerimages:`
			`runs-on: ubuntu-latest`
			`env:`
			`TRIVY_IGNORE_UNFIXED: 'true'`
			`TRIVY_REMOVED_PKGS: 'true'`
			`steps:`
			`- name: Install Trivy`
			`run: \|`
ci: use actionlint on GHA workflows - https://github.com/rhysd/actionlint is cool 2022-02-15 23:56:09 +01:00			`mkdir -p "$GITHUB_WORKSPACE/bin"`
ci: use Github environment files - fixing vulnerability via https://docs.github.com/en/free-pro-team@latest/actions/reference/workflow-commands-for-github-actions#environment-files 2020-10-08 12:32:44 +02:00			`echo "$GITHUB_WORKSPACE/bin" >> "$GITHUB_PATH"`
ci: use actionlint on GHA workflows - https://github.com/rhysd/actionlint is cool 2022-02-15 23:56:09 +01:00			`curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/master/contrib/install.sh \| sh -s -- -b "$GITHUB_WORKSPACE/bin"`
docker: add image release on tag and periodic vulnerability scan 2020-08-17 12:08:42 +02:00			`- name: Download Trivy DB`
			`run: \|`
			`trivy image --download-db-only`
			`- name: Scan vulnerabilities using Trivy`
ci: improve ignore of false-positives on 3rd party lockfiles - amends https://github.com/cmur2/dyndnsd/commit/5b332d8f5729c1cc1ff26a87ee1548426932f2d6 2020-08-30 11:41:23 +02:00			`env:`
ci: ignore false-positive 3rd party lockfiles for trivy 2020-10-08 12:25:38 +02:00			`TRIVY_SKIP_DIRS: 'usr/lib/ruby/gems/2.7.0/gems/jaeger-client-0.10.0/crossdock,usr/lib/ruby/gems/2.7.0/gems/jaeger-client-1.0.0/crossdock,usr/lib/ruby/gems/2.7.0/gems/jaeger-client-1.1.0/crossdock'`
docker: add image release on tag and periodic vulnerability scan 2020-08-17 12:08:42 +02:00			`run: \|`
			`trivy --version`

ci: fix vulnscan behavior to scan most-recent semver 2020-08-19 14:33:26 +02:00			`# semver sorting as per https://stackoverflow.com/a/40391207/2148786`
			`ALL_IMAGES="$(curl -s https://hub.docker.com/v2/repositories/cmur2/dyndnsd/tags?page_size=1000 \| jq -r '.results[].name \| "cmur2/dyndnsd:" + .' \| grep -e 'cmur2/dyndnsd:v' \| sed '/-/!{s/$/_/}' \| sort -r -V \| sed 's/_$//')"`
docker: add image release on tag and periodic vulnerability scan 2020-08-17 12:08:42 +02:00			`EXIT_CODE=0`
			`set -e`
			`for major_version in $(seq 1 10); do`
			`for image in $ALL_IMAGES; do`
			`if [[ "$image" = cmur2/dyndnsd:v$major_version.* ]]; then`
ci: fix vulnscan behavior to scan most-recent semver 2020-08-19 14:33:26 +02:00			`echo -e "\nScanning newest patch release $image of major v$major_version...\n"`
ci: improve ignore of false-positives on 3rd party lockfiles - amends https://github.com/cmur2/dyndnsd/commit/5b332d8f5729c1cc1ff26a87ee1548426932f2d6 2020-08-30 11:41:23 +02:00			`if ! trivy image --skip-update --exit-code 1 "$image"; then`
docker: add image release on tag and periodic vulnerability scan 2020-08-17 12:08:42 +02:00			`EXIT_CODE=1`
			`fi`
			`break`
			`fi`
			`done`
			`done`
			`exit "$EXIT_CODE"`