Restore scan in CI-PR and Provide alternative Trivy repo. (#578)
Added environment variables with multiple trivy repos. Restore scan after build. Backported scan folders from main. Added action to install Trivy.
committed by
GitHub
parent
bcc0cd4cb4
commit
d147451af3
9
.github/workflows/ci-pr.yml
vendored
@@ -12,6 +12,8 @@ env:
|
||||
ARTIFACTORY_USERNAME: 'anonymous'
|
||||
ARTIFACTORY_PASSWORD: 'anonymous'
|
||||
SKIP_DEPLOY: 'true'
|
||||
TRIVY_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-db,aquasec/trivy-db,ghcr.io/aquasecurity/trivy-db
|
||||
TRIVY_JAVA_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-java-db,aquasec/trivy-java-db,ghcr.io/aquasecurity/trivy-java-db
|
||||
|
||||
jobs:
|
||||
build:
|
||||
@@ -59,6 +61,13 @@ jobs:
|
||||
VERBOSE: ${{ github.debug && 'true' || '' }}
|
||||
run: |
|
||||
./build-apps.sh "-T 1C package -Psnapshot"
|
||||
- name: 'Configure: Install Trivy'
|
||||
uses: ./.github/actions/install-trivy
|
||||
- name: 'Action: Trivy scan'
|
||||
shell: bash
|
||||
run: |
|
||||
BUILD_DIR=$(realpath $MAIN_PATH)
|
||||
$BUILD_DIR/scan-folders.sh table
|
||||
- name: 'Upload: Error logs'
|
||||
if: ${{ failure() }}
|
||||
uses: actions/upload-artifact@v3
|
||||
|
||||
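Review bot: The restored 'Action: Trivy scan' step in the second hunk cannot fail the PR: it calls `scan-folders.sh table`, and in table mode the per-jar script runs `trivy rootfs -q` with no `--exit-code`, while the `find -exec ... \;` chains in the scan scripts discard each child's exit status anyway, so a jar with critical CVEs still produces a green check. If the scan is meant to gate merges, add `--exit-code 1` (optionally `--severity HIGH,CRITICAL`) to the trivy call and propagate failure through scan-jars.sh and scan-folders.sh; if it is informational only, say so in the step name so nobody relies on it. `BUILD_DIR=$(realpath $MAIN_PATH)` should quote the expansion, `BUILD_DIR=$(realpath "$MAIN_PATH")`; `MAIN_PATH` is not defined in this hunk, so it presumably comes from the job env further up. The `./.github/actions/install-trivy` composite action is not part of this diff, so whether it pins a Trivy version and verifies the download cannot be checked here; the `build` job starts outside the hunk.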
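--- a/scan-folders.sh
+++ b/scan-folders.sh
@@ -0,0 +1,22 @@
+#!/bin/bash
+SCDIR=$(dirname "$(readlink -f "${BASH_SOURCE[0]}")")
+SCDIR=$(realpath $SCDIR)
+if [ -f $SCDIR/runs.sarif ]; then
+rm $SCDIR/runs.sarif
+fi
+export TRIVY_UPLOAD=true
+while [ "$1" != "" ]; do
+if [ "$1" == "table" ]; then
+export TRIVY_UPLOAD=false
+fi
+shift
+done
+REAL_PATH=$(realpath $PWD)
+echo "Scanning in $REAL_PATH"
+find . -type d -name target -exec bash "$SCDIR/scan-jars.sh" '{}' \;
+echo "{\"version\": \"2.1.0\", \"\$schema\": \"https://raw.githubusercontent.com/oasis-tcs/sarif-spec/master/Schemata/sarif-schema-2.1.0.json\", \"runs\": [" > "$SCDIR/scan.sarif"
+if [ -f "$SCDIR/runs.sarif" ]; then
+cat "$SCDIR/runs.sarif" >> "$SCDIR/scan.sarif"
+fi
+echo "]}" >> "$SCDIR/scan.sarif"
+echo "Created $SCDIR/scan.sarif"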
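--- a/scan-jar.sh
+++ b/scan-jar.sh
@@ -0,0 +1,24 @@
+#!/bin/bash
+SCDIR=$(dirname "$(readlink -f "${BASH_SOURCE[0]}")")
+SCDIR=$(realpath $SCDIR)
+if [[ "$1" != *"-sources.jar" ]] && [[ "$1" != *"-javadoc.jar" ]]; then
+if [ "$TRIVY_UPLOAD" == "true" ]; then
+echo "Scanning:$1"
+echo "trivy rootfs --format sarif -o \"$1.sarif\" \"$1\""
+trivy rootfs --format sarif -o "$1.sarif" "$1"
+if [ -f "$1.sarif" ]; then
+if [ -f $SCDIR/runs.sarif ]; then
+echo "," >> "$SCDIR/runs.sarif"
+fi
+jq -c '.runs | .[]' "$1.sarif" >> "$SCDIR/runs.sarif"
+else
+echo "Could not find:$1.sarif"
+fi
+else
+trivy rootfs -q "$1"
+fi
+else
+if [ "$TRIVY_UPLOAD" == "true" ]; then
+echo "Skipping $1"
+fi
+fi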
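Review bot: Both trivy invocations ignore the scan outcome: the table branch runs `trivy rootfs -q "$1"` without `--exit-code`, so findings only print, and in the SARIF branch a failed scan just logs "Could not find" and the script still exits 0, so neither vulnerabilities nor scanner errors are visible to the caller. For the table branch I would use `trivy rootfs -q --exit-code 1 --severity HIGH,CRITICAL "$1"` (severity filter optional), and for the SARIF branch capture the status, `trivy rootfs --format sarif -o "$1.sarif" "$1" || status=$?`, then end the script with `exit "${status:-0}"` so the SARIF fragment is still appended before the failure propagates. The SARIF aggregation is also fragile: the "," is appended before `jq -c '.runs | .[]'` runs, so a file whose `runs` array is empty leaves a dangling comma and an unparsable runs.sarif — I believe Trivy always emits one run, but a guard on jq's output would make that explicit. `[ -f $SCDIR/runs.sarif ]` should quote `$SCDIR` like the neighbouring lines do.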
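--- a/scan-jars.sh
+++ b/scan-jars.sh
@@ -0,0 +1,7 @@
+#!/bin/bash
+SCDIR=$(dirname "$(readlink -f "${BASH_SOURCE[0]}")")
+SCDIR=$(realpath $SCDIR)
+if [ "$TRIVY_UPLOAD" == "true" ]; then
+echo "Scanning $1"
+fi
+find $1 -type f -name "*.jar" -exec bash "$SCDIR/scan-jar.sh" '{}' \;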
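Review bot: The last line passes `$1` to find unquoted and uses `-exec ... \;`, which discards scan-jar.sh's exit status, so even if the per-jar script is made to fail on findings this wrapper will still return 0. A single-line replacement that keeps one jar per invocation and surfaces failures is `find "$1" -type f -name '*.jar' -print0 | xargs -0 -n1 bash "$SCDIR/scan-jar.sh"`, since xargs exits 123 when any invocation fails; the `-sources.jar`/`-javadoc.jar` exclusion that scan-jar.sh performs could then also move into the find predicates (`! -name '*-sources.jar' ! -name '*-javadoc.jar'`) so those jars are never spawned at all. `SCDIR=$(realpath $SCDIR)` should quote the expansion, as the following line already does.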