Restore scan in CI-PR and Provide alternative Trivy repo. (#578)

Added environment variables listing multiple Trivy DB repositories.
Restore scan after build.
Backported scan folders from main.
Added action to install Trivy.
Corneil du Plessis
2024-11-20 11:52:20 +02:00
committed by GitHub
parent bcc0cd4cb4
commit d147451af3
4 changed files with 62 additions and 0 deletions


@@ -12,6 +12,8 @@ env:
ARTIFACTORY_USERNAME: 'anonymous'
ARTIFACTORY_PASSWORD: 'anonymous'
SKIP_DEPLOY: 'true'
TRIVY_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-db,aquasec/trivy-db,ghcr.io/aquasecurity/trivy-db
TRIVY_JAVA_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-java-db,aquasec/trivy-java-db,ghcr.io/aquasecurity/trivy-java-db
jobs:
build:
@@ -59,6 +61,13 @@ jobs:
VERBOSE: ${{ github.debug && 'true' || '' }}
run: |
./build-apps.sh "-T 1C package -Psnapshot"
- name: 'Configure: Install Trivy'
uses: ./.github/actions/install-trivy
- name: 'Action: Trivy scan'
shell: bash
run: |
BUILD_DIR=$(realpath $MAIN_PATH)
$BUILD_DIR/scan-folders.sh table
- name: 'Upload: Error logs'
if: ${{ failure() }}
uses: actions/upload-artifact@v3
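Review bot: The restored `Action: Trivy scan` step cannot fail the PR as written: `scan-folders.sh table` switches the scripts to their table branch, which invokes trivy without `--exit-code`, and the step itself has no status handling, so the scan is informational only — if it is meant to gate, the table-mode call in scan-jar.sh needs `--exit-code 1` plus a `--severity` threshold. The comma-separated fallback in `TRIVY_DB_REPOSITORY` / `TRIVY_JAVA_DB_REPOSITORY` is only honoured by Trivy releases that accept a repository list; older releases treat the whole value as a single reference and the DB pull fails, so the version pinned by `./.github/actions/install-trivy` (not among the four files in this commit, so presumably already on the branch) needs checking. Each registry in the list is a party trusted to serve the vulnerability DB by mutable tag, and the bare `aquasec/trivy-db` entry resolves to Docker Hub, which may impose anonymous pull limits of its own; a short comment such as `# fallback mirrors for the Trivy DB; trivy tries them in order` above the two env lines would record why three are listed. The `build` job and `MAIN_PATH` are defined outside this hunk.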

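--- /dev/null
+++ b/scan-folders.sh
@@ -0,0 +1,22 @@
+#!/bin/bash
+SCDIR=$(dirname "$(readlink -f "${BASH_SOURCE[0]}")")
+SCDIR=$(realpath $SCDIR)
+if [ -f $SCDIR/runs.sarif ]; then
+rm $SCDIR/runs.sarif
+fi
+export TRIVY_UPLOAD=true
+while [ "$1" != "" ]; do
+if [ "$1" == "table" ]; then
+export TRIVY_UPLOAD=false
+fi
+shift
+done
+REAL_PATH=$(realpath $PWD)
+echo "Scanning in $REAL_PATH"
+find . -type d -name target -exec bash "$SCDIR/scan-jars.sh" '{}' \;
+echo "{\"version\": \"2.1.0\", \"\$schema\": \"https://raw.githubusercontent.com/oasis-tcs/sarif-spec/master/Schemata/sarif-schema-2.1.0.json\", \"runs\": [" > "$SCDIR/scan.sarif"
+if [ -f "$SCDIR/runs.sarif" ]; then
+cat "$SCDIR/runs.sarif" >> "$SCDIR/scan.sarif"
+fi
+echo "]}" >> "$SCDIR/scan.sarif"
+echo "Created $SCDIR/scan.sarif"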
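Review bot: The `find . -type d -name target -exec bash "$SCDIR/scan-jars.sh" '{}' \;` line discards the scanner's result: with `\;` a non-zero exit from the child only makes the predicate false, find still returns 0, and the script then assembles scan.sarif and exits 0 whatever happened, so neither a failed DB pull nor a finding can ever fail the CI step that calls it. Iterating the directories in a loop that records failures keeps the SARIF assembly intact and returns a meaningful status (scan-jars.sh would need the same treatment for its inner find, and scan-jar.sh must propagate trivy's exit code for this to matter). The unquoted `$SCDIR` in `[ -f $SCDIR/runs.sarif ]` and the `rm` would also break on a checkout path containing spaces; quote them as the later lines already do.
```shell
set -uo pipefail
# … unchanged: SCDIR setup, runs.sarif cleanup, TRIVY_UPLOAD argument parsing …
status=0
while IFS= read -r -d '' dir; do
  bash "$SCDIR/scan-jars.sh" "$dir" || status=1
done < <(find . -type d -name target -print0)
# … unchanged: scan.sarif assembly …
exit "$status"
```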

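--- /dev/null
+++ b/scan-jar.sh
@@ -0,0 +1,24 @@
+#!/bin/bash
+SCDIR=$(dirname "$(readlink -f "${BASH_SOURCE[0]}")")
+SCDIR=$(realpath $SCDIR)
+if [[ "$1" != *"-sources.jar" ]] && [[ "$1" != *"-javadoc.jar" ]]; then
+if [ "$TRIVY_UPLOAD" == "true" ]; then
+echo "Scanning:$1"
+echo "trivy rootfs --format sarif -o \"$1.sarif\" \"$1\""
+trivy rootfs --format sarif -o "$1.sarif" "$1"
+if [ -f "$1.sarif" ]; then
+if [ -f $SCDIR/runs.sarif ]; then
+echo "," >> "$SCDIR/runs.sarif"
+fi
+jq -c '.runs | .[]' "$1.sarif" >> "$SCDIR/runs.sarif"
+else
+echo "Could not find:$1.sarif"
+fi
+else
+trivy rootfs -q "$1"
+fi
+else
+if [ "$TRIVY_UPLOAD" == "true" ]; then
+echo "Skipping $1"
+fi
+fi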
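Review bot: Trivy's exit status is never checked, so the failure mode this commit is working around stays invisible: when the DB pull fails in SARIF mode the script only prints `Could not find:$1.sarif` and exits 0, and the table branch `trivy rootfs -q "$1"` runs without `--exit-code`, so findings cannot fail the job either. Suggest `trivy rootfs --format sarif -o "$1.sarif" "$1" || exit 1` in the upload branch and `trivy rootfs -q --exit-code 1 --severity HIGH,CRITICAL "$1"` in the table branch, with the severity threshold set to whatever the project intends to gate on. Quoting `$SCDIR` in the `[ -f $SCDIR/runs.sarif ]` test would match the rest of the script.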

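--- /dev/null
+++ b/scan-jars.sh
@@ -0,0 +1,7 @@
+#!/bin/bash
+SCDIR=$(dirname "$(readlink -f "${BASH_SOURCE[0]}")")
+SCDIR=$(realpath $SCDIR)
+if [ "$TRIVY_UPLOAD" == "true" ]; then
+echo "Scanning $1"
+fi
+find $1 -type f -name "*.jar" -exec bash "$SCDIR/scan-jar.sh" '{}' \;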
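Review bot: `find $1 -type f -name "*.jar" -exec bash "$SCDIR/scan-jar.sh" '{}' \;` leaves `$1` unquoted and, because of `\;`, returns 0 even when every scan-jar.sh invocation fails, so the caller cannot distinguish a completed scan from a broken one. Replacing the single find with a loop that quotes the directory and records failures fixes both; it only pays off once scan-jar.sh itself exits non-zero on trivy errors. Whether `*.jar` alone is the right filter also deserves a look — a `target` directory may hold `.war`/`.ear` archives that are currently skipped, though what this build produces is not visible here.
```shell
# … unchanged: SCDIR setup and the TRIVY_UPLOAD "Scanning" echo …
status=0
while IFS= read -r -d '' jar; do
  bash "$SCDIR/scan-jar.sh" "$jar" || status=1
done < <(find "$1" -type f -name "*.jar" -print0)
exit "$status"
```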