Merge pull request #37 from cdalvaro/feat/add_security_analysis

ci/cd: Add security analysis step
2020-10-01 09:00:23 +02:00
parent 1b862039dc 67012ccb2f
commit e04015df50
2 changed files with 69 additions and 0 deletions
--- a/.github/workflows/build-and-test.yml
+++ b/.github/workflows/build-and-test.yml
@@ -113,3 +113,43 @@ jobs:
        run: |
          docker stop saltstack_master registry
          docker image rm ${IMAGE_NAME}
+
+  security-analysis:
+    name: Security analysis
+    runs-on: ubuntu-latest
+    needs: build
+    steps:
+      - name: Download Docker registry data from build job
+        uses: actions/download-artifact@v2
+        with:
+          name: docker-registry-data
+          path: ${{ env.REGISTRY_PATH }}
+
+      - name: Enable Docker experimental
+        run: |
+          # Enable docker daemon experimental support.
+          echo '{"experimental": true}' | sudo tee /etc/docker/daemon.json
+          sudo systemctl restart docker
+          # Install QEMU multi-architecture support for docker buildx.
+          docker run --rm --privileged multiarch/qemu-user-static --reset -p yes
+
+      - name: Start Docker registry
+        run: |
+          docker run -d -p 5000:5000 -v ${REGISTRY_PATH}:/var/lib/registry --name registry registry:2
+
+      - name: Import Docker images
+        run: docker pull --platform linux/amd64 ${IMAGE_NAME}
+
+      - name: Run Trivy vulnerability scanner
+        uses: aquasecurity/trivy-action@master
+        with:
+          image-ref: ${{ env.IMAGE_NAME }}
+          format: 'template'
+          template: '@/contrib/sarif.tpl'
+          output: 'trivy-results.sarif'
+          severity: 'HIGH,CRITICAL'
+
+      - name: Upload Trivy scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@v1
+        with:
+          sarif_file: 'trivy-results.sarif'
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -88,3 +88,32 @@ jobs:
          cache-to: type=local,dest=${{ env.CACHE_PATH }}
          push: true
          tags: ${{ steps.metadata.outputs.tags }}
+
+  security-analysis:
+    name: Security analysis
+    runs-on: ubuntu-latest
+    needs: publish
+    if: github.event_name == 'release'
+    steps:
+      - name: Prepare metadata
+        id: metadata
+        run: |
+          IMAGE_REF="${IMAGE_NAME}:${GITHUB_REF_NAME:-latest}"
+          echo ::set-output name=image_ref::${IMAGE_REF}
+
+      - name: Import Docker images
+        run: docker pull ${{ steps.metadata.outputs.image_ref }}
+
+      - name: Run Trivy vulnerability scanner
+        uses: aquasecurity/trivy-action@master
+        with:
+          image-ref: ${{ steps.metadata.outputs.image_ref }}
+          format: 'template'
+          template: '@/contrib/sarif.tpl'
+          output: 'trivy-results.sarif'
+          severity: 'HIGH,CRITICAL'
+
+      - name: Upload Trivy scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@v1
+        with:
+          sarif_file: 'trivy-results.sarif'