Add Trivy scanning to main workflow
parent
04fbcdac28
commit
479a1c4d55
|
|
@ -68,6 +68,57 @@ jobs:
|
||||||
|
|
||||||
"${gitleaks_bin}" git --redact=100 --verbose --exit-code 1 .
|
"${gitleaks_bin}" git --redact=100 --verbose --exit-code 1 .
|
||||||
|
|
||||||
|
- name: Scan for vulnerabilities and misconfigurations with Trivy
|
||||||
|
run: |
|
||||||
|
set -euo pipefail
|
||||||
|
|
||||||
|
trivy_version="0.70.0"
|
||||||
|
case "$(uname -m)" in
|
||||||
|
x86_64|amd64)
|
||||||
|
trivy_platform="Linux-64bit"
|
||||||
|
trivy_sha256="8b4376d5d6befe5c24d503f10ff136d9e0c49f9127a4279fd110b727929a5aa9"
|
||||||
|
;;
|
||||||
|
aarch64|arm64)
|
||||||
|
trivy_platform="Linux-ARM64"
|
||||||
|
trivy_sha256="2f6bb988b553a1bbac6bdd1ce890f5e412439564e17522b88a4541b4f364fc8d"
|
||||||
|
;;
|
||||||
|
*)
|
||||||
|
echo "Unsupported runner architecture: $(uname -m)" >&2
|
||||||
|
exit 1
|
||||||
|
;;
|
||||||
|
esac
|
||||||
|
|
||||||
|
tool_dir="${HOME}/.cache/homelab-tools/trivy/${trivy_version}/${trivy_platform}"
|
||||||
|
trivy_bin="${tool_dir}/trivy"
|
||||||
|
installed_version=""
|
||||||
|
if [[ -x "${trivy_bin}" ]]; then
|
||||||
|
installed_version="$("${trivy_bin}" --version | awk '/^Version:/ {print $2; exit}')"
|
||||||
|
fi
|
||||||
|
if [[ "${installed_version}" != "${trivy_version}" ]]; then
|
||||||
|
archive="trivy_${trivy_version}_${trivy_platform}.tar.gz"
|
||||||
|
tmpdir="$(mktemp -d)"
|
||||||
|
trap 'rm -rf "${tmpdir}"' EXIT
|
||||||
|
|
||||||
|
curl -fsSL -o "${tmpdir}/${archive}" \
|
||||||
|
"https://github.com/aquasecurity/trivy/releases/download/v${trivy_version}/${archive}"
|
||||||
|
printf '%s %s\n' "${trivy_sha256}" "${tmpdir}/${archive}" | sha256sum -c -
|
||||||
|
|
||||||
|
mkdir -p "${tool_dir}"
|
||||||
|
tar -xzf "${tmpdir}/${archive}" -C "${tmpdir}" trivy
|
||||||
|
install -m 0755 "${tmpdir}/trivy" "${trivy_bin}"
|
||||||
|
fi
|
||||||
|
|
||||||
|
trivy_cache="${HOME}/.cache/homelab-tools/trivy/cache"
|
||||||
|
trivy_docker_config="${HOME}/.cache/homelab-tools/trivy/docker-config"
|
||||||
|
mkdir -p "${trivy_cache}" "${trivy_docker_config}"
|
||||||
|
printf '{}\n' > "${trivy_docker_config}/config.json"
|
||||||
|
export DOCKER_CONFIG="${trivy_docker_config}"
|
||||||
|
|
||||||
|
"${trivy_bin}" fs --scanners vuln,misconfig --severity HIGH,CRITICAL \
|
||||||
|
--exit-code 0 --no-progress --cache-dir "${trivy_cache}" .
|
||||||
|
"${trivy_bin}" fs --scanners vuln,misconfig --severity CRITICAL \
|
||||||
|
--exit-code 1 --no-progress --cache-dir "${trivy_cache}" .
|
||||||
|
|
||||||
- name: Validate shell, Kubernetes manifests, and OpenTofu stacks
|
- name: Validate shell, Kubernetes manifests, and OpenTofu stacks
|
||||||
run: |
|
run: |
|
||||||
set -euo pipefail
|
set -euo pipefail
|
||||||
|
|
|
||||||
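Review bot: The two `trivy fs` invocations at the end of the run block encode a gating policy — HIGH and CRITICAL findings are reported with `--exit-code 0`, then only CRITICAL findings fail the job with `--exit-code 1` — that nothing in the step states, and the second invocation repeats the full scan; a comment such as `# First pass reports HIGH+CRITICAL for visibility; only CRITICAL findings fail the job` above the first call would make the intent clear to whoever later tightens it. The version probe `installed_version="$("${trivy_bin}" --version | awk ...)"` runs under `set -o pipefail`, so a cached binary that exists and is executable but fails to run (a truncated or wrong-architecture file left in the cache) aborts the step instead of falling through to the re-download branch; `installed_version="$("${trivy_bin}" --version 2>/dev/null | awk '/^Version:/ {print $2; exit}' || true)"` keeps the cache self-healing. The release tarball is pinned by SHA-256 and verified before `install`, which is the right supply-chain posture; the vulnerability database that trivy fetches into `${trivy_cache}` at scan time is presumably not pinned, so it stays the one unverified network dependency of this step and is worth recording in the same comment if that is the accepted trade-off.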