From d5ef41ee7858d0058156a2062bd2179b533548f7 Mon Sep 17 00:00:00 2001 From: Mahesh-Binayak <76687012+Mahesh-Binayak@users.noreply.github.com> Date: Wed, 16 Oct 2024 18:42:54 +0530 Subject: [PATCH 01/10] Update push-trigger.yml Signed-off-by: Mahesh-Binayak <76687012+Mahesh-Binayak@users.noreply.github.com> --- .github/workflows/push-trigger.yml | 31 ++++++++++++++++++++++++++++++ 1 file changed, 31 insertions(+) diff --git a/.github/workflows/push-trigger.yml b/.github/workflows/push-trigger.yml index 160bbe04..b4c69fa0 100644 --- a/.github/workflows/push-trigger.yml +++ b/.github/workflows/push-trigger.yml @@ -83,3 +83,34 @@ jobs: ACTOR_DOCKER_HUB: ${{ secrets.ACTOR_DOCKER_HUB }} RELEASE_DOCKER_HUB: ${{ secrets.RELEASE_DOCKER_HUB }} SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK }} + trivy_scan: + needs: build-dockers + runs-on: ubuntu-latest + steps: + - name: Set environment variables + run: | + echo "SERVICE_NAME=biosdk-server" >> $GITHUB_ENV + echo "VERSION=latest" >> $GITHUB_ENV + echo "IMAGE_REF=docker.io/${{ env.SERVICE_NAME }}:${{ env.VERSION }}" >> $GITHUB_ENV + + - name: Checkout code + uses: actions/checkout@v3 + + - name: Run Trivy vulnerability scanner + uses: aquasecurity/trivy-action@v0.30.1 + with: + image-ref: '${{ env.IMAGE_REF }}' + format: 'sarif' + output: 'trivy-results.sarif' + + - name: Verify Trivy report generation + run: | + if [ ! -f "trivy-results.sarif" ]; then + echo "Trivy SARIF report not found!" + exit 1 + fi + + - name: Upload Trivy scan results to GitHub Security tab + uses: github/codeql-action/upload-sarif@v2 + with: + sarif_file: 'trivy-results.sarif' From ae12259825bd09e24c266981e3504ba61d04f09e Mon Sep 17 00:00:00 2001 From: Mahesh-Binayak <76687012+Mahesh-Binayak@users.noreply.github.com> Date: Wed, 16 Oct 2024 18:43:49 +0530 Subject: [PATCH 02/10] Update push-trigger.yml 
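Review bot: In the `Set environment variables` step, `IMAGE_REF` is built from `${{ env.SERVICE_NAME }}` and `${{ env.VERSION }}` inside the same step that appends them to `$GITHUB_ENV`; expressions are expanded before the shell runs and `GITHUB_ENV` writes only reach later steps, so this run exports `IMAGE_REF=docker.io/:` and Trivy is handed an empty image reference. Either move the `IMAGE_REF` line into a following step or compute it in the shell directly, `echo "IMAGE_REF=docker.io/biosdk-server:latest" >> "$GITHUB_ENV"`. `docker.io/biosdk-server` also carries no account namespace, so unless build-dockers publishes under the Docker Hub library namespace (not visible here) the reference will not match the image that job pushed. For supply-chain hygiene, pin `aquasecurity/trivy-action`, `actions/checkout` and `github/codeql-action/upload-sarif` to full commit SHAs rather than mutable tags, and note that `upload-sarif` requires `security-events: write`, which I cannot confirm the workflow grants from this hunk.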
Signed-off-by: Mahesh-Binayak <76687012+Mahesh-Binayak@users.noreply.github.com> --- .github/workflows/push-trigger.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/push-trigger.yml b/.github/workflows/push-trigger.yml index b4c69fa0..94d56ead 100644 --- a/.github/workflows/push-trigger.yml +++ b/.github/workflows/push-trigger.yml @@ -110,7 +110,7 @@ jobs: exit 1 fi - - name: Upload Trivy scan results to GitHub Security tab + - name: Upload Trivy scan results to GitHub security tab uses: github/codeql-action/upload-sarif@v2 with: sarif_file: 'trivy-results.sarif' From 1805f361e9f16e49d978ab999baa5fa578395332 Mon Sep 17 00:00:00 2001 From: Mahesh-Binayak <76687012+Mahesh-Binayak@users.noreply.github.com> Date: Wed, 16 Oct 2024 18:49:07 +0530 Subject: [PATCH 03/10] Update push-trigger.yml Signed-off-by: Mahesh-Binayak <76687012+Mahesh-Binayak@users.noreply.github.com> --- .github/workflows/push-trigger.yml | 53 +++++++++++++++--------------- 1 file changed, 27 insertions(+), 26 deletions(-) diff --git a/.github/workflows/push-trigger.yml b/.github/workflows/push-trigger.yml index 94d56ead..a24b6b51 100644 --- a/.github/workflows/push-trigger.yml +++ b/.github/workflows/push-trigger.yml 
@@ -83,34 +83,35 @@ jobs: ACTOR_DOCKER_HUB: ${{ secrets.ACTOR_DOCKER_HUB }} RELEASE_DOCKER_HUB: ${{ secrets.RELEASE_DOCKER_HUB }} SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK }} + trivy_scan: - needs: build-dockers - runs-on: ubuntu-latest - steps: - - name: Set environment variables - run: | - echo "SERVICE_NAME=biosdk-server" >> $GITHUB_ENV - echo "VERSION=latest" >> $GITHUB_ENV - echo "IMAGE_REF=docker.io/${{ env.SERVICE_NAME }}:${{ env.VERSION }}" >> $GITHUB_ENV + needs: build-dockers + runs-on: ubuntu-latest + steps: + - name: Set environment variables + run: | + echo "SERVICE_NAME=biosdk-server" >> $GITHUB_ENV + echo "VERSION=latest" >> $GITHUB_ENV + echo "IMAGE_REF=docker.io/${{ env.SERVICE_NAME }}:${{ env.VERSION }}" >> $GITHUB_ENV - - name: Checkout code - uses: actions/checkout@v3 + - name: Checkout code + uses: actions/checkout@v3 - - name: Run Trivy vulnerability scanner - uses: aquasecurity/trivy-action@v0.30.1 - with: - image-ref: '${{ env.IMAGE_REF }}' - format: 'sarif' - output: 'trivy-results.sarif' + - name: Run Trivy vulnerability scanner + uses: aquasecurity/trivy-action@v0.30.1 + with: + image-ref: '${{ env.IMAGE_REF }}' + format: 'sarif' + output: 'trivy-results.sarif' - - name: Verify Trivy report generation - run: | - if [ ! -f "trivy-results.sarif" ]; then - echo "Trivy SARIF report not found!" - exit 1 - fi + - name: Verify Trivy report generation + run: | + if [ ! -f "trivy-results.sarif" ]; then + echo "Trivy SARIF report not found!" + exit 1 + fi - - name: Upload Trivy scan results to GitHub security tab - uses: github/codeql-action/upload-sarif@v2 - with: - sarif_file: 'trivy-results.sarif' + - name: Upload Trivy scan results to GitHub security tab + uses: github/codeql-action/upload-sarif@v2 + with: + sarif_file: 'trivy-results.sarif' From e3168dfbe21ab20bc882c71b1dd0b6730d0e9440 Mon Sep 17 00:00:00 2001 
From: Mahesh-Binayak <76687012+Mahesh-Binayak@users.noreply.github.com> Date: Wed, 16 Oct 2024 19:13:04 +0530 Subject: [PATCH 04/10] Update push-trigger.yml Signed-off-by: Mahesh-Binayak <76687012+Mahesh-Binayak@users.noreply.github.com> --- .github/workflows/push-trigger.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/push-trigger.yml b/.github/workflows/push-trigger.yml index a24b6b51..39d2fa6c 100644 --- a/.github/workflows/push-trigger.yml +++ b/.github/workflows/push-trigger.yml @@ -98,7 +98,7 @@ jobs: uses: actions/checkout@v3 - name: Run Trivy vulnerability scanner - uses: aquasecurity/trivy-action@v0.30.1 + uses: aquasecurity/trivy-action@v0.20.0 with: image-ref: '${{ env.IMAGE_REF }}' format: 'sarif' From 8260296913456af0a2cebd39ae545d865f662ca7 Mon Sep 17 00:00:00 2001 From: Mahesh-Binayak <76687012+Mahesh-Binayak@users.noreply.github.com> Date: Wed, 16 Oct 2024 19:15:55 +0530 Subject: [PATCH 05/10] Update push-trigger.yml Signed-off-by: Mahesh-Binayak <76687012+Mahesh-Binayak@users.noreply.github.com> --- .github/workflows/push-trigger.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/push-trigger.yml b/.github/workflows/push-trigger.yml index 39d2fa6c..309b52d7 100644 --- a/.github/workflows/push-trigger.yml +++ b/.github/workflows/push-trigger.yml @@ -98,7 +98,7 @@ jobs: uses: actions/checkout@v3 - name: Run Trivy vulnerability scanner - uses: aquasecurity/trivy-action@v0.20.0 + uses: aquasecurity/trivy-action@0.20.0 with: image-ref: '${{ env.IMAGE_REF }}' format: 'sarif' From 1ac90afd62c34bfd4d009e012786bef92762c8c1 Mon Sep 17 00:00:00 2001 From: Mahesh-Binayak <76687012+Mahesh-Binayak@users.noreply.github.com> Date: Wed, 16 Oct 2024 19:26:46 +0530 Subject: [PATCH 06/10] Update push-trigger.yml Signed-off-by: Mahesh-Binayak <76687012+Mahesh-Binayak@users.noreply.github.com> --- .github/workflows/push-trigger.yml | 8 +------- 1 file changed, 1 insertion(+), 7 deletions(-) 
diff --git a/.github/workflows/push-trigger.yml b/.github/workflows/push-trigger.yml index 309b52d7..6e54dfd9 100644 --- a/.github/workflows/push-trigger.yml +++ b/.github/workflows/push-trigger.yml @@ -88,19 +88,13 @@ jobs: needs: build-dockers runs-on: ubuntu-latest steps: - - name: Set environment variables - run: | - echo "SERVICE_NAME=biosdk-server" >> $GITHUB_ENV - echo "VERSION=latest" >> $GITHUB_ENV - echo "IMAGE_REF=docker.io/${{ env.SERVICE_NAME }}:${{ env.VERSION }}" >> $GITHUB_ENV - - name: Checkout code uses: actions/checkout@v3 - name: Run Trivy vulnerability scanner uses: aquasecurity/trivy-action@0.20.0 with: - image-ref: '${{ env.IMAGE_REF }}' + image-ref: 'docker.io/${{ env.SERVICE_NAME }}:${{ env.VERSION }}' format: 'sarif' output: 'trivy-results.sarif' From 13b85cb117cd8fd1435ab26d26f48c383c993cdc Mon Sep 17 00:00:00 2001 From: Mahesh-Binayak <76687012+Mahesh-Binayak@users.noreply.github.com> Date: Wed, 16 Oct 2024 21:56:07 +0530 Subject: [PATCH 07/10] Update push-trigger.yml Signed-off-by: Mahesh-Binayak <76687012+Mahesh-Binayak@users.noreply.github.com> --- .github/workflows/push-trigger.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/push-trigger.yml b/.github/workflows/push-trigger.yml index 6e54dfd9..98974fa2 100644 --- a/.github/workflows/push-trigger.yml +++ b/.github/workflows/push-trigger.yml @@ -94,7 +94,7 @@ jobs: - name: Run Trivy vulnerability scanner uses: aquasecurity/trivy-action@0.20.0 with: - image-ref: 'docker.io/${{ env.SERVICE_NAME }}:${{ env.VERSION }}' + image-ref: 'docker.io/${{ matrix.SERVICE_NAME }}:latest' format: 'sarif' output: 'trivy-results.sarif' From 04b8fa6d173cf87d60b102e5dbe83bcc27f78c27 Mon Sep 17 00:00:00 2001 From: Mahesh-Binayak <76687012+Mahesh-Binayak@users.noreply.github.com> Date: Wed, 16 Oct 2024 22:08:02 +0530 Subject: [PATCH 08/10] Update push-trigger.yml 
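Review bot: After the `Set environment variables` step is removed, the new `image-ref: 'docker.io/${{ env.SERVICE_NAME }}:${{ env.VERSION }}'` still reads `env.SERVICE_NAME` and `env.VERSION`, and nothing left in this hunk defines them; unless a job- or workflow-level `env` outside the hunk does, the reference expands to `docker.io/:` and the scan runs against an empty image name. Define them on the job (`env:` with `SERVICE_NAME: biosdk-server` and `VERSION: latest`) or inline the literal `image-ref: 'docker.io/biosdk-server:latest'`. The following hunk (PATCH 07) swaps this for `${{ matrix.SERVICE_NAME }}` while the job in view has no `strategy.matrix`, so the same empty expansion applies there until a matrix is declared.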
Signed-off-by: Mahesh-Binayak <76687012+Mahesh-Binayak@users.noreply.github.com> --- .github/workflows/push-trigger.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/.github/workflows/push-trigger.yml b/.github/workflows/push-trigger.yml index 98974fa2..6e92f9b9 100644 --- a/.github/workflows/push-trigger.yml +++ b/.github/workflows/push-trigger.yml @@ -86,6 +86,10 @@ jobs: trivy_scan: needs: build-dockers + strategy: + matrix: + include: + - SERVICE_NAME: 'biosdk-server' runs-on: ubuntu-latest steps: - name: Checkout code From 210f3ce7e65edab50cc41cde0b4b54f2d87846fb Mon Sep 17 00:00:00 2001 From: Mahesh-Binayak <76687012+Mahesh-Binayak@users.noreply.github.com> Date: Wed, 16 Oct 2024 22:16:51 +0530 Subject: [PATCH 09/10] Update push-trigger.yml Signed-off-by: Mahesh-Binayak <76687012+Mahesh-Binayak@users.noreply.github.com> --- .github/workflows/push-trigger.yml | 30 ++++++++++++++---------------- 1 file changed, 14 insertions(+), 16 deletions(-) diff --git a/.github/workflows/push-trigger.yml b/.github/workflows/push-trigger.yml index 6e92f9b9..36471e32 100644 --- a/.github/workflows/push-trigger.yml +++ b/.github/workflows/push-trigger.yml 
@@ -84,31 +84,29 @@ jobs: RELEASE_DOCKER_HUB: ${{ secrets.RELEASE_DOCKER_HUB }} SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK }} - trivy_scan: - needs: build-dockers - strategy: - matrix: - include: - - SERVICE_NAME: 'biosdk-server' + trivy-scan: runs-on: ubuntu-latest + env: + NAMESPACE: ${{ secrets.dev_namespace_docker_hub }} + SERVICE_NAME: biosdk-server + VERSION: latest # Modify this as needed or set dynamically based on your versioning scheme + steps: - name: Checkout code - uses: actions/checkout@v3 - + uses: actions/checkout@v2 + - name: Run Trivy vulnerability scanner uses: aquasecurity/trivy-action@0.20.0 with: - image-ref: 'docker.io/${{ matrix.SERVICE_NAME }}:latest' + image-ref: 'docker.io/${{ env.SERVICE_NAME }}:${{ env.VERSION }}' format: 'sarif' output: 'trivy-results.sarif' + - - name: Verify Trivy report generation - run: | - if [ ! -f "trivy-results.sarif" ]; then - echo "Trivy SARIF report not found!" - exit 1 - fi - + - name: Upload Trivy scan results to GitHub Security tab + uses: github/codeql-action/upload-sarif@v2 + with: + sarif_file: 'trivy-results.sarif' - name: Upload Trivy scan results to GitHub security tab uses: github/codeql-action/upload-sarif@v2 with: From e4c8c7310751e4edef3390d06110f7833d5d283f Mon Sep 17 00:00:00 2001 From: Mahesh-Binayak <76687012+Mahesh-Binayak@users.noreply.github.com> Date: Wed, 16 Oct 2024 22:24:31 +0530 Subject: [PATCH 10/10] Update push-trigger.yml Signed-off-by: Mahesh-Binayak <76687012+Mahesh-Binayak@users.noreply.github.com> --- .github/workflows/push-trigger.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/push-trigger.yml b/.github/workflows/push-trigger.yml index 36471e32..bc0b7581 100644 --- a/.github/workflows/push-trigger.yml +++ b/.github/workflows/push-trigger.yml @@ -85,6 +85,7 @@ jobs: SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK }} trivy-scan: + needs: build-dockers runs-on: ubuntu-latest env: NAMESPACE: ${{ secrets.dev_namespace_docker_hub }}
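Review bot: The job now declares `NAMESPACE: ${{ secrets.dev_namespace_docker_hub }}` but the new `image-ref` is `'docker.io/${{ env.SERVICE_NAME }}:${{ env.VERSION }}'`, which leaves NAMESPACE unused and points Trivy at `docker.io/biosdk-server:latest`, the Docker Hub library namespace rather than the account the image was presumably pushed to; the reference should read `image-ref: 'docker.io/${{ env.NAMESPACE }}/${{ env.SERVICE_NAME }}:${{ env.VERSION }}'`. The hunk also inserts a new `Upload Trivy scan results to GitHub Security tab` step directly above the existing `Upload Trivy scan results to GitHub security tab` step, which survives as context, so the same SARIF file is uploaded twice — drop one of them. `actions/checkout` is downgraded from `v3` to `v2`, a deprecated release; keep `v3` or pin a commit SHA. Deleting the `Verify Trivy report generation` guard means a scan that produces no SARIF now fails only at upload with a less specific error, so consider keeping it. The `trivy-action` step sets neither `exit-code` nor `severity`, so the job succeeds regardless of findings; that is fine for a report-only gate but worth stating on the step, e.g. `# report-only: findings surface in the Security tab, they do not fail the build`.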
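Review bot: With `VERSION: latest` in the job `env`, the restored `needs: build-dockers` ordering still does not tie the scan to the image this run built: Trivy pulls whatever currently carries the `latest` tag on the registry, which may be an older or concurrently pushed image. If build-dockers can expose the tag or digest it pushed as a job output, read it here via `${{ needs.build-dockers.outputs.<output-name> }}` (placeholder for the actual output name) so the report corresponds to the published artifact. Whether build-dockers already emits such an output is not visible in this hunk.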