stackit-nuke/.github/workflows/security.yml at main · qaiser42/stackit-nuke · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
name: security

on:
  pull_request:
    branches: [main]
  push:
    branches: [main]
  schedule:
    # Weekly Mon 06:00 UTC — pick up newly-disclosed CVEs in pinned deps.
    - cron: "0 6 * * 1"
  workflow_dispatch:

permissions:
  contents: read
  security-events: write   # SARIF → GitHub Code Scanning

jobs:
  trivy-fs:
    name: trivy filesystem
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v6

      - name: Trivy filesystem scan
        uses: aquasecurity/trivy-action@v0.36.0
        with:
          scan-type: fs
          scan-ref: .
          format: sarif
          output: trivy-fs.sarif
          severity: CRITICAL,HIGH,MEDIUM
          ignore-unfixed: true
          exit-code: "0"   # report-only; PRs never blocked on advisory churn

      - name: Upload SARIF
        if: always()
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: trivy-fs.sarif
          category: trivy-fs

      - name: Fail on CRITICAL (PRs only)
        if: github.event_name == 'pull_request'
        uses: aquasecurity/trivy-action@v0.36.0
        with:
          scan-type: fs
          scan-ref: .
          severity: CRITICAL
          ignore-unfixed: true
          exit-code: "1"

  trivy-config:
    name: trivy config (IaC + workflows)
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v6

      - name: Trivy config scan
        uses: aquasecurity/trivy-action@v0.36.0
        with:
          scan-type: config
          scan-ref: .
          format: sarif
          output: trivy-config.sarif
          severity: CRITICAL,HIGH
          exit-code: "0"

      - name: Upload SARIF
        if: always()
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: trivy-config.sarif
          category: trivy-config

  trivy-image:
    name: trivy image
    if: startsWith(github.ref, 'refs/tags/v')
    runs-on: ubuntu-latest
    needs: []
    steps:
      - uses: actions/checkout@v6

      - name: Wait for image
        # Image is published by release.yml on the same tag; this job runs
        # after the registry has it.
        run: |
          for i in 1 2 3 4 5 6 7 8 9 10; do
            if docker manifest inspect ghcr.io/${{ github.repository }}:${GITHUB_REF_NAME} >/dev/null 2>&1; then
              exit 0
            fi
            echo "image not yet available, retry $i..."
            sleep 30
          done
          echo "::error::image not published within timeout"
          exit 1

      - name: Trivy image scan
        uses: aquasecurity/trivy-action@v0.36.0
        with:
          scan-type: image
          image-ref: ghcr.io/${{ github.repository }}:${{ github.ref_name }}
          format: sarif
          output: trivy-image.sarif
          severity: CRITICAL,HIGH,MEDIUM
          ignore-unfixed: true
          exit-code: "0"

      - name: Upload SARIF
        if: always()
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: trivy-image.sarif
          category: trivy-image