From b473f67a5d20c900a49b1d81e4b4bb356c5f6f0f Mon Sep 17 00:00:00 2001
From: Jason Thomas
Date: Thu, 19 Dec 2024 13:56:12 -0700
Subject: [PATCH] Always run all trivy scans if the build was successful
---
.github/workflows/trivy.yml | 34 ++++++++++++++++++++++++++++++++--
1 file changed, 32 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/trivy.yml b/.github/workflows/trivy.yml
index f86710f565..fcd02db9d2 100644
--- a/.github/workflows/trivy.yml
+++ b/.github/workflows/trivy.yml
@@ -21,17 +21,17 @@ jobs:
 openc3-scan:
 if: ${{ github.actor != 'dependabot[bot]' }}
 runs-on: ubuntu-latest
- strategy:
- fail-fast: false
 steps:
 - uses: actions/checkout@v4
 - name: openc3.sh build
+ id: build
 # This `shell` line is required to get around a known issue: https://github.com/actions/runner/issues/241#issuecomment-745902718
 shell: 'script -q -e -c "bash {0}"'
 run: ./openc3.sh build
 env:
 OPENC3_TAG: ${{ github.sha }}
 - name: Run Trivy on image ruby
+ if: steps.build.outcome == 'success'
 uses: aquasecurity/trivy-action@master
 with:
 image-ref: "docker.io/openc3inc/openc3-ruby:${{ github.sha }}"
@@ -43,11 +43,13 @@ jobs:
 scanners: "vuln"
 severity: "CRITICAL,HIGH"
 - name: Upload Trivy scan results
+ if: steps.build.outcome == 'success'
 uses: github/codeql-action/upload-sarif@v3
 with:
 category: "openc3-ruby"
 sarif_file: "trivy-ruby.sarif"
 - name: Run Trivy on image node
+ if: steps.build.outcome == 'success'
 uses: aquasecurity/trivy-action@master
 with:
 image-ref: "docker.io/openc3inc/openc3-node:${{ github.sha }}"
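Review bot: The added `if: steps.build.outcome == 'success'` guards (here on the ruby scan and upload steps, and repeated on every scan and upload step in the later hunks through `@@ -186`) do not achieve the stated goal of running all scans once the build succeeds, because GitHub applies an implicit `success()` to any `if:` expression that contains no status-check function, so the first Trivy step that fails still skips every step after it. The build step has no `continue-on-error`, so a failed build already stops the job, which makes the condition as written equivalent to the default behaviour. Writing each guard as `if: ${{ !cancelled() && steps.build.outcome == 'success' }}` lets the remaining images be scanned and their SARIF uploaded after an earlier scan fails, while still skipping them when the build failed or the run was cancelled. Separately, the steps these guards attach to still reference `aquasecurity/trivy-action@master`; pinning to a release tag or commit SHA would keep the scanner version reproducible across runs.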
@@ -58,12 +60,16 @@ jobs:
 vuln-type: "os,library"
 scanners: "vuln"
 severity: "CRITICAL,HIGH"
+ # On a subsequent call to the action we know trivy is already installed so can skip this
+ skip-setup-trivy: true
 - name: Upload Trivy scan results
+ if: steps.build.outcome == 'success'
 uses: github/codeql-action/upload-sarif@v3
 with:
 category: "openc3-node"
 sarif_file: "trivy-node.sarif"
 - name: Run Trivy on image base
+ if: steps.build.outcome == 'success'
 uses: aquasecurity/trivy-action@master
 with:
 image-ref: "docker.io/openc3inc/openc3-base:${{ github.sha }}"
@@ -74,12 +80,15 @@ jobs:
 vuln-type: "os,library"
 scanners: "vuln"
 severity: "CRITICAL,HIGH"
+ skip-setup-trivy: true
 - name: Upload Trivy scan results
+ if: steps.build.outcome == 'success'
 uses: github/codeql-action/upload-sarif@v3
 with:
 category: "openc3-base"
 sarif_file: "trivy-base.sarif"
 - name: Run Trivy on image cosmos-init
+ if: steps.build.outcome == 'success'
 uses: aquasecurity/trivy-action@master
 with:
 image-ref: "docker.io/openc3inc/openc3-cosmos-init:${{ github.sha }}"
@@ -90,12 +99,15 @@ jobs:
 vuln-type: "os,library"
 scanners: "vuln"
 severity: "CRITICAL,HIGH"
+ skip-setup-trivy: true
 - name: Upload Trivy scan results
+ if: steps.build.outcome == 'success'
 uses: github/codeql-action/upload-sarif@v3
 with:
 category: "openc3-init"
 sarif_file: "trivy-init.sarif"
 - name: Run Trivy on image redis
+ if: steps.build.outcome == 'success'
 uses: aquasecurity/trivy-action@master
 with:
 image-ref: "docker.io/openc3inc/openc3-redis:${{ github.sha }}"
@@ -106,12 +118,15 @@ jobs:
 vuln-type: "os,library"
 scanners: "vuln"
 severity: "CRITICAL,HIGH"
+ skip-setup-trivy: true
 - name: Upload Trivy scan results
+ if: steps.build.outcome == 'success'
 uses: github/codeql-action/upload-sarif@v3
 with:
 category: "openc3-redis"
 sarif_file: "trivy-redis.sarif"
 - name: Run Trivy on image minio
+ if: steps.build.outcome == 'success'
 uses: aquasecurity/trivy-action@master
 with:
 image-ref: "docker.io/openc3inc/openc3-minio:${{ github.sha }}"
@@ -122,12 +137,15 @@ jobs:
 vuln-type: "os,library"
 scanners: "vuln"
 severity: "CRITICAL,HIGH"
+ skip-setup-trivy: true
 - name: Upload Trivy scan results
+ if: steps.build.outcome == 'success'
 uses: github/codeql-action/upload-sarif@v3
 with:
 category: "openc3-minio"
 sarif_file: "trivy-minio.sarif"
 - name: Run Trivy on image operator
+ if: steps.build.outcome == 'success'
 uses: aquasecurity/trivy-action@master
 with:
 image-ref: "docker.io/openc3inc/openc3-operator:${{ github.sha }}"
@@ -138,12 +156,15 @@ jobs:
 vuln-type: "os,library"
 scanners: "vuln"
 severity: "CRITICAL,HIGH"
+ skip-setup-trivy: true
 - name: Upload Trivy scan results
+ if: steps.build.outcome == 'success'
 uses: github/codeql-action/upload-sarif@v3
 with:
 category: "openc3-operator"
 sarif_file: "trivy-operator.sarif"
 - name: Run Trivy on image cmd-tlm-api
+ if: steps.build.outcome == 'success'
 uses: aquasecurity/trivy-action@master
 with:
 image-ref: "docker.io/openc3inc/openc3-cosmos-cmd-tlm-api:${{ github.sha }}"
@@ -154,12 +175,15 @@ jobs:
 vuln-type: "os,library"
 scanners: "vuln"
 severity: "CRITICAL,HIGH"
+ skip-setup-trivy: true
 - name: Upload Trivy scan results
+ if: steps.build.outcome == 'success'
 uses: github/codeql-action/upload-sarif@v3
 with:
 category: "openc3-cmd-tlm-api"
 sarif_file: "trivy-cmd-tlm-api.sarif"
 - name: Run Trivy on image script-runner-api
+ if: steps.build.outcome == 'success'
 uses: aquasecurity/trivy-action@master
 with:
 image-ref: "docker.io/openc3inc/openc3-cosmos-script-runner-api:${{ github.sha }}"
@@ -170,12 +194,15 @@ jobs:
 vuln-type: "os,library"
 scanners: "vuln"
 severity: "CRITICAL,HIGH"
+ skip-setup-trivy: true
 - name: Upload Trivy scan results
+ if: steps.build.outcome == 'success'
 uses: github/codeql-action/upload-sarif@v3
 with:
 category: "openc3-script-runner-api"
 sarif_file: "trivy-script-runner-api.sarif"
 - name: Run Trivy on image traefik
+ if: steps.build.outcome == 'success'
 uses: aquasecurity/trivy-action@master
 with:
 image-ref: "docker.io/openc3inc/openc3-traefik:${{ github.sha }}"
@@ -186,12 +213,15 @@ jobs:
 vuln-type: "os,library"
 scanners: "vuln"
 severity: "CRITICAL,HIGH"
+ skip-setup-trivy: true
 - name: Upload Trivy scan results
+ if: steps.build.outcome == 'success'
 uses: github/codeql-action/upload-sarif@v3
 with:
 category: "openc3-traefik"
 sarif_file: "trivy-traefik.sarif"
 - name: Run Trivy in GitHub SBOM mode and submit results to Dependency Snapshots
+ if: steps.build.outcome == 'success'
 uses: aquasecurity/trivy-action@master
 with:
 scan-type: "fs"