228 lines
7.6 KiB
YAML
228 lines
7.6 KiB
YAML
# Container Security Scanning Workflow
|
|
# Sprint: CI/CD Enhancement - Security Scanning
|
|
#
|
|
# Purpose: Scan container images for vulnerabilities beyond SBOM generation
|
|
# Triggers: Dockerfile changes, scheduled daily, manual dispatch
|
|
#
|
|
# Tool: PLACEHOLDER - Choose one: Trivy, Grype, or Snyk
|
|
|
|
name: Container Security Scan
|
|
|
|
on:
|
|
push:
|
|
paths:
|
|
- '**/Dockerfile'
|
|
- '**/Dockerfile.*'
|
|
- 'devops/docker/**'
|
|
pull_request:
|
|
paths:
|
|
- '**/Dockerfile'
|
|
- '**/Dockerfile.*'
|
|
- 'devops/docker/**'
|
|
schedule:
|
|
# Run daily at 4 AM UTC
|
|
- cron: '0 4 * * *'
|
|
workflow_dispatch:
|
|
inputs:
|
|
severity_threshold:
|
|
description: 'Minimum severity to fail'
|
|
required: false
|
|
type: choice
|
|
options:
|
|
- CRITICAL
|
|
- HIGH
|
|
- MEDIUM
|
|
- LOW
|
|
default: HIGH
|
|
image:
|
|
description: 'Specific image to scan (optional)'
|
|
required: false
|
|
type: string
|
|
|
|
env:
|
|
SEVERITY_THRESHOLD: ${{ github.event.inputs.severity_threshold || 'HIGH' }}
|
|
|
|
jobs:
|
|
discover-images:
|
|
name: Discover Container Images
|
|
runs-on: ubuntu-latest
|
|
outputs:
|
|
images: ${{ steps.discover.outputs.images }}
|
|
count: ${{ steps.discover.outputs.count }}
|
|
|
|
steps:
|
|
- name: Checkout repository
|
|
uses: actions/checkout@v4
|
|
|
|
- name: Discover Dockerfiles
|
|
id: discover
|
|
run: |
|
|
# Find all Dockerfiles
|
|
DOCKERFILES=$(find . -name "Dockerfile" -o -name "Dockerfile.*" | grep -v node_modules | grep -v bin | grep -v obj || true)
|
|
|
|
# Build image list
|
|
IMAGES='[]'
|
|
COUNT=0
|
|
|
|
while IFS= read -r dockerfile; do
|
|
if [[ -n "$dockerfile" ]]; then
|
|
DIR=$(dirname "$dockerfile")
|
|
NAME=$(basename "$DIR" | tr '[:upper:]' '[:lower:]' | tr '.' '-')
|
|
|
|
# Get image name from directory structure
|
|
if [[ "$DIR" == *"devops/docker"* ]]; then
|
|
NAME=$(echo "$dockerfile" | sed 's|.*devops/docker/||' | sed 's|/Dockerfile.*||' | tr '/' '-')
|
|
fi
|
|
|
|
IMAGES=$(echo "$IMAGES" | jq --arg name "$NAME" --arg path "$dockerfile" '. + [{"name": $name, "dockerfile": $path}]')
|
|
COUNT=$((COUNT + 1))
|
|
fi
|
|
done <<< "$DOCKERFILES"
|
|
|
|
echo "Found $COUNT Dockerfile(s)"
|
|
echo "images=$(echo "$IMAGES" | jq -c .)" >> $GITHUB_OUTPUT
|
|
echo "count=$COUNT" >> $GITHUB_OUTPUT
|
|
|
|
scan-images:
|
|
name: Scan ${{ matrix.image.name }}
|
|
runs-on: ubuntu-latest
|
|
needs: [discover-images]
|
|
if: needs.discover-images.outputs.count != '0'
|
|
strategy:
|
|
fail-fast: false
|
|
matrix:
|
|
image: ${{ fromJson(needs.discover-images.outputs.images) }}
|
|
|
|
steps:
|
|
- name: Checkout repository
|
|
uses: actions/checkout@v4
|
|
|
|
- name: Set up Docker Buildx
|
|
uses: docker/setup-buildx-action@v3
|
|
|
|
- name: Build image for scanning
|
|
id: build
|
|
run: |
|
|
IMAGE_TAG="scan-${{ matrix.image.name }}:${{ github.sha }}"
|
|
DOCKERFILE="${{ matrix.image.dockerfile }}"
|
|
CONTEXT=$(dirname "$DOCKERFILE")
|
|
|
|
echo "Building $IMAGE_TAG from $DOCKERFILE..."
|
|
docker build -t "$IMAGE_TAG" -f "$DOCKERFILE" "$CONTEXT" || {
|
|
echo "::warning::Failed to build $IMAGE_TAG - skipping scan"
|
|
echo "skip=true" >> $GITHUB_OUTPUT
|
|
exit 0
|
|
}
|
|
|
|
echo "image_tag=$IMAGE_TAG" >> $GITHUB_OUTPUT
|
|
echo "skip=false" >> $GITHUB_OUTPUT
|
|
|
|
# PLACEHOLDER: Choose your container scanner
|
|
# Option 1: Trivy (recommended - comprehensive, free)
|
|
# Option 2: Grype (Anchore - good integration with Syft SBOMs)
|
|
# Option 3: Snyk (commercial, comprehensive)
|
|
|
|
- name: Trivy Vulnerability Scan
|
|
if: steps.build.outputs.skip != 'true'
|
|
id: trivy
|
|
# Uncomment when ready to use Trivy:
|
|
# uses: aquasecurity/trivy-action@master
|
|
# with:
|
|
# image-ref: ${{ steps.build.outputs.image_tag }}
|
|
# format: 'sarif'
|
|
# output: 'trivy-${{ matrix.image.name }}.sarif'
|
|
# severity: ${{ env.SEVERITY_THRESHOLD }},CRITICAL
|
|
# exit-code: '1'
|
|
run: |
|
|
echo "::notice::Container scanning placeholder - configure scanner below"
|
|
echo ""
|
|
echo "Image: ${{ steps.build.outputs.image_tag }}"
|
|
echo "Severity threshold: ${{ env.SEVERITY_THRESHOLD }}"
|
|
echo ""
|
|
echo "Available scanners:"
|
|
echo " 1. Trivy: aquasecurity/trivy-action@master"
|
|
echo " 2. Grype: anchore/scan-action@v3"
|
|
echo " 3. Snyk: snyk/actions/docker@master"
|
|
|
|
# Create placeholder report
|
|
mkdir -p scan-results
|
|
echo '{"placeholder": true, "image": "${{ matrix.image.name }}"}' > scan-results/scan-${{ matrix.image.name }}.json
|
|
|
|
# Alternative: Grype (works well with existing Syft SBOM workflow)
|
|
# - name: Grype Vulnerability Scan
|
|
# if: steps.build.outputs.skip != 'true'
|
|
# uses: anchore/scan-action@v3
|
|
# with:
|
|
# image: ${{ steps.build.outputs.image_tag }}
|
|
# severity-cutoff: ${{ env.SEVERITY_THRESHOLD }}
|
|
# fail-build: true
|
|
|
|
# Alternative: Snyk Container
|
|
# - name: Snyk Container Scan
|
|
# if: steps.build.outputs.skip != 'true'
|
|
# uses: snyk/actions/docker@master
|
|
# env:
|
|
# SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
|
|
# with:
|
|
# image: ${{ steps.build.outputs.image_tag }}
|
|
# args: --severity-threshold=${{ env.SEVERITY_THRESHOLD }}
|
|
|
|
- name: Upload scan results
|
|
if: always() && steps.build.outputs.skip != 'true'
|
|
uses: actions/upload-artifact@v4
|
|
with:
|
|
name: container-scan-${{ matrix.image.name }}
|
|
path: |
|
|
scan-results/
|
|
*.sarif
|
|
*.json
|
|
retention-days: 30
|
|
if-no-files-found: ignore
|
|
|
|
- name: Cleanup
|
|
if: always()
|
|
run: |
|
|
docker rmi "${{ steps.build.outputs.image_tag }}" 2>/dev/null || true
|
|
|
|
summary:
|
|
name: Scan Summary
|
|
runs-on: ubuntu-latest
|
|
needs: [discover-images, scan-images]
|
|
if: always()
|
|
|
|
steps:
|
|
- name: Download all scan results
|
|
uses: actions/download-artifact@v4
|
|
with:
|
|
pattern: container-scan-*
|
|
path: all-results/
|
|
merge-multiple: true
|
|
continue-on-error: true
|
|
|
|
- name: Generate summary
|
|
run: |
|
|
echo "## Container Security Scan Results" >> $GITHUB_STEP_SUMMARY
|
|
echo "" >> $GITHUB_STEP_SUMMARY
|
|
echo "| Image | Status |" >> $GITHUB_STEP_SUMMARY
|
|
echo "|-------|--------|" >> $GITHUB_STEP_SUMMARY
|
|
|
|
IMAGES='${{ needs.discover-images.outputs.images }}'
|
|
SCAN_RESULT="${{ needs.scan-images.result }}"
|
|
|
|
echo "$IMAGES" | jq -r '.[] | .name' | while read -r name; do
|
|
if [[ "$SCAN_RESULT" == "success" ]]; then
|
|
echo "| $name | No vulnerabilities found |" >> $GITHUB_STEP_SUMMARY
|
|
elif [[ "$SCAN_RESULT" == "failure" ]]; then
|
|
echo "| $name | Vulnerabilities detected |" >> $GITHUB_STEP_SUMMARY
|
|
else
|
|
echo "| $name | $SCAN_RESULT |" >> $GITHUB_STEP_SUMMARY
|
|
fi
|
|
done
|
|
|
|
echo "" >> $GITHUB_STEP_SUMMARY
|
|
echo "### Configuration" >> $GITHUB_STEP_SUMMARY
|
|
echo "- **Scanner:** Placeholder (configure in workflow)" >> $GITHUB_STEP_SUMMARY
|
|
echo "- **Severity Threshold:** ${{ env.SEVERITY_THRESHOLD }}" >> $GITHUB_STEP_SUMMARY
|
|
echo "- **Images Scanned:** ${{ needs.discover-images.outputs.count }}" >> $GITHUB_STEP_SUMMARY
|
|
echo "- **Trigger:** ${{ github.event_name }}" >> $GITHUB_STEP_SUMMARY
|