ci: download trivy db from aws ecr (#1955) #8308
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: . 🕵🏼 Security Scan | |
on: | |
push: | |
branches: | |
- '**' | |
tags-ignore: | |
- '**' | |
env: | |
SNYK_TOKEN: ${{ secrets.CAOS_SNYK_TOKEN }} | |
DOCKER_HUB_ID: ${{ secrets.OHAI_DOCKER_HUB_ID }} | |
DOCKER_HUB_PASSWORD: ${{ secrets.OHAI_DOCKER_HUB_PASSWORD }} | |
jobs: | |
scan-deps: | |
name: Run security checks Snyk | |
runs-on: ubuntu-20.04 | |
steps: | |
- uses: actions/checkout@v2 | |
- name: Login to DockerHub | |
uses: docker/login-action@v1 | |
with: | |
username: ${{ env.DOCKER_HUB_ID }} | |
password: ${{ env.DOCKER_HUB_PASSWORD }} | |
- name: Install go deps | |
run: make ci/deps | |
- name: Scan code for vulnerabilities with Snyk | |
run: make ci/snyk-test | |
scan-container: | |
name: Run security checks for container agent's binaries (infra, ctl and service) | |
runs-on: ubuntu-latest | |
steps: | |
- uses: actions/checkout@v2 | |
- name: Set up QEMU | |
uses: docker/setup-qemu-action@v1 | |
- name: Set up Docker Buildx | |
uses: docker/setup-buildx-action@v1 | |
with: | |
version: v0.9.1 | |
- name: Login to DockerHub | |
uses: docker/login-action@v1 | |
with: | |
username: ${{ env.DOCKER_HUB_ID }} | |
password: ${{ env.DOCKER_HUB_PASSWORD }} | |
- name: Build agent binaries | |
run: make ci/build TAG=DEV_CI | |
# don't use buildx so the image gets added to the docker local registry | |
- name: Build container agent (amd64) | |
run: make -C build/container/ build/base-amd64 DOCKER_BUILD_TAG_PREFIX=pr USE_BUILDX=false | |
- name: Scan the created container image | |
uses: aquasecurity/trivy-action@master | |
with: | |
image-ref: "newrelic/infrastructure:pr-amd64" | |
format: 'table' | |
exit-code: '1' | |
ignore-unfixed: true | |
vuln-type: 'os,library' | |
severity: "HIGH,CRITICAL" | |
skip-dirs: "/var" | |
env: | |
TRIVY_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-db | |
TRIVY_JAVA_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-java-db |