yujunjun/datahub
2
0
Fork 0
mirror of https://github.com/datahub-project/datahub.git synced 2025-12-16 04:28:01 +00:00
Code Issues Packages Projects Releases Wiki Activity

feat(ci): adding github security reporting to trivy scans (#6773)

Browse Source
This commit is contained in:
Shirshanka Das 2022-12-15 21:28:07 -08:00 committed by GitHub
parent 22081f5ecc
commit b236d0958c
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 75 additions and 12 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

85
.github/workflows/docker-unified.yml vendored
View File

@ -1,4 +1,4 @@
name: Unified Docker Workflow name: Docker Build, Scan, Test
on: on:
push: push:
branches: branches:
@ -84,10 +84,16 @@ jobs:
file: ./docker/datahub-gms/Dockerfile file: ./docker/datahub-gms/Dockerfile
platforms: linux/amd64,linux/arm64 platforms: linux/amd64,linux/arm64
gms_scan: gms_scan:
permissions:
contents: read # for actions/checkout to fetch code
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
name: "[Monitoring] Scan GMS images for vulnerabilities" name: "[Monitoring] Scan GMS images for vulnerabilities"
runs-on: ubuntu-latest runs-on: ubuntu-latest
needs: [setup, gms_build] needs: [setup, gms_build]
steps: steps:
- name: Checkout # adding checkout step just to make trivy upload happy
uses: actions/checkout@v3
- name: Download image - name: Download image
uses: ishworkh/docker-image-artifact-download@v1 uses: ishworkh/docker-image-artifact-download@v1
if: ${{ needs.setup.outputs.publish != 'true' }} if: ${{ needs.setup.outputs.publish != 'true' }}
@ -97,10 +103,17 @@ jobs:
uses: aquasecurity/trivy-action@master uses: aquasecurity/trivy-action@master
with: with:
image-ref: ${{ env.DATAHUB_GMS_IMAGE }}:${{ needs.setup.outputs.unique_tag }} image-ref: ${{ env.DATAHUB_GMS_IMAGE }}:${{ needs.setup.outputs.unique_tag }}
format: "table" format: 'template'
template: '@/contrib/sarif.tpl'
output: 'trivy-results.sarif'
severity: 'CRITICAL,HIGH'
ignore-unfixed: true ignore-unfixed: true
vuln-type: "os,library" vuln-type: "os,library"
severity: "CRITICAL,HIGH" - name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: 'trivy-results.sarif'
mae_consumer_build: mae_consumer_build:
name: Build and Push DataHub MAE Consumer Docker Image name: Build and Push DataHub MAE Consumer Docker Image
@ -130,7 +143,13 @@ jobs:
name: "[Monitoring] Scan MAE consumer images for vulnerabilities" name: "[Monitoring] Scan MAE consumer images for vulnerabilities"
runs-on: ubuntu-latest runs-on: ubuntu-latest
needs: [setup, mae_consumer_build] needs: [setup, mae_consumer_build]
permissions:
contents: read # for actions/checkout to fetch code
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
steps: steps:
- name: Checkout # adding checkout step just to make trivy upload happy
uses: actions/checkout@v3
- name: Download image - name: Download image
uses: ishworkh/docker-image-artifact-download@v1 uses: ishworkh/docker-image-artifact-download@v1
if: ${{ needs.setup.outputs.publish != 'true' }} if: ${{ needs.setup.outputs.publish != 'true' }}
@ -140,10 +159,17 @@ jobs:
uses: aquasecurity/trivy-action@master uses: aquasecurity/trivy-action@master
with: with:
image-ref: ${{ env.DATAHUB_MAE_CONSUMER_IMAGE }}:${{ needs.setup.outputs.unique_tag }} image-ref: ${{ env.DATAHUB_MAE_CONSUMER_IMAGE }}:${{ needs.setup.outputs.unique_tag }}
format: "table" format: 'template'
template: '@/contrib/sarif.tpl'
output: 'trivy-results.sarif'
severity: 'CRITICAL,HIGH'
ignore-unfixed: true ignore-unfixed: true
vuln-type: "os,library" vuln-type: "os,library"
severity: "CRITICAL,HIGH" - name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: 'trivy-results.sarif'
mce_consumer_build: mce_consumer_build:
name: Build and Push DataHub MCE Consumer Docker Image name: Build and Push DataHub MCE Consumer Docker Image
@ -173,7 +199,13 @@ jobs:
name: "[Monitoring] Scan MCE consumer images for vulnerabilities" name: "[Monitoring] Scan MCE consumer images for vulnerabilities"
runs-on: ubuntu-latest runs-on: ubuntu-latest
needs: [setup, mce_consumer_build] needs: [setup, mce_consumer_build]
permissions:
contents: read # for actions/checkout to fetch code
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
steps: steps:
- name: Checkout # adding checkout step just to make trivy upload happy
uses: actions/checkout@v3
- name: Download image - name: Download image
uses: ishworkh/docker-image-artifact-download@v1 uses: ishworkh/docker-image-artifact-download@v1
if: ${{ needs.setup.outputs.publish != 'true' }} if: ${{ needs.setup.outputs.publish != 'true' }}
@ -183,10 +215,17 @@ jobs:
uses: aquasecurity/trivy-action@master uses: aquasecurity/trivy-action@master
with: with:
image-ref: ${{ env.DATAHUB_MCE_CONSUMER_IMAGE }}:${{ needs.setup.outputs.unique_tag }} image-ref: ${{ env.DATAHUB_MCE_CONSUMER_IMAGE }}:${{ needs.setup.outputs.unique_tag }}
format: "table" format: 'template'
template: '@/contrib/sarif.tpl'
output: 'trivy-results.sarif'
severity: 'CRITICAL,HIGH'
ignore-unfixed: true ignore-unfixed: true
vuln-type: "os,library" vuln-type: "os,library"
severity: "CRITICAL,HIGH" - name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: 'trivy-results.sarif'
datahub_upgrade_build: datahub_upgrade_build:
name: Build and Push DataHub Upgrade Docker Image name: Build and Push DataHub Upgrade Docker Image
@ -216,7 +255,13 @@ jobs:
name: "[Monitoring] Scan DataHub Upgrade images for vulnerabilities" name: "[Monitoring] Scan DataHub Upgrade images for vulnerabilities"
runs-on: ubuntu-latest runs-on: ubuntu-latest
needs: [setup, datahub_upgrade_build] needs: [setup, datahub_upgrade_build]
permissions:
contents: read # for actions/checkout to fetch code
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
steps: steps:
- name: Checkout # adding checkout step just to make trivy upload happy
uses: actions/checkout@v3
- name: Download image - name: Download image
uses: ishworkh/docker-image-artifact-download@v1 uses: ishworkh/docker-image-artifact-download@v1
if: ${{ needs.setup.outputs.publish != 'true' }} if: ${{ needs.setup.outputs.publish != 'true' }}
@ -226,10 +271,16 @@ jobs:
uses: aquasecurity/trivy-action@master uses: aquasecurity/trivy-action@master
with: with:
image-ref: ${{ env.DATAHUB_UPGRADE_IMAGE }}:${{ needs.setup.outputs.unique_tag }} image-ref: ${{ env.DATAHUB_UPGRADE_IMAGE }}:${{ needs.setup.outputs.unique_tag }}
format: "table" format: 'template'
template: '@/contrib/sarif.tpl'
output: 'trivy-results.sarif'
severity: 'CRITICAL,HIGH'
ignore-unfixed: true ignore-unfixed: true
vuln-type: "os,library" vuln-type: "os,library"
severity: "CRITICAL,HIGH" - name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: 'trivy-results.sarif'
frontend_build: frontend_build:
name: Build and Push DataHub Frontend Docker Image name: Build and Push DataHub Frontend Docker Image
@ -259,7 +310,13 @@ jobs:
name: "[Monitoring] Scan Frontend images for vulnerabilities" name: "[Monitoring] Scan Frontend images for vulnerabilities"
runs-on: ubuntu-latest runs-on: ubuntu-latest
needs: [setup, frontend_build] needs: [setup, frontend_build]
permissions:
contents: read # for actions/checkout to fetch code
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
steps: steps:
- name: Checkout # adding checkout step just to make trivy upload happy
uses: actions/checkout@v3
- name: Download image - name: Download image
uses: ishworkh/docker-image-artifact-download@v1 uses: ishworkh/docker-image-artifact-download@v1
if: ${{ needs.setup.outputs.publish != 'true' }} if: ${{ needs.setup.outputs.publish != 'true' }}
@ -269,10 +326,16 @@ jobs:
uses: aquasecurity/trivy-action@master uses: aquasecurity/trivy-action@master
with: with:
image-ref: ${{ env.DATAHUB_FRONTEND_IMAGE }}:${{ needs.setup.outputs.unique_tag }} image-ref: ${{ env.DATAHUB_FRONTEND_IMAGE }}:${{ needs.setup.outputs.unique_tag }}
format: "table" format: 'template'
template: '@/contrib/sarif.tpl'
output: 'trivy-results.sarif'
severity: 'CRITICAL,HIGH'
ignore-unfixed: true ignore-unfixed: true
vuln-type: "os,library" vuln-type: "os,library"
severity: "CRITICAL,HIGH" - name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: 'trivy-results.sarif'
kafka_setup_build: kafka_setup_build:
name: Build and Push DataHub Kafka Setup Docker Image name: Build and Push DataHub Kafka Setup Docker Image