add trivy scanner (#23)

canonical · Nov 15, 2023 · 687ad43 · 687ad43
1 parent f80726f
commit 687ad43
Show file tree

Hide file tree

Showing 4 changed files with 48 additions and 10 deletions.
diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
@@ -43,9 +43,9 @@ jobs:
         id: build
         run: |
           VERSION=$(yq '.version' rockcraft.yaml)
-          
+
           rockcraft pack --verbose
-          
+
           echo "rock=charmed-zookeeper_${VERSION}_amd64.rock" >> $GITHUB_OUTPUT
 
       - name: Upload locally built ROCK artifact
@@ -64,12 +64,6 @@ jobs:
     steps:
       - name: Checkout repository
         uses: actions/checkout@v3
-      - name: Setup Docker
-        run: |
-          sudo snap install docker
-          sudo addgroup --system docker; sudo adduser $USER docker
-          newgrp docker
-          sudo snap disable docker; sudo snap enable docker
       - name: Install skopeo
         run: |
           sudo snap install --devmode --channel edge skopeo

diff --git a/.github/workflows/publish.yaml b/.github/workflows/publish.yaml
@@ -40,7 +40,7 @@ jobs:
       - name: Import and push to GHCR
         run: |
           version=$(yq '(.version|split("-"))[0]' rockcraft.yaml)
-          base=$(yq '(.base|split(":"))[1]' rockcraft.yaml)
+          base=$(yq '(.base|split("@"))[1]' rockcraft.yaml)
           risk=edge
           tag=${version}-${base}_${risk}
           channel=$(echo ${{ github.ref_name }} | cut -d "-" -f 1)

diff --git a/.github/workflows/trivy.yaml b/.github/workflows/trivy.yaml
@@ -0,0 +1,44 @@
+name: Trivy Security Scanner
+on:
+  push:
+    branches:
+      - 3-22.04
+  pull_request:
+jobs:
+  build:
+    uses: ./.github/workflows/build.yaml
+  scan:
+    name: Trivy scan
+    needs: build
+    runs-on: ubuntu-20.04
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v3
+      - name: Install skopeo
+        run: |
+          sudo snap install --devmode --channel edge skopeo
+      - name: Install yq
+        run: |
+          sudo snap install yq
+      - uses: actions/download-artifact@v3
+        with:
+          name: charmed-zookeeper
+      - name: Import locally
+        run: |
+          sudo skopeo --insecure-policy copy \
+            oci-archive:${{ needs.build.outputs.rock }} \
+            docker-daemon:trivy/charmed-zookeeper:test
+
+      - name: Run Trivy vulnerability scanner
+        uses: aquasecurity/trivy-action@master
+        with:
+          image-ref: 'trivy/charmed-zookeeper:test'
+          format: 'sarif'
+          output: 'trivy-results.sarif'
+          severity: 'MEDIUM,HIGH,CRITICAL'
+
+      - name: Upload Trivy scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@v2
+        if: always()
+        with:
+          sarif_file: 'trivy-results.sarif'
diff --git a/rockcraft.yaml b/rockcraft.yaml
@@ -2,7 +2,7 @@
 # See LICENSE file for licensing details.
 ---
 name: charmed-zookeeper  # the name of your ROCK
-base: ubuntu:22.04  # the base environment for this ROCK
+base: ubuntu@22.04  # the base environment for this ROCK
 version: '3.6.4'  # just for humans. Semantic versioning is recommended
 summary: Charmed ZooKeeper ROCK OCI  # 79 char long summary
 description: |