diff --git a/.github/workflows/docker-latest.yml b/.github/workflows/docker-latest.yml
index 3ba4fc6..89f002d 100644
--- a/.github/workflows/docker-latest.yml
+++ b/.github/workflows/docker-latest.yml
@@ -23,3 +23,9 @@ jobs:
CI_SECRET_READER_PERIODIC_TOKEN: ${{ secrets.CI_SECRET_READER_PERIODIC_TOKEN }}
VAULTCA: ${{ secrets.VAULTCA }}
SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
+
+ trivy-scan:
+ uses: danubetech/workflows/.github/workflows/trivy-check.yml@main
+ with:
+ GLOBAL_IMAGE_NAME: universalresolver/driver-did-dns
+ GLOBAL_REPO_NAME: docker.io
diff --git a/.github/workflows/trivy.yml b/.github/workflows/trivy.yml
deleted file mode 100644
index b48740f..0000000
--- a/.github/workflows/trivy.yml
+++ /dev/null
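Review bot: The new `trivy-scan` job references the reusable workflow by a mutable branch, `uses: danubetech/workflows/.github/workflows/trivy-check.yml@main`, while the `trivy.yml` this commit deletes pinned `aquasecurity/trivy-action` to a full commit SHA; any push to that repository's `main` now silently changes the scanner, its thresholds and what it does with the image, so pin it to a release tag or, better, a commit SHA with the tag in a trailing comment (`uses: danubetech/workflows/.github/workflows/trivy-check.yml@<sha> # vX.Y`). A called workflow runs with whatever `GITHUB_TOKEN` permissions the caller grants, and the deleted file's explicit `contents: read` / `security-events: write` grants are not carried over in this hunk; unless docker-latest.yml already sets a top-level `permissions:` (not visible here), add `permissions: { contents: read, security-events: write }` under `trivy-scan:` so the scan job gets no more than a SARIF upload needs. The deleted workflow also failed only on `CRITICAL,HIGH` and uploaded SARIF to the Security tab, whereas the committed `trivy-results.log` appears to be a plain-text report from the new flow; whether a failing severity threshold and the Security-tab upload survive the migration cannot be seen from this hunk and is worth confirming. The `jobs:` mapping this job joins begins outside the hunk.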
@@ -1,44 +0,0 @@
-# This workflow uses actions that are not certified by GitHub.
-# They are provided by a third-party and are governed by
-# separate terms of service, privacy policy, and support
-# documentation.
-
-name: trivy
-
-on:
- push:
- branches: [ "main" ]
- pull_request:
- # The branches below must be a subset of the branches above
- branches: [ "main" ]
- schedule:
- - cron: '00 02 * * 1'
-
-permissions:
- contents: read
-
-jobs:
- build:
- permissions:
- contents: read # for actions/checkout to fetch code
- security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
- actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
- name: Build
- runs-on: "ubuntu-20.04"
- steps:
- - name: Checkout code
- uses: actions/checkout@v3
-
- - name: Run Trivy vulnerability scanner
- uses: aquasecurity/trivy-action@7b7aa264d83dc58691451798b4d117d53d21edfe
- with:
- image-ref: 'docker.io/universalresolver/driver-did-dns:latest'
- format: 'template'
- template: '@/contrib/sarif.tpl'
- output: 'trivy-results.sarif'
- severity: 'CRITICAL,HIGH'
-
- - name: Upload Trivy scan results to GitHub Security tab
- uses: github/codeql-action/upload-sarif@v2
- with:
- sarif_file: 'trivy-results.sarif'
diff --git a/trivy-results.log b/trivy-results.log
new file mode 100644
index 0000000..e2e1d39
--- /dev/null
+++ b/trivy-results.log
@@ -0,0 +1,16 @@ + +docker.io/universalresolver/driver-did-dns (alpine 3.19.1) +========================================================== +Total: 2 (UNKNOWN: 0, LOW: 2, MEDIUM: 0, HIGH: 0, CRITICAL: 0) + +┌────────────┬───────────────┬──────────┬────────┬───────────────────┬───────────────┬───────────────────────────────────────────────────────────┐ +│ Library │ Vulnerability │ Severity │ Status │ Installed Version │ Fixed Version │ Title │ +├────────────┼───────────────┼──────────┼────────┼───────────────────┼───────────────┼───────────────────────────────────────────────────────────┤ +│ libcrypto3 │ CVE-2024-2511 │ LOW │ fixed │ 3.1.4-r5 │ 3.1.4-r6 │ openssl: Unbounded memory growth with session handling in │ +│ │ │ │ │ │ │ TLSv1.3 │ +│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2024-2511 │ +├────────────┤ │ │ │ │ │ │ +│ libssl3 │ │ │ │ │ │ │ +│ │ │ │ │ │ │ │ +│ │ │ │ │ │ │ │ +└────────────┴───────────────┴──────────┴────────┴───────────────────┴───────────────┴───────────────────────────────────────────────────────────┘