Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat: add trivy vulnerability check #1159

Closed
wants to merge 11 commits into from
Closed

feat: add trivy vulnerability check #1159

wants to merge 11 commits into from

Conversation

emanuelaepure10
Copy link
Contributor

Trivy vulnerability check is added the GitHub Actions workflows.

ING-4183

@emanuelaepure10 emanuelaepure10 force-pushed the feat/ING-4183 branch 16 times, most recently from 1bab9bf to 6207067 Compare April 25, 2024 13:12
@emanuelaepure10 emanuelaepure10 force-pushed the feat/ING-4183 branch 4 times, most recently from e734261 to a1967a1 Compare May 8, 2024 09:56
stempler
stempler reviewed May 8, 2024
View reviewed changes
trivy-results.sarif Outdated Show resolved Hide resolved
.github/workflows/trivy.yml Outdated
# separate terms of service, privacy policy, and support
# documentation.

name: Trivy vulnerability scanner
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Since we need a built hale studio to scan in rootfs mode I think it would make more sense to integrate the scan into a workflow that anyway already creates a hale studio artifact.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

sure. But this can be done as well after we understood which tool we like the most, right?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do you refer to trivy and codeql?
In my view both serve different purposes so both should be included.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Also in my view Trivy and CodeQL have different focuses, they complement each other very well and using them both we can cover both dependency vulnerabilities and code-level issues, but I thought that trivy is favourite and we care less about the rest :-)

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@emanuelaepure10 So can we proceed in that you adapt the trivy scan to scan the product, or what would be your plan?

@emanuelaepure10 emanuelaepure10 marked this pull request as ready for review June 5, 2024 08:36
@emanuelaepure10 emanuelaepure10 force-pushed the feat/ING-4183 branch 3 times, most recently from d213709 to 5e56d3f Compare June 5, 2024 09:00
emanuelaepure10
emanuelaepure10 commented Jun 5, 2024
View reviewed changes
.github/workflows/trivy.yml Outdated

- name: Run Trivy scan
run: |
trivy fs --target /home/runner/work/hale/hale --debug --format sarif --output trivy-results.sarif
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@stempler could you please help me understand which is the correct directory to scan? Thank you

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We had discussed in a call around May 8th that a built product should be scanned, why I suggested here to integrate the scan into a workflow where products are built anyway.
There is also an earlier discussion where I asked about what you are scanning and referred to a comment on a previous ticket that refers to how we did scans manually in the past. Did you take a look at these resources? Do you have specific open questions?

@emanuelaepure10
feat: add trivy vulnerability check
72bef35 
Trivy and CodeQL vulnerabilities check are added the GitHub Actions workflows.

ING-4183
@emanuelaepure10 emanuelaepure10 force-pushed the feat/ING-4183 branch 3 times, most recently from a178cd8 to 77783e3 Compare June 6, 2024 12:10
emanuelaepure10
emanuelaepure10 commented Jun 6, 2024
View reviewed changes
.github/workflows/check.yml Outdated
trivy fs --severity CRITICAL,HIGH build/target/hale-studio-*linux*.tar.gz --format sarif --output trivy-results.sarif


- name: Upload Trivy scan results to file
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@stempler Do you maybe see why the file is not updated with the results?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It seems the upload works but there are are just no results - I would guess maybe because the product archive is not extracted.

Would the goal not be to use the github/codeql-action/upload-sarif action again to integrate with GitHub code scanning?

stempler
stempler reviewed Jun 10, 2024
View reviewed changes
.github/workflows/check.yml Outdated
@@ -110,6 +110,27 @@ jobs:
path: build/target/hale-studio-*macosx*.dmg
retention-days: 14

- name: Set up Trivy
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why don't you use the trivy GitHub action as before?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If I don't set up/install trivy I get an error as:

Run trivy fs --severity CRITICAL,HIGH build/target/hale-studio-linux-trivy --format sarif --output trivy-results.sarif
/home/runner/work/_temp/1ea9265f-f612-4cca-8[7](https://github.com/halestudio/hale/actions/runs/9449564750/job/26026128237?pr=1159#step:10:8)d1-b6e3a263f8f2.sh: line 1: trivy: command not found

See here

.github/workflows/check.yml Outdated

- name: Run Trivy scan
run: |
trivy fs --severity CRITICAL,HIGH build/target/hale-studio-*linux*.tar.gz --format sarif --output trivy-results.sarif
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Did you test if it works on the archive or would it need to be extracted first?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I've tried but I got the same result.

.github/workflows/check.yml Outdated
trivy fs --severity CRITICAL,HIGH build/target/hale-studio-*linux*.tar.gz --format sarif --output trivy-results.sarif


- name: Upload Trivy scan results to file
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It seems the upload works but there are are just no results - I would guess maybe because the product archive is not extracted.

Would the goal not be to use the github/codeql-action/upload-sarif action again to integrate with GitHub code scanning?

@github-advanced-security
Copy link

This pull request sets up GitHub code scanning for this repository. Once the scans have completed and the checks have passed, the analysis results for this pull request branch will appear on this overview. Once you merge this pull request, the 'Security' tab will show more code scanning analysis results (for example, for the default branch). Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results. For more information about GitHub code scanning, check out the documentation.

@emanuelaepure10
Copy link
Contributor Author

@stempler I'm unsure how to proceed with this PR and would greatly appreciate your assistance. Thank you!

@stempler
Copy link
Member

I'm unsure how to proceed with this PR and would greatly appreciate your assistance. Thank you!

@emanuelaepure10 From my perspective the open tasks would be:

  • use the trivy GitHub action (as you had done in the beginning) instead of installing it and running it via the CLI
  • I suspect the fs scan does not yield any results, at least that was the case for me when I tested this, so I suspect rootfs has to be used instead
  • looking at the code scanning section it seems that in the end, the trivy scan should be running for the master branch and not only for the PR, but this can be done once the process is working

How would one usually find the code scanning results for a PR (e.g. is there a link somewhere?)
I found it not so easy to find the info for this PR.

@emanuelaepure10
Copy link
Contributor Author

@stempler I have updated the PR and I completely agree with you that would be so much nicer to have a link directly from the PR to the code scanning results. At the moment when you go to the security tab -> code scanning you could select the PR or the branch you are interested in
image
but working with forks you would probably need to select always the PR instead of a branch.
Another option could be to create a PR with the vulnerabilities found.
What would you prefer?

stempler
stempler previously approved these changes Jun 19, 2024
View reviewed changes
@stempler stempler dismissed their stale review June 19, 2024 17:21

wrong commit type

@stempler stempler mentioned this pull request Jun 19, 2024
Merged
@stempler
Copy link
Member

Replaced by #1204

@stempler stempler closed this Jun 20, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@stempler stempler stempler left review comments

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@emanuelaepure10 @stempler