[CI] Fix Trivy scan in both CI and CI PR workflows

spring-projects · Dec 12, 2023 · 556f285 · 556f285
1 parent 843e02c
commit 556f285
Show file tree

Hide file tree

Showing 5 changed files with 47 additions and 61 deletions.
diff --git a/.github/trivy-to-console.yaml b/.github/trivy-to-console.yaml
@@ -0,0 +1,16 @@
+scan:
+  scanners:
+    - vuln
+  file-patterns:
+    - 'pom:.*\.pom'
+
+severity:
+  - CRITICAL
+  - HIGH
+
+vulnerability:
+  ignore-unfixed: true
+
+exit-code: 1
+timeout: 10m
+debug: false
diff --git a/.github/trivy.yaml → .github/trivy-to-sarif.yaml b/.github/trivy.yaml → .github/trivy-to-sarif.yaml
@@ -11,9 +11,9 @@ severity:
 vulnerability:
   ignore-unfixed: true
 
-# format: json
-# output: trivy-results.json
-
 exit-code: 1
 timeout: 10m
 debug: false
+
+format: sarif
+output: trivy-results.sarif
diff --git a/.github/workflows/ci-pr.yml b/.github/workflows/ci-pr.yml
@@ -91,28 +91,10 @@ jobs:
               -PspringPulsarVersion="$VERSION" \
               :runAllSampleTests
   scan:
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v3
-      - name: Run Trivy vulnerability scanner in repo mode
-        uses: aquasecurity/trivy-action@master
-        with:
-          scan-type: 'fs'
-          ignore-unfixed: true
-          format: 'table'
-          output: 'trivy-results.txt'
-          severity: 'CRITICAL,HIGH'
-          exit-code: 1
-      - name: Upload Trivy scan results
-        if: failure()
-        uses: actions/upload-artifact@v3
-        with:
-          name: trivy-results
-          path: 'trivy-results.txt'
-          retention-days: 3
-      - name: 'Scanned'
-        shell: bash
-        run: echo "::info ::Scanned"
+    needs: [prerequisites]
+    if: needs.prerequisites.outputs.runjobs
+    uses: ./.github/workflows/trivy-scan.yml
+
   done:
     runs-on: ubuntu-latest
     needs: [ build_and_verify, check_samples, scan ]

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -21,7 +21,6 @@ env:
   ARTIFACTORY_USERNAME: ${{ secrets.ARTIFACTORY_USERNAME }}
   ARTIFACTORY_PASSWORD: ${{ secrets.ARTIFACTORY_PASSWORD }}
 
-jobs:
   prerequisites:
     name: Pre-requisites for building
     runs-on: ubuntu-latest
@@ -84,27 +83,16 @@ jobs:
               -PspringPulsarVersion="$VERSION" \
               :runAllSampleTests
   scan:
-    name: Run Trivy Scan
     needs: [prerequisites]
-    runs-on: ubuntu-latest
     if: needs.prerequisites.outputs.runjobs
-    steps:
-      - uses: actions/checkout@v3
-      - name: Run Trivy vulnerability scanner in repo mode
-        uses: aquasecurity/trivy-action@master
-        with:
-          scan-type: 'fs'
-          ignore-unfixed: true
-          format: 'sarif'
-          output: 'trivy-results.sarif'
-          severity: 'CRITICAL,HIGH'
-      - name: Upload Trivy scan results to GitHub Security tab
-        uses: github/codeql-action/upload-sarif@v2
-        with:
-          sarif_file: 'trivy-results.sarif'
-      - name: 'Scanned'
-        shell: bash
-        run: echo "::info ::Scanned"
+    uses: ./.github/workflows/trivy-scan.yml
+    with:
+      config-path: .github/trivy-to-sarif.yaml
+  upload_scan_to_github:
+    needs: [scan]
+    uses: github/codeql-action/upload-sarif@v2
+    with:
+      sarif_file: 'trivy-results.sarif'
   deploy_artifacts:
     name: Deploy Artifacts
     needs: [build_jdk_17, check_samples, scan]

diff --git a/.github/workflows/trivy-scan.yml b/.github/workflows/trivy-scan.yml
@@ -2,12 +2,25 @@ name: Trivy Vulnerability Scan (Repo mode)
 
 on:
   workflow_dispatch:
+    inputs:
+      config-path:
+        description: 'Relative path to Trivy config file'
+        default: '.github/trivy-to-console.yaml'
+        required: false
+        type: string
+
+  workflow_call:
+    inputs:
+      config-path:
+        description: 'Relative path to Trivy config file'
+        default: '.github/trivy-to-console.yaml'
+        required: false
+        type: string
 
 jobs:
   run_trivy_scan:
     name: Run Trivy Scan
     runs-on: ubuntu-latest
-    if: github.repository == 'spring-projects/spring-pulsar'
     env:
       LOCAL_REPOSITORY_PATH: ./build/publications/repos
     steps:
@@ -16,22 +29,9 @@ jobs:
       - name: Publish to local repo (poms)
         run: |
           ./gradlew publishMavenJavaPublicationToLocalRepository
-      - name: Run Trivy scan in repo mode
+      - name: Run Trivy scan in repo mode (fs)
         uses: aquasecurity/trivy-action@master
         with:
           scan-type: 'fs'
           scan-ref: '${{ env.LOCAL_REPOSITORY_PATH }}/org/springframework/pulsar'
-          trivy-config: .github/trivy.yaml
-
-      # - name: Output Trivy scan results
-      #   if: always()
-      #   run: |
-      #     cat trivy-results.json
-
-      # - name: Upload Trivy scan results
-      #   uses: actions/upload-artifact@v3
-      #   if: always()
-      #   with:
-      #     name: trivy-results
-      #     path: trivy-results.json
-      #     retention-days: 3
+          trivy-config: ${{ inputs.config-path }}