trivy scan for GH actions (#815)

* ci(acions): Chalice security scan * chore(api): Fix building chalice
2022-11-15 11:30:41 +00:00 · 2022-11-15 11:30:41 +00:00 · 994ee425f0
commit 994ee425f0
parent 5c3c1ed001
3 changed files with 44 additions and 3 deletions
--- a/.github/workflows/api-ee.yaml
+++ b/.github/workflows/api-ee.yaml
@ -1,6 +1,11 @@
 # This action will push the chalice changes to aws
 on:
  workflow_dispatch:
+    inputs:
+      skip_security_checks:
+        description: 'Skip Security checks if there is a unfixable vuln or error. Value: true/false'
+        required: false
+        default: 'false'
  push:
    branches:
      - dev
@ -46,8 +51,23 @@ jobs:
        IMAGE_TAG: ${{ github.ref_name }}_${{ github.sha }}-ee
        ENVIRONMENT: staging
      run: |
+        skip_security_checks=${{ github.event.inputs.skip_security_checks }}
        cd api
-        PUSH_IMAGE=1 bash build.sh ee
+        PUSH_IMAGE=0 bash -x ./build.sh ee
+        [[ "x$skip_security_checks" == "xtrue" ]]  || {
+          curl -L https://github.com/aquasecurity/trivy/releases/download/v0.34.0/trivy_0.34.0_Linux-64bit.tar.gz | tar -xzf - -C ./ 
+          images=("chalice" "alerts")
+          for image in ${images[*]};do
+            ./trivy image --exit-code 1 --security-checks vuln --vuln-type os,library --severity "HIGH,CRITICAL"  --ignore-unfixed $DOCKER_REPO/$image:$IMAGE_TAG 
+          done
+          err_code=$?
+          [[ $err_code -ne 0 ]] && {
+            exit $err_code
+          }
+        } && {
+          echo "Skipping Security Checks"
+        }
+        PUSH_IMAGE=1 bash -x ./build.sh ee
    - name: Creating old image input
      run: |
        #
--- a/.github/workflows/api.yaml
+++ b/.github/workflows/api.yaml
@ -1,6 +1,11 @@
 # This action will push the chalice changes to aws
 on:
  workflow_dispatch:
+    inputs:
+      skip_security_checks:
+        description: 'Skip Security checks if there is a unfixable vuln or error. Value: true/false'
+        required: false
+        default: 'false'
  push:
    branches:
      - dev
@ -45,8 +50,23 @@ jobs:
        IMAGE_TAG: ${{ github.ref_name }}_${{ github.sha }}
        ENVIRONMENT: staging
      run: |
+        skip_security_checks=${{ github.event.inputs.skip_security_checks }}
        cd api
-        PUSH_IMAGE=1 bash build.sh
+        PUSH_IMAGE=0 bash -x ./build.sh
+        [[ "x$skip_security_checks" == "xtrue" ]]  || {
+          curl -L https://github.com/aquasecurity/trivy/releases/download/v0.34.0/trivy_0.34.0_Linux-64bit.tar.gz | tar -xzf - -C ./ 
+          images=("chalice" "alerts")
+          for image in ${images[*]};do
+            ./trivy image --exit-code 1 --security-checks vuln --vuln-type os,library --severity "HIGH,CRITICAL"  --ignore-unfixed $DOCKER_REPO/$image:$IMAGE_TAG 
+          done
+          err_code=$?
+          [[ $err_code -ne 0 ]] && {
+            exit $err_code
+          }
+        } && {
+          echo "Skipping Security Checks"
+        }
+        PUSH_IMAGE=1 bash -x ./build.sh
    - name: Creating old image input
      run: |
        #
--- a/api/build.sh
+++ b/api/build.sh
@ -49,8 +49,9 @@ build_api $1
 echo buil_complete
 IMAGE_TAG=$IMAGE_TAG PUSH_IMAGE=$PUSH_IMAGE DOCKER_REPO=$DOCKER_REPO bash build_alerts.sh $1

+echo "alerts done"
 [[ $1 == "ee" ]] && {
  cp ../ee/api/build_crons.sh .
  IMAGE_TAG=$IMAGE_TAG PUSH_IMAGE=$PUSH_IMAGE DOCKER_REPO=$DOCKER_REPO bash build_crons.sh $1
  rm build_crons.sh
-}
+} || true