From 7a94dda076120fba017eb07d2f2a9812ea132dc1 Mon Sep 17 00:00:00 2001
From: appleboy
Date: Fri, 28 Nov 2025 21:43:07 +0800
Subject: [PATCH] ci: integrate automated Trivy security scanning in CI workflows
- Add explicit permissions for contents, packages, and security-events to the Docker GitHub Actions workflow
- Integrate Trivy vulnerability scanning and results upload into the Docker workflow
- Add a dedicated GitHub Actions workflow for Trivy security scanning of both repository files and Docker images, with scheduled, push, and pull request triggers
- Ensure Trivy SARIF results are uploaded to the GitHub Security tab after scans
Signed-off-by: appleboy
---
.github/workflows/docker.yml | 31 +++++++++++++
.github/workflows/trivy.yml | 85 ++++++++++++++++++++++++++++++++++++
2 files changed, 116 insertions(+)
create mode 100644 .github/workflows/trivy.yml
diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml
index 3d89db4..16df5df 100644
--- a/.github/workflows/docker.yml
+++ b/.github/workflows/docker.yml
@@ -10,6 +10,11 @@ on: branches: - "master" +permissions: + contents: read + packages: write + security-events: write + jobs: build-docker: runs-on: ubuntu-latest
@@ -60,7 +65,33 @@ jobs: type=semver,pattern={{major}}.{{minor}} type=semver,pattern={{major}} + - name: Build image for scanning + uses: docker/build-push-action@v6 + with: + context: . + platforms: linux/amd64 + file: docker/Dockerfile + push: false + load: true + tags: ${{ github.repository }}:scan + + - name: Run Trivy vulnerability scanner + uses: aquasecurity/trivy-action@master + with: + image-ref: "${{ github.repository }}:scan" + format: "sarif" + output: "trivy-results.sarif" + severity: "CRITICAL,HIGH" + exit-code: "1" + + - name: Upload Trivy scan results to GitHub Security tab + uses: github/codeql-action/upload-sarif@v3 + if: always() + with: + sarif_file: "trivy-results.sarif" + - name: Build and push + if: success() uses: docker/build-push-action@v6 with: context: .
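Review bot: `uses: aquasecurity/trivy-action@master` in the scan step of the second hunk tracks a mutable branch, so the action code this job executes — under the `packages: write` and `security-events: write` grants added in the first hunk — can change between runs with no change to this repository, while every other action here is pinned to a major tag; the same unpinned ref appears twice in .github/workflows/trivy.yml. Pin it to a release tag or, better, a full commit SHA: `uses: aquasecurity/trivy-action@<release-tag-or-commit-sha>`. The upload step sets no `category`, and the Trivy workflow's uploads for the same commit use either none or `trivy-image`, so analyses from the same tool may replace one another in the Security tab; give this upload its own, e.g. `category: "trivy-docker-build"`. Note also that only a `linux/amd64` image is scanned, so if the "Build and push" step (its `with:` block continues outside the hunk) builds other platforms, those images are pushed unscanned; the explicit `if: success()` on that step is equivalent to the default and could be dropped or kept as a deliberate marker.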
diff --git a/.github/workflows/trivy.yml b/.github/workflows/trivy.yml
new file mode 100644
index 0000000..b9f6bb2
--- /dev/null
+++ b/.github/workflows/trivy.yml
@@ -0,0 +1,85 @@ +name: Trivy Security Scan + on: + push: + branches: + - master + pull_request: + branches: + - master + schedule: + # Run daily at 00:00 UTC + - cron: "0 0 * * *" + workflow_dispatch: + +permissions: + contents: read + security-events: write + +jobs: + trivy-repo-scan: + name: Trivy Repository Scan + runs-on: ubuntu-latest + steps: + - name: Checkout repository + uses: actions/checkout@v4 + + - name: Run Trivy vulnerability scanner (repo) + uses: aquasecurity/trivy-action@master + with: + scan-type: "fs" + scan-ref: "." + format: "sarif" + output: "trivy-repo-results.sarif" + severity: "CRITICAL,HIGH" + + - name: Upload Trivy scan results to GitHub Security tab + uses: github/codeql-action/upload-sarif@v3 + if: always() + with: + sarif_file: "trivy-repo-results.sarif" + + trivy-image-scan: + name: Trivy Image Scan + runs-on: ubuntu-latest + steps: + - name: Checkout repository + uses: actions/checkout@v4 + + - name: Setup go + uses: actions/setup-go@v5 + with: + go-version-file: go.mod + check-latest: true + + - name: Build binary + run: | + make build_linux_amd64 + + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@v3 + + - name: Build Docker image for scanning + uses: docker/build-push-action@v6 + with: + context: . + file: docker/Dockerfile + platforms: linux/amd64 + push: false + load: true + tags: drone-ssh:scan + + - name: Run Trivy vulnerability scanner (image) + uses: aquasecurity/trivy-action@master + with: + image-ref: "drone-ssh:scan" + format: "sarif" + output: "trivy-image-results.sarif" + severity: "CRITICAL,HIGH" + + - name: Upload Trivy image scan results to GitHub Security tab + uses: github/codeql-action/upload-sarif@v3 + if: always() + with: + sarif_file: "trivy-image-results.sarif" + category: "trivy-image"
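Review bot: Neither Trivy step in this file sets `exit-code`, so with the action's default of `0` both jobs pass whatever CRITICAL/HIGH findings they produce and the workflow is report-only, unlike the gated scan in docker.yml; if that is intended, state it on the scan steps with a comment such as `# report-only: findings go to the Security tab and do not fail the job`, otherwise add `exit-code: "1"`. The `pull_request` trigger together with `security-events: write` is likely to fail for pull requests opened from forks, where GITHUB_TOKEN is read-only, so both `if: always()` upload steps would error there; consider conditioning the uploads on `github.event.pull_request.head.repo.full_name == github.repository` or limiting them to push and schedule events. The repo-scan upload has no `category` while the image-scan upload uses `trivy-image`, so the two analyses are not reliably kept apart; add `category: "trivy-repo"` to the first upload step.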