postgres-containers/.github/actions/security-scans/action.yml at efcc5a2e27d7987660227c8c2deea893c25133aa · cloudnative-pg/postgres-containers · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
name: Security Scans
description: Security Scans
inputs:
  image:
    description: "The image to scan"
    required: true
  registry_user:
    description: "The user used to pull the image"
    required: true
  registry_token:
    description: "The token used to pull the image"
    required: true
  snyk_token:
    description: "The snyk authentication token"
    required: false
  dockerfile:
    description: "The image's Dockerfile"
    required: false
    default: './Dockerfile'

runs:
  using: composite
  steps:
    - name: Log in to the GitHub Container registry
      uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4
      with:
        registry: ghcr.io
        username: ${{ inputs.registry_user }}
        password: ${{ inputs.registry_token }}

    - name: Dockle
      uses: erzz/dockle-action@69369bc745ee29813f730231a821bcd4f71cd290 # v1
      with:
        image: "${{ inputs.image }}"
        exit-code: '1'
        failure-threshold: WARN
        accept-keywords: key
        accept-filenames: usr/share/postgresql-common/pgdg/apt.postgresql.org.asc,etc/ssl/private/ssl-cert-snakeoil.key,usr/local/lib/python3.9/dist-packages/azure/core/settings.py,usr/local/lib/python3.11/dist-packages/azure/core/settings.py,usr/local/lib/python3.13/dist-packages/azure/core/settings.py

    - name: Snyk
      uses: snyk/actions/docker@master
      id: snyk
      if: ${{ inputs.snyk_token != '' }}
      # Snyk can be used to break the build when it detects vulnerabilities.
      # In this case we want to upload the issues to GitHub Code Scanning.
      continue-on-error: true
      env:
        SNYK_TOKEN: ${{ inputs.snyk_token }}
      with:
        image: "${{ inputs.image }}"
        args: --severity-threshold=high --file=${{ inputs.dockerfile }}

    - name: Replace sarif security-severity invalid values
      if: ${{ hashFiles('snyk.sarif') != '' }}
      shell: bash
      run: |
        sed -i 's/"security-severity": "null"/"security-severity": "0"/g' snyk.sarif
        sed -i 's/"security-severity": "undefined"/"security-severity": "0"/g' snyk.sarif

    - name: Upload result to GitHub Code Scanning
      uses: github/codeql-action/upload-sarif@0d579ffd059c29b07949a3cce3983f0780820c98 # v4
      if: ${{ hashFiles('snyk.sarif') != '' }}
      with:
        sarif_file: snyk.sarif

    - name: Run Trivy vulnerability scanner
      uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # v0.35.0
      id: trivy
      continue-on-error: true
      with:
        version: 'latest'
        image-ref: '${{ inputs.image }}'
        format: 'sarif'
        output: 'trivy-results.sarif'

    - name: Upload Trivy scan results to GitHub Security tab
      uses: github/codeql-action/upload-sarif@0d579ffd059c29b07949a3cce3983f0780820c98 # v4
      if: ${{ hashFiles('trivy-results.sarif') != '' }}
      with:
        sarif_file: 'trivy-results.sarif'

    - name: Review Security checks
      if: ${{ hashFiles('snyk.sarif') == '' && hashFiles('trivy-results.sarif') == '' }}
      shell: bash
      run: |
        echo "None of the security checks produced results (Snyk and Trivy)"
        exit 1