From 432106fa2978b270ff6751ec3231f11128a8e0d6 Mon Sep 17 00:00:00 2001
From: Dorian Grasset
Date: Wed, 4 Jun 2025 15:50:41 +0200
Subject: [PATCH 1/3] ci: add scans with trivy & gitleaks
---
 .github/workflows/gitleaks.yml | 39 ++++++++++++++++++++++++++++++++
 .github/workflows/trivy.yml | 41 ++++++++++++++++++++++++++++++++++
 2 files changed, 80 insertions(+)
 create mode 100644 .github/workflows/gitleaks.yml
 create mode 100644 .github/workflows/trivy.yml
diff --git a/.github/workflows/gitleaks.yml b/.github/workflows/gitleaks.yml
new file mode 100644
index 0000000..e7f7c50
--- /dev/null
+++ b/.github/workflows/gitleaks.yml
@@ -0,0 +1,39 @@
+name: Gitleaks Scan
+
+on:
+ pull_request:
+ branches:
+ - main
+
+jobs:
+ gitleaks:
+ name: Gitleaks OSS Scan
+ runs-on: ubuntu-24.04
+
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v4
+
+ - name: Download Gitleaks 8.27.0
+ run: |
+ curl -sSL -o gitleaks.tar.gz https://github.com/gitleaks/gitleaks/releases/download/v8.27.0/gitleaks_8.27.0_linux_x64.tar.gz
+ echo "ba75459d765ebc9e940c0123a2d41a29e87be674b5ecaaacd5f82f26009255d5 gitleaks.tar.gz" | sha256sum -c -
+
+ - name: Extract and install Gitleaks
+ run: |
+ tar -xzf gitleaks.tar.gz
+ sudo mv gitleaks /usr/local/bin/
+ gitleaks version
+
+ - name: Run Gitleaks
+ run: |
+ gitleaks detect --source . \
+ --report-path=gitleaks-report.sarif \
+ --redact \
+ --exit-code 1
+
+ - name: Upload SARIF report
+ if: always()
+ uses: github/codeql-action/upload-sarif@v2
+ with:
+ sarif_file: gitleaks-report.sarif
diff --git a/.github/workflows/trivy.yml b/.github/workflows/trivy.yml
new file mode 100644
index 0000000..79e73ca
--- /dev/null
+++ b/.github/workflows/trivy.yml
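Review bot: The workflow declares no `permissions:` block, yet the `Upload SARIF report` step at the end of the hunk needs `security-events: write` on the job token, so on a repository whose default token scope is read-only the upload step fails (and the token is always read-only for pull requests from forks); the trivy.yml hunk in this patch has the same omission and only needs `contents: read`. Add at workflow level `permissions:` / `  contents: read` / `  security-events: write` so the job runs with exactly what it uses. Separately, `actions/checkout@v4` is used with its default shallow clone while `gitleaks detect --source .` walks the git log it can see, so commits on the PR branch other than the checked-out tip are, as far as I can tell, not scanned; if history scanning is intended, set `fetch-depth: 0` on the checkout step. Verifying the downloaded tarball against a pinned SHA-256 is good practice; for consistency the `uses:` references could be pinned to a commit SHA instead of a mutable tag.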
@@ -0,0 +1,41 @@
+name: Trivy Scan
+
+on:
+ pull_request:
+ branches:
+ - main
+
+jobs:
+ trivy-scan:
+ name: Trivy - Docker Image & Code Scan
+ runs-on: ubuntu-24.04
+
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v4
+
+ - name: Set up Docker (optional, ensures clean setup)
+ run: docker system prune -af
+
+ - name: Build Docker image locally
+ run: docker build -t gistsapp/api:${{ github.sha }} .
+
+ - name: Run Trivy image scan
+ uses: aquasecurity/trivy-action@0.31.0
+ with:
+ image-ref: 'gistsapp/api:${{ github.sha }}'
+ format: 'table'
+ exit-code: '1'
+ ignore-unfixed: true
+ vuln-type: 'os,library'
+ severity: 'CRITICAL,HIGH'
+
+ - name: Run Trivy filesystem scan
+ uses: aquasecurity/trivy-action@0.31.0
+ with:
+ scan-type: 'fs'
+ scan-ref: '.'
+ format: 'table'
+ exit-code: '1'
+ ignore-unfixed: true
+ severity: 'CRITICAL,HIGH'
From 6d6d7f3867ae942483e057c3f1400c45078e9625 Mon Sep 17 00:00:00 2001
From: Dorian Grasset
Date: Wed, 4 Jun 2025 16:04:06 +0200
Subject: [PATCH 2/3] ci: update gitleaks version & allow trivy fs scan even if image scan didnt work
---
 .github/workflows/gitleaks.yml | 4 ++--
 .github/workflows/trivy.yml | 13 +++++++++++++
 2 files changed, 15 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/gitleaks.yml b/.github/workflows/gitleaks.yml
index e7f7c50..32eb3fc 100644
--- a/.github/workflows/gitleaks.yml
+++ b/.github/workflows/gitleaks.yml
@@ -34,6 +34,6 @@ jobs:
 - name: Upload SARIF report
 if: always()
- uses: github/codeql-action/upload-sarif@v2
+ uses: github/codeql-action/upload-sarif@v3
 with:
- sarif_file: gitleaks-report.sarif
+ sarif_file: gitleaks-report.sarif
\ No newline at end of file
diff --git a/.github/workflows/trivy.yml b/.github/workflows/trivy.yml
index 79e73ca..95201c0 100644
--- a/.github/workflows/trivy.yml
+++ b/.github/workflows/trivy.yml
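Review bot: Both scans run only on `pull_request` against `main` (top of the hunk), so nothing rescans the image after merge; an image that was clean at PR time stays green when a new CRITICAL/HIGH advisory is published for one of its packages. Add a `schedule:` trigger (and optionally `push:` with `branches: [main]`) so the build-and-scan job also runs periodically against the current `main`. The `Set up Docker` step's `docker system prune -af` runs on a fresh hosted runner where there is nothing to prune, and its own name calls it optional, so it can be dropped. `ignore-unfixed: true` also hides CRITICAL/HIGH findings that have no upstream fix yet — a defensible choice for a blocking gate, but worth a one-line comment such as `# unfixed findings are hidden on purpose: nothing actionable for a PR gate` so a clean table is not mistaken for a clean image.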
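Review bot: The new side of the last line drops the file's trailing newline (`\ No newline at end of file` follows only the `+` line, not the `-` line), which yamllint's `new-line-at-end-of-file` rule flags and which turns every later append into a two-line diff; restore the final newline so this hunk is only the `upload-sarif` v2-to-v3 bump. The enclosing `steps:` list starts outside the hunk.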
@@ -21,6 +21,8 @@ jobs:
 run: docker build -t gistsapp/api:${{ github.sha }} .
 - name: Run Trivy image scan
+ id: trivy_image
+ continue-on-error: true
 uses: aquasecurity/trivy-action@0.31.0
 with:
 image-ref: 'gistsapp/api:${{ github.sha }}'
@@ -31,6 +33,8 @@ jobs:
 severity: 'CRITICAL,HIGH'
 - name: Run Trivy filesystem scan
+ id: trivy_fs
+ continue-on-error: true
 uses: aquasecurity/trivy-action@0.31.0
 with:
 scan-type: 'fs'
@@ -39,3 +43,12 @@ jobs:
 exit-code: '1'
 ignore-unfixed: true
 severity: 'CRITICAL,HIGH'
+
+ - name: Fail job if any Trivy scan failed
+ run: |
+ if [ "${{ steps.trivy_image.outcome }}" != "success" ] || [ "${{ steps.trivy_fs.outcome }}" != "success" ]; then
+ echo "❌ One or both Trivy scans failed."
+ exit 1
+ else
+ echo "✅ Both Trivy scans passed."
+ fi
From c007971363cc59fab111f30208401f6d6626131a Mon Sep 17 00:00:00 2001
From: Dorian Grasset
Date: Wed, 4 Jun 2025 16:07:13 +0200
Subject: [PATCH 3/3] ci: remove fs scan in trivy
---
 .github/workflows/trivy.yml | 21 ---------------------
 1 file changed, 21 deletions(-)
diff --git a/.github/workflows/trivy.yml b/.github/workflows/trivy.yml
index 95201c0..07a846b 100644
--- a/.github/workflows/trivy.yml
+++ b/.github/workflows/trivy.yml
@@ -31,24 +31,3 @@ jobs:
 ignore-unfixed: true
 vuln-type: 'os,library'
 severity: 'CRITICAL,HIGH'
-
- - name: Run Trivy filesystem scan
- id: trivy_fs
- continue-on-error: true
- uses: aquasecurity/trivy-action@0.31.0
- with:
- scan-type: 'fs'
- scan-ref: '.'
- format: 'table'
- exit-code: '1'
- ignore-unfixed: true
- severity: 'CRITICAL,HIGH'
-
- - name: Fail job if any Trivy scan failed
- run: |
- if [ "${{ steps.trivy_image.outcome }}" != "success" ] || [ "${{ steps.trivy_fs.outcome }}" != "success" ]; then
- echo "❌ One or both Trivy scans failed."
- exit 1
- else
- echo "✅ Both Trivy scans passed."
- fi
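Review bot: `continue-on-error: true` on the image scan (and on the filesystem scan in the next hunk) makes the step's `exit-code: '1'` decorative for the step itself: a CRITICAL/HIGH finding no longer fails the step, and the job only goes red because the gate step added in the last hunk of this patch re-checks `steps.trivy_image.outcome`. That coupling is invisible at the flag, so document it there, e.g. `# findings are turned into a job failure by the "Fail job if any Trivy scan failed" step below`, so that a later edit of the gate does not silently make the scan advisory. The `Run Trivy image scan` step's `with:` block continues outside the hunk.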
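Review bot: The gate prints `One or both Trivy scans failed.` without saying which, so whoever reads the log has to scroll back through two table outputs; echo both outcomes before exiting, e.g. `echo "image scan: ${{ steps.trivy_image.outcome }}, fs scan: ${{ steps.trivy_fs.outcome }}"`. Interpolating `${{ }}` into `run:` is acceptable here only because `steps.*.outcome` is one of a fixed set of values (`success`, `failure`, `cancelled`, `skipped`); keep that property and do not extend the pattern to attacker-influenced context such as PR titles or branch names, which belong in `env:` instead. The same check can be written without a shell by moving the condition into the step's `if:` (`if: steps.trivy_image.outcome != 'success' || steps.trivy_fs.outcome != 'success'`) with `run: exit 1`.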
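Review bot: Removing the `Fail job if any Trivy scan failed` step leaves the image scan unable to fail the job: as far as the series shows, patch 2's `@@ -21,6 +21,8 @@` hunk added `id: trivy_image` and `continue-on-error: true` to the `Run Trivy image scan` step just above this hunk, this hunk starts at line 31 and does not touch them, so after this patch a CRITICAL/HIGH finding makes Trivy exit 1, the step is marked as continued, and the workflow ends green. Either delete `continue-on-error: true` (and the now-unused `id: trivy_image`) from that step so `exit-code: '1'` blocks the PR again, or keep a gate step that checks `steps.trivy_image.outcome`. The deleted filesystem scan was also the only scan of the checked-out source tree; if dropping it is intentional because the image scan's `vuln-type: 'os,library'` already covers the bundled dependencies, the commit message should say so.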