Check fleetdm/wix for vulnerabilities #203
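name: Check fleetdm/wix for vulnerabilities

on:
  workflow_dispatch:
    inputs:
      build_image:
        description: "Scan locally-built image instead of published image"
        type: boolean
        default: false
  schedule:
    - cron: "0 6 * * *"

# This allows a subsequently queued workflow run to interrupt previous runs
concurrency:
  group: ${{ github.workflow }}-${{ github.head_ref || github.run_id}}
  cancel-in-progress: true

defaults:
  run:
    # fail-fast using bash -eo pipefail. See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#exit-codes-and-error-action-preference
    shell: bash

# Least privilege: the only GITHUB_TOKEN scope any step in this workflow needs
# is read access to repository contents (for actions/checkout). Jobs inherit
# this block unless they declare their own `permissions:`.
permissions:
  contents: read

jobs:
  check-published:
    runs-on: ubuntu-22.04
    environment: Docker Hub
    # Intentionally no job-level `permissions:` override. The former
    # `id-token: write` grant was annotated as being for
    # aws-actions/configure-aws-credentials, but no step in this job uses that
    # action (the Trivy databases below are pulled from public ECR without
    # credentials), so the job keeps the workflow-level `contents: read` only.
    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0
        with:
          egress-policy: audit

      - name: Checkout
        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3

      - name: Login to Docker Hub
        uses: docker/login-action@f4ef78c080cd8ba55a85445d5b36e214a81df20a # v2.1.0
        with:
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_ACCESS_TOKEN }}

      - name: Set up Go
        uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
        with:
          go-version-file: "go.mod"

      # Both build steps only run for a manual dispatch that opted into
      # scanning a locally-built image; the scheduled run scans the published one.
      - name: Build fleetdm/wix
        if: ${{ github.event_name == 'workflow_dispatch' && inputs.build_image }}
        run: make wix-docker

      - name: Clean up Docker build cache
        if: ${{ github.event_name == 'workflow_dispatch' && inputs.build_image }}
        run: docker builder prune -af

      - name: List VEX files
        id: generate_vex_files
        run: |
          # Build the comma-separated VEX path list from a glob instead of
          # parsing `ls` output. nullglob makes the list empty when the
          # directory has no entries (matching the old `ls` behaviour) rather
          # than leaving the literal pattern in place.
          shopt -s nullglob
          vex_files=""
          for vex_file in ./security/vex/wix/*; do
            vex_files="${vex_files:+$vex_files,}$vex_file"
          done
          echo "VEX_FILES=$vex_files" >> "$GITHUB_OUTPUT"

      # We use the trivy command and not the github action because it doesn't support loading VEX files yet.
      - name: Run Trivy vulnerability scanner on fleetdm/wix
        env:
          TRIVY_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-db
          TRIVY_JAVA_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-java-db
        run: |
          trivy_version="0.69.2"
          trivy_tarball="trivy_${trivy_version}_Linux-64bit.tar.gz"
          mkdir trivy-download
          cd trivy-download
          # -f makes curl fail on an HTTP error instead of saving the error
          # page as the tarball, which would otherwise only surface later as a
          # confusing tar failure. -sS keeps the log quiet but still prints errors.
          # NOTE(review): the download is version-pinned but not integrity-checked.
          # If the release publishes a checksums file alongside the tarball,
          # verifying against it (with the expected digest recorded in this
          # workflow) before extraction would close the remaining download-tampering gap.
          curl -fsSL "https://github.com/aquasecurity/trivy/releases/download/v${trivy_version}/${trivy_tarball}" \
            --output "${trivy_tarball}"
          tar -xf "${trivy_tarball}"
          mv trivy ..
          cd ..
          chmod +x ./trivy
          # Capture trivy's exit status instead of letting `set -e` abort here,
          # so the human-readable table below is always printed before failing.
          ./trivy image \
            --exit-code=1 \
            --ignore-unfixed \
            --pkg-types=os,library \
            --severity=HIGH,CRITICAL \
            --vex="${{ steps.generate_vex_files.outputs.VEX_FILES }}" \
            --format=json \
            --output=trivy-results.json \
            fleetdm/wix || trivy_exit_code=$?
          # Print a human-readable table to the job log for debugging.
          ./trivy convert --format table trivy-results.json
          exit "${trivy_exit_code:-0}"

      - name: Extract CVE list for Slack notification
        id: extract_cves
        if: failure()
        run: |
          if [ -f trivy-results.json ]; then
            # `safe` JSON-escapes string fields so they can be embedded inline in
            # the Slack payload JSON (titles can contain quotes, backslashes, etc.).
            # `\\n` (literal backslash-n) is used as the separator so the value
            # stays on a single line in $GITHUB_OUTPUT and Slack renders it as a
            # newline when parsing the JSON payload.
            cve_list=$(jq -r '
              def safe(s): (s // "") | tojson | .[1:-1];
              [.Results[]?.Vulnerabilities[]?]
              | unique_by(.VulnerabilityID + "|" + (.PkgName // ""))
              | sort_by(.Severity, .VulnerabilityID)
              | map("• *\(.VulnerabilityID)* (\(.Severity // "UNKNOWN")) — \(safe(.PkgName // "?")) \(safe(.InstalledVersion // "?")) → \(safe(.FixedVersion // "?"))\\n _\(safe(.Title // "(no title)"))_")
              | join("\\n")
            ' trivy-results.json)
          fi
          # Fallback text is deliberately free of JSON-special characters since
          # it is interpolated verbatim into the Slack payload.
          echo "cve_list=${cve_list:-(no CVE list available — check job logs)}" >> "$GITHUB_OUTPUT"

      - name: Slack notification
        # Only the scheduled run notifies; manual dispatches are checked by the
        # person who triggered them.
        if: github.event.schedule == '0 6 * * *' && failure()
        uses: slackapi/slack-github-action@e28cf165c92ffef168d23c5c9000cffc8a25e117 # v1.24.0
        with:
          payload: |
            {
              "text": "${{ job.status }}\n${{ github.event.pull_request.html_url || github.event.head.html_url }}",
              "blocks": [
                {
                  "type": "section",
                  "text": {
                    "type": "mrkdwn",
                    "text": "⚠️ Build fleetdm/wix and check vulnerabilities failed.\nhttps://github.com/fleetdm/fleet/actions/runs/${{ github.run_id }}\n\n*Detected CVEs:*\n${{ steps.extract_cves.outputs.cve_list }}"
                  }
                }
              ]
            }
        env:
          SLACK_WEBHOOK_URL: ${{ secrets.SLACK_G_ORCHESTRATION_WEBHOOK_URL }}
          SLACK_WEBHOOK_TYPE: INCOMING_WEBHOOK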