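name: Trivy Scan

on:
  schedule:
    # Run at midnight SGT (UTC+8) daily - 16:00 UTC
    - cron: '0 16 * * *'
  push:
    branches: [dev]
  workflow_dispatch:

# Nothing here writes back to the repository, so the default GITHUB_TOKEN
# only needs read access to the checkout.
permissions:
  contents: read

jobs:
  trivy-scan:
    runs-on: ubuntu-latest
    env:
      # Space-separated compose service names to skip. Kept in a secret so the
      # list can change without a workflow edit.
      TRIVY_EXCLUDE_SERVICES: ${{ secrets.TRIVY_EXCLUDE_SERVICES }}
    steps:
      # NOTE(review): third-party action pinned to a tag, not a commit SHA; a
      # moved tag changes what runs with full runner (sudo) access.
      - name: Maximize build space
        uses: AdityaGarg8/remove-unwanted-software@v4.1
        with:
          remove-android: 'true'
          remove-haskell: 'true'
          remove-codeql: 'true'

      - name: Free up additional space
        run: |
          sudo rm -rf /usr/share/dotnet
          sudo rm -rf /usr/local/lib/android
          sudo rm -rf /opt/ghc
          sudo rm -rf /opt/hostedtoolcache/CodeQL
          sudo docker system prune -af
          sudo apt-get autoremove -y
          sudo apt-get autoclean
          echo "=== Disk space after cleanup ==="
          df -h

      - name: Checkout repository
        uses: actions/checkout@v4

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3

      - name: Set up QEMU
        uses: docker/setup-qemu-action@v3

      # NOTE(review): the installer is fetched from the unpinned `main` branch
      # and, without a version argument, installs the latest Trivy release, so
      # results are not reproducible between runs. Passing a release tag as the
      # last argument to install.sh pins the scanner version.
      - name: Install Trivy CLI
        run: |
          set -euo pipefail
          # pipefail + -S: a failed download is reported instead of silently
          # feeding an empty script to sh; HTTPS-only for the fetch itself.
          curl --proto '=https' --tlsv1.2 -sSfL \
            https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh \
            | sh -s -- -b /usr/local/bin

      - name: Extract metadata
        id: meta
        run: |
          set -euo pipefail
          SHORT_SHA=$(git rev-parse --short HEAD)
          echo "SHORT_SHA=${SHORT_SHA}" >> "$GITHUB_ENV"
          git fetch --tags
          # Highest version-looking tag; v0.0.0 when the repo has none yet.
          LATEST_TAG=$(git tag --list 'v*.*.*' | sort -V | tail -n1)
          FALLBACK_TAG="${LATEST_TAG:-v0.0.0}"
          echo "GIT_TAG=${FALLBACK_TAG}-${SHORT_SHA}" >> "$GITHUB_ENV"
          # Lower-cased owner (bash 4+ case conversion) for registry-style paths.
          echo "REPO_OWNER_LC=${GITHUB_REPOSITORY_OWNER,,}" >> "$GITHUB_ENV"

      - name: Copy example.env to .env
        run: |
          set -euo pipefail
          echo "Copying example.env to .env..."
          # NUL-delimited find output and read -r so paths containing spaces or
          # backslashes are copied intact.
          while IFS= read -r -d '' f; do
            dir=$(dirname "$f")
            cp -- "$f" "${dir}/.env"
            echo "✓ Created ${dir}/.env"
          done < <(find . -name "example.env" -print0)

      - name: Run Trivy scan for each service individually
        run: |
          set -euo pipefail
          echo "=== Getting all services from docker-compose.yml ==="
          mapfile -t ALL_SERVICES < <(docker compose config --services)
          FAILED_SERVICES=""
          SUCCESSFUL_SERVICES=""
          for SERVICE in "${ALL_SERVICES[@]}"; do
            # Pad both sides so only whole service names match the exclusion list.
            if [[ " ${TRIVY_EXCLUDE_SERVICES} " == *" ${SERVICE} "* ]]; then
              echo "Skipping ${SERVICE} (excluded via secret)"
              continue
            fi
            echo ""
            echo "=========================================="
            echo "Scanning ${SERVICE}"
            echo "=========================================="
            # Build the service. A failed build is recorded and the loop moves on
            # so one broken Dockerfile does not hide the results for the rest; the
            # summary below still fails the job.
            echo "Building ${SERVICE}..."
            if ! docker compose build "$SERVICE"; then
              echo "✗ ${SERVICE} failed to build"
              FAILED_SERVICES="${FAILED_SERVICES} ${SERVICE}"
              continue
            fi
            # Resolve the image compose built for this service. Prefer the image
            # name compose itself reports; the wildcard reference filter is only a
            # fallback because it also matches any other image whose name contains
            # the service name (e.g. "api" vs "api-gateway"), and a fully cached
            # build is not necessarily the newest image in the list.
            IMAGE_REF=$(docker compose config --images "$SERVICE" 2>/dev/null | head -n1 || true)
            IMAGE_ID=""
            if [[ -n "$IMAGE_REF" ]]; then
              IMAGE_ID=$(docker images --filter=reference="$IMAGE_REF" --format "{{.ID}}" | head -n1)
            fi
            if [[ -z "$IMAGE_ID" ]]; then
              IMAGE_ID=$(docker images --filter=reference="*${SERVICE}*" --format "{{.ID}}" | head -n1)
            fi
            if [[ -z "$IMAGE_ID" ]]; then
              echo "✗ No image found for ${SERVICE} after build"
              FAILED_SERVICES="${FAILED_SERVICES} ${SERVICE}"
              continue
            fi
            echo "Running Trivy scan on ${SERVICE} (${IMAGE_ID})..."
            # Exit code 1 only on HIGH/CRITICAL findings; the outcome is collected
            # per service and the job fails once, from the summary.
            if trivy image --exit-code 1 --severity CRITICAL,HIGH --no-progress "$IMAGE_ID"; then
              echo "✓ ${SERVICE} passed Trivy scan"
              SUCCESSFUL_SERVICES="${SUCCESSFUL_SERVICES} ${SERVICE}"
            else
              echo "✗ ${SERVICE} failed Trivy scan"
              FAILED_SERVICES="${FAILED_SERVICES} ${SERVICE}"
            fi
            # Reclaim runner disk before the next build.
            docker compose rm -f "$SERVICE" || true
            docker builder prune --force
            docker system prune --force
            echo "=== Disk space after scanning ${SERVICE} ==="
            # Ask df for the root filesystem directly; grepping its output would
            # fail the step under pipefail whenever the pattern is absent.
            df -h /
          done
          echo ""
          echo "=========================================="
          echo "TRIVY SCAN SUMMARY"
          echo "=========================================="
          if [[ -n "$SUCCESSFUL_SERVICES" ]]; then
            echo "✓ PASSED:${SUCCESSFUL_SERVICES}"
          fi
          if [[ -n "$FAILED_SERVICES" ]]; then
            echo "✗ FAILED:${FAILED_SERVICES}"
            exit 1
          fi
          echo "All services passed Trivy scan!"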