首頁 探索 說明
登入
tum
/
soc
關註 1
讚好 0
複刻 0
代碼 問題管理 0 合併請求 0 提交歷史 2 版本發佈 0 Wiki

暫無描述

目錄樹: 9ffefbf37c
分支列表 標籤列表
soc
/
wazuh-docker
/
.github
/
workflows
/
trivy-dashbo...

trivy-dashboard.yml 2.5KB
文件歷史 原始文件

12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364656667686970717273747576 
  1. # This workflow uses actions that are not certified by GitHub.
    2. 

  2. # They are provided by a third-party and are governed by
    3. 

  3. # separate terms of service, privacy policy, and support
    4. 

  4. # documentation.
    5. 

  5. 

  6. name: Trivy scan Wazuh dashboard
    7. 

  7. 

  8. on:
    9. 

  9.   release:
    10. 

  10.     types:
    11. 

  11.     - published
    12. 

  12.   pull_request:
    13. 

  13.     branches:
    14. 

  14.       - main
    15. 

  15.   schedule:
    16. 

  16.     - cron: '34 2 * * 1'
    17. 

  17.   workflow_dispatch:
    18. 

  18. 

  19. permissions:
    20. 

  20.   contents: read
    21. 

  21. 

  22. jobs:
    23. 

  23.   build:
    24. 

  24.     permissions:
    25. 

  25.       contents: read # for actions/checkout to fetch code
    26. 

  26.       security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
    27. 

  27. 

  28.     name: Build images and upload Trivy results
    29. 

  29.     runs-on: "ubuntu-22.04"
    30. 

  30.     steps:
    31. 

  31.       - name: Checkout code
    32. 

  32.         uses: actions/checkout@v3
    33. 

  33. 

  34.       - name: Installing dependencies
    35. 

  35.         run: |
    36. 

  36.           sudo apt-get update
    37. 

  37.           sudo apt-get install -y jq
    38. 

  38. 

  39.       - name: Checkout latest tag
    40. 

  40.         run: |
    41. 

  41.           latest=$(curl -s "https://api.github.com/repos/wazuh/wazuh-docker/releases/latest" | jq -r '.tag_name')
    42. 

  42.           git fetch origin
    43. 

  43.           git checkout $latest
    44. 

  44. 

  45.       - name: Build Wazuh images
    46. 

  46.         run: build-docker-images/build-images.sh
    47. 

  47. 

  48.       - name: Create enviroment variables
    49. 

  49.         run: |
    50. 

  50.           cat .env > $GITHUB_ENV
    51. 

  51.           echo "GITHUB_REF_NAME="${GITHUB_REF_NAME%/*} >> $GITHUB_ENV
    52. 

  52. 

  53.       - name: Run Trivy vulnerability scanner for Wazuh dashboard
    54. 

  54.         uses: aquasecurity/trivy-action@2a2157eb22c08c9a1fac99263430307b8d1bc7a2
    55. 

  55.         with:
    56. 

  56.           image-ref: 'wazuh/wazuh-dashboard:${{env.WAZUH_IMAGE_VERSION}}'
    57. 

  57.           format: 'template'
    58. 

  58.           template: '@/contrib/sarif.tpl'
    59. 

  59.           output: 'trivy-results-dashboard.sarif'
    60. 

  60.           severity: 'LOW,MEDIUM,CRITICAL,HIGH'
    61. 

  61. 

  62.       - name: Upload Trivy scan results to GitHub Security tab
    63. 

  63.         uses: github/codeql-action/upload-sarif@v2
    64. 

  64.         with:
    65. 

  65.           sarif_file: 'trivy-results-dashboard.sarif'
    66. 

  66. 

  67.       - name: Slack notification
    68. 

  68.         uses: rtCamp/action-slack-notify@v2
    69. 

  69.         env:
    70. 

  70.           SLACK_CHANNEL: cicd-monitoring
    71. 

  71.           SLACK_COLOR: ${{ job.status }} # or a specific color like 'good' or '#ff00ff'
    72. 

  72.           #SLACK_ICON: https://github.com/rtCamp.png?size=48
    73. 

  73.           SLACK_MESSAGE: "Check the results: https://github.com/wazuh/wazuh-docker/security/code-scanning?query=is%3Aopen+branch%3A${{ env.GITHUB_REF_NAME }}"
    74. 

  74.           SLACK_TITLE: Wazuh docker Trivy vulnerability scan finished.
    75. 

  75.           SLACK_USERNAME: github_actions
    76. 

  76.           SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }}
    77.