From 9ce24ff32cccf3e24edb216dd7c986f5fcf1eff4 Mon Sep 17 00:00:00 2001
From: Akhil Anand
Date: Tue, 10 Oct 2023 18:28:39 +0530
Subject: [PATCH 1/3] feature-5232-Trivy-Security-Scans
---
 .github/workflows/trivy.yml | 27 +++++++++++++++++++++++++++
 1 file changed, 27 insertions(+)
 create mode 100644 .github/workflows/trivy.yml
diff --git a/.github/workflows/trivy.yml b/.github/workflows/trivy.yml
new file mode 100644
index 0000000000..72532b4612
--- /dev/null
+++ b/.github/workflows/trivy.yml
@@ -0,0 +1,27 @@
+name: Trivy
+
+on:
+ pull_request:
+ push:
+
+jobs:
+ scan:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Check out code
+ uses: actions/checkout@v3
+ with:
+ submodules: recursive
+
+
+ - name: Build the Docker image
+ run: docker build . -t appwrite_image:latest
+
+ - name: Run Trivy vulnerability scanner
+ uses: aquasecurity/trivy-action@master
+ with:
+ image-ref: 'appwrite_image:latest'
+ format: 'table'
+ exit-code: '1'
+ ignore-unfixed: 'false'
+ severity: 'CRITICAL,HIGH'
From 56e261023cae9e0ad03c0835de65c482596455f6 Mon Sep 17 00:00:00 2001
From: Akhil Anand <71667635+btme0011@users.noreply.github.com>
Date: Fri, 19 Jan 2024 12:54:22 +0530
Subject: [PATCH 2/3] Update .github/workflows/trivy.yml
Co-authored-by: Steven Nguyen <1477010+stnguyen90@users.noreply.github.com>
---
 .github/workflows/trivy.yml | 1 -
 1 file changed, 1 deletion(-)
diff --git a/.github/workflows/trivy.yml b/.github/workflows/trivy.yml
index 72532b4612..4628388bd6 100644
--- a/.github/workflows/trivy.yml
+++ b/.github/workflows/trivy.yml
@@ -13,7 +13,6 @@ jobs:
 with:
 submodules: recursive
-
 - name: Build the Docker image
 run: docker build . -t appwrite_image:latest
From 4726c5cec3d9e2541ec6328ea5f3c3ee74ad73c3 Mon Sep 17 00:00:00 2001
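Review bot: `uses: aquasecurity/trivy-action@master` in the scanner step resolves to whatever commit sits at the head of that branch when each push or pull request runs, so a compromised or merely breaking upstream commit lands straight in a job that holds a checkout and the repository's GITHUB_TOKEN. Pin the action to an immutable full commit SHA with the release noted beside it, e.g. `uses: aquasecurity/trivy-action@<full-commit-sha>  # vX.Y.Z`, and treat `actions/checkout@v3` the same way; the third commit in this series moves to the `@0.20.0` tag, which is better but still a mutable ref. Separately, `exit-code: '1'` together with `ignore-unfixed: 'false'` on every push and PR will block merges on base-image CVEs that have no upstream fix yet — if that gating is intended, say so in a comment above the step, otherwise set `ignore-unfixed: 'true'` for this run.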
From: Evan
Date: Thu, 1 Aug 2024 15:38:15 -0700
Subject: [PATCH 3/3] Security Scan Refactor
---
 .github/workflows/nightly.yml | 47 +++++++++++++++++++++++++++++++++++
 .github/workflows/trivy.yml | 26 -------------------
 2 files changed, 47 insertions(+), 26 deletions(-)
 create mode 100644 .github/workflows/nightly.yml
 delete mode 100644 .github/workflows/trivy.yml
diff --git a/.github/workflows/nightly.yml b/.github/workflows/nightly.yml
new file mode 100644
index 0000000000..80d880244c
--- /dev/null
+++ b/.github/workflows/nightly.yml
@@ -0,0 +1,47 @@
+name: Nightly Security Scan
+on:
+ schedule:
+ - cron: '0 0 * * *' # 12am UTC daily runtime
+ workflow_dispatch:
+
+jobs:
+ scan-image:
+ name: Scan Docker Image
+ runs-on: ubuntu-latest
+ steps:
+ - name: Check out code
+ uses: actions/checkout@v4
+ with:
+ submodules: recursive
+ - name: Build the Docker image
+ run: docker build . -t appwrite_image:latest
+ - name: Run Trivy vulnerability scanner on image
+ uses: aquasecurity/trivy-action@0.20.0
+ with:
+ image-ref: 'appwrite_image:latest'
+ format: 'sarif'
+ output: 'trivy-image-results.sarif'
+ ignore-unfixed: 'false'
+ severity: 'CRITICAL,HIGH'
+ - name: Upload Docker Image Scan Results
+ uses: github/codeql-action/upload-sarif@v2
+ with:
+ sarif_file: 'trivy-image-results.sarif'
+
+ scan-code:
+ name: Scan Code
+ runs-on: ubuntu-latest
+ steps:
+ - name: Check out code
+ uses: actions/checkout@v4
+ - name: Run Trivy vulnerability scanner on filesystem
+ uses: aquasecurity/trivy-action@0.20.0
+ with:
+ scan-type: 'fs'
+ format: 'sarif'
+ output: 'trivy-fs-results.sarif'
+ severity: 'CRITICAL,HIGH'
+ - name: Upload Code Scan Results
+ uses: github/codeql-action/upload-sarif@v2
+ with:
+ sarif_file: 'trivy-fs-results.sarif'
diff --git a/.github/workflows/trivy.yml b/.github/workflows/trivy.yml
deleted file mode 100644
index 4628388bd6..0000000000
--- a/.github/workflows/trivy.yml
+++ /dev/null
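Review bot: The two `github/codeql-action/upload-sarif@v2` steps need `security-events: write` on the job token, and the new workflow declares no `permissions:` block, so the uploads will fail with a 403 wherever the default GITHUB_TOKEN is read-only (the default on newer repositories) — and where it is not, both jobs run with a broader token than a scanner needs. Add an explicit least-privilege block at the top level as shown below. Both uploads also target the same commit with the same tool name and no `category:`, so the second upload is likely to replace the first in Code Scanning instead of sitting beside it; give each a distinct category. `aquasecurity/trivy-action@0.20.0`, `actions/checkout@v4` and `codeql-action@v2` are mutable tags; pinning to full commit SHAs with the version in a trailing comment is the usual hardening for a workflow that runs with write permissions.
```yaml
permissions:
  contents: read           # checkout only
  security-events: write   # required by codeql-action/upload-sarif

# … unchanged: jobs.scan-image steps up to the upload …
        with:
          sarif_file: 'trivy-image-results.sarif'
          category: 'trivy-image'
# … unchanged: jobs.scan-code steps up to the upload …
        with:
          sarif_file: 'trivy-fs-results.sarif'
          category: 'trivy-fs'
```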
@@ -1,26 +0,0 @@
-name: Trivy
-
-on:
- pull_request:
- push:
-
-jobs:
- scan:
- runs-on: ubuntu-latest
- steps:
- - name: Check out code
- uses: actions/checkout@v3
- with:
- submodules: recursive
-
- - name: Build the Docker image
- run: docker build . -t appwrite_image:latest
-
- - name: Run Trivy vulnerability scanner
- uses: aquasecurity/trivy-action@master
- with:
- image-ref: 'appwrite_image:latest'
- format: 'table'
- exit-code: '1'
- ignore-unfixed: 'false'
- severity: 'CRITICAL,HIGH'