From 4e966c432fb98733094e06e06b2a30e41df29935 Mon Sep 17 00:00:00 2001
From: Brett
Date: Sun, 20 Apr 2025 09:16:18 +0200
Subject: [PATCH 1/3] Create image-vuln-scan.yml
---
 .github/workflows/image-vuln-scan.yml | 54 +++++++++++++++++++++++++++
 1 file changed, 54 insertions(+)
 create mode 100644 .github/workflows/image-vuln-scan.yml
diff --git a/.github/workflows/image-vuln-scan.yml b/.github/workflows/image-vuln-scan.yml
new file mode 100644
index 0000000..64fa0e0
--- /dev/null
+++ b/.github/workflows/image-vuln-scan.yml
@@ -0,0 +1,54 @@
+name: Daily DockerHub Vulnerability Scan
+
+on:
+  schedule:
+    - cron: '30 9 * * *' # Every day at 9:30 AM UTC
+  workflow_dispatch: # Allow manual trigger
+
+jobs:
+  scan-images:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v3
+
+      - name: Set up Trivy
+        uses: aquasecurity/trivy-action@master
+
+      - name: Create report directory
+        run: mkdir -p reports
+
+      - name: Define DockerHub images to scan
+        id: image-list
+        run: |
+          echo "IMAGES=ckan/ckan-base:2.11 ckan/ckan-dev:2.11" >> $GITHUB_ENV
+
+      - name: Scan DockerHub images with Trivy
+        run: |
+          for IMAGE in $IMAGES; do
+            SAFE_IMAGE_NAME=$(echo $IMAGE | sed 's/[:\/]/_/g')
+            trivy image --severity CRITICAL,HIGH --format table --output "reports/${SAFE_IMAGE_NAME}.txt" $IMAGE
+          done
+
+      - name: Combine reports into one
+        run: |
+          echo "Docker Image Vulnerability Report - $(date)" > reports/final_report.txt
+          echo "=========================================" >> reports/final_report.txt
+          for FILE in reports/*.txt; do
+            [ "$FILE" != "reports/final_report.txt" ] && cat "$FILE" >> reports/final_report.txt && echo -e "\n\n" >> reports/final_report.txt
+          done
+
+      - name: Send report via email
+        uses: dawidd6/action-send-mail@v3
+        with:
+          server_address: smtp.example.com
+          server_port: 587
+          username: ${{ secrets.EMAIL_USERNAME }}
+          password: ${{ secrets.EMAIL_PASSWORD }}
+          subject: "DockerHub Vulnerability Report - $(date +'%Y-%m-%d')"
+          to: brett@kowh.ai
+          from: GitHub Actions
+          content_type: text/plain
+          body: |
+            Please find the attached daily vulnerability report for DockerHub images.
+          attachments: reports/final_report.txt
From 6576191e621da6cbd69c669743953cd8c5ce0837 Mon Sep 17 00:00:00 2001
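Review bot: The `subject:` input of the send-mail step contains `$(date +'%Y-%m-%d')`, but `with:` inputs are not evaluated by a shell, so the mail will be sent with that text verbatim; compute the date in a `run:` step (`echo "REPORT_DATE=$(date +'%Y-%m-%d')" >> $GITHUB_ENV`) and use `subject: "DockerHub Vulnerability Report - ${{ env.REPORT_DATE }}"`. `uses: aquasecurity/trivy-action@master` tracks a mutable branch of a third-party action in a job that has the `EMAIL_*` secrets in scope; pin it to a release tag or commit SHA like the other actions. `server_address: smtp.example.com` looks like a placeholder and should come from a repository variable or secret rather than be committed.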
From: Brett
Date: Mon, 28 Apr 2025 16:27:30 +0200
Subject: [PATCH 2/3] updates
---
 .github/workflows/image-vuln-scan-SAVED.yml | 54 +++++++++++++++++++++
 .github/workflows/image-vuln-scan.yml | 32 ++++++------
 2 files changed, 68 insertions(+), 18 deletions(-)
 create mode 100644 .github/workflows/image-vuln-scan-SAVED.yml
diff --git a/.github/workflows/image-vuln-scan-SAVED.yml b/.github/workflows/image-vuln-scan-SAVED.yml
new file mode 100644
index 0000000..64fa0e0
--- /dev/null
+++ b/.github/workflows/image-vuln-scan-SAVED.yml
@@ -0,0 +1,54 @@
+name: Daily DockerHub Vulnerability Scan
+
+on:
+  schedule:
+    - cron: '30 9 * * *' # Every day at 9:30 AM UTC
+  workflow_dispatch: # Allow manual trigger
+
+jobs:
+  scan-images:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v3
+
+      - name: Set up Trivy
+        uses: aquasecurity/trivy-action@master
+
+      - name: Create report directory
+        run: mkdir -p reports
+
+      - name: Define DockerHub images to scan
+        id: image-list
+        run: |
+          echo "IMAGES=ckan/ckan-base:2.11 ckan/ckan-dev:2.11" >> $GITHUB_ENV
+
+      - name: Scan DockerHub images with Trivy
+        run: |
+          for IMAGE in $IMAGES; do
+            SAFE_IMAGE_NAME=$(echo $IMAGE | sed 's/[:\/]/_/g')
+            trivy image --severity CRITICAL,HIGH --format table --output "reports/${SAFE_IMAGE_NAME}.txt" $IMAGE
+          done
+
+      - name: Combine reports into one
+        run: |
+          echo "Docker Image Vulnerability Report - $(date)" > reports/final_report.txt
+          echo "=========================================" >> reports/final_report.txt
+          for FILE in reports/*.txt; do
+            [ "$FILE" != "reports/final_report.txt" ] && cat "$FILE" >> reports/final_report.txt && echo -e "\n\n" >> reports/final_report.txt
+          done
+
+      - name: Send report via email
+        uses: dawidd6/action-send-mail@v3
+        with:
+          server_address: smtp.example.com
+          server_port: 587
+          username: ${{ secrets.EMAIL_USERNAME }}
+          password: ${{ secrets.EMAIL_PASSWORD }}
+          subject: "DockerHub Vulnerability Report - $(date +'%Y-%m-%d')"
+          to: brett@kowh.ai
+          from: GitHub Actions
+          content_type: text/plain
+          body: |
+            Please find the attached daily vulnerability report for DockerHub images.
+          attachments: reports/final_report.txt
diff --git a/.github/workflows/image-vuln-scan.yml b/.github/workflows/image-vuln-scan.yml
index 64fa0e0..6acee74 100644
--- a/.github/workflows/image-vuln-scan.yml
+++ b/.github/workflows/image-vuln-scan.yml
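Review bot: A file under `.github/workflows/` with an `on: schedule:` trigger is a live workflow, not a backup: this copy will be scheduled next to `image-vuln-scan.yml` and run the same scan and e-mail steps every day with the same secrets. Keep the previous version in git history, or move it outside the workflows directory, instead of committing a `-SAVED.yml` copy. It also inherits the issues of the original file: the `$(date +'%Y-%m-%d')` in `subject:` is never expanded because `with:` inputs do not go through a shell, and `aquasecurity/trivy-action@master` is an unpinned mutable ref.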
@@ -12,8 +12,13 @@ jobs:
       - name: Checkout repository
         uses: actions/checkout@v3
 
-      - name: Set up Trivy
-        uses: aquasecurity/trivy-action@master
+      - name: Set up Snyk
+        uses: snyk/actions/setup@v2
+        with:
+          version: 'latest'
+
+      - name: Authenticate Snyk
+        run: snyk auth ${{ secrets.SNYK_TOKEN }}
 
       - name: Create report directory
         run: mkdir -p reports
@@ -23,32 +28,23 @@ jobs:
         run: |
           echo "IMAGES=ckan/ckan-base:2.11 ckan/ckan-dev:2.11" >> $GITHUB_ENV
 
-      - name: Scan DockerHub images with Trivy
+      - name: Scan DockerHub images with Snyk
         run: |
           for IMAGE in $IMAGES; do
             SAFE_IMAGE_NAME=$(echo $IMAGE | sed 's/[:\/]/_/g')
-            trivy image --severity CRITICAL,HIGH --format table --output "reports/${SAFE_IMAGE_NAME}.txt" $IMAGE
+            snyk container test $IMAGE --json > "reports/${SAFE_IMAGE_NAME}.json"
           done
 
       - name: Combine reports into one
         run: |
           echo "Docker Image Vulnerability Report - $(date)" > reports/final_report.txt
           echo "=========================================" >> reports/final_report.txt
-          for FILE in reports/*.txt; do
+          for FILE in reports/*.json; do
             [ "$FILE" != "reports/final_report.txt" ] && cat "$FILE" >> reports/final_report.txt && echo -e "\n\n" >> reports/final_report.txt
           done
 
-      - name: Send report via email
-        uses: dawidd6/action-send-mail@v3
+      - name: Upload report as artifact
+        uses: actions/upload-artifact@v3
         with:
-          server_address: smtp.example.com
-          server_port: 587
-          username: ${{ secrets.EMAIL_USERNAME }}
-          password: ${{ secrets.EMAIL_PASSWORD }}
-          subject: "DockerHub Vulnerability Report - $(date +'%Y-%m-%d')"
-          to: brett@kowh.ai
-          from: GitHub Actions
-          content_type: text/plain
-          body: |
-            Please find the attached daily vulnerability report for DockerHub images.
-          attachments: reports/final_report.txt
+          name: docker-vulnerability-report
+          path: reports/
From 21c583d523241c2ffc74bc6401b908b0926325e5 Mon Sep 17 00:00:00 2001
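Review bot: `run: snyk auth ${{ secrets.SNYK_TOKEN }}` in the first hunk interpolates the secret into the shell script, so the token sits on the command line of the `snyk` process (visible to anything that lists processes, and to `set -x` style tracing) instead of only in its environment. The Snyk CLI reads `SNYK_TOKEN` from the environment, so the step can be replaced by `env:` with `SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}` on the job or on the scan step. `snyk/actions/setup@v2` with `version: 'latest'` installs whichever CLI build is newest at run time; pinning a CLI version keeps successive scan results comparable.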
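Review bot: In the second hunk, `snyk container test` exits with status 1 when it finds vulnerabilities, and `run:` steps use bash with `-e` by default, so the first image with findings ends the loop: the remaining images are never scanned and the combine and upload steps never run. Capture the status per image, e.g. `rc=0; snyk container test "$IMAGE" --json > "reports/${SAFE_IMAGE_NAME}.json" || rc=$?` followed by `[ "$rc" -le 1 ] || exit "$rc"`, so findings are recorded while genuine tool errors still fail the job. The `[ "$FILE" != "reports/final_report.txt" ]` guard is now dead because the glob only matches `*.json`, and concatenating raw JSON documents into `final_report.txt` yields a file that is neither valid JSON nor readable; uploading the per-image JSON files as they are, or emitting a table report next to them, would be more useful.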
From: Brett
Date: Mon, 5 May 2025 13:41:39 +0200
Subject: [PATCH 3/3] updates
---
 .github/workflows/image-vuln-scan-SAVED.yml | 54 ---------------
 .github/workflows/image-vuln-scan.yml | 75 +++++++++++----------
 2 files changed, 39 insertions(+), 90 deletions(-)
 delete mode 100644 .github/workflows/image-vuln-scan-SAVED.yml
diff --git a/.github/workflows/image-vuln-scan-SAVED.yml b/.github/workflows/image-vuln-scan-SAVED.yml
deleted file mode 100644
index 64fa0e0..0000000
--- a/.github/workflows/image-vuln-scan-SAVED.yml
+++ /dev/null
@@ -1,54 +0,0 @@
-name: Daily DockerHub Vulnerability Scan
-
-on:
-  schedule:
-    - cron: '30 9 * * *' # Every day at 9:30 AM UTC
-  workflow_dispatch: # Allow manual trigger
-
-jobs:
-  scan-images:
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@v3
-
-      - name: Set up Trivy
-        uses: aquasecurity/trivy-action@master
-
-      - name: Create report directory
-        run: mkdir -p reports
-
-      - name: Define DockerHub images to scan
-        id: image-list
-        run: |
-          echo "IMAGES=ckan/ckan-base:2.11 ckan/ckan-dev:2.11" >> $GITHUB_ENV
-
-      - name: Scan DockerHub images with Trivy
-        run: |
-          for IMAGE in $IMAGES; do
-            SAFE_IMAGE_NAME=$(echo $IMAGE | sed 's/[:\/]/_/g')
-            trivy image --severity CRITICAL,HIGH --format table --output "reports/${SAFE_IMAGE_NAME}.txt" $IMAGE
-          done
-
-      - name: Combine reports into one
-        run: |
-          echo "Docker Image Vulnerability Report - $(date)" > reports/final_report.txt
-          echo "=========================================" >> reports/final_report.txt
-          for FILE in reports/*.txt; do
-            [ "$FILE" != "reports/final_report.txt" ] && cat "$FILE" >> reports/final_report.txt && echo -e "\n\n" >> reports/final_report.txt
-          done
-
-      - name: Send report via email
-        uses: dawidd6/action-send-mail@v3
-        with:
-          server_address: smtp.example.com
-          server_port: 587
-          username: ${{ secrets.EMAIL_USERNAME }}
-          password: ${{ secrets.EMAIL_PASSWORD }}
-          subject: "DockerHub Vulnerability Report - $(date +'%Y-%m-%d')"
-          to: brett@kowh.ai
-          from: GitHub Actions
-          content_type: text/plain
-          body: |
-            Please find the attached daily vulnerability report for DockerHub images.
-          attachments: reports/final_report.txt
diff --git a/.github/workflows/image-vuln-scan.yml b/.github/workflows/image-vuln-scan.yml
index 6acee74..15b5257 100644
--- a/.github/workflows/image-vuln-scan.yml
+++ b/.github/workflows/image-vuln-scan.yml
@@ -1,50 +1,53 @@
-name: Daily DockerHub Vulnerability Scan
+name: CKAN Docker Image Scan with Snyk
 
 on:
   schedule:
-    - cron: '30 9 * * *' # Every day at 9:30 AM UTC
-  workflow_dispatch: # Allow manual trigger
+    # Run weekly on Monday at 9:00 AM
+    - cron: '0 9 * * 1'
+  # Allow manual trigger
+  workflow_dispatch:
 
 jobs:
-  scan-images:
+  snyk-docker-scan:
     runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        docker-image:
+          - 'ckan/ckan-base:master'
+          - 'ckan/ckan-base:2.11'
+          - 'ckan/ckan-dev:2.11'
+          - 'ckan/ckan-base:2.10-py3.10'
+          - 'ckan/ckan-dev:2.10-py3.10'
+          - 'ckan/ckan-base-datapusher:0.0.21'
+      # Don't fail the entire workflow if one image scan fails
+      fail-fast: false
+
     steps:
       - name: Checkout repository
         uses: actions/checkout@v3
 
-      - name: Set up Snyk
-        uses: snyk/actions/setup@v2
-        with:
-          version: 'latest'
+      - name: Set up Snyk CLI
+        uses: snyk/actions/setup@master
 
-      - name: Authenticate Snyk
+      - name: Log in to Snyk
         run: snyk auth ${{ secrets.SNYK_TOKEN }}
-
-      - name: Create report directory
-        run: mkdir -p reports
-
-      - name: Define DockerHub images to scan
-        id: image-list
-        run: |
-          echo "IMAGES=ckan/ckan-base:2.11 ckan/ckan-dev:2.11" >> $GITHUB_ENV
-
-      - name: Scan DockerHub images with Snyk
+
+      # Scan the Docker image
+      - name: Snyk scan Docker image
         run: |
-          for IMAGE in $IMAGES; do
-            SAFE_IMAGE_NAME=$(echo $IMAGE | sed 's/[:\/]/_/g')
-            snyk container test $IMAGE --json > "reports/${SAFE_IMAGE_NAME}.json"
-          done
-
-      - name: Combine reports into one
+          snyk container test ${{ matrix.docker-image }} \
+            --severity-threshold=high \
+            --org=${{ secrets.SNYK_ORG }} \
+            --project-name=${{ matrix.docker-image }} \
+            --report
+        continue-on-error: true
+        env:
+          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+
+      - name: Monitor Docker image
         run: |
-          echo "Docker Image Vulnerability Report - $(date)" > reports/final_report.txt
-          echo "=========================================" >> reports/final_report.txt
-          for FILE in reports/*.json; do
-            [ "$FILE" != "reports/final_report.txt" ] && cat "$FILE" >> reports/final_report.txt && echo -e "\n\n" >> reports/final_report.txt
-          done
-
-      - name: Upload report as artifact
-        uses: actions/upload-artifact@v3
-        with:
-          name: docker-vulnerability-report
-          path: reports/
+          snyk container monitor ${{ matrix.docker-image }} \
+            --org=${{ secrets.SNYK_ORG }} \
+            --project-name=${{ matrix.docker-image }}
+        env:
+          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
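Review bot: The `Log in to Snyk` step still passes the token on the command line (`run: snyk auth ${{ secrets.SNYK_TOKEN }}`) even though both scan steps now export it through `env: SNYK_TOKEN`, which the Snyk CLI reads directly; the step is redundant and leaves the secret in process arguments, so drop it. `snyk/actions/setup@master` moves back from the `@v2` pin of the previous commit to a mutable branch of a third-party action that downloads and installs a binary with the token in scope; pin it to a release tag or commit SHA, and `actions/checkout@v3` can go as well since no step reads repository files. With `continue-on-error: true` on the test step and `fail-fast: false` on the matrix, findings at or above `--severity-threshold=high` never fail the workflow, so the scan is informational only; `continue-on-error` is presumably there because `snyk container test` exits 1 on findings, but if a failing gate is intended it should be replaced by an explicit check of the step's outcome.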