Add CVE scan GitHub workflow that is triggered on pull requests (cloudfoundry#2977)

* Add a GitHub workflow to scan for CVEs
* Run on each commit, PR, and on-demand
* Remove CVE scan workflow trigger on commits
weresch committed Jun 28, 2024
1 parent a52de05 commit 740f68d
Showing 2 changed files with 79 additions and 0 deletions.
47 changes: 47 additions & 0 deletions .github/scripts/format-cve-scan-results.sh
@@ -0,0 +1,47 @@
#!/bin/bash
set -o errexit -o nounset -o pipefail
[[ "${TRACE:-0}" == "1" ]] && set -o xtrace

##
# Formats CVE results in a markdown table to display a summary in a GitHub Action UI
##

# Check if the number of arguments is correct
if [ $# -ne 1 ]; then
echo "Usage: $0 <filename of grype json results>"
exit 1
fi

_results_filename="${1}"

# Check if the file exists
if [ ! -f "${_results_filename}" ]; then
echo "Error: File '${_results_filename}' does not exist"
exit 1
fi

_number_of_cves_found=$(jq -r '.matches | length' "${_results_filename}")

echo -e "# CVE Scan Results\n"

if [ ${_number_of_cves_found} -eq 0 ]; then
echo -e "## Success! No vulnerabilities found.\n"
else
echo -e "## Failure: ${_number_of_cves_found} vulnerabilities found.\n"

_table_headers='"NAME","INSTALLED","FIXED-IN","TYPE","VULNERABILITY","SEVERITY"'
_table_underlines='"----","---------","--------","----","-------------","--------"'

jq -r "[${_table_headers}],
[${_table_underlines}],
(.matches[] | [
.artifact.name,
.artifact.version,
.vulnerability.fix.versions[0],
.artifact.type,
.vulnerability.id,
.vulnerability.severity
]) | @tsv" "${_results_filename}" \
| sed 's/|/\\|/g' \
| sed 's/\t/ | /g'
fi
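Review bot: the zero-count branch cannot tell a clean scan from a malformed results file. `jq -r '.matches | length'` returns 0 when `.matches` is absent (`null | length` is 0), so a truncated or wrong-format `results.json` prints "Success! No vulnerabilities found." and the script exits 0. Guard the shape before counting, for example `jq -e '.matches | type == "array"' "${_results_filename}" >/dev/null || { echo "Error: unexpected results format"; exit 1; }`. Two smaller points: `.vulnerability.fix.versions[0]` becomes an empty cell when no fix is published, where `(.vulnerability.fix.versions[0] // "none")` makes the table easier to read, and `[ ${_number_of_cves_found} -eq 0 ]` should quote the variable for consistency with the rest of the script.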
32 changes: 32 additions & 0 deletions .github/workflows/check-cves.yml
@@ -0,0 +1,32 @@
name: "Check CVEs"

on:
workflow_dispatch:
pull_request:

jobs:
check-cves:
runs-on: ubuntu-latest

steps:
- name: Check out codebase
uses: actions/checkout@v4

- name: Scan current project
uses: anchore/scan-action@v3
with:
path: "."
add-cpes-if-none: true
by-cve: true
output-format: json

- name: Print scan results
run: .github/scripts/format-cve-scan-results.sh results.json > $GITHUB_STEP_SUMMARY
if: always()

- name: Archive CVE scan results
uses: actions/upload-artifact@v4
if: always()
with:
name: cve-scan-results-${{ github.sha }}-${{ github.run_id }}-${{ github.run_number }}
path: results.json
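Review bot: the job declares no `permissions:` block, so the workflow token keeps the repository default scope although the steps only read the checkout and upload an artifact; add `permissions:` with `contents: read` at the job or workflow level. Related supply-chain point: `anchore/scan-action@v3` is a third-party action that processes the whole tree and is pinned to a mutable major tag; pin it to a full commit SHA with the tag kept in a trailing comment. Minor: quote the redirect target in the `Print scan results` step as `"$GITHUB_STEP_SUMMARY"`, and `results.json` in the print and archive steps relies on the scan action's default output file name rather than on an output of the scan step, so consider giving that step an `id` and referencing the path it reports.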
