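# Composite action: fetch the cve_scan helper scripts over SSH and run a Trivy
# CVE scan for Deckhouse / external-module images, reporting to DefectDojo.
#
# Secret material used at run time (DefectDojo URL/token, cve_scan repo URL and
# deploy key, CODEOWNERS token, private repo) is read from Vault in the
# "Import secrets" step; the same-named inputs below are not consumed anywhere
# in this file.
name: 'Trivy CVE Scan'
description: 'Run a Trivy CVE scan for Deckhouse and external module images'
inputs:
  prod_registry:
    description: 'Prod registry host (e.g., registry.deckhouse.io)'
    required: true
  prod_registry_user:
    description: 'Username for prod registry authentication'
    required: true
  prod_registry_password:
    description: 'Password for prod registry authentication'
    required: true
  dev_registry:
    description: 'Dev-registry host (e.g., dev-registry.deckhouse.io)'
    required: true
  dev_registry_user:
    description: 'Username for dev-registry authentication'
    required: true
  dev_registry_password:
    description: 'Password for dev-registry authentication'
    required: true
  # Not referenced by this action: the value comes from Vault
  # (steps.secrets.outputs.CODEOWNERS_REPO_TOKEN). Kept for backward
  # compatibility but optional, so callers need not hand over a credential the
  # action never uses. The same applies to the other inputs marked "unused".
  codeowners_repo_token:
    description: 'Fox token for downloading CODEOWNERS configmap'
    required: false
    default: ''
  # unused: read from Vault (steps.secrets.outputs.DECKHOUSE_PRIVATE_REPO)
  deckhouse_private_repo:
    description: 'Deckhouse private repository'
    required: false
    default: ''
  # unused: read from Vault (steps.secrets.outputs.DD_URL)
  dd_url:
    description: 'DefectDojo API URL'
    required: false
    default: ''
  # unused: read from Vault (steps.secrets.outputs.DD_TOKEN)
  dd_token:
    description: 'DefectDojo API token'
    required: false
    default: ''
  source_tag:
    description: 'Tag to scan (e.g., main, v1.74.3, pr123, release-1.73)'
    required: true
  case:
    description: 'Scan type: deckhouse | external_modules | CSE'
    required: true
  # unused: read from Vault (steps.secrets.outputs.CVE_TEST_REPO_GIT)
  cve_test_repo_git:
    description: 'cve_scan repo'
    required: false
    default: ''
  # unused: read from Vault (steps.secrets.outputs.CVE_TEST_SSH_PRIVATE_KEY)
  cve_ssh_private_key:
    description: 'cve_scan repo key'
    required: false
    default: ''
  external_module_name:
    description: 'External module name (required when case=external_modules)'
    required: false
    default: ''
  scan_several_latest_releases:
    description: 'Scan multiple latest releases (True/False)'
    required: false
    default: 'False'
  latest_releases_amount:
    description: 'Number of latest releases to scan when scan_several_latest_releases=true'
    required: false
    default: '3'
  module_prod_registry_custom_path:
    description: 'Custom path for external modules in production registry'
    required: false
    default: 'deckhouse/fe/modules'
  module_dev_registry_custom_path:
    description: 'Custom path for external modules in development registry'
    required: false
    default: 'sys/deckhouse-oss/modules'
  release_in_dev:
    description: 'If true, release tag will be searched in dev registry instead of prod'
    required: false
    default: 'False'
  digest_from_werf:
    description: 'Path to werf images tags file (for CSE external modules)'
    required: false
    default: 'images_tags_werf'
  scan_users:
    description: 'Enable user validation scan for CSE (True/False)'
    required: false
    default: 'False'
  workdir:
    description: 'Working directory for temporary files'
    required: false
    default: 'cve-scan'
  trivy_reports_log_output:
    description: 'Trivy log output level (0=off, 1=CVE only, 2=CVE+License)'
    required: false
    default: '1'
  # No default: used as the Vault JWT role below, so callers must always pass it
  # (an empty value is forwarded to Vault as-is).
  role_name:
    description: 'Repository name'
    required: false

runs:
  using: "composite"
  steps:
    # NOTE(review): both third-party actions in this file are pinned to a moving
    # tag. Pinning to a full commit SHA (with the tag as a trailing comment)
    # protects against a retagged or compromised upstream release.
    - name: Import secrets
      id: secrets
      uses: hashicorp/vault-action@v2
      with:
        url: https://seguro.flant.com
        path: github
        role: "${{ inputs.role_name }}"
        method: jwt
        jwtGithubAudience: github-access-aud
        secrets: |
          projects/data/24cb1d7c-717a-4f92-8547-26f632916a7a/Trivy_CVE_Scan_CI_Secrets DD_TOKEN | DD_TOKEN ;
          projects/data/24cb1d7c-717a-4f92-8547-26f632916a7a/Trivy_CVE_Scan_CI_Secrets DD_URL | DD_URL ;
          projects/data/24cb1d7c-717a-4f92-8547-26f632916a7a/Trivy_CVE_Scan_CI_Secrets CVE_TEST_SSH_PRIVATE_KEY | CVE_TEST_SSH_PRIVATE_KEY ;
          projects/data/24cb1d7c-717a-4f92-8547-26f632916a7a/Trivy_CVE_Scan_CI_Secrets CVE_TEST_REPO_GIT | CVE_TEST_REPO_GIT ;
          projects/data/24cb1d7c-717a-4f92-8547-26f632916a7a/Trivy_CVE_Scan_CI_Secrets DECKHOUSE_PRIVATE_REPO | DECKHOUSE_PRIVATE_REPO ;
          projects/data/b050f3bd-733f-4746-9640-9df80d484074/CODEOWNERS_REPO_TOKEN CODEOWNERS_REPO_TOKEN | CODEOWNERS_REPO_TOKEN ;

    - name: Start ssh-agent
      uses: webfactory/ssh-agent@v0.9.0
      with:
        ssh-private-key: ${{ steps.secrets.outputs.CVE_TEST_SSH_PRIVATE_KEY }}

    # Secret-derived values are handed to the shell through `env:` instead of
    # being expanded with `${{ }}` inside the script body, so their content is
    # never interpreted as shell syntax.
    - name: Add host to known_hosts
      shell: bash
      env:
        CVE_TEST_REPO_GIT: "${{ steps.secrets.outputs.CVE_TEST_REPO_GIT }}"
      run: |
        # Take the host part of a user@host:path clone URL.
        HOST=$(echo "$CVE_TEST_REPO_GIT" | sed -E 's/.*@([^:]+).*/\1/')
        if [ -z "$HOST" ]; then
          echo "Could not derive the SSH host from CVE_TEST_REPO_GIT" >&2
          exit 1
        fi
        mkdir -p ~/.ssh
        # NOTE(review): trust-on-first-use — whatever key the host presents at
        # scan time is accepted. A pinned known_hosts entry for the git host
        # would let a substituted host be detected.
        ssh-keyscan -H "$HOST" >> ~/.ssh/known_hosts 2>/dev/null

    - name: Clone repository
      shell: bash
      env:
        CVE_TEST_REPO_GIT: "${{ steps.secrets.outputs.CVE_TEST_REPO_GIT }}"
      run: |
        # Clone into a private temp dir rather than a fixed, predictable path
        # under the shared /tmp, and remove it when the step ends.
        SCRIPTS_DIR=$(mktemp -d)
        trap 'rm -rf "$SCRIPTS_DIR"' EXIT
        # NOTE(review): this fetches the default branch at its current HEAD; the
        # scripts run in the next step with every registry and DefectDojo
        # credential in their environment. Cloning a pinned ref would make that
        # code reproducible and reviewable.
        git clone --depth 1 "$CVE_TEST_REPO_GIT" "$SCRIPTS_DIR"
        cp "$SCRIPTS_DIR"/* ./

    - name: Run Trivy CVE Scan
      shell: bash
      env:
        TRIVY_BIN_VERSION: "v0.67.2"
        TRIVY_REPO_ID: "2181"
        # NOTE(review): these two hosts are fixed here while the registries are
        # also passed in via inputs.prod_registry / inputs.dev_registry below —
        # confirm the script really needs both.
        TRIVY_PROD_REGISTRY: "registry.deckhouse.io"
        TRIVY_DEV_REGISTRY: "dev-registry.deckhouse.io"
        TRIVY_DB_URL: "${{ inputs.prod_registry }}/deckhouse/ee/security/trivy-db:2"
        TRIVY_JAVA_DB_URL: "${{ inputs.prod_registry }}/deckhouse/ee/security/trivy-java-db:1"
        TRIVY_POLICY_URL: "${{ inputs.prod_registry }}/deckhouse/ee/security/trivy-bdu:1"
        TRIVY_REPORTS_LOG_OUTPUT: "${{ inputs.trivy_reports_log_output }}"
        PROD_REGISTRY: "${{ inputs.prod_registry }}"
        PROD_REGISTRY_USER: "${{ inputs.prod_registry_user }}"
        PROD_REGISTRY_PASSWORD: "${{ inputs.prod_registry_password }}"
        DEV_REGISTRY: "${{ inputs.dev_registry }}"
        DEV_REGISTRY_USER: "${{ inputs.dev_registry_user }}"
        DEV_REGISTRY_PASSWORD: "${{ inputs.dev_registry_password }}"
        SOURCE_TAG: "${{ inputs.source_tag }}"
        CASE: "${{ inputs.case }}"
        EXTERNAL_MODULE_NAME: "${{ inputs.external_module_name }}"
        RELEASE_IN_DEV: "${{ inputs.release_in_dev }}"
        SCAN_USERS: "${{ inputs.scan_users }}"
        SCAN_SEVERAL_LATEST_RELEASES: "${{ inputs.scan_several_latest_releases }}"
        LATEST_RELEASES_AMOUNT: "${{ inputs.latest_releases_amount }}"
        MODULE_PROD_REGISTRY_CUSTOM_PATH: "${{ inputs.module_prod_registry_custom_path }}"
        MODULE_DEV_REGISTRY_CUSTOM_PATH: "${{ inputs.module_dev_registry_custom_path }}"
        DIGEST_FROM_WERF: "${{ inputs.digest_from_werf }}"
        # Secrets below come from the Vault step, not from the action inputs.
        DD_URL: "${{ steps.secrets.outputs.DD_URL }}"
        DD_TOKEN: "${{ steps.secrets.outputs.DD_TOKEN }}"
        CODEOWNERS_REPO_TOKEN: "${{ steps.secrets.outputs.CODEOWNERS_REPO_TOKEN }}"
        DECKHOUSE_PRIVATE_REPO: "${{ steps.secrets.outputs.DECKHOUSE_PRIVATE_REPO }}"
        CONFIGMAP_PROJECT_ID: "4352"
        WORKDIR: "${{ github.workspace }}/${{ inputs.workdir }}"
      run: |
        # cve_scan.sh was copied into the workspace by the previous step.
        ./cve_scan.sh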