diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 200e3f2..5139164 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -248,30 +248,43 @@ jobs: run: docker build ./python-service -t vaccichain-python:ci - name: Run Trivy scan on backend - uses: aquasecurity/trivy-action@master + id: scan-backend + uses: aquasecurity/trivy-action@v1 with: image-ref: vaccichain-backend:ci format: sarif output: backend-trivy.sarif severity: HIGH,CRITICAL + ignorefile: .trivyignore + exit-code: 1 + continue-on-error: true - name: Run Trivy scan on frontend - uses: aquasecurity/trivy-action@master + id: scan-frontend + uses: aquasecurity/trivy-action@v1 with: image-ref: vaccichain-frontend:ci format: sarif output: frontend-trivy.sarif severity: HIGH,CRITICAL + ignorefile: .trivyignore + exit-code: 1 + continue-on-error: true - name: Run Trivy scan on python-service - uses: aquasecurity/trivy-action@master + id: scan-python + uses: aquasecurity/trivy-action@v1 with: image-ref: vaccichain-python:ci format: sarif output: python-trivy.sarif severity: HIGH,CRITICAL + ignorefile: .trivyignore + exit-code: 1 + continue-on-error: true - name: Upload Trivy results to GitHub Security + if: always() uses: github/codeql-action/upload-sarif@v3 with: sarif_file: |
@@ -280,6 +293,7 @@ jobs: python-trivy.sarif - name: Upload scan artifacts + if: always() uses: actions/upload-artifact@v4 with: name: trivy-scan-results
@@ -289,6 +303,14 @@ jobs: python-trivy.sarif retention-days: 30 + - name: Fail on HIGH/CRITICAL vulnerabilities + if: always() + run: | + if [[ "${{ steps.scan-backend.outcome }}" == "failure" || "${{ steps.scan-frontend.outcome }}" == "failure" || "${{ steps.scan-python.outcome }}" == "failure" ]]; then + echo "One or more container images contain HIGH or CRITICAL vulnerabilities." + exit 1 + fi + container-scan-scheduled: name: Weekly container vulnerability scan runs-on: ubuntu-latest
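Review bot: `uses: aquasecurity/trivy-action@v1` is a moving major tag, so the scanner that now gates the job can change underneath the workflow without any diff here; pin the action to a full commit SHA and keep the version as a trailing comment, `uses: aquasecurity/trivy-action@<COMMIT_SHA_PLACEHOLDER>  # v1`, and let a dependency bot bump it. Indentation is lost in this rendering, so I cannot tell whether `continue-on-error: true` sits at step level or under `with:`; it must be at step level, because under `with:` it is passed as an unknown action input and the scan step would then fail the job outright on findings, leaving the later gate step redundant. `ignorefile: .trivyignore` is not an input I find among trivy-action's documented inputs (the documented one is `trivyignores`); an unknown input is only a warning and Trivy already reads a root `.trivyignore` by default, so the line is most likely inert either way — confirm against the pinned action's action.yml. The same three points apply to the three scan steps of the scheduled job in the hunk at -306,27.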
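Review bot: The gate step's message `One or more container images contain HIGH or CRITICAL vulnerabilities.` is printed for any non-zero exit of a scan step, including scanner errors such as a failed vulnerability-DB download or a missing image, so a broken scan is reported as a finding; reword it to say the scan failed or reported HIGH/CRITICAL findings and point at the uploaded SARIF and artifact. Because the whole condition is a static expression over `steps.*.outcome`, it can live in the step's `if:` rather than in shell, e.g. `if: steps.scan-backend.outcome == 'failure' || steps.scan-frontend.outcome == 'failure' || steps.scan-python.outcome == 'failure'` with the `run:` reduced to the echo and `exit 1`, which avoids `${{ }}` interpolation inside a script. `if: always()` also runs the gate when the run was cancelled; `!cancelled()` is the usual form. The same applies to the scheduled gate step in the hunk at -335,3.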
@@ -306,27 +328,43 @@ jobs: run: docker build ./python-service -t vaccichain-python:prod - name: Run Trivy scan on backend - uses: aquasecurity/trivy-action@master + id: scan-scheduled-backend + uses: aquasecurity/trivy-action@v1 with: image-ref: vaccichain-backend:prod format: table output: backend-scan.txt + ignorefile: .trivyignore + severity: HIGH,CRITICAL + exit-code: 1 + continue-on-error: true - name: Run Trivy scan on frontend - uses: aquasecurity/trivy-action@master + id: scan-scheduled-frontend + uses: aquasecurity/trivy-action@v1 with: image-ref: vaccichain-frontend:prod format: table output: frontend-scan.txt + ignorefile: .trivyignore + severity: HIGH,CRITICAL + exit-code: 1 + continue-on-error: true - name: Run Trivy scan on python-service - uses: aquasecurity/trivy-action@master + id: scan-scheduled-python + uses: aquasecurity/trivy-action@v1 with: image-ref: vaccichain-python:prod format: table output: python-scan.txt + ignorefile: .trivyignore + severity: HIGH,CRITICAL + exit-code: 1 + continue-on-error: true - name: Upload scan results + if: always() uses: actions/upload-artifact@v4 with: name: weekly-trivy-scans
@@ -335,3 +373,11 @@ jobs: frontend-scan.txt python-scan.txt retention-days: 90 + + - name: Fail on HIGH/CRITICAL vulnerabilities + if: always() + run: | + if [[ "${{ steps.scan-scheduled-backend.outcome }}" == "failure" || "${{ steps.scan-scheduled-frontend.outcome }}" == "failure" || "${{ steps.scan-scheduled-python.outcome }}" == "failure" ]]; then + echo "One or more scheduled container images contain HIGH or CRITICAL vulnerabilities." + exit 1 + fi
diff --git a/.trivyignore b/.trivyignore
new file mode 100644
index 0000000..4feb293
--- /dev/null
+++ b/.trivyignore
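Review bot: Adding `severity: HIGH,CRITICAL` to the weekly scan changes what the 90-day `*-scan.txt` reports contain, not only what fails the job: with `format: table` Trivy lists just the selected severities, so the MEDIUM and LOW findings the previous unfiltered run recorded no longer appear anywhere. If the full inventory is wanted in the retained artifacts, a second reporting run without the filter (or an additional `json` output next to the table) keeps it while the gated run stays on HIGH/CRITICAL; if the narrowing is intended, a one-line comment above `severity:` saying so would stop the next reader from re-adding it. The action pinning, `continue-on-error` placement and `ignorefile` points raised on the first hunk of this file apply to these three steps as well.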
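Review bot: When the scheduled gate fails, the findings are visible only in the `weekly-trivy-scans` artifact, because each scan writes its table to `*-scan.txt` via `output:` and nothing reaches the job log; a reader of the failed run sees just the one-line message. Have the gate print the reports before exiting, e.g. `cat backend-scan.txt frontend-scan.txt python-scan.txt 2>/dev/null || true` placed ahead of `exit 1` inside the `if`, so the run log itself shows which image and package tripped the gate. The misleading-message and `if:`-expression points raised on the CI gate step (hunk -289,6) apply here too.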
@@ -0,0 +1,9 @@
+# Trivy ignore file for VacciChain Docker image scans.
+# Add any CVEs here that are confirmed false positives or not applicable.
+# Example:
+# CVE-2024-12345
+
+# Use a comment line for notes:
+# - The following entries were assessed and accepted as non-actionable for this repo.
+
+# TODO: add suppressions only after review.
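Review bot: Now that a `.trivyignore` entry silently removes a finding from a gate that fails the build, the file's template should require the justification next to each ID rather than a bare ID; suggest replacing the `# Example:` block with a commented template such as `# CVE-YYYY-NNNNN  # <component> - <why not applicable> - <reviewer> - <re-review date>` and stating that an entry without this rationale is to be rejected in review. If the project wants expiry enforced rather than merely documented, Trivy's YAML ignore format supports an `expired_at` date per entry, which keeps suppressions from outliving the reason they were added.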