chore: add oci scan (#357)

Signed-off-by: Guillaume Belanger <[email protected]>
ellanetworks · Jan 13, 2025 · e29efe2 · e29efe2
1 parent 7e8a1ec
commit e29efe2
Show file tree

Hide file tree

Showing 2 changed files with 62 additions and 5 deletions.
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
@@ -3,6 +3,7 @@ name: Main workflow
 permissions:
   contents: read
   packages: write
+  security-events: write
 
 on:
   pull_request:
@@ -24,6 +25,10 @@ jobs:
   rock-build:
     needs: [go-unit-test, go-vet, go-lint]
     uses: ./.github/workflows/rock-build.yaml
+  rock-scan:
+    if: github.ref_name == 'main'
+    needs: [rock-build]
+    uses: ./.github/workflows/rock-scan.yaml
   integration-tests:
     needs: [go-unit-test, go-vet, go-lint, rock-build]
     uses: ./.github/workflows/integration-tests.yaml
@@ -36,8 +41,8 @@ jobs:
     if: github.ref_name == 'main'
     needs: [go-unit-test, go-vet, go-lint]
     uses: ./.github/workflows/snap-build.yaml
-  snap-publish:
-    if: github.ref_name == 'main'
-    needs: [snap-build]
-    uses: ./.github/workflows/snap-publish.yaml
-    secrets: inherit
+  # snap-publish:
+  #   if: github.ref_name == 'main'
+  #   needs: [snap-build]
+  #   uses: ./.github/workflows/snap-publish.yaml
+  #   secrets: inherit
diff --git a/.github/workflows/rock-scan.yaml b/.github/workflows/rock-scan.yaml
@@ -0,0 +1,52 @@
+name: Rock Scan
+
+permissions:
+  contents: read
+  security-events: write
+
+on:
+  workflow_call:
+
+jobs:
+  scan:
+    runs-on: ubuntu-22.04
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Install rockcraft
+        run: |
+          sudo snap install rockcraft --classic --channel edge
+
+      - name: Install yq
+        run: |
+          sudo snap install yq
+
+      - uses: actions/download-artifact@v4
+        with:
+          name: rock
+
+      - name: Import
+        run: |
+          image_name="$(yq '.name' rockcraft.yaml)"
+          echo "image_name=${image_name}" >> $GITHUB_ENV
+          version="$(cat version/VERSION)"
+          echo "version=${version}" >> $GITHUB_ENV
+          rock_file=$(ls *.rock | tail -n 1)
+          sudo rockcraft.skopeo \
+            --insecure-policy \
+            copy \
+            oci-archive:"${rock_file}" \
+            docker-daemon:"ghcr.io/ellanetworks/${image_name}:${version}"
+
+      - name: Run Trivy vulnerability scanner
+        uses: aquasecurity/trivy-action@18f2510ee396bbf400402947b394f2dd8c87dbb0 # 0.29.0
+        with:
+          image-ref: "ghcr.io/ellanetworks/${{env.image_name}}:${{env.version}}"
+          format: "sarif"
+          output: "trivy-results.sarif"
+
+      - name: Upload Trivy scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: "trivy-results.sarif"