From f83bda891823df09fc02f96ce974f8a16ef64d85 Mon Sep 17 00:00:00 2001 From: Simon Johansson Date: Wed, 14 Sep 2022 15:14:59 +0200 Subject: [PATCH 1/5] Create trivy.yml --- .github/workflows/trivy.yml | 47 +++++++++++++++++++++++++++++++++++++ 1 file changed, 47 insertions(+) create mode 100644 .github/workflows/trivy.yml diff --git a/.github/workflows/trivy.yml b/.github/workflows/trivy.yml new file mode 100644 index 0000000..bef3e0e --- /dev/null +++ b/.github/workflows/trivy.yml @@ -0,0 +1,47 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +name: build + +on: + push: + branches: [ "master" ] + pull_request: + # The branches below must be a subset of the branches above + branches: [ "master" ] + schedule: + - cron: '43 7 * * 0' + +permissions: + contents: read + +jobs: + build: + permissions: + contents: read # for actions/checkout to fetch code + security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + name: Build + runs-on: "ubuntu-18.04" + steps: + - name: Checkout code + uses: actions/checkout@v3 + + - name: Build an image from Dockerfile + run: | + docker build -t docker.io/my-organization/my-app:${{ github.sha }} . + + - name: Run Trivy vulnerability scanner + uses: aquasecurity/trivy-action@7b7aa264d83dc58691451798b4d117d53d21edfe + with: + image-ref: 'docker.io/my-organization/my-app:${{ github.sha }}' + format: 'template' + template: '@/contrib/sarif.tpl' + output: 'trivy-results.sarif' + severity: 'CRITICAL,HIGH' + + - name: Upload Trivy scan results to GitHub Security tab + uses: github/codeql-action/upload-sarif@v2 + with: + sarif_file: 'trivy-results.sarif' From 92d39d74a399417b712246af04cc338bfc40b3d8 Mon Sep 17 00:00:00 2001 From: Simon Johansson Date: Wed, 14 Sep 2022 15:18:21 +0200 Subject: [PATCH 2/5] Trying out trivy scan in Github. --- Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Dockerfile b/Dockerfile index 3513529..91b237a 100644 --- a/Dockerfile +++ b/Dockerfile @@ -20,7 +20,7 @@ RUN go build -o /opt/resource/out cmd/out/out.go RUN go build -o /opt/resource/in cmd/in/in.go RUN chmod +x /opt/resource/* -ADD .git/ref /opt/resource/builtWithRef +# ADD .git/ref /opt/resource/builtWithRef FROM golang:alpine AS resource RUN apk add --no-cache bash tzdata ca-certificates jq libc6-compat From 7fc8e573a92fd36a75c1cfab3fa3175cce1acd98 Mon Sep 17 00:00:00 2001 From: Simon Johansson Date: Wed, 14 Sep 2022 15:21:36 +0200 Subject: [PATCH 3/5] Add some bogus bad stuff. --- Dockerfile | 2 ++ password | 1 + 2 files changed, 3 insertions(+) create mode 100644 password diff --git a/Dockerfile b/Dockerfile index 91b237a..263ad36 100644 --- a/Dockerfile +++ b/Dockerfile @@ -22,6 +22,8 @@ RUN chmod +x /opt/resource/* # ADD .git/ref /opt/resource/builtWithRef +ADD password /tmp/password + FROM golang:alpine AS resource RUN apk add --no-cache bash tzdata ca-certificates jq libc6-compat ENV TERM xterm-256color diff --git a/password b/password new file mode 100644 index 0000000..8bf21f1 --- /dev/null +++ b/password @@ -0,0 +1 @@ +PASSWORD=askldfjliuulasdflkjP \ No newline at end of file From 59aa1d0a5c9ffeb9e73df59b0e2ad03dc8e381d1 Mon Sep 17 00:00:00 2001 From: Simon Johansson Date: Wed, 14 Sep 2022 15:23:26 +0200 Subject: [PATCH 4/5] Add dependabot --- .github/dependabot.yml | 11 +++++++++++ 1 file changed, 11 insertions(+) create mode 100644 .github/dependabot.yml diff --git a/.github/dependabot.yml b/.github/dependabot.yml new file mode 100644 index 0000000..c969804 --- /dev/null +++ b/.github/dependabot.yml @@ -0,0 +1,11 @@ +version: 2 + +updates: +- package-ecosystem: gomod + directory: / + schedule: + interval: daily +- package-ecosystem: github-actions + directory: / + schedule: + interval: daily From 50b5f29bc68c48af860cf506b8631fdc318b745e Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 14 Sep 2022 13:24:15 +0000 Subject: [PATCH 5/5] Bump github.com/google/uuid from 1.1.1 to 1.3.0 Bumps [github.com/google/uuid](https://github.com/google/uuid) from 1.1.1 to 1.3.0. - [Release notes](https://github.com/google/uuid/releases) - [Commits](https://github.com/google/uuid/compare/v1.1.1...v1.3.0) --- updated-dependencies: - dependency-name: github.com/google/uuid dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] --- go.mod | 2 +- go.sum | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/go.mod b/go.mod index 0d9e641..a358c4c 100644 --- a/go.mod +++ b/go.mod @@ -3,7 +3,7 @@ module github.com/springernature/halfpipe-deploy-resource require ( code.cloudfoundry.org/cli v7.1.0+incompatible github.com/cloudfoundry-community/go-cfclient v0.0.0-20210513143044-f8ee18d06c63 - github.com/google/uuid v1.1.1 + github.com/google/uuid v1.3.0 github.com/gookit/color v1.2.5 github.com/prometheus/client_golang v1.10.0 github.com/prometheus/common v0.18.0 diff --git a/go.sum b/go.sum index 17d7840..73d7527 100644 --- a/go.sum +++ b/go.sum @@ -187,8 +187,8 @@ github.com/google/pprof v0.0.0-20200430221834-fc25d7d30c6d/go.mod h1:ZgVRPoUq/hf github.com/google/pprof v0.0.0-20200708004538-1a94d8640e99/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM= github.com/google/renameio v0.1.0/go.mod h1:KWCgfxg9yswjAJkECMjeO8J8rahYeXnNhOm40UhjYkI= github.com/google/uuid v1.0.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= -github.com/google/uuid v1.1.1 h1:Gkbcsh/GbpXz7lPftLA3P6TYMwjCLYm83jiFQZF/3gY= -github.com/google/uuid v1.1.1/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= +github.com/google/uuid v1.3.0 h1:t6JiXgmwXMjEs8VusXIJk2BXHsn+wx8BZdTaoZ5fu7I= +github.com/google/uuid v1.3.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= github.com/googleapis/gax-go/v2 v2.0.4/go.mod h1:0Wqv26UfaUD9n4G6kQubkQ+KchISgw+vpHVxEJEs9eg= github.com/googleapis/gax-go/v2 v2.0.5/go.mod h1:DWXyrwAJ9X0FpwwEdw+IPEYBICEFu5mhpdKc/us6bOk= github.com/gookit/color v1.2.5 h1:s1gzb/fg3HhkSLKyWVUsZcVBUo+R1TwEYTmmxH8gGFg=