Add GitHub Actions workflows for Anchore Grype, Trivy, and Dependency Review scans

CalinL · CalinL · commit 70e2aad85392 · 2025-04-21T10:04:29.000-04:00
diff --git a/.github/workflows/CIS-Anchore-Grype.yml b/.github/workflows/CIS-Anchore-Grype.yml
@@ -0,0 +1,52 @@
+# https://github.com/anchore/grype
+# https://github.com/anchore/scan-action
+
+name: Anchore Grype Vulnerability Scan (Container Image Scanning)
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+  schedule:
+    - cron: 0 1 * * 0
+
+env:
+  fail-build: false # Set to true to fail the build if vulnerabilities are found
+  imageName: "webapp01"
+  tag: ${{ github.sha }}
+  
+jobs:
+  anchore-grype-scan:
+    name: Anchore Grype Vulnerability Scan
+
+    runs-on: ubuntu-latest
+
+    permissions:
+      contents: read # for actions/checkout to fetch code
+      security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
+      actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Build an image from Dockerfile
+        uses: docker/build-push-action@v4
+        with:
+          tags: "${{ env.imageName }}:${{ env.tag }}"
+          push: false
+          load: true
+
+      - name: Run the Anchore Grype scan action
+        uses: anchore/scan-action@v6
+        id: scan
+        with:
+          image: "${{ env.imageName }}:${{ env.tag }}"
+          fail-build: ${{ env.fail-build }}
+          severity-cutoff: critical
+      
+      - name: Upload Anchore vulnerability report to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: ${{ steps.scan.outputs.sarif }}
diff --git a/.github/workflows/CIS-Trivy-AquaSecurity.yml b/.github/workflows/CIS-Trivy-AquaSecurity.yml
@@ -0,0 +1,49 @@
+# https://trivy.dev/latest/
+# https://github.com/aquasecurity/trivy
+# https://github.com/aquasecurity/trivy-action
+
+name: Trivy Container Image Scanning
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+  schedule:
+    - cron: 0 1 * * 0
+
+env:
+  imageName: "webapp01"
+  tag: ${{ github.sha }}    
+
+jobs:
+  trivy:
+    name: Trivy vulnerability scanner
+
+    runs-on: ubuntu-latest
+
+    permissions:
+      contents: read # for actions/checkout to fetch code
+      security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
+      actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Build an image from Dockerfile
+        run: |
+          docker build ./src/webapp01 --file ./src/webapp01/Dockerfile --tag ${{ env.imageName }}:${{ env.tag }}
+
+      - name: Run Trivy vulnerability scanner
+        uses: aquasecurity/trivy-action@0.29.0
+        with:
+          image-ref: "${{ env.imageName }}:${{ env.tag }}"
+          format: "sarif"
+          output: "trivy-results.sarif"
+
+      - name: Upload Trivy scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@v3
+        if: always()
+        with:
+          sarif_file: "trivy-results.sarif"
diff --git a/.github/workflows/SCA-GitHubAdvancedSecurity-DependencyReview.yml b/.github/workflows/SCA-GitHubAdvancedSecurity-DependencyReview.yml
@@ -0,0 +1,28 @@
+# Source repository: https://github.com/actions/dependency-review-action
+# Public documentation: https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/about-dependency-review#dependency-review-enforcement
+
+name: 'SCA - Dependency Review'
+
+on:
+  pull_request:
+    branches: [ "main" ]
+
+permissions:
+  contents: read
+  # Write permissions for pull-requests are required for using the `comment-summary-in-pr` option, comment out if you aren't using this option
+  pull-requests: write
+
+jobs:
+  dependency-review:
+    runs-on: ubuntu-latest
+    steps:
+      - name: 'Checkout repository'
+        uses: actions/checkout@v4
+      - name: 'Dependency Review'
+        uses: actions/dependency-review-action@v4
+        # Commonly enabled options, see https://github.com/actions/dependency-review-action#configuration-options for all available options.
+        with:
+          comment-summary-in-pr: always
+          fail-on-severity: 'moderate'
+          allow-licenses: MIT, Apache-2.0
+        
