name: Container Security on: workflow_call: # Called by release-gate.yml workflow_dispatch: permissions: {} # Minimal top-level for OSSF Scorecard Token-Permissions jobs: trivy-scan: runs-on: ubuntu-latest timeout-minutes: 30 permissions: contents: read security-events: write actions: read steps: - name: Harden the runner (Audit all outbound calls) uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4 with: egress-policy: audit - name: Free up disk space run: | # Remove unnecessary files to free up disk space for Docker image scanning sudo rm -rf /usr/share/dotnet sudo rm -rf /usr/local/lib/android sudo rm -rf /opt/ghc sudo rm -rf /opt/hostedtoolcache/CodeQL sudo docker image prune -af df -h - name: Checkout code uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 with: persist-credentials: false - name: Set up Docker Buildx uses: docker/setup-buildx-action@bb05f3f5519dd87d3ba754cc423b652a5edd6d2c # v4.2.0 - name: Build Docker image for scanning uses: docker/build-push-action@f9f3042f7e2789586610d6e8b85c8f03e5195baf # v7.2.0 with: context: . push: false load: true tags: local-deep-research:scan cache-from: type=gha,scope=trivy-scan cache-to: type=gha,mode=max,scope=trivy-scan - name: Run Trivy vulnerability scanner uses: aquasecurity/trivy-action@ed142fd0673e97e23eac54620cfb913e5ce36c25 # v0.36.0 with: image-ref: local-deep-research:scan format: 'sarif' output: 'trivy-results.sarif' severity: 'CRITICAL,HIGH,MEDIUM' ignore-unfixed: true scan-type: 'image' trivyignores: '.trivyignore' version: 'v0.69.2' - name: Check if SARIF file exists id: check-sarif if: always() run: | if [ -f trivy-results.sarif ]; then echo "exists=true" >> "$GITHUB_OUTPUT" else echo "::error::Trivy did not produce trivy-results.sarif — scan needs to be rerun" exit 1 fi - name: Upload Trivy scan results to GitHub Security tab uses: github/codeql-action/upload-sarif@54f647b7e1bb85c95cddabcd46b0c578ec92bc1a # v4.36.3 if: always() && steps.check-sarif.outputs.exists == 'true' with: sarif_file: 'trivy-results.sarif' category: container-security - name: Upload Trivy scan results as artifact uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 if: always() && steps.check-sarif.outputs.exists == 'true' with: name: trivy-scan-results path: trivy-results.sarif retention-days: 7 # Reduced for security - name: Display Trivy summary if: always() run: | { echo "## Container Security Scan Summary" echo "" if [ -f trivy-results.sarif ]; then echo "✅ Trivy scan completed - Results available in Security tab" echo "📊 Scan results uploaded as artifact" else echo "❌ Trivy scan failed" fi } >> "$GITHUB_STEP_SUMMARY" # Additional job for Dockerfile security analysis dockerfile-scan: runs-on: ubuntu-latest timeout-minutes: 30 permissions: contents: read security-events: write steps: - name: Harden the runner (Audit all outbound calls) uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4 with: egress-policy: audit - name: Checkout code uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 with: persist-credentials: false - name: Run Trivy config scan on Dockerfile uses: aquasecurity/trivy-action@ed142fd0673e97e23eac54620cfb913e5ce36c25 # v0.36.0 with: scan-type: 'config' scan-ref: '.' format: 'sarif' output: 'trivy-config-results.sarif' hide-progress: true version: 'v0.69.2' - name: Check if config SARIF file exists id: check-config-sarif if: always() run: | if [ -f trivy-config-results.sarif ]; then echo "exists=true" >> "$GITHUB_OUTPUT" else echo "::error::Trivy did not produce trivy-config-results.sarif — scan needs to be rerun" exit 1 fi - name: Upload Trivy config scan results uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 if: always() && steps.check-config-sarif.outputs.exists == 'true' with: name: trivy-config-results path: trivy-config-results.sarif retention-days: 7 # Reduced for security - name: Display config scan summary if: always() run: | { echo "## Docker Configuration Security Analysis" echo "" if [ -f trivy-config-results.sarif ]; then echo "✅ Docker configuration analysis completed" echo "📋 Check for Docker best practices and security misconfigurations" else echo "❌ Docker configuration scan failed" fi } >> "$GITHUB_STEP_SUMMARY"