First attempt using intel/cve-bin-tool to scan for CVEs during build. #8
name: CVE scanner | |
on: | |
# You can customize this according to your need. | |
- push | |
- pull_request | |
jobs: | |
build_and_scan: | |
runs-on: ubuntu-22.04 | |
steps: | |
- name: Install State Tool | |
uses: ActiveState/setup-state-tool@v1 | |
- name: Install Go | |
uses: actions/setup-go@v3 | |
with: | |
go-version: 1.22.x | |
# Get date utility for caching database. | |
- name: Get Date | |
id: get-date | |
run: | | |
echo "date=$(/bin/date -u "+%Y%m%d")" >> $GITHUB_OUTPUT | |
shell: bash | |
# Let's first download dependencies for this action. | |
- uses: actions/checkout@v2 | |
- name: Set up Python | |
uses: actions/setup-python@v4 | |
with: | |
python-version: '3.x' | |
# This second step is unnecessary but highly recommended because | |
# It will cache database and saves time redownloading it if database isn't stale. | |
- name: get cached python packages | |
uses: actions/cache@v3 | |
with: | |
path: ~/.cache/pip | |
key: ${{ runner.os }}-pip-${{ hashFiles('**/requirements.txt') }} | |
restore-keys: | | |
${{ runner.os }}-pip- | |
- name: get cached database | |
uses: actions/cache@v3 | |
with: | |
path: cache | |
key: Linux-cve-bin-tool-${{ steps.get-date.outputs.date }} | |
- name: Install CVE Binary Tool | |
# We are using latest development version of CVE Binary Tool | |
# because current PyPI version don't have features like config file support, | |
# generating HTML report etc. | |
run: | | |
[[ -e cache ]] && mkdir -p .cache && mv cache ~/.cache/cve-bin-tool | |
pip install git+https://github.com/intel/cve-bin-tool@main | |
# In case you prefer current PyPI version, you need to hard code CLI options | |
# for cve-bin-tool in the action itself and have to use CSV or JSON as output format. | |
# pip install cve-bin-tool | |
- name: build package | |
run: | | |
state run preprocess | |
state run build | |
- name: Scan built package | |
run: cve-bin-tool build -f html -o cve-bin-tool-report.html -x | |
continue-on-error: true | |
# You need to set continue_on_error: true because CVE Binary Tool sets number of cves | |
# as exit code. And GitHub terminates action when process produces | |
# nonzero exit code status. | |
- name: Upload report as an artifact | |
# This will upload generated report as an GitHub artifact which you can download later. | |
uses: actions/upload-artifact@v2 | |
with: | |
name: cve_report | |
path: 'cve-bin-tool-report.html' |
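Review bot: The scanner itself is the least pinned dependency in this workflow: the "Install CVE Binary Tool" step runs `pip install git+https://github.com/intel/cve-bin-tool@main`, so every run executes whatever `main` holds at that moment, and the third-party actions are referenced only by floating major tags (`actions/checkout@v2` and `actions/upload-artifact@v2` are also superseded releases); pin the tool to a release tag or commit, e.g. `pip install git+https://github.com/intel/cve-bin-tool@<PLACEHOLDER-tag-or-sha>`, and consider SHA-pinning the actions. In the same step, `mkdir -p .cache` creates a directory in the workspace rather than the home directory, so the following `mv cache ~/.cache/cve-bin-tool` only succeeds because an earlier step (presumably the pip cache restore) happens to have created `~/.cache`; the intended line is `mkdir -p ~/.cache`. Nothing in the job copies the database back from `~/.cache/cve-bin-tool` to the workspace `cache` path after the scan, so the `get cached database` step likely has nothing to save at job end and the cache never warms — worth confirming in the run logs. With `continue-on-error: true` the scan is purely advisory and the job stays green regardless of what the HTML report contains; either state that explicitly in the comment above the step (the current comment only explains the exit code) or add a follow-up step that inspects the scan's exit status and fails on findings the team considers blocking.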