diff --git a/.github/workflows/build-docker.yml b/.github/workflows/build-docker.yml
index f0f95075..4d35c945 100644
--- a/.github/workflows/build-docker.yml
+++ b/.github/workflows/build-docker.yml
@@ -75,6 +75,9 @@ jobs:
 - name: Scan image with Trivy
 uses: aquasecurity/trivy-action@0.33.1
+ env:
+ TRIVY_SHOW_SUPPRESSED: 1
+ TRIVY_IGNOREFILE: "./.trivyignore.yaml"
 with:
 image-ref: "${{ env.GHCR_REPO }}:${{ github.sha }}-${{ matrix.tag }}"
 format: "table"
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 4d79ae06..fd655b65 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -35,9 +35,12 @@ jobs:
 - name: Scan code with Trivy
 uses: aquasecurity/trivy-action@0.33.1
+ env:
+ TRIVY_SHOW_SUPPRESSED: 1
+ TRIVY_IGNOREFILE: "./.trivyignore.yaml"
 with:
- scan-type: 'fs'
- scan-ref: '.'
+ scan-type: "fs"
+ scan-ref: "."
 exit-code: "1"
 ignore-unfixed: true
 severity: "CRITICAL,HIGH,MEDIUM"
diff --git a/.github/workflows/sbom.yml b/.github/workflows/sbom.yml
index 9f2fc8bb..066d77c4 100644
--- a/.github/workflows/sbom.yml
+++ b/.github/workflows/sbom.yml
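Review bot: The same three-line `env:` block is pasted onto the Trivy step here, again in ci.yml, and onto all four steps in sbom.yml; since every Trivy invocation is meant to get identical settings, a job-level or workflow-level `env:` would stop them drifting (a step that loses `TRIVY_IGNOREFILE` fails CI on the suppressed advisory, one that loses `TRIVY_SHOW_SUPPRESSED` silently hides the suppression). `TRIVY_SHOW_SUPPRESSED: 1` is also an unquoted integer assigned to an environment variable; the value is stringified anyway, so `TRIVY_SHOW_SUPPRESSED: "true"` states the intent and matches the quoting used on the line below it. In ci.yml the scan already runs with `ignore-unfixed: true`, so it is worth confirming that the unfixed advisory was actually being reported in that job before the ignore file is relied on there. The step list that these lines belong to begins outside the hunk.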
@@ -34,40 +34,52 @@ jobs:
 - name: Create SBOM with Trivy
 uses: aquasecurity/trivy-action@0.33.1
+ env:
+ TRIVY_SHOW_SUPPRESSED: 1
+ TRIVY_IGNOREFILE: "./.trivyignore.yaml"
 with:
- scan-type: 'fs'
- format: 'spdx-json'
+ scan-type: "fs"
+ format: "spdx-json"
 output: "defguard-gateway-${{ steps.vars.outputs.VERSION }}.sbom.json"
- scan-ref: '.'
+ scan-ref: "."
 severity: "CRITICAL,HIGH,MEDIUM,LOW"
 scanners: "vuln"
 - name: Create docker image SBOM with Trivy
 uses: aquasecurity/trivy-action@0.33.1
+ env:
+ TRIVY_SHOW_SUPPRESSED: 1
+ TRIVY_IGNOREFILE: "./.trivyignore.yaml"
 with:
 image-ref: "ghcr.io/defguard/gateway:${{ steps.vars.outputs.VERSION }}"
- scan-type: 'image'
- format: 'spdx-json'
+ scan-type: "image"
+ format: "spdx-json"
 output: "defguard-gateway-${{ steps.vars.outputs.VERSION }}-docker.sbom.json"
 severity: "CRITICAL,HIGH,MEDIUM,LOW"
 scanners: "vuln"
 - name: Create security advisory file with Trivy
 uses: aquasecurity/trivy-action@0.33.1
+ env:
+ TRIVY_SHOW_SUPPRESSED: 1
+ TRIVY_IGNOREFILE: "./.trivyignore.yaml"
 with:
- scan-type: 'fs'
- format: 'json'
+ scan-type: "fs"
+ format: "json"
 output: "defguard-gateway-${{ steps.vars.outputs.VERSION }}.advisories.json"
- scan-ref: '.'
+ scan-ref: "."
 severity: "CRITICAL,HIGH,MEDIUM,LOW"
 scanners: "vuln"
 - name: Create docker image security advisory file with Trivy
 uses: aquasecurity/trivy-action@0.33.1
+ env:
+ TRIVY_SHOW_SUPPRESSED: 1
+ TRIVY_IGNOREFILE: "./.trivyignore.yaml"
 with:
 image-ref: "ghcr.io/defguard/gateway:${{ steps.vars.outputs.VERSION }}"
- scan-type: 'image'
- format: 'json'
+ scan-type: "image"
+ format: "json"
 output: "defguard-gateway-${{ steps.vars.outputs.VERSION }}-docker.advisories.json"
 severity: "CRITICAL,HIGH,MEDIUM,LOW"
 scanners: "vuln"
diff --git a/.trivyignore.yaml b/.trivyignore.yaml
new file mode 100644
index 00000000..5c7dedd4
--- /dev/null
+++ b/.trivyignore.yaml
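Review bot: Applying `TRIVY_IGNOREFILE` to the two `*.advisories.json` steps changes what the published advisory artifact says: the ignored advisory drops out of the normal findings and, if I read Trivy's `--show-suppressed` behaviour right, is reported only in a separate suppressed-findings section of the JSON, so a consumer that reads just the per-target vulnerability list will no longer see an unfixed vulnerability that still ships in the release. If these files are meant to disclose everything known about a version, consider leaving the `env:` block off the two advisory steps, or at least stating in the step name that suppressed findings are listed separately. On the two `spdx-json` SBOM steps the ignore file has no visible effect on the package inventory, so the block there looks inert and is probably carried only for symmetry; worth confirming rather than assuming.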
@@ -0,0 +1,4 @@
+vulnerabilities:
+ - id: GHSA-585q-cm62-757j
+ expired_at: 2026-02-12
+ statement: "No fixed version available yet. The Mullvad team intends to fix it in the coming weeks: https://github.com/mullvad/mnl-rs/issues/15"
diff --git a/deny.toml b/deny.toml
index 93b809d5..6a5b40df 100644
--- a/deny.toml
+++ b/deny.toml
@@ -69,7 +69,10 @@ feature-depth = 1
 #db-urls = ["https://github.com/rustsec/advisory-db"]
 # A list of advisory IDs to ignore. Note that ignored advisories will still
 # output a note when they are encountered.
-ignore = [{ id = "RUSTSEC-2024-0436", reason = "Unmaintained" }]
+ignore = [
+ { id = "RUSTSEC-2024-0436", reason = "Unmaintained" },
+ { id = "RUSTSEC-2025-0142", reason = "Awaiting upstream patch" },
+]
 # If this is true, then cargo deny will use the git executable to fetch advisory database.
 # If this is false, then it uses a built-in git library.
 # Setting this to true can be helpful if you have special authentication requirements that cargo-deny does not support.
diff --git a/flake.lock b/flake.lock
index 9889879c..e853088d 100644
--- a/flake.lock
+++ b/flake.lock
@@ -20,11 +20,11 @@
 },
 "nixpkgs": {
 "locked": {
- "lastModified": 1761907660,
- "narHash": "sha256-kJ8lIZsiPOmbkJypG+B5sReDXSD1KGu2VEPNqhRa/ew=",
+ "lastModified": 1768127708,
+ "narHash": "sha256-1Sm77VfZh3mU0F5OqKABNLWxOuDeHIlcFjsXeeiPazs=",
 "owner": "NixOS",
 "repo": "nixpkgs",
- "rev": "2fb006b87f04c4d3bdf08cfdbc7fab9c13d94a15",
+ "rev": "ffbc9f8cbaacfb331b6017d5a5abb21a492c9a38",
 "type": "github"
 },
 "original": {
@@ -48,11 +48,11 @@
 ]
 },
 "locked": {
- "lastModified": 1762137611,
- "narHash": "sha256-sTqb10FR/YQCuGbw16qxliX0NFlYg6evSEjN8w+9IYE=",
+ "lastModified": 1768186348,
+ "narHash": "sha256-nkpIe3zkpeoFuOl8xBpexulECsHLQ9Ljg1gW3bPCjSI=",
 "owner": "oxalica",
 "repo": "rust-overlay",
- "rev": "3a0ebe5d2965692f990cb27e62f501ad35e3deeb",
+ "rev": "af69e497567a5945a64057717bc9b17c8478097e",
 "type": "github"
 },
 "original": {
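Review bot: The new entry suppresses GHSA-585q-cm62-757j repository-wide with no package scoping, so any other dependency later flagged under the same id is covered silently too, and `expired_at: 2026-02-12` means ci.yml (which runs Trivy with `exit-code: "1"`) will start failing on that date with nothing in this file explaining why. Suggest a leading comment, `# Temporary exception: re-check https://github.com/mullvad/mnl-rs/issues/15 before 2026-02-12; CI fails once expired_at passes`, and narrowing the entry to the affected crate if the Trivy version in use supports per-package scoping fields in this file. A `---` document start would also bring the file in line with the project's other YAML.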
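Review bot: `reason = "Awaiting upstream patch"` on the new RUSTSEC-2025-0142 entry records no tracking link, and as far as I know cargo-deny ignore entries have no expiry, so unlike the Trivy exception added in .trivyignore.yaml this one never lapses on its own. Carrying the same reference and revisit date in the reason would let both be reviewed together, e.g. `{ id = "RUSTSEC-2025-0142", reason = "Awaiting upstream patch; revisit by 2026-02-12, see .trivyignore.yaml" },`. If this RUSTSEC id and the GHSA in .trivyignore.yaml describe the same mnl-rs issue, saying so explicitly would help the next person who has to decide whether either exception can be removed; I cannot confirm that from the diff alone.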
diff --git a/flake.nix b/flake.nix
index 0d06e026..cec27964 100644
--- a/flake.nix
+++ b/flake.nix
@@ -37,6 +37,7 @@
 rustToolchain
 libnftnl
 libmnl
+ trivy
 ];
 };
 });
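Review bot: Adding `trivy` to the dev shell pins it to whatever the updated nixpkgs input provides, while the workflows pin `aquasecurity/trivy-action@0.33.1`; if the two versions differ, a local scan may evaluate `.trivyignore.yaml` (in particular `expired_at`) or print suppressed findings differently from CI. A one-line comment beside the entry, `# keep roughly in step with trivy-action in .github/workflows`, would make that expectation visible. The package list this line sits in begins outside the hunk.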