Try allowlist for grype and trivy

Signed-off-by: Victor Chang <[email protected]>

.github/workflows/build.yml

@@ -88,34 +88,39 @@ jobs:
           labels: ${{ steps.meta.outputs.labels }}
           file: ${{ matrix.dockerfile }}
 
-      - uses: hands-lab/dockle-action@v1
+      - name: Dockle Container Scanner
+        uses: erzz/dockle-action@v1
+        if: ${{ contains(github.ref, 'refs/heads/main') || contains(github.ref, 'refs/heads/develop') }}
         with:
           image: ${{ fromJSON(steps.meta.outputs.json).tags[0] }}
+          report-format: sarif
+          report-name: dockle-report
+          failure-threshold: fatal
+
+      - name: Upload Dockle SARIF Report
+        uses: github/codeql-action/[email protected]
+        if: ${{ contains(github.ref, 'refs/heads/main') || contains(github.ref, 'refs/heads/develop') }}
+        with:
+          sarif_file: super-report.sarif
 
       - name: Trivy Vulnerability Scanner
         uses: aquasecurity/trivy-action@master
+        if: ${{ contains(github.ref, 'refs/heads/main') || contains(github.ref, 'refs/heads/develop') }}
         with:
           image-ref: ${{ fromJSON(steps.meta.outputs.json).tags[0] }}
           format: 'sarif'
           output: 'trivy-results.sarif'
 
-      - name: Upload Trivy scan results to GitHub Security tab
+      - name: Upload Trivy SARIF Report
         uses: github/codeql-action/upload-sarif@v2
+        if: ${{ contains(github.ref, 'refs/heads/main') || contains(github.ref, 'refs/heads/develop') }}
         with:
           sarif_file: 'trivy-results.sarif'
 
-      - name: Scan Image with Azure Container Scan
-        uses: Azure/[email protected]
-        if: always()
-        env:
-          TRIVY_TIMEOUT_SEC: 360s
-        with:
-          image-name: ${{ fromJSON(steps.meta.outputs.json).tags[0] }}
-
       - name: Anchore Container Scan
         id: anchore-scan
         uses: anchore/[email protected]
-        if: always()
+        if: ${{ contains(github.ref, 'refs/heads/main') || contains(github.ref, 'refs/heads/develop') }}
         with:
           image: ${{ fromJSON(steps.meta.outputs.json).tags[0] }}
           fail-build: true
@@ -124,7 +129,7 @@ jobs:
 
       - name: Upload Anchore Scan SARIF Report
         uses: github/codeql-action/upload-sarif@v2
-        if: always()
+        if: ${{ contains(github.ref, 'refs/heads/main') || contains(github.ref, 'refs/heads/develop') }}
         with:
           sarif_file: ${{ steps.anchore-scan.outputs.sarif }}
           token: ${{ secrets.GITHUB_TOKEN }}

.grype.yaml

@@ -12,11 +12,11 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-ignore:
-  - vulnerability: CVE-2022-37434 # medium https://ubuntu.com/security/CVE-2022-37434
-  - vulnerability: CVE-2015-5237 # low https://ubuntu.com/security/CVE-2015-5237
-  - vulnerability: CVE-2016-20013 # negligible https://ubuntu.com/security/CVE-2016-20013
-  - vulnerability: CVE-2017-11164 # negligible https://ubuntu.com/security/CVE-2017-11164
-  - vulnerability: CVE-2020-16156 # medium https://ubuntu.com/security/CVE-2020-16156
-  - vulnerability: CVE-2022-29458 # negligible https://ubuntu.com/security/CVE-2022-29458
+# ignore:
+#   - vulnerability: CVE-2022-37434 # medium https://ubuntu.com/security/CVE-2022-37434
+#   - vulnerability: CVE-2015-5237 # low https://ubuntu.com/security/CVE-2015-5237
+#   - vulnerability: CVE-2016-20013 # negligible https://ubuntu.com/security/CVE-2016-20013
+#   - vulnerability: CVE-2017-11164 # negligible https://ubuntu.com/security/CVE-2017-11164
+#   - vulnerability: CVE-2020-16156 # medium https://ubuntu.com/security/CVE-2020-16156
+#   - vulnerability: CVE-2022-29458 # negligible https://ubuntu.com/security/CVE-2022-29458
 

.trivyignore

@@ -0,0 +1,16 @@
+# Copyright 2022 MONAI Consortium
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# CVE-2022-27664
+# CVE-2022-32149