Octovy is a GitHub App that scans your repository's code for potentially vulnerable dependencies. It uses trivy to detect software vulnerabilities. When triggered by `push` and `pull_request` events from GitHub, Octovy scans the repository for dependency vulnerabilities and performs the following actions:
- Adds a comment to the pull request, summarizing the vulnerabilities found
- Inserts the scan results into BigQuery
Octovy adds a comment to the pull request when it detects new vulnerabilities between the head of the PR and the merge destination.
![comment example](https://private-user-images.githubusercontent.com/605953/337860086-052a6362-c284-4857-921c-5c3c2f32065b.png?jwt=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJnaXRodWIuY29tIiwiYXVkIjoicmF3LmdpdGh1YnVzZXJjb250ZW50LmNvbSIsImtleSI6ImtleTUiLCJleHAiOjE3MTc4OTkzNDUsIm5iZiI6MTcxNzg5OTA0NSwicGF0aCI6Ii82MDU5NTMvMzM3ODYwMDg2LTA1MmE2MzYyLWMyODQtNDg1Ny05MjFjLTVjM2MyZjMyMDY1Yi5wbmc_WC1BbXotQWxnb3JpdGhtPUFXUzQtSE1BQy1TSEEyNTYmWC1BbXotQ3JlZGVudGlhbD1BS0lBVkNPRFlMU0E1M1BRSzRaQSUyRjIwMjQwNjA5JTJGdXMtZWFzdC0xJTJGczMlMkZhd3M0X3JlcXVlc3QmWC1BbXotRGF0ZT0yMDI0MDYwOVQwMjEwNDVaJlgtQW16LUV4cGlyZXM9MzAwJlgtQW16LVNpZ25hdHVyZT0wNDRlODkzY2IxNDc1MWQ3NTFiNWY2MmZlMGQ5OTBlMzQzMmMwMTZiZmU1OTBiZmNjYzkzNWNjYzY2NDUzMWY0JlgtQW16LVNpZ25lZEhlYWRlcnM9aG9zdCZhY3Rvcl9pZD0wJmtleV9pZD0wJnJlcG9faWQ9MCJ9.044tJByW1stDogIPUiDUBWFXhVOG1yqWwVbrY14UAz4)
Start by creating a GitHub App here. You can use any name and description you like. However, ensure you set the following configurations:

- General
  - Webhook URL: `https://<your domain>/webhook/github`
  - Webhook secret: A string of your choosing (e.g. `mysecret_XOIJPOIFEA`)
- Permissions & events
  - Repository Permissions
    - Checks: Set to Read & Write
    - Contents: Set to Read-only
    - Metadata: Set to Read-only
    - Pull Requests: Set to Read & Write
  - Subscribe to events
    - Pull request
    - Push
Once you have completed the setup, make sure to take note of the following information from the General section for future reference:

- App ID (e.g. `123456`)
- Private Key: Click `Generate a private key` and download the key file (e.g. `your-app-name.2023-08-14.private-key.pem`)
- Cloud Storage: Create a Cloud Storage bucket dedicated to storing the scan results exclusively for Octovy's use.
- BigQuery (Optional): Create a BigQuery dataset and table for storing the scan results. Octovy will automatically update the schema. The default table name should be `scans`.
The recommended method of deploying Octovy is via a container image, available at `ghcr.io/m-mizutani/octovy`. This image is built using GitHub Actions and published to the GitHub Container Registry.
To run Octovy, set the following environment variables:

- `OCTOVY_ADDR`: The address to bind the server to (e.g. `:8080`)
- `OCTOVY_GITHUB_APP_ID`: The GitHub App ID
- `OCTOVY_GITHUB_APP_PRIVATE_KEY`: The path to the private key file
- `OCTOVY_GITHUB_APP_SECRET`: The secret string used to verify the webhook request from GitHub
- `OCTOVY_CLOUD_STORAGE_BUCKET`: The name of the Cloud Storage bucket
- `OCTOVY_TRIVY_PATH`: The path to the trivy binary. If you use our container image, you don't need to set this variable.
- `OCTOVY_CLOUD_STORAGE_PREFIX`: The prefix for the Cloud Storage object
- `OCTOVY_BIGQUERY_PROJECT_ID`: The Google Cloud project ID that holds the BigQuery dataset
- `OCTOVY_BIGQUERY_DATASET_ID`: The name of the BigQuery dataset
- `OCTOVY_BIGQUERY_TABLE_ID`: The name of the BigQuery table
- `OCTOVY_BIGQUERY_IMPERSONATE_SERVICE_ACCOUNT`: The service account to impersonate when accessing BigQuery
- `OCTOVY_SENTRY_DSN`: The DSN for Sentry
- `OCTOVY_SENTRY_ENV`: The environment for Sentry
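The webhook secret (`OCTOVY_GITHUB_APP_SECRET`) only protects the `/webhook/github` endpoint if every delivery is checked against the `X-Hub-Signature-256` header GitHub sends, which is HMAC-SHA256 over the raw request body keyed with that secret. The following is an added illustration of that check, not Octovy's own code; the function names and the sample payload are constructed for the example, and the raw body must be read and verified before any JSON parsing.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
)

// signGitHubPayload computes what GitHub puts in X-Hub-Signature-256:
// "sha256=" followed by hex(HMAC-SHA256(secret, body)).
func signGitHubPayload(secret, body []byte) string {
	mac := hmac.New(sha256.New, secret)
	mac.Write(body)
	return "sha256=" + hex.EncodeToString(mac.Sum(nil))
}

// verifyGitHubSignature checks the header value against the raw body.
// hmac.Equal is a constant-time compare, so response timing does not leak
// how many leading bytes of a guessed signature were correct. Any malformed
// header (wrong prefix, non-hex digest) is rejected rather than parsed.
func verifyGitHubSignature(secret, body []byte, header string) bool {
	const prefix = "sha256="
	if !strings.HasPrefix(header, prefix) {
		return false
	}
	got, err := hex.DecodeString(header[len(prefix):])
	if err != nil {
		return false
	}
	mac := hmac.New(sha256.New, secret)
	mac.Write(body)
	return hmac.Equal(got, mac.Sum(nil))
}

func main() {
	// Constructed sample: the example secret from the setup section and a
	// minimal pull_request-style body (not a real GitHub delivery).
	secret := []byte("mysecret_XOIJPOIFEA")
	body := []byte(`{"action":"opened","number":42}`)
	header := signGitHubPayload(secret, body)
	fmt.Println("valid:", verifyGitHubSignature(secret, body, header))                         // true
	fmt.Println("tampered:", verifyGitHubSignature(secret, []byte(`{"number":43}`), header)) // false
	fmt.Println("wrong secret:", verifyGitHubSignature([]byte("other"), body, header))       // false
}
```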
Octovy is licensed under the Apache License 2.0. Copyright 2023 Masayoshi Mizutani mizutani@hey.com