-
Notifications
You must be signed in to change notification settings - Fork 130
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
fix: Fixed copa failing to work in dev docker image build workflow
- Loading branch information
1 parent
158964b
commit 1330aaa
Showing
1 changed file
with
20 additions
and
30 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -28,43 +28,33 @@ jobs: | |
| uses: actions/checkout@v4 | ||
| with: | ||
| ref: ${{ github.event.pull_request.head.sha }} | ||
| - name: Pull runtime os image # to patch vulnerabilities | ||
| if: matrix.os == 'ubuntu-latest' | ||
| run: docker pull oraclelinux:9-slim | ||
| - name: Build latest version of Copa # to support Oracle Linux yum packages | ||
| if: matrix.os == 'ubuntu-latest' | ||
| run: | | ||
| git clone https://github.com/project-copacetic/copacetic | ||
| cd copacetic | ||
| make | ||
| sudo mv dist/linux_amd64/release/copa /usr/local/bin/ | ||
| - name: Run Copa to patch vulnerabilities | ||
| if: matrix.os == 'ubuntu-latest' | ||
| run: | | ||
| docker run --detach --rm --privileged --name buildkitd --entrypoint buildkitd moby/buildkit:latest | ||
| copa patch -i oraclelinux:9-slim -t 9-slim --addr docker-container://buildkitd --ignore-errors | ||
| docker stop buildkitd | ||
| - name: Build Docker image | ||
| run: | | ||
| docker compose build base | ||
| docker compose build runner | ||
| docker compose build ${{ matrix.image_name_suffix }} | ||
| - name: Run Trivy security scan on original image | ||
| uses: aquasecurity/[email protected] | ||
| continue-on-error: true | ||
| with: | ||
| image-ref: drifty-${{ matrix.image_name_suffix }} | ||
| format: 'json' | ||
| exit-code: 1 | ||
| vuln-type: os | ||
| ignore-unfixed: true | ||
| output: 'report.json' | ||
| hide-progress: false | ||
| scanners: vuln | ||
| - name: Check OS vulnerability count | ||
| id: vuln_count | ||
| run: | | ||
| report_file="report.json" | ||
| vuln_count=$(jq 'if .Results then [.Results[] | select(.Class=="os-pkgs" and .Vulnerabilities!=null) | .Vulnerabilities[]] | length else 0 end' "$report_file") | ||
| echo "vuln_count=$vuln_count" >> $GITHUB_OUTPUT | ||
| # copa action will only run if there are vulnerabilities | ||
| - name: Run Copa action to patch OS vulnerabilities | ||
| if: steps.vuln_count.outputs.vuln_count != '0' | ||
| uses: project-copacetic/[email protected] | ||
| with: | ||
| image: drifty-${{ matrix.image_name_suffix }} | ||
| image-report: "report.json" | ||
| patched-tag: "patched" | ||
| timeout: '10m' | ||
| - name: Run Trivy security scan on patched image | ||
| - name: Run Trivy security scan | ||
| if: matrix.os == 'ubuntu-latest' | ||
| uses: aquasecurity/[email protected] | ||
| continue-on-error: true | ||
| with: | ||
| image-ref: "drifty-${{ matrix.image_name_suffix }}:patched" | ||
| image-ref: "drifty-${{ matrix.image_name_suffix }}" | ||
| format: 'sarif' | ||
| exit-code: 1 | ||
| vuln-type: os,library | ||
|
|
@@ -73,7 +63,7 @@ jobs: | |
| hide-progress: false | ||
| scanners: vuln,secret,misconfig | ||
| - name: Upload Trivy security scan results | ||
| if: always() | ||
| if: always() && matrix.os == 'ubuntu-latest' | ||
| uses: github/codeql-action/upload-sarif@main | ||
| with: | ||
| sarif_file: trivy-report.sarif | ||