Merge branch 'master' into 217-drifty-update-feature

SaptarshiSarkar12 · Sep 5, 2024 · 7eed5c9 · 7eed5c9
2 parents f6dbbca + 7dadc0b
commit 7eed5c9
Show file tree

Hide file tree

Showing 2 changed files with 33 additions and 4 deletions.
diff --git a/.github/workflows/dev-docker-build.yml b/.github/workflows/dev-docker-build.yml
@@ -28,16 +28,33 @@ jobs:
         uses: actions/checkout@v4
         with:
           ref: ${{ github.event.pull_request.head.sha }}
+      - name: Pull runtime os image # to patch vulnerabilities
+        if: matrix.os == 'ubuntu-latest'
+        run: docker pull oraclelinux:9-slim
+      - name: Build latest version of Copa # to support Oracle Linux yum packages
+        if: matrix.os == 'ubuntu-latest'
+        run: |
+          git clone https://github.com/project-copacetic/copacetic
+          cd copacetic
+          make
+          sudo mv dist/linux_amd64/release/copa /usr/local/bin/
+      - name: Run Copa to patch vulnerabilities
+        if: matrix.os == 'ubuntu-latest'
+        run: |
+          docker run --detach --rm --privileged --name buildkitd --entrypoint buildkitd moby/buildkit:latest
+          copa patch -i oraclelinux:9-slim -t 9-slim --addr docker-container://buildkitd --ignore-errors
+          docker stop buildkitd
       - name: Build Docker image
         run: |
           docker compose build base
           docker compose build runner
           docker compose build ${{ matrix.image_name_suffix }}
       - name: Run Trivy security scan
+        if: matrix.os == 'ubuntu-latest'
         uses: aquasecurity/[email protected]
         continue-on-error: true
         with:
-          image-ref: drifty-${{ matrix.image_name_suffix }}
+          image-ref: "drifty-${{ matrix.image_name_suffix }}"
           format: 'sarif'
           exit-code: 1
           vuln-type: os,library
@@ -46,7 +63,7 @@ jobs:
           hide-progress: false
           scanners: vuln,secret,misconfig
       - name: Upload Trivy security scan results
-        if: always()
+        if: always() && matrix.os == 'ubuntu-latest'
         uses: github/codeql-action/upload-sarif@main
         with:
           sarif_file: trivy-report.sarif
diff --git a/.github/workflows/docker-publish.yml b/.github/workflows/docker-publish.yml
@@ -163,7 +163,19 @@ jobs:
           else
             echo "IMAGE_DESCRIPTION_PREFIX=The" >> $GITHUB_ENV
           fi
-
+      - name: Pull runtime os image # to patch vulnerabilities
+        run: docker pull oraclelinux:9-slim
+      - name: Build latest version of Copa # to support Oracle Linux yum packages
+        run: |
+          git clone https://github.com/project-copacetic/copacetic
+          cd copacetic
+          make
+          sudo mv dist/linux_amd64/release/copa /usr/local/bin/
+      - name: Run Copa to patch vulnerabilities
+        run: |
+          docker run --detach --rm --privileged --name buildkitd --entrypoint buildkitd moby/buildkit:latest
+          copa patch -i oraclelinux:9-slim -t 9-slim --addr docker-container://buildkitd --ignore-errors
+          docker stop buildkitd
       # Build and push Docker image with Buildx (don't push on PR and branches created by Dependabot)
       # https://github.com/docker/build-push-action
       - name: Build and push Docker image
@@ -183,7 +195,7 @@ jobs:
             annotation-index.org.opencontainers.image.description=${{ env.IMAGE_DESCRIPTION_PREFIX }} docker image for Drifty ${{ matrix.docker_context }},\
             annotation-index.org.opencontainers.image.licenses=Apache-2.0"
 
-      - name: Build same image with different tag # cached build, so, will be faster, and it will be used for security scan
+      - name: Build same image with different name # cached build, so, will be faster, and it will be used for security scan
         run: docker build -t ${{ matrix.image_name }} -f Docker/prod/${{ matrix.docker_context }}/Dockerfile build/${{ matrix.docker_context }}
 
       - name: Run Trivy security scan