From 7dadc0b6be03dbf5f3f1817847215935055fa345 Mon Sep 17 00:00:00 2001 From: Saptarshi Sarkar Date: Thu, 5 Sep 2024 23:16:12 +0530 Subject: [PATCH] feat: added copa to patch all docker image vulnerabilities reported by trivy (#628) * fix: Added Copa to patch docker image vulnerabilities * fix: Fixed copa failing to work in dev docker image build workflow --- .github/workflows/dev-docker-build.yml | 21 +++++++++++++++++++-- .github/workflows/docker-publish.yml | 16 ++++++++++++++-- 2 files changed, 33 insertions(+), 4 deletions(-)
diff --git a/.github/workflows/dev-docker-build.yml b/.github/workflows/dev-docker-build.yml
index ec2e4a38..6587062b 100644
--- a/.github/workflows/dev-docker-build.yml
+++ b/.github/workflows/dev-docker-build.yml
@@ -28,16 +28,33 @@ jobs:
 uses: actions/checkout@v4
 with:
 ref: ${{ github.event.pull_request.head.sha }}
+ - name: Pull runtime os image # to patch vulnerabilities
+ if: matrix.os == 'ubuntu-latest'
+ run: docker pull oraclelinux:9-slim
+ - name: Build latest version of Copa # to support Oracle Linux yum packages
+ if: matrix.os == 'ubuntu-latest'
+ run: |
+ git clone https://github.com/project-copacetic/copacetic
+ cd copacetic
+ make
+ sudo mv dist/linux_amd64/release/copa /usr/local/bin/
+ - name: Run Copa to patch vulnerabilities
+ if: matrix.os == 'ubuntu-latest'
+ run: |
+ docker run --detach --rm --privileged --name buildkitd --entrypoint buildkitd moby/buildkit:latest
+ copa patch -i oraclelinux:9-slim -t 9-slim --addr docker-container://buildkitd --ignore-errors
+ docker stop buildkitd
 - name: Build Docker image
 run: |
 docker compose build base
 docker compose build runner
 docker compose build ${{ matrix.image_name_suffix }}
 - name: Run Trivy security scan
+ if: matrix.os == 'ubuntu-latest'
 uses: aquasecurity/trivy-action@0.24.0
 continue-on-error: true
 with:
- image-ref: drifty-${{ matrix.image_name_suffix }}
+ image-ref: "drifty-${{ matrix.image_name_suffix }}"
 format: 'sarif'
 exit-code: 1
 vuln-type: os,library
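Review bot: The new "Build latest version of Copa" step clones an unpinned HEAD of a third-party repository, runs its `make`, and installs the binary into `/usr/local/bin` with `sudo`, and the next step starts `moby/buildkit:latest` with `--privileged`; everything else in this hunk is pinned (`actions/checkout@v4`, `aquasecurity/trivy-action@0.24.0`), so an upstream commit or tag move would run as root on the runner and silently change what gets patched into the base image. Pin both to a release, e.g. `git clone --depth 1 --branch <release-tag> https://github.com/project-copacetic/copacetic` and `moby/buildkit:<version>@sha256:<digest>`. Separately, `copa patch ... -t 9-slim --ignore-errors` retags the output as `oraclelinux:9-slim`, so a partially patched base (packages copa could not update) is indistinguishable from a fully patched one and the step still succeeds; consider dropping `--ignore-errors`, or at minimum add a comment on that line stating that patch failures are tolerated and that the Trivy scan below is what catches anything left behind. Also, because the `run:` shell stops at the first failing command by default, `docker stop buildkitd` is skipped when `copa patch` fails, leaving the privileged `buildkitd` container running until the job ends — move the stop into a follow-up step with `if: always()` or guard it with `trap`.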
@@ -46,7 +63,7 @@ jobs:
 hide-progress: false
 scanners: vuln,secret,misconfig
 - name: Upload Trivy security scan results
- if: always()
+ if: always() && matrix.os == 'ubuntu-latest'
 uses: github/codeql-action/upload-sarif@main
 with:
 sarif_file: trivy-report.sarif
\ No newline at end of file
diff --git a/.github/workflows/docker-publish.yml b/.github/workflows/docker-publish.yml
index d5200a7a..72be3697 100644
--- a/.github/workflows/docker-publish.yml
+++ b/.github/workflows/docker-publish.yml
@@ -163,7 +163,19 @@ jobs:
 else
 echo "IMAGE_DESCRIPTION_PREFIX=The" >> $GITHUB_ENV
 fi
-
+ - name: Pull runtime os image # to patch vulnerabilities
+ run: docker pull oraclelinux:9-slim
+ - name: Build latest version of Copa # to support Oracle Linux yum packages
+ run: |
+ git clone https://github.com/project-copacetic/copacetic
+ cd copacetic
+ make
+ sudo mv dist/linux_amd64/release/copa /usr/local/bin/
+ - name: Run Copa to patch vulnerabilities
+ run: |
+ docker run --detach --rm --privileged --name buildkitd --entrypoint buildkitd moby/buildkit:latest
+ copa patch -i oraclelinux:9-slim -t 9-slim --addr docker-container://buildkitd --ignore-errors
+ docker stop buildkitd
 # Build and push Docker image with Buildx (don't push on PR and branches created by Dependabot)
 # https://github.com/docker/build-push-action
 - name: Build and push Docker image
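Review bot: In the docker-publish.yml hunk the patched image exists only as a retag of `oraclelinux:9-slim` in the runner's local Docker image store, yet the very next step (per the context comment) builds and pushes with Buildx via docker/build-push-action. If that job's Buildx builder uses the docker-container driver (its setup is outside this hunk, so this needs confirming), the builder cannot see the local tag and will resolve `FROM oraclelinux:9-slim` from the registry, so the published image is built from the unpatched base while the separate `docker build` used for the Trivy scan does see the patched tag — the scan would then pass on an image that is not the one shipped. Either make the scan target the pushed image by digest, or push the patched base to the registry and reference it explicitly in the build; add a comment on the `copa patch` line such as `# patched image is only in the local daemon; the Buildx builder must be able to resolve it`. The same unpinned `git clone` of copacetic and `moby/buildkit:latest` noted for the dev workflow apply here, and matter more in the job that publishes production images.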
@@ -183,7 +195,7 @@ jobs:
 annotation-index.org.opencontainers.image.description=${{ env.IMAGE_DESCRIPTION_PREFIX }} docker image for Drifty ${{ matrix.docker_context }},\
 annotation-index.org.opencontainers.image.licenses=Apache-2.0"
- - name: Build same image with different tag # cached build, so, will be faster, and it will be used for security scan
+ - name: Build same image with different name # cached build, so, will be faster, and it will be used for security scan
 run: docker build -t ${{ matrix.image_name }} -f Docker/prod/${{ matrix.docker_context }}/Dockerfile build/${{ matrix.docker_context }}
 - name: Run Trivy security scan