Skip to content

Commit

Permalink
Upgrade to grype 0.16.0 and add tests #102 (#112)
Browse files Browse the repository at this point in the history
Signed-off-by: Keith Zantow <[email protected]>
  • Loading branch information
kzantow authored Aug 19, 2021
1 parent 6b62906 commit 5fd84ca
Show file tree
Hide file tree
Showing 34 changed files with 1,263 additions and 307 deletions.
45 changes: 39 additions & 6 deletions .github/workflows/test.yml
Original file line number Diff line number Diff line change
Expand Up @@ -5,14 +5,47 @@ on: [push, pull_request]
jobs:
test:
runs-on: ubuntu-latest
services:
registry:
image: registry:2
ports:
- 5000:5000
steps:
- uses: actions/checkout@v2
- run: npm ci
- run: npm audit --production
- run: npm test -- --testPathIgnorePatterns action.test.js
- uses: actions/checkout@v2
- run: echo $(uname -a)
- name: Check for npm (so make test works)
run: |
if ! [ -x "$(command -v npm)" ]; then
sudo apt update
sudo apt -y upgrade
sudo apt update
sudo apt -y install curl dirmngr apt-transport-https lsb-release ca-certificates
curl -sL https://deb.nodesource.com/setup_12.x | sudo -E bash -
sudo apt -y install nodejs
sudo apt -y install gcc g++ make
fi
- name: Build images
run: |
for distro in alpine centos debian; do
docker build -t localhost:5000/match-coverage/$distro ./tests/fixtures/image-$distro-match-coverage
docker push localhost:5000/match-coverage/$distro:latest
done
- name: Inspect
run: |
docker images -a
for distro in alpine centos debian; do
docker buildx imagetools inspect localhost:5000/match-coverage/$distro:latest
done
- run: npm ci
- run: npm audit --production
- run: npm test

functional:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v2
- run: make check
- uses: actions/checkout@v2
- run: make check
- uses: actions/upload-artifact@v2
with:
name: functional-test-output
path: tests/functional/output/*
5 changes: 5 additions & 0 deletions .gitignore
Original file line number Diff line number Diff line change
Expand Up @@ -108,8 +108,13 @@ typings/

# IDE files/dirs
.vscode
.idea

# Exclude python test artifacts
/act
/venv/*
/tests/functional/__pycache__/*

# Action temporary files
results.sarif
vulnerabilities.json
16 changes: 16 additions & 0 deletions Makefile
Original file line number Diff line number Diff line change
Expand Up @@ -47,6 +47,22 @@ bootstrap: ## Download and install all go dependencies (+ prep tooling in the ./
# prep temp dirs
mkdir -p tests/functional/output

.PHONY: run-docker-registry
run-docker-registry: bootstrap
# start a local registry
docker run -d -p 5000:5000 --name registry registry:2 | echo

.PHONY: test
test: run-docker-registry bootstrap
npm run build
./act -v -P ubuntu-latest=ghcr.io/catthehacker/ubuntu:js-latest -j test

.PHONY: wipe-docker
wipe-docker:
docker kill $(shell docker ps -a -q) | echo
docker image prune -af
docker container prune -f
docker volume prune -f

%: ## do a local build
scripts/local.sh "$*"
137 changes: 68 additions & 69 deletions README.md
Original file line number Diff line number Diff line change
@@ -1,6 +1,7 @@
[![Test Status][test-img]][test]

# GitHub Action for vulnerability Scanning

:zap: _Find threats in files or containers at lightning speed_ :zap:

This is a GitHub Action for invoking the [grype](https://github.com/anchore/grype) scanner and returning the vulnerabilities found,
Expand All @@ -10,29 +11,29 @@ Use this in your workflows to quickly verify files or containers' content after

The action invokes the `grype` command-line tool, with these benefits:

* Runs locally, without sending data outbound - no credentials required!
* Speedy scan operations
* Scans both paths and container images
* Easy failure evaluation depending on vulnerability severity
- Runs locally, without sending data outbound - no credentials required!
- Speedy scan operations
- Scans both paths and container images
- Easy failure evaluation depending on vulnerability severity

The example workflows have lots of usage examples for scanning both containers and directories.

By default, a scan will produce very detailed output on system packages like an RPM or DEB, but also language-based packages. These are some of the supported packages and libraries:

Supported Linux Distributions:

* Alpine
* BusyBox
* CentOS and RedHat
* Debian and Debian-based distros like Ubuntu
- Alpine
- BusyBox
- CentOS and RedHat
- Debian and Debian-based distros like Ubuntu

Supported packages and libraries:

* Ruby Bundles
* Python Wheel, Egg, `requirements.txt`
* JavaScript NPM/Yarn
* Java JAR/EAR/WAR, Jenkins plugins JPI/HPI
* Go modules
- Ruby Bundles
- Python Wheel, Egg, `requirements.txt`
- JavaScript NPM/Yarn
- Java JAR/EAR/WAR, Jenkins plugins JPI/HPI
- Go modules

## Container scanning

Expand Down Expand Up @@ -60,63 +61,62 @@ The simplest workflow for scanning a `localbuild/testimage` container:
To scan a directory, add the following step:
```yaml
- name: Scan current project
uses: anchore/scan-action@v2
with:
path: "."
- name: Scan current project
uses: anchore/scan-action@v2
with:
path: "."
```
The `path` key allows any valid path for the current project. The root of the path (`"."` in this example) is the repository root.

## Failing a build on vulnerability severity

By default, if any vulnerability at `medium` or higher is seen, the build fails. To have the build step fail in cases where there are vulnerabilities with a severity level different than the default, set the `severity-cutoff` field to one of `low`, `high`, or `critical`:

With a different severity level:

```yaml
- name: Scan image
uses: anchore/scan-action@v2
with:
image: "localbuild/testimage:latest"
fail-build: true
severity-cutoff: critical
- name: Scan image
uses: anchore/scan-action@v2
with:
image: "localbuild/testimage:latest"
fail-build: true
severity-cutoff: critical
```

Optionally, change the `fail-build` field to `false` to avoid failing the build regardless of severity:

```yaml
- name: Scan image
uses: anchore/scan-action@v2
with:
image: "localbuild/testimage:latest"
fail-build: false
- name: Scan image
uses: anchore/scan-action@v2
with:
image: "localbuild/testimage:latest"
fail-build: false
```


### Action Inputs

The only required key is `image`; all the other keys are optional. These are all the available keys to configure this action, along with its defaults:

| Input Name | Description | Default Value |
|-----------------|-------------|---------------|
| `image` | The image to scan | N/A |
| `debug` | Verbose logging output | `false` |
| `fail-build` | Fail the build if a vulnerability is found with a higher severity. That severity defaults to `"medium"` and can be set with `severity-cutoff`. | `false` |
| `grype-version` | An optional parameter to specify a specific version of `grype` to use for the scan. Default is the version locked to the scan-action release | `0.1.0` |
| `acs-report-enable` | Optionally, enable the feature that causes a result.sarif report to be generated after successful action execution. This report is compatible with GitHub Automated Code Scanning (ACS), as the artifact to upload for display as a Code Scanning Alert report. | `false` |
| `severity-cutoff` | With ACS reporting enabled, optionally specify the minimum vulnerability severity to trigger an "error" level ACS result. Valid choices are "negligible", "low", "medium", "high" and "critical". Any vulnerability with a severity less than this value will lead to a "warning" result. Default is "medium". | `"medium"` |
| Input Name | Description | Default Value |
| ------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------- |
| `image` | The image to scan | N/A |
| `debug` | Verbose logging output | `false` |
| `fail-build` | Fail the build if a vulnerability is found with a higher severity. That severity defaults to `"medium"` and can be set with `severity-cutoff`. | `false` |
| `grype-version` | An optional parameter to specify a specific version of `grype` to use for the scan. Default is the version locked to the scan-action release | `0.16.0` |
| `acs-report-enable` | Optionally, enable the feature that causes a result.sarif report to be generated after successful action execution. This report is compatible with GitHub Automated Code Scanning (ACS), as the artifact to upload for display as a Code Scanning Alert report. | `false` |
| `severity-cutoff` | With ACS reporting enabled, optionally specify the minimum vulnerability severity to trigger an "error" level ACS result. Valid choices are "negligible", "low", "medium", "high" and "critical". Any vulnerability with a severity less than this value will lead to a "warning" result. Default is "medium". | `"medium"` |

### Action Outputs

| Output Name | Description | Type |
|-----------------|-------------|----------|
| Output Name | Description | Type |
| --------------- | ------------------------------------------------------------------- | ------ |
| vulnerabilities | Path to a JSON file with the list of vulnerabilities found in image | string |
| sarif | Path to a SARIF report file | string |
| sarif | Path to a SARIF report file | string |

As a result of the action, you'll get a JSON file in the `anchore-reports` directory in the workspace:

* `vulnerabilities.json` - Vulnerabilities found in the image

- `vulnerabilities.json` - Vulnerabilities found in the image

### Example Workflows

Expand All @@ -129,15 +129,15 @@ jobs:
build:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v2
- name: Build the container image
run: docker build . --file Dockerfile --tag localbuild/testimage:latest
- uses: anchore/scan-action@v2
with:
image: "localbuild/testimage:latest"
fail-build: true
- name: grype scan JSON results
run: for j in `ls ./anchore-reports/*.json`; do echo "---- ${j} ----"; cat ${j}; echo; done
- uses: actions/checkout@v2
- name: Build the container image
run: docker build . --file Dockerfile --tag localbuild/testimage:latest
- uses: anchore/scan-action@v2
with:
image: "localbuild/testimage:latest"
fail-build: true
- name: grype scan JSON results
run: for j in `ls ./anchore-reports/*.json`; do echo "---- ${j} ----"; cat ${j}; echo; done
```

Same example as above, but with Automated Code Scanning (ACS) feature enabled - with this example, the action will generate a SARIF report, which can be uploaded and then displayed as a Code Scanning Report in the GitHub UI.
Expand All @@ -151,25 +151,25 @@ jobs:
build:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v2
- name: Build the Container image
run: docker build . --file Dockerfile --tag localbuild/testimage:latest
- uses: anchore/scan-action@v2
id: scan
with:
image: "localbuild/testimage:latest"
acs-report-enable: true
- name: upload Anchore scan SARIF report
uses: github/codeql-action/upload-sarif@v1
with:
sarif_file: ${{ steps.scan.outputs.sarif }}
- uses: actions/checkout@v2
- name: Build the Container image
run: docker build . --file Dockerfile --tag localbuild/testimage:latest
- uses: anchore/scan-action@v2
id: scan
with:
image: "localbuild/testimage:latest"
acs-report-enable: true
- name: upload Anchore scan SARIF report
uses: github/codeql-action/upload-sarif@v1
with:
sarif_file: ${{ steps.scan.outputs.sarif }}
```
Optionally, you can add a step to inspect the SARIF report produced:
```yaml
- name: Inspect action SARIF report
run: cat ${{ steps.scan.outputs.sarif }}
- name: Inspect action SARIF report
run: cat ${{ steps.scan.outputs.sarif }}
```
## Contributing
Expand All @@ -178,15 +178,14 @@ We love contributions, feedback, and bug reports. For issues with the invocation
For contributing, see [Contributing](CONTRIBUTING.rst).
## More Information
For documentation on Grype itself, including other output capabilities, see the [grype project](https://github.com/anchore/grype)
Connect with the community directly on [slack](https://anchore.com/slack). These channels from Anchore's toolbox project are ideal for engaging development of help-related discussions:
* toolbox-dev
* toolbox-help
- toolbox-dev
- toolbox-help
[test]: https://github.com/anchore/scan-action
[test-img]: https://github.com/anchore/scan-action/workflows/Tests/badge.svg
Loading

0 comments on commit 5fd84ca

Please sign in to comment.