Merge pull request ratify-project#1875 from ratify-project/dev
binbin-li authored Oct 22, 2024
2 parents 6280f46 + 44abd8b commit f3c8f92
Showing 21 changed files with 675 additions and 98 deletions.
2 changes: 1 addition & 1 deletion .devcontainer/Dockerfile
Expand Up @@ -14,7 +14,7 @@
# See here for image contents: https://github.com/microsoft/vscode-dev-containers/tree/v0.245.2/containers/go/.devcontainer/base.Dockerfile

# [Choice] Go version (use -bullseye variants on local arm64/Apple Silicon): 1.22-bullseye, 1.21-bullseye, 1, 1.19, 1.18, 1-bullseye, 1.19-bullseye, 1.18-bullseye, 1-buster, 1.19-buster, 1.18-buster
FROM mcr.microsoft.com/vscode/devcontainers/go:1.22-bullseye@sha256:bdecb4ca0d168e7bd73b01e475d017aac0888ee22c7d4998a09858ab95157669
FROM mcr.microsoft.com/vscode/devcontainers/go:1.22-bullseye@sha256:46f85d17eff2b121269b4ed547eb366c2499b5f549d8eaa16fbe6e38f04dfb93

# [Choice] Node.js version: none, lts/*, 18, 16, 14
ARG NODE_VERSION="none"
4 changes: 2 additions & 2 deletions .github/workflows/codeql.yml
Expand Up @@ -37,12 +37,12 @@ jobs:
with:
go-version: "1.22"
- name: Initialize CodeQL
uses: github/codeql-action/init@c36620d31ac7c881962c3d9dd939c40ec9434f2b # tag=v3.26.12
uses: github/codeql-action/init@f779452ac5af1c261dce0346a8f964149f49322b # tag=v3.26.13
with:
languages: go
- name: Run tidy
run: go mod tidy
- name: Build CLI
run: make build
- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@c36620d31ac7c881962c3d9dd939c40ec9434f2b # tag=v3.26.12
uses: github/codeql-action/analyze@f779452ac5af1c261dce0346a8f964149f49322b # tag=v3.26.13
2 changes: 1 addition & 1 deletion .github/workflows/e2e-aks.yml
Expand Up @@ -64,7 +64,7 @@ jobs:
make e2e-aks KUBERNETES_VERSION=${{ inputs.k8s_version }} GATEKEEPER_VERSION=${{ inputs.gatekeeper_version }} TENANT_ID=${{ secrets.AZURE_TENANT_ID }} AZURE_SP_OBJECT_ID=${{ secrets.AZURE_SP_OBJECT_ID }}
- name: Upload artifacts
uses: actions/upload-artifact@604373da6381bf24206979c74d06a550515601b9 # v4.4.1
uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
if: ${{ always() }}
with:
name: e2e-logs-aks-${{ inputs.k8s_version }}-${{ inputs.gatekeeper_version }}
2 changes: 1 addition & 1 deletion .github/workflows/e2e-k8s.yml
Expand Up @@ -65,7 +65,7 @@ jobs:
kubectl logs -n gatekeeper-system -l app=ratify --tail=-1 > logs-ratify-preinstall-${{ matrix.KUBERNETES_VERSION }}-${{ matrix.GATEKEEPER_VERSION }}-rego-policy.json
kubectl logs -n gatekeeper-system -l app.kubernetes.io/name=ratify --tail=-1 > logs-ratify-${{ matrix.KUBERNETES_VERSION }}-${{ matrix.GATEKEEPER_VERSION }}-rego-policy.json
- name: Upload artifacts
uses: actions/upload-artifact@604373da6381bf24206979c74d06a550515601b9 # v4.4.1
uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
if: ${{ always() }}
with:
name: e2e-logs-${{ inputs.k8s_version }}-${{ inputs.gatekeeper_version }}
2 changes: 1 addition & 1 deletion .github/workflows/high-availability.yml
Expand Up @@ -60,7 +60,7 @@ jobs:
kubectl logs -n gatekeeper-system -l app=ratify --tail=-1 > logs-ratify-preinstall-${{ matrix.DAPR_VERSION }}.json
kubectl logs -n gatekeeper-system -l app.kubernetes.io/name=ratify --tail=-1 > logs-ratify-${{ matrix.DAPR_VERSION }}.json
- name: Upload artifacts
uses: actions/upload-artifact@604373da6381bf24206979c74d06a550515601b9 # v4.4.1
uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
if: ${{ always() }}
with:
name: e2e-logs-${{ matrix.DAPR_VERSION }}
2 changes: 1 addition & 1 deletion .github/workflows/quick-start.yml
Expand Up @@ -59,7 +59,7 @@ jobs:
kubectl logs -n gatekeeper-system -l app=ratify --tail=-1 > logs-ratify-preinstall-${{ matrix.KUBERNETES_VERSION }}-config-policy.json
kubectl logs -n gatekeeper-system -l app.kubernetes.io/name=ratify --tail=-1 > logs-ratify-${{ matrix.KUBERNETES_VERSION }}-config-policy.json
- name: Upload artifacts
uses: actions/upload-artifact@604373da6381bf24206979c74d06a550515601b9 # v4.4.1
uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
if: ${{ always() }}
with:
name: e2e-logs-${{ matrix.KUBERNETES_VERSION }}
4 changes: 2 additions & 2 deletions .github/workflows/release.yml
Expand Up @@ -26,7 +26,7 @@ jobs:
fetch-depth: 0

- name: Install Syft
uses: anchore/sbom-action/download-syft@61119d458adab75f756bc0b9e4bde25725f86a7a # v0.17.2
uses: anchore/sbom-action/download-syft@8d0a6505bf28ced3e85154d13dc6af83299e13f1 # v0.17.4

- name: Set up Go
uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
Expand All @@ -49,7 +49,7 @@ jobs:
$RUNNER_TEMP/sbom-tool generate -b . -bc . -pn ratify -pv $GITHUB_REF_NAME -ps Microsoft -nsb https://microsoft.com -V Verbose
- name: Upload a Build Artifact
uses: actions/upload-artifact@604373da6381bf24206979c74d06a550515601b9 # tag=v4.4.1
uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # tag=v4.4.3
with:
name: SBOM SPDX files
path: _manifest/spdx_2.2/**
70 changes: 50 additions & 20 deletions .github/workflows/scan-vulns.yaml
Expand Up @@ -37,6 +37,8 @@ jobs:
name: "[Trivy] Scan for vulnerabilities"
runs-on: ubuntu-22.04
timeout-minutes: 15
env:
TRIVY_VERSION: v0.49.1
steps:
- name: Harden Runner
uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
Expand All @@ -46,30 +48,58 @@ jobs:
- name: Check out code into the Go module directory
uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871

- name: Download trivy
run: |
pushd $(mktemp -d)
wget https://github.com/aquasecurity/trivy/releases/download/v${{ env.TRIVY_VERSION }}/trivy_${{ env.TRIVY_VERSION }}_Linux-64bit.tar.gz
tar zxvf trivy_${{ env.TRIVY_VERSION }}_Linux-64bit.tar.gz
echo "$(pwd)" >> $GITHUB_PATH
env:
TRIVY_VERSION: "0.46.0"
- name: Manual Trivy Setup
uses: aquasecurity/setup-trivy@eadb05c36f891dc855bba00f67174a1e61528cd4 # v0.2.1
with:
cache: true
version: ${{ env.TRIVY_VERSION }}

- name: Run trivy on git repository
run: |
trivy fs --format table --ignore-unfixed --scanners vuln .
uses: aquasecurity/trivy-action@915b19bbe73b92a6cf82a1bc12b087c9a19a5fe2 # 0.28.0
with:
scan-type: 'fs'
scan-ref: '.'
ignore-unfixed: true
scanners: 'vuln'
version: ${{ env.TRIVY_VERSION }}

- name: Build docker images
run: |
make e2e-build-local-ratify-image
make e2e-build-crd-image
- name: Run trivy on images for all severity
run: |
for img in "localbuild:test" "localbuildcrd:test"; do
trivy image --ignore-unfixed --vuln-type="os,library" "${img}"
done
- name: Run trivy on images and exit on HIGH severity
run: |
for img in "localbuild:test" "localbuildcrd:test"; do
trivy image --ignore-unfixed --exit-code 1 --severity HIGH --vuln-type="os,library" "${img}"
done
- name: Run Trivy vulnerability scanner on localbuild:test
uses: aquasecurity/trivy-action@915b19bbe73b92a6cf82a1bc12b087c9a19a5fe2 # 0.28.0
with:
scan-type: 'image'
image-ref: 'localbuild:test'
ignore-unfixed: true
version: ${{ env.TRIVY_VERSION }}

- name: Run Trivy vulnerability scanner on localbuildcrd:test
uses: aquasecurity/trivy-action@915b19bbe73b92a6cf82a1bc12b087c9a19a5fe2 # 0.28.0
with:
scan-type: 'image'
image-ref: 'localbuildcrd:test'
ignore-unfixed: true
version: ${{ env.TRIVY_VERSION }}

- name: Run Trivy vulnerability scanner on localbuild:test and exit on HIGH severity
uses: aquasecurity/trivy-action@915b19bbe73b92a6cf82a1bc12b087c9a19a5fe2 # 0.28.0
with:
scan-type: 'image'
image-ref: 'localbuild:test'
ignore-unfixed: true
severity: 'HIGH,CRITICAL'
exit-code: '1'
version: ${{ env.TRIVY_VERSION }}

- name: Run Trivy vulnerability scanner on localbuildcrd:test and exit on HIGH severity
uses: aquasecurity/trivy-action@915b19bbe73b92a6cf82a1bc12b087c9a19a5fe2 # 0.28.0
with:
scan-type: 'image'
image-ref: 'localbuildcrd:test'
ignore-unfixed: true
severity: 'HIGH,CRITICAL'
exit-code: '1'
version: ${{ env.TRIVY_VERSION }}
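Review bot: The repository scan in `Run trivy on git repository` sets neither `exit-code` nor `severity`, so with Trivy's default exit code of 0 it stays report-only and the job is gated solely by the two image scans; if findings in the source tree should block as well, add `exit-code: '1'` and `severity: 'HIGH,CRITICAL'` to that step. Both gating steps keep `ignore-unfixed: true`, which means HIGH and CRITICAL findings with no upstream fix never fail the job, and that trade-off deserves a one-line comment next to the setting, e.g. `# unfixed findings are reported by the non-gating steps above but do not fail the build`. The gating step names still end in `and exit on HIGH severity` although the filter is now `HIGH,CRITICAL`; renaming them to `... and exit on HIGH or CRITICAL severity` keeps the job log accurate.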
4 changes: 2 additions & 2 deletions .github/workflows/scorecards.yml
Expand Up @@ -48,13 +48,13 @@ jobs:
publish_results: true

- name: "Upload artifact"
uses: actions/upload-artifact@604373da6381bf24206979c74d06a550515601b9 # tag=v4.4.1
uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # tag=v4.4.3
with:
name: SARIF file
path: results.sarif
retention-days: 5

- name: "Upload to code-scanning"
uses: github/codeql-action/upload-sarif@c36620d31ac7c881962c3d9dd939c40ec9434f2b # tag=v3.26.12
uses: github/codeql-action/upload-sarif@f779452ac5af1c261dce0346a8f964149f49322b # tag=v3.26.13
with:
sarif_file: results.sarif
45 changes: 32 additions & 13 deletions Makefile
Expand Up @@ -160,7 +160,7 @@ test-e2e: generate-rotation-certs
EXPIRING_CERT_DIR=.staging/rotation/expiring-certs CERT_DIR=.staging/rotation GATEKEEPER_VERSION=${GATEKEEPER_VERSION} bats -t ${BATS_PLUGIN_TESTS_FILE}

.PHONY: test-e2e-cli
test-e2e-cli: e2e-dependencies e2e-create-local-registry e2e-notation-setup e2e-notation-leaf-cert-setup e2e-cosign-setup e2e-licensechecker-setup e2e-sbom-setup e2e-schemavalidator-setup e2e-vulnerabilityreport-setup
test-e2e-cli: e2e-dependencies e2e-create-local-registry e2e-notation-setup e2e-notation-leaf-cert-setup e2e-cosign-setup e2e-licensechecker-setup e2e-sbom-setup e2e-trivy-setup e2e-schemavalidator-setup e2e-vulnerabilityreport-setup
rm ${GOCOVERDIR} -rf
mkdir ${GOCOVERDIR} -p
RATIFY_DIR=${INSTALL_DIR} TEST_REGISTRY=${TEST_REGISTRY} ${GITHUB_WORKSPACE}/bin/bats -t ${BATS_CLI_TESTS_FILE}
Expand Down Expand Up @@ -459,14 +459,37 @@ e2e-sbom-setup:
NOTATION_EXPERIMENTAL=1 .staging/notation/notation sign -u ${TEST_REGISTRY_USERNAME} -p ${TEST_REGISTRY_PASSWORD} ${TEST_REGISTRY}/sbom@`${GITHUB_WORKSPACE}/bin/oras discover --distribution-spec v1.1-referrers-api -o json --artifact-type application/spdx+json ${TEST_REGISTRY}/sbom:v0 | jq -r ".manifests[0].digest"`
NOTATION_EXPERIMENTAL=1 .staging/notation/notation sign -u ${TEST_REGISTRY_USERNAME} -p ${TEST_REGISTRY_PASSWORD} ${TEST_REGISTRY}/all@`${GITHUB_WORKSPACE}/bin/oras discover --distribution-spec v1.1-referrers-api -o json --artifact-type application/spdx+json ${TEST_REGISTRY}/all:v0 | jq -r ".manifests[0].digest"`

e2e-trivy-setup:
rm -rf .staging/trivy
mkdir -p .staging/trivy

# Install Trivy
curl -L https://github.com/aquasecurity/trivy/releases/download/v${TRIVY_VERSION}/trivy_${TRIVY_VERSION}_Linux-64bit.tar.gz --output .staging/trivy/trivy.tar.gz
tar -zxf .staging/trivy/trivy.tar.gz -C .staging/trivy

# Download vulnerability database in retry mode
max_retries=3; \
attempt=1; \
wait_time=2; \
while [ $$attempt -le $$max_retries ]; do \
echo "Attempt $$attempt of $$max_retries..."; \
if .staging/trivy/trivy image --download-db-only; then \
break; \
fi; \
if [ $$attempt -eq $$max_retries ]; then \
echo "Failed after $$max_retries attempts."; \
exit 1; \
fi; \
echo "Failed. Retrying in $$wait_time seconds..."; \
sleep $$wait_time; \
wait_time=$$(( wait_time * 2 )); \
attempt=$$(( attempt + 1 )); \
done

e2e-schemavalidator-setup:
rm -rf .staging/schemavalidator
mkdir -p .staging/schemavalidator

# Install Trivy
curl -L https://github.com/aquasecurity/trivy/releases/download/v${TRIVY_VERSION}/trivy_${TRIVY_VERSION}_Linux-64bit.tar.gz --output .staging/schemavalidator/trivy.tar.gz
tar -zxf .staging/schemavalidator/trivy.tar.gz -C .staging/schemavalidator

# Build/Push Images
printf 'FROM ${ALPINE_IMAGE}\nCMD ["echo", "schemavalidator image"]' > .staging/schemavalidator/Dockerfile
docker buildx create --use
Expand All @@ -475,7 +498,7 @@ e2e-schemavalidator-setup:
rm .staging/schemavalidator/schemavalidator.tar

# Create/Attach Scan Results
.staging/schemavalidator/trivy image --format sarif --output .staging/schemavalidator/trivy-scan.sarif ${TEST_REGISTRY}/schemavalidator:v0
.staging/trivy/trivy image --skip-db-update --format sarif --output .staging/schemavalidator/trivy-scan.sarif ${TEST_REGISTRY}/schemavalidator:v0
${GITHUB_WORKSPACE}/bin/oras attach \
--artifact-type application/vnd.aquasecurity.trivy.report.sarif.v1 \
--distribution-spec v1.1-referrers-api \
Expand All @@ -491,10 +514,6 @@ e2e-vulnerabilityreport-setup:
rm -rf .staging/vulnerabilityreport
mkdir -p .staging/vulnerabilityreport

# Install Trivy
curl -L https://github.com/aquasecurity/trivy/releases/download/v${TRIVY_VERSION}/trivy_${TRIVY_VERSION}_Linux-64bit.tar.gz --output .staging/vulnerabilityreport/trivy.tar.gz
tar -zxf .staging/vulnerabilityreport/trivy.tar.gz -C .staging/vulnerabilityreport

# Build/Push Image
printf 'FROM ${ALPINE_IMAGE_VULNERABLE}\nCMD ["echo", "vulnerabilityreport image"]' > .staging/vulnerabilityreport/Dockerfile
docker buildx create --use
Expand All @@ -503,7 +522,7 @@ e2e-vulnerabilityreport-setup:
rm .staging/vulnerabilityreport/vulnerabilityreport.tar

# Create/Attach Scan Result
.staging/vulnerabilityreport/trivy image --format sarif --output .staging/vulnerabilityreport/trivy-sarif.json ${TEST_REGISTRY}/vulnerabilityreport:v0
.staging/trivy/trivy image --skip-db-update --format sarif --output .staging/vulnerabilityreport/trivy-sarif.json ${TEST_REGISTRY}/vulnerabilityreport:v0
${GITHUB_WORKSPACE}/bin/oras attach \
--artifact-type application/sarif+json \
--distribution-spec v1.1-referrers-api \
Expand All @@ -524,7 +543,7 @@ e2e-inlinecert-setup:
.staging/notation/notation cert generate-test "alternate-cert"
NOTATION_EXPERIMENTAL=1 .staging/notation/notation sign -u ${TEST_REGISTRY_USERNAME} -p ${TEST_REGISTRY_PASSWORD} --key "alternate-cert" ${TEST_REGISTRY}/notation@`${GITHUB_WORKSPACE}/bin/oras manifest fetch ${TEST_REGISTRY}/notation:signed-alternate --descriptor | jq .digest | xargs`

e2e-azure-setup: e2e-create-all-image e2e-notation-setup e2e-notation-leaf-cert-setup e2e-cosign-akv-setup e2e-licensechecker-setup e2e-sbom-setup e2e-schemavalidator-setup
e2e-azure-setup: e2e-create-all-image e2e-notation-setup e2e-notation-leaf-cert-setup e2e-cosign-akv-setup e2e-licensechecker-setup e2e-sbom-setup e2e-trivy-setup e2e-schemavalidator-setup

e2e-deploy-gatekeeper: e2e-helm-install
./.staging/helm/linux-amd64/helm repo add gatekeeper https://open-policy-agent.github.io/gatekeeper/charts
Expand Down Expand Up @@ -560,7 +579,7 @@ e2e-deploy-base-ratify: e2e-notation-setup e2e-notation-leaf-cert-setup e2e-cosi

rm mount_config.json

e2e-deploy-ratify: e2e-notation-setup e2e-notation-leaf-cert-setup e2e-cosign-setup e2e-cosign-setup e2e-licensechecker-setup e2e-sbom-setup e2e-schemavalidator-setup e2e-vulnerabilityreport-setup e2e-inlinecert-setup e2e-build-crd-image load-build-crd-image e2e-build-local-ratify-image load-local-ratify-image e2e-helm-deploy-ratify
e2e-deploy-ratify: e2e-notation-setup e2e-notation-leaf-cert-setup e2e-cosign-setup e2e-cosign-setup e2e-licensechecker-setup e2e-sbom-setup e2e-trivy-setup e2e-schemavalidator-setup e2e-vulnerabilityreport-setup e2e-inlinecert-setup e2e-build-crd-image load-build-crd-image e2e-build-local-ratify-image load-local-ratify-image e2e-helm-deploy-ratify

e2e-build-local-ratify-base-image:
docker build --progress=plain --no-cache \
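Review bot: The new `e2e-trivy-setup` target extracts and then runs a tarball fetched with `curl -L`, and nothing checks its integrity; without `-f`, an HTTP error page is also written to `trivy.tar.gz` and only surfaces later as a tar failure. Use `curl -fsSL` and verify the archive against the checksums file published with the same release (for example with `sha256sum -c` on the matching line) before the `tar -zxf`. The download host as rendered on this page is `github.com`; if that is what the Makefile contains rather than an artifact of the page mirror, it should be `github.com`. Separately, `e2e-schemavalidator-setup` and `e2e-vulnerabilityreport-setup` now call `.staging/trivy/trivy image --skip-db-update` without listing `e2e-trivy-setup` as a prerequisite, so running either target alone, or under `make -j`, can reach the scan with no binary or database. Declaring `e2e-schemavalidator-setup: e2e-trivy-setup` (and the same for the other target) removes that dependence on the caller's ordering.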
1 change: 1 addition & 0 deletions charts/ratify/README.md
Expand Up @@ -47,6 +47,7 @@ Values marked `# DEPRECATED` in the `values.yaml` as well as **DEPRECATED** in t
| replicaCount | The number of Ratify replicas in deployment | 1 |
| affinity | Pod affinity for the Ratify deployment | `{}` |
| tolerations | Pod tolerations for the Ratify deployment | `[]` |
| env | Environment variables for Ratify container | `[]` |
| notationCerts | An array of public certificate/certificate chain used to create inline certstore used by Notation verifier | `` |
| cosignKeys | An array of public keys used to create inline key management providers used by Cosign verifier | `[]` |
| notation.enabled | Enables/disables the built-in notation verifier. MUST be set to true for notation verification. | `true` |
3 changes: 3 additions & 0 deletions charts/ratify/templates/deployment.yaml
Expand Up @@ -110,6 +110,9 @@ spec:
readOnly: true
{{- end }}
env:
{{- with .Values.env }}
{{- toYaml . | nindent 12 }}
{{- end }}
{{- if .Values.logger.level }}
- name: RATIFY_LOG_LEVEL
value: {{ .Values.logger.level }}
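Review bot: Entries from `.Values.env` are rendered ahead of the chart's own variables, so a user entry that reuses a chart-managed name such as `RATIFY_LOG_LEVEL` yields two list items with the same name. As far as I know Kubernetes lets the later item take effect, so the chart value would silently override the user's, and some apply paths warn on the duplicate. A template comment above the `with` block, e.g. `{{- /* user-supplied env first; chart-managed variables below win on name clashes */}}`, would document that precedence. The block also assumes the value is a list: a map passes `with` and renders invalid YAML under `env:`, so a guard inside the block such as `{{- if not (kindIs "slice" .) }}{{ fail "env must be a list of EnvVar objects" }}{{- end }}` would fail earlier with a clear message. The container spec this sits in starts and ends outside the hunk.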
7 changes: 6 additions & 1 deletion charts/ratify/values.yaml
Expand Up @@ -169,4 +169,9 @@ akvCertConfig: # DEPRECATED: Use azurekeyvault instead
cert2Name: # DEPRECATED: Use azurekeyvault.certificates instead
cert2Version: # DEPRECATED: Use azurekeyvault.certificates instead
certificates: # DEPRECATED: Use azurekeyvault.certificates instead
tenantId: # DEPRECATED: Use azurekeyvault.tenantId instead
tenantId: # DEPRECATED: Use azurekeyvault.tenantId instead

# env: environment variables for ratify container
env: []
# - name: https_proxy
# value: http://proxy-server:80
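Review bot: The commented example under `env: []` shows only a literal `value:` entry, and a proxy URL is a common place for embedded credentials, which would then sit in plain text in values files and in the rendered Deployment. The deployment template shown on this page passes each entry through `toYaml` unchanged, so entries using `valueFrom.secretKeyRef` should render as well. Say so in the comment, e.g. `# Entries are Kubernetes EnvVar objects; use valueFrom.secretKeyRef for anything sensitive.`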