chore: update security scanners (#1333)

ory · May 30, 2023 · 677c462 · 677c462
1 parent 06772e7
commit 677c462
Show file tree

Hide file tree

Showing 8 changed files with 56 additions and 37 deletions.
diff --git a/.docker/Dockerfile b/.docker/Dockerfile
@@ -1,4 +1,4 @@
-FROM alpine:3.17.3
+FROM alpine:3.18
 
 RUN addgroup -S ory; \
     adduser -S ory -G ory -D  -h /home/ory -s /bin/nologin; \

diff --git a/.docker/Dockerfile-alpine b/.docker/Dockerfile-alpine
@@ -1,10 +1,10 @@
-FROM alpine:3.17.3
+FROM alpine:3.18
 
 RUN addgroup -S ory; \
     adduser -S ory -G ory -D -H -s /bin/nologin
 
-RUN apk --no-cache --latest upgrade
-RUN apk --no-cache --upgrade --latest add ca-certificates
+RUN apk --no-cache --latest upgrade &&\
+    apk --no-cache --upgrade --latest add ca-certificates
 
 COPY keto /usr/bin/keto
 

diff --git a/.docker/Dockerfile-build b/.docker/Dockerfile-build
@@ -1,31 +1,31 @@
-FROM golang:1.20.2-alpine3.16 AS builder
+FROM golang:1.20-alpine3.18 AS builder
 
 RUN apk -U --no-cache add build-base git gcc bash
 
 WORKDIR /go/src/github.com/ory/keto
 
-ADD go.mod go.mod
-ADD go.sum go.sum
+COPY go.mod go.mod
+COPY go.sum go.sum
 
-ADD proto/go.mod proto/go.mod
-ADD proto/go.sum proto/go.sum
+COPY proto/go.mod proto/go.mod
+COPY proto/go.sum proto/go.sum
 
 ENV CGO_ENABLED 1
 
 RUN go mod download
 
-ADD . .
+COPY . .
 
 RUN go build -buildvcs=false -tags sqlite -o /usr/bin/keto .
 
-FROM alpine:3.17.3
+FROM alpine:3.18
 
 RUN addgroup -S ory; \
     adduser -S ory -G ory -D  -h /home/ory -s /bin/nologin; \
     chown -R ory:ory /home/ory
 
-RUN apk --no-cache --latest upgrade
-RUN apk --no-cache --upgrade --latest add ca-certificates
+RUN apk --no-cache --latest upgrade &&\
+    apk --no-cache --upgrade --latest add ca-certificates
 
 COPY --from=builder /usr/bin/keto /usr/bin/keto
 

diff --git a/.docker/Dockerfile-sqlite b/.docker/Dockerfile-sqlite
@@ -1,4 +1,4 @@
-FROM alpine:3.17.3
+FROM alpine:3.18
 
 # Because this image is built for SQLite, we create /home/ory and /home/ory/sqlite which is owned by the ory user
 # and declare /home/ory/sqlite a volume.
@@ -11,8 +11,8 @@ RUN addgroup -S ory; \
     adduser -S ory -G ory -D  -h /home/ory -s /bin/nologin; \
     chown -R ory:ory /home/ory
 
-RUN apk --no-cache --latest upgrade
-RUN apk --no-cache --upgrade --latest add ca-certificates
+RUN apk --no-cache --latest upgrade &&\
+    apk --no-cache --upgrade --latest add ca-certificates
 
 WORKDIR /home/ory
 

diff --git a/.github/workflows/cve-scan.yaml b/.github/workflows/cve-scan.yaml
@@ -8,7 +8,6 @@ on:
   pull_request:
     branches:
       - "master"
-  merge_group:
 
 jobs:
   scanners:
@@ -20,47 +19,66 @@ jobs:
         id: vars
         shell: bash
         run: |
-          echo "##[set-output name=branch;]$(echo ${GITHUB_REF#refs/heads/})"
-          echo "::set-output name=sha_short::$(git rev-parse --short HEAD)"
+          echo "SHA_SHORT=$(git rev-parse --short HEAD)" >> "${GITHUB_ENV}"
       - name: Set up QEMU
         uses: docker/setup-qemu-action@v2
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v2
       - name: Build images
         shell: bash
         run: |
-          touch keto
-          DOCKER_BUILDKIT=1 docker build -f .docker/Dockerfile-build --build-arg=COMMIT=${{ steps.vars.outputs.sha_short }} -t oryd/keto:${{ steps.vars.outputs.sha_short }} .
-          rm keto
+          IMAGE_TAG="${{ env.SHA_SHORT }}" make docker
       - name: Anchore Scanner
         uses: anchore/scan-action@v3
         id: grype-scan
         with:
-          image: oryd/keto:${{ steps.vars.outputs.sha_short }}
+          image: oryd/keto:${{ env.SHA_SHORT }}
           fail-build: true
           severity-cutoff: high
-          acs-report-enable: true
+          add-cpes-if-none: true
       - name: Inspect action SARIF report
         shell: bash
         if: ${{ always() }}
         run: |
           echo "::group::Anchore Scan Details"
           jq '.runs[0].results' ${{ steps.grype-scan.outputs.sarif }}
           echo "::endgroup::"
+      - name: Anchore upload scan SARIF report
+        if: always()
+        uses: github/codeql-action/upload-sarif@v2
+        with:
+          sarif_file: ${{ steps.grype-scan.outputs.sarif }}
       - name: Trivy Scanner
         uses: aquasecurity/trivy-action@master
         if: ${{ always() }}
         with:
-          image-ref: oryd/keto:${{ steps.vars.outputs.sha_short }}
+          image-ref: oryd/keto:${{ env.SHA_SHORT }}
           format: "table"
           exit-code: "42"
           ignore-unfixed: true
           vuln-type: "os,library"
           severity: "CRITICAL,HIGH"
+          scanners: "vuln,secret,config"
       - name: Dockle Linter
-        uses: erzz/[email protected].1
+        uses: erzz/[email protected].2
         if: ${{ always() }}
         with:
-          image: oryd/keto:${{ steps.vars.outputs.sha_short }}
+          image: oryd/keto:${{ env.SHA_SHORT }}
           exit-code: 42
-          failure-threshold: fatal
+          failure-threshold: high
+      - name: Hadolint
+        uses: hadolint/[email protected]
+        id: hadolint
+        if: ${{ always() }}
+        with:
+          dockerfile: .docker/Dockerfile-build
+          verbose: true
+          format: "json"
+          failure-threshold: "error"
+      - name: View Hadolint results
+        if: ${{ always() }}
+        shell: bash
+        run: |
+          echo "::group::Hadolint Scan Details"
+          echo "${HADOLINT_RESULTS}" | jq '.' 
+          echo "::endgroup::"
diff --git a/Makefile b/Makefile
@@ -1,7 +1,8 @@
 SHELL=/bin/bash -o pipefail
 
-export PWD := $(shell pwd)
-export PATH := ${PWD}/.bin:${PATH}
+export PWD				:= $(shell pwd)
+export PATH				:= ${PWD}/.bin:${PATH}
+export IMAGE_TAG	:= $(if $(IMAGE_TAG),$(IMAGE_TAG),latest)
 
 GO_DEPENDENCIES = golang.org/x/tools/cmd/goimports \
 				  github.com/mattn/goveralls \
@@ -56,7 +57,7 @@ install:
 
 .PHONY: docker
 docker:
-	docker build -t oryd/keto:latest -f .docker/Dockerfile-build .
+	DOCKER_BUILDKIT=1 DOCKER_CONTENT_TRUST=1 docker build --progress=plain -t oryd/keto:${IMAGE_TAG} -f .docker/Dockerfile-build .
 
 # Generates the SDKs
 .PHONY: sdk

diff --git a/go.mod b/go.mod
@@ -44,7 +44,7 @@ require (
 	golang.org/x/oauth2 v0.6.0
 	golang.org/x/sync v0.1.0
 	google.golang.org/grpc v1.53.0
-	google.golang.org/protobuf v1.29.0
+	google.golang.org/protobuf v1.30.0
 )
 
 require (
@@ -65,7 +65,7 @@ require (
 	github.com/davecgh/go-spew v1.1.1 // indirect
 	github.com/dgraph-io/ristretto v0.1.1 // indirect
 	github.com/docker/cli v20.10.23+incompatible // indirect
-	github.com/docker/distribution v2.8.1+incompatible // indirect
+	github.com/docker/distribution v2.8.2+incompatible // indirect
 	github.com/docker/docker v20.10.24+incompatible // indirect
 	github.com/docker/go-connections v0.4.0 // indirect
 	github.com/docker/go-units v0.5.0 // indirect

diff --git a/go.sum b/go.sum
@@ -148,8 +148,8 @@ github.com/dgryski/go-farm v0.0.0-20190423205320-6a90982ecee2/go.mod h1:SqUrOPUn
 github.com/dgryski/go-sip13 v0.0.0-20181026042036-e10d5fee7954/go.mod h1:vAd38F8PWV+bWy6jNmig1y/TA+kYO4g3RSRF0IAv0no=
 github.com/docker/cli v20.10.23+incompatible h1:qwyha/T3rXk9lfuVcn533cKFc7n/6IzL5GXVAgMVPBg=
 github.com/docker/cli v20.10.23+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8=
-github.com/docker/distribution v2.8.1+incompatible h1:Q50tZOPR6T/hjNsyc9g8/syEs6bk8XXApsHjKukMl68=
-github.com/docker/distribution v2.8.1+incompatible/go.mod h1:J2gT2udsDAN96Uj4KfcMRqY0/ypR+oyYUYmja8H+y+w=
+github.com/docker/distribution v2.8.2+incompatible h1:T3de5rq0dB1j30rp0sA2rER+m322EBzniBPB6ZIzuh8=
+github.com/docker/distribution v2.8.2+incompatible/go.mod h1:J2gT2udsDAN96Uj4KfcMRqY0/ypR+oyYUYmja8H+y+w=
 github.com/docker/docker v20.10.24+incompatible h1:Ugvxm7a8+Gz6vqQYQQ2W7GYq5EUPaAiuPgIfVyI3dYE=
 github.com/docker/docker v20.10.24+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk=
 github.com/docker/go-connections v0.4.0 h1:El9xVISelRB7BuFusrZozjnkIM5YnzCViNKohAFqRJQ=
@@ -1323,8 +1323,8 @@ google.golang.org/protobuf v1.25.0/go.mod h1:9JNX74DMeImyA3h4bdi1ymwjUzf21/xIlba
 google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp09yW+WbY/TyQbw=
 google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc=
 google.golang.org/protobuf v1.27.1/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc=
-google.golang.org/protobuf v1.29.0 h1:44S3JjaKmLEE4YIkjzexaP+NzZsudE3Zin5Njn/pYX0=
-google.golang.org/protobuf v1.29.0/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I=
+google.golang.org/protobuf v1.30.0 h1:kPPoIgf3TsEvrm0PFe15JQ+570QVxYzEvvHqChK+cng=
+google.golang.org/protobuf v1.30.0/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I=
 gopkg.in/alecthomas/kingpin.v2 v2.2.6/go.mod h1:FMv+mEhP44yOT+4EoQTLFTRgOQ1FBLkstjWtayDeSgw=
 gopkg.in/asn1-ber.v1 v1.0.0-20181015200546-f715ec2f112d/go.mod h1:cuepJuh7vyXfUyUwEgHQXw849cJrilpS5NeIjOWESAw=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=