From a16654df03ae0a73224e49b27341d1dfaca2d66e Mon Sep 17 00:00:00 2001
From: Andreas Bucksteeg
Date: Mon, 18 Nov 2024 16:59:42 +0100
Subject: [PATCH 1/3] feat: updated cve-scan workflow, address ratelimiting for Trivy
---
.github/workflows/cve-scan-old.yaml | 94 +++++++++++++++++++++++++++++
.github/workflows/cve-scan.yaml | 87 +++++++++++++++++++-------
2 files changed, 159 insertions(+), 22 deletions(-)
create mode 100644 .github/workflows/cve-scan-old.yaml
diff --git a/.github/workflows/cve-scan-old.yaml b/.github/workflows/cve-scan-old.yaml
new file mode 100644
index 000000000..ea1fe8df7
--- /dev/null
+++ b/.github/workflows/cve-scan-old.yaml
@@ -0,0 +1,94 @@
+name: Docker Image Scanners
+on:
+ push:
+ branches:
+ - "master"
+ tags:
+ - "v*.*.*"
+ pull_request:
+ branches:
+ - "master"
+ merge_group:
+
+jobs:
+ scanners:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v3
+ - name: Setup Env
+ id: vars
+ shell: bash
+ run: |
+ echo "SHA_SHORT=$(git rev-parse --short HEAD)" >> "${GITHUB_ENV}"
+ - name: Set up QEMU
+ uses: docker/setup-qemu-action@v2
+ - name: Set up Docker Buildx
+ uses: docker/setup-buildx-action@v2
+ - name: Build images
+ shell: bash
+ run: |
+ IMAGE_TAG="${{ env.SHA_SHORT }}" make docker
+ - name: Anchore Scanner
+ uses: anchore/scan-action@v3
+ id: grype-scan
+ with:
+ image: oryd/keto:${{ env.SHA_SHORT }}
+ fail-build: true
+ severity-cutoff: high
+ add-cpes-if-none: true
+ - name: Inspect action SARIF report
+ shell: bash
+ if: ${{ always() }}
+ run: |
+ echo "::group::Anchore Scan Details"
+ jq '.runs[0].results' ${{ steps.grype-scan.outputs.sarif }}
+ echo "::endgroup::"
+ - name: Anchore upload scan SARIF report
+ if: always()
+ uses: github/codeql-action/upload-sarif@v2
+ with:
+ sarif_file: ${{ steps.grype-scan.outputs.sarif }}
+ # - name: Kubescape scanner
+ # uses: kubescape/github-action@main
+ # id: kubescape
+ # with:
+ # image: oryd/keto:${{ env.SHA_SHORT }}
+ # verbose: true
+ # format: pretty-printer
+ # # can't whitelist CVE yet: https://github.com/kubescape/kubescape/pull/1568
+ # severityThreshold: critical
+ - name: Trivy Scanner
+ uses: aquasecurity/trivy-action@master
+ if: ${{ always() }}
+ with:
+ image-ref: oryd/keto:${{ env.SHA_SHORT }}
+ format: "table"
+ exit-code: "42"
+ ignore-unfixed: true
+ vuln-type: "os,library"
+ severity: "CRITICAL,HIGH"
+ scanners: "vuln,secret,config"
+ - name: Dockle Linter
+ uses: erzz/dockle-action@v1.3.2
+ if: ${{ always() }}
+ with:
+ image: oryd/keto:${{ env.SHA_SHORT }}
+ exit-code: 42
+ failure-threshold: high
+ - name: Hadolint
+ uses: hadolint/hadolint-action@v3.1.0
+ id: hadolint
+ if: ${{ always() }}
+ with:
+ dockerfile: .docker/Dockerfile-build
+ verbose: true
+ format: "json"
+ failure-threshold: "error"
+ - name: View Hadolint results
+ if: ${{ always() }}
+ shell: bash
+ run: |
+ echo "::group::Hadolint Scan Details"
+ echo "${HADOLINT_RESULTS}" | jq '.'
+ echo "::endgroup::"
diff --git a/.github/workflows/cve-scan.yaml b/.github/workflows/cve-scan.yaml
index ea1fe8df7..4d3a4552c 100644
--- a/.github/workflows/cve-scan.yaml
+++ b/.github/workflows/cve-scan.yaml
@@ -1,5 +1,6 @@
 name: Docker Image Scanners
 on:
+ workflow_dispatch:
 push:
 branches:
 - "master"
@@ -8,32 +9,70 @@ on:
 pull_request:
 branches:
 - "master"
- merge_group:
+
+permissions:
+ contents: read
+ security-events: write
 
 jobs:
 scanners:
 runs-on: ubuntu-latest
 steps:
 - name: Checkout
- uses: actions/checkout@v3
+ uses: actions/checkout@v4
 - name: Setup Env
 id: vars
 shell: bash
 run: |
- echo "SHA_SHORT=$(git rev-parse --short HEAD)" >> "${GITHUB_ENV}"
+ # Store values in local variables
+ SHA_SHORT=$(git rev-parse --short HEAD)
+ REPO_NAME=${{ github.event.repository.name }}
+
+ # Append -sqlite to SHA_SHORT if repo is hydra
+ if [ "${REPO_NAME}" = "hydra" ]; then
+ echo "Repo is hydra, appending -sqlite to SHA_SHORT"
+ IMAGE_NAME="oryd/${REPO_NAME}:${SHA_SHORT}-sqlite"
+ else
+ echo "Repo is not hydra, using default IMAGE_NAME"
+ IMAGE_NAME="oryd/${REPO_NAME}:${SHA_SHORT}"
+ fi
+
+ # Output values for debugging
+ echo "Values to be set:"
+ echo "SHA_SHORT: ${SHA_SHORT}"
+ echo "REPO_NAME: ${REPO_NAME}"
+ echo "IMAGE_NAME: ${IMAGE_NAME}"
+
+ # Set GitHub Environment variables
+ echo "SHA_SHORT=${SHA_SHORT}" >> "${GITHUB_ENV}"
+ echo "IMAGE_NAME=${IMAGE_NAME}" >> "${GITHUB_ENV}"
 - name: Set up QEMU
- uses: docker/setup-qemu-action@v2
+ uses: docker/setup-qemu-action@v3
 - name: Set up Docker Buildx
- uses: docker/setup-buildx-action@v2
+ uses: docker/setup-buildx-action@v3
 - name: Build images
 shell: bash
 run: |
 IMAGE_TAG="${{ env.SHA_SHORT }}" make docker
+
+ - name: Login to GitHub Container Registry
+ uses: docker/login-action@v3
+ with:
+ registry: ghcr.io
+ username: ${{ github.actor }}
+ password: ${{ secrets.GITHUB_TOKEN }}
+
+ - name: Configure Trivy
+ run: |
+ mkdir -p $HOME/.cache/trivy
+ echo "TRIVY_USERNAME=${{ github.actor }}" >> $GITHUB_ENV
+ echo "TRIVY_PASSWORD=${{ secrets.GITHUB_TOKEN }}" >> $GITHUB_ENV
+
 - name: Anchore Scanner
- uses: anchore/scan-action@v3
+ uses: anchore/scan-action@v5
 id: grype-scan
 with:
- image: oryd/keto:${{ env.SHA_SHORT }}
+ image: ${{ env.IMAGE_NAME }}
 fail-build: true
 severity-cutoff: high
 add-cpes-if-none: true
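Review bot: The `Configure Trivy` step writes `TRIVY_PASSWORD=${{ secrets.GITHUB_TOKEN }}` into `$GITHUB_ENV`, which exports the token as an environment variable to every later step of the job, including the third-party scanner actions that follow (`kubescape/github-action@main`, `aquasecurity/trivy-action@master`, `erzz/dockle-action@v1`), when only the Trivy step needs it. Dropping the two `echo ... >> $GITHUB_ENV` lines and putting `TRIVY_USERNAME: ${{ github.actor }}` and `TRIVY_PASSWORD: ${{ secrets.GITHUB_TOKEN }}` under the Trivy step's `env:` (added in the next hunk) limits the credential to that step; the two lines are also inconsistent with the `Setup Env` step, which quotes `"${GITHUB_ENV}"`. The new `permissions:` block leaves `packages` at its implicit `none`, and pulling `trivy-db` from ghcr.io with `GITHUB_TOKEN` after `docker/login-action` will likely need `packages: read`, so confirm the authenticated pull works with the restricted token. `mkdir -p $HOME/.cache/trivy` has no cache step in this hunk that uses the directory, so either a cache action is missing or the line can go.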
@@ -46,34 +85,38 @@ jobs:
 echo "::endgroup::"
 - name: Anchore upload scan SARIF report
 if: always()
- uses: github/codeql-action/upload-sarif@v2
+ uses: github/codeql-action/upload-sarif@v3
 with:
 sarif_file: ${{ steps.grype-scan.outputs.sarif }}
- # - name: Kubescape scanner
- # uses: kubescape/github-action@main
- # id: kubescape
- # with:
- # image: oryd/keto:${{ env.SHA_SHORT }}
- # verbose: true
- # format: pretty-printer
- # # can't whitelist CVE yet: https://github.com/kubescape/kubescape/pull/1568
- # severityThreshold: critical
+ - name: Kubescape scanner
+ uses: kubescape/github-action@main
+ id: kubescape
+ with:
+ image: ${{ env.IMAGE_NAME }}
+ verbose: true
+ format: pretty-printer
+ # can't whitelist CVE yet: https://github.com/kubescape/kubescape/pull/1568
+ severityThreshold: critical
 - name: Trivy Scanner
 uses: aquasecurity/trivy-action@master
 if: ${{ always() }}
 with:
- image-ref: oryd/keto:${{ env.SHA_SHORT }}
+ image-ref: ${{ env.IMAGE_NAME }}
 format: "table"
 exit-code: "42"
 ignore-unfixed: true
 vuln-type: "os,library"
 severity: "CRITICAL,HIGH"
- scanners: "vuln,secret,config"
+ scanners: "vuln,secret,misconfig"
+ env:
+ TRIVY_SKIP_JAVA_DB_UPDATE: "true"
+ TRIVY_DISABLE_VEX_NOTICE: "true"
+
 - name: Dockle Linter
- uses: erzz/dockle-action@v1.3.2
+ uses: erzz/dockle-action@v1
 if: ${{ always() }}
 with:
- image: oryd/keto:${{ env.SHA_SHORT }}
+ image: ${{ env.IMAGE_NAME }}
 exit-code: 42
 failure-threshold: high
 - name: Hadolint
@@ -90,5 +133,5 @@ jobs:
 shell: bash
 run: |
 echo "::group::Hadolint Scan Details"
- echo "${HADOLINT_RESULTS}" | jq '.'
+ echo "${HADOLINT_RESULTS}" | jq '.'
 echo "::endgroup::"
From c8e5a13e8c53e79db6746e8e83cfb5bcca7a2f77 Mon Sep 17 00:00:00 2001
From: Andreas Bucksteeg
Date: Mon, 18 Nov 2024 17:07:30 +0100
Subject: [PATCH 2/3] chore: clean up
---
.github/workflows/cve-scan-old.yaml | 94 -----------------------------
1 file changed, 94 deletions(-)
delete mode 100644 .github/workflows/cve-scan-old.yaml
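Review bot: The re-enabled Kubescape step uses `kubescape/github-action@main`, a moving branch, so the scanner code changes outside this repository's control while running with the job's `security-events: write` token and the registry credentials the `Configure Trivy` step exported through `$GITHUB_ENV`; pin it to a release tag or full commit SHA, `uses: kubescape/github-action@<pinned-ref>` (placeholder). Unlike the Trivy, Dockle and Hadolint steps it carries no `if: ${{ always() }}`, so it is skipped whenever the Anchore step's `fail-build: true` fails the job, which looks unintended for a scanner meant to run alongside the others. `TRIVY_SKIP_JAVA_DB_UPDATE: "true"` skips the Java DB while `vuln-type: "os,library"` still asks for library findings; if the reason is that the scanned image ships no JVM artifacts, a comment such as `# image has no JVM artifacts; skipping the Java DB avoids an extra registry pull` would record that trade-off next to the setting.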
diff --git a/.github/workflows/cve-scan-old.yaml b/.github/workflows/cve-scan-old.yaml
deleted file mode 100644
index ea1fe8df7..000000000
--- a/.github/workflows/cve-scan-old.yaml
+++ /dev/null
@@ -1,94 +0,0 @@
-name: Docker Image Scanners
-on:
- push:
- branches:
- - "master"
- tags:
- - "v*.*.*"
- pull_request:
- branches:
- - "master"
- merge_group:
-
-jobs:
- scanners:
- runs-on: ubuntu-latest
- steps:
- - name: Checkout
- uses: actions/checkout@v3
- - name: Setup Env
- id: vars
- shell: bash
- run: |
- echo "SHA_SHORT=$(git rev-parse --short HEAD)" >> "${GITHUB_ENV}"
- - name: Set up QEMU
- uses: docker/setup-qemu-action@v2
- - name: Set up Docker Buildx
- uses: docker/setup-buildx-action@v2
- - name: Build images
- shell: bash
- run: |
- IMAGE_TAG="${{ env.SHA_SHORT }}" make docker
- - name: Anchore Scanner
- uses: anchore/scan-action@v3
- id: grype-scan
- with:
- image: oryd/keto:${{ env.SHA_SHORT }}
- fail-build: true
- severity-cutoff: high
- add-cpes-if-none: true
- - name: Inspect action SARIF report
- shell: bash
- if: ${{ always() }}
- run: |
- echo "::group::Anchore Scan Details"
- jq '.runs[0].results' ${{ steps.grype-scan.outputs.sarif }}
- echo "::endgroup::"
- - name: Anchore upload scan SARIF report
- if: always()
- uses: github/codeql-action/upload-sarif@v2
- with:
- sarif_file: ${{ steps.grype-scan.outputs.sarif }}
- # - name: Kubescape scanner
- # uses: kubescape/github-action@main
- # id: kubescape
- # with:
- # image: oryd/keto:${{ env.SHA_SHORT }}
- # verbose: true
- # format: pretty-printer
- # # can't whitelist CVE yet: https://github.com/kubescape/kubescape/pull/1568
- # severityThreshold: critical
- - name: Trivy Scanner
- uses: aquasecurity/trivy-action@master
- if: ${{ always() }}
- with:
- image-ref: oryd/keto:${{ env.SHA_SHORT }}
- format: "table"
- exit-code: "42"
- ignore-unfixed: true
- vuln-type: "os,library"
- severity: "CRITICAL,HIGH"
- scanners: "vuln,secret,config"
- - name: Dockle Linter
- uses: erzz/dockle-action@v1.3.2
- if: ${{ always() }}
- with:
- image: oryd/keto:${{ env.SHA_SHORT }}
- exit-code: 42
- failure-threshold: high
- - name: Hadolint
- uses: hadolint/hadolint-action@v3.1.0
- id: hadolint
- if: ${{ always() }}
- with:
- dockerfile: .docker/Dockerfile-build
- verbose: true
- format: "json"
- failure-threshold: "error"
- - name: View Hadolint results
- if: ${{ always() }}
- shell: bash
- run: |
- echo "::group::Hadolint Scan Details"
- echo "${HADOLINT_RESULTS}" | jq '.'
- echo "::endgroup::"
From aa2c5fd20bbbba71cee056690d246c1d0215b97f Mon Sep 17 00:00:00 2001
From: Andreas Bucksteeg
Date: Mon, 18 Nov 2024 17:23:39 +0100
Subject: [PATCH 3/3] chore: adding additional source
---
.github/workflows/cve-scan.yaml | 3 +++
1 file changed, 3 insertions(+)
diff --git a/.github/workflows/cve-scan.yaml b/.github/workflows/cve-scan.yaml
index 4d3a4552c..c65756004 100644
--- a/.github/workflows/cve-scan.yaml
+++ b/.github/workflows/cve-scan.yaml
@@ -111,6 +111,9 @@ jobs:
 env:
 TRIVY_SKIP_JAVA_DB_UPDATE: "true"
 TRIVY_DISABLE_VEX_NOTICE: "true"
+ TRIVY_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-db,public.ecr.aws/aquasecurity/trivy-db
+ + - name: Dockle Linter uses: erzz/dockle-action@v1