From c617bcc08805622e6997a0b9fd25aea4334a4df8 Mon Sep 17 00:00:00 2001 From: saisatishkarra Date: Thu, 9 Feb 2023 18:39:55 -0600 Subject: [PATCH 1/2] =?UTF-8?q?(feat/container-scanning):=20Integrate=20co?= =?UTF-8?q?ntainer=20and=20cve=20scanning=20post=20=E2=80=A6=20(#10272)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * (feat/container-scanning): Integrate container and cve scanning post publishing * build/ENGEN-844 review (#10273) * chore(gha): cleanup trailing whitespace * chore(gha): simplify release scan image as ENV * chore(gha): simplify release scan logic * fix(gha): release scan IMAGE context * chore(gha): fix scan manifest output redirection --------- Co-authored-by: Isa Farnik --- .github/matrix-commitly.yml | 2 - .github/matrix-full.yml | 6 -- .github/workflows/release.yml | 100 +++++++++++++++++++++++----------- 3 files changed, 68 insertions(+), 40 deletions(-) diff --git a/.github/matrix-commitly.yml b/.github/matrix-commitly.yml index 4b8db419512..22ce53b4445 100644 --- a/.github/matrix-commitly.yml +++ b/.github/matrix-commitly.yml @@ -14,8 +14,6 @@ build-images: smoke-tests: - label: ubuntu -scan-vulnerabilities: - release-packages: release-images: diff --git a/.github/matrix-full.yml b/.github/matrix-full.yml index 7a4594d1d3b..7e38754ab25 100644 --- a/.github/matrix-full.yml +++ b/.github/matrix-full.yml @@ -102,12 +102,6 @@ smoke-tests: - label: rhel - label: alpine -scan-vulnerabilities: -- label: ubuntu -- label: debian -- label: rhel -- label: alpine - release-packages: # Ubuntu - label: ubuntu-18.04 diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index fdf49e3d3ed..5bbeed1517a 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml 
@@ -151,7 +151,7 @@ jobs: if: matrix.package == 'deb' && steps.cache-deps.outputs.cache-hit != 'true' run: | sudo apt-get update && sudo apt-get install libyaml-dev -y - + - name: Install Ubuntu Cross Build Dependencies (arm64) if: matrix.package == 'deb' && steps.cache-deps.outputs.cache-hit != 'true' && endsWith(matrix.label, 'arm64') run: | 
@@ -323,9 +323,73 @@ jobs: Docker image available `${{ needs.metadata.outputs.prerelease-docker-repository }}:${{ github.sha }}` Artifacts available https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }} + scan: + name: Scan - ${{ matrix.label }} + needs: [metadata, build-images] + runs-on: ubuntu-22.04 + if: |- + always() + && fromJSON(needs.metadata.outputs.matrix)['build-images'] != '' + && needs.build-images.result == 'success' + && (github.event_name != 'pull_request' || (github.event.pull_request.head.repo.full_name == github.repository && github.actor != 'dependabot[bot]')) + strategy: + fail-fast: false + matrix: + include: "${{ fromJSON(needs.metadata.outputs.matrix)['build-images'] }}" + env: + IMAGE: ${{ needs.metadata.outputs.prerelease-docker-repository }}:${{ github.sha }}-${{ matrix.label }} + steps: + - name: Install regctl + uses: regclient/actions/regctl-installer@main + + - name: Login to Docker Hub + if: ${{ env.HAS_ACCESS_TO_GITHUB_TOKEN }} + uses: docker/login-action@bc135a1993a1d0db3e9debefa0cfcb70443cc94c + with: + username: ${{ secrets.GHA_DOCKERHUB_PUSH_USER }} + password: ${{ secrets.GHA_KONG_ORG_DOCKERHUB_PUSH_TOKEN }} + + # TODO: Refactor matrix file to support and parse platforms specific to distro + # Workaround: Look for specific amd64 and arm64 hardcooded architectures + - name: Parse Architecture Specific Image Manifest Digests + id: image_manifest_metadata + run: | + manifest_list_exists="$( + if regctl manifest get "${IMAGE}" --format raw-body --require-list -v panic &> /dev/null; then + echo true + else + echo false + fi + )" + echo "manifest_list_exists=$manifest_list_exists" + echo "manifest_list_exists=$manifest_list_exists" >> $GITHUB_OUTPUT + + amd64_sha="$(regctl image digest "${IMAGE}" --platform linux/amd64 || echo '')" + arm64_sha="$(regctl image digest "${IMAGE}" --platform linux/arm64 || echo '')" + echo "amd64_sha=$amd64_sha" + echo "amd64_sha=$amd64_sha" >> $GITHUB_OUTPUT + echo 
"arm64_sha=$arm64_sha" + echo "arm64_sha=$arm64_sha" >> $GITHUB_OUTPUT + + - name: Scan AMD64 Image digest + id: sbom_action_amd64 + if: steps.image_manifest_metadata.outputs.amd64_sha != '' + uses: Kong/public-shared-actions/security-actions/scan-docker-image@b2e4a29d30382e1cceeda8df1e8b8bee65bef39b + with: + asset_prefix: kong-${{ github.sha }}-${{ matrix.label }}-linux-amd64 + image: ${{env.IMAGE}}@${{ steps.image_manifest_metadata.outputs.amd64_sha }} + + - name: Scan ARM64 Image digest + if: steps.image_manifest_metadata.outputs.manifest_list_exists == 'true' && steps.image_manifest_metadata.outputs.arm64_sha != '' + id: sbom_action_arm64 + uses: Kong/public-shared-actions/security-actions/scan-docker-image@b2e4a29d30382e1cceeda8df1e8b8bee65bef39b + with: + asset_prefix: kong-${{ github.sha }}-${{ matrix.label }}-linux-arm64 + image: ${{env.IMAGE}}@${{ steps.image_manifest_metadata.outputs.arm64_sha }} + smoke-tests: name: Smoke Tests - ${{ matrix.label }} - needs: [metadata, build-images] + needs: [metadata, build-images, scan] runs-on: ubuntu-22.04 if: |- fromJSON(needs.metadata.outputs.matrix)['smoke-tests'] != '' 
@@ -381,37 +445,9 @@ jobs: - name: Smoke Tests - Admin API run: build/tests/01-admin-api.sh - scan-vulnerabilities: - name: Scan Vulnerabilities - ${{ matrix.label }} - needs: [metadata, build-images] - runs-on: ubuntu-22.04 - if: |- - fromJSON(needs.metadata.outputs.matrix)['scan-vulnerabilities'] != '' - && (github.event_name != 'pull_request' || (github.event.pull_request.head.repo.full_name == github.repository && github.actor != 'dependabot[bot]')) - - strategy: - # runs all jobs sequentially - max-parallel: 1 - fail-fast: false - matrix: - include: "${{ fromJSON(needs.metadata.outputs.matrix)['scan-vulnerabilities'] }}" - - steps: - - name: Checkout code - uses: actions/checkout@v3 - - - name: Run Trivy vulnerability scanner - uses: aquasecurity/trivy-action@9ab158e8597f3b310480b9a69402b419bc03dbd5 # v0.8.0 - env: - TRIVY_USERNAME: ${{ secrets.GHA_DOCKERHUB_PUSH_USER }} - TRIVY_PASSWORD: ${{ secrets.GHA_KONG_ORG_DOCKERHUB_PUSH_TOKEN }} - with: - image-ref: ${{ env.PRERELEASE_DOCKER_REPOSITORY }}:${{ github.sha }}-${{ matrix.label }} - severity: 'CRITICAL,HIGH' - release-packages: name: Release Packages - ${{ matrix.label }} - ${{ needs.metadata.outputs.release-desc }} - needs: [metadata, build-packages, build-images, smoke-tests] + needs: [metadata, build-packages, scan, smoke-tests] runs-on: ubuntu-22.04 if: fromJSON(needs.metadata.outputs.matrix)['release-packages'] != '' timeout-minutes: 5 # PULP takes a while to publish @@ -450,7 +486,7 @@ jobs: release-images: name: Release Images - ${{ matrix.label }} - ${{ needs.metadata.outputs.release-desc }} - needs: [metadata, build-images, smoke-tests] + needs: [metadata, build-images, scan, smoke-tests] runs-on: ubuntu-22.04 strategy: From e407ed90ebe18af5ad1d0eede0fd21fb9c5dba6b Mon Sep 17 00:00:00 2001 
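Review bot: The removed Trivy step carried an explicit gate, `severity: 'CRITICAL,HIGH'`, but the `scan` job that replaces it in `release-packages`' `needs:` passes only `asset_prefix` and `image` to `scan-docker-image`, so after this hunk the workflow no longer records which finding severity, if any, blocks publication; whether the shared action fails the job by default is not visible in this diff. A comment on the changed `needs:` line would keep the policy readable, e.g. `# scan (Kong/public-shared-actions scan-docker-image) must succeed before packages are published; severity policy lives in that action`, or an explicit severity input if the action exposes one. The same `needs:` change is made for `release-images` in the following hunk.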
From: saisatish karra Date: Mon, 13 Feb 2023 16:44:52 -0600 Subject: [PATCH 2/2] fix(cd): remove container scan dependency --- .github/matrix-commitly.yml | 3 +++ .github/matrix-full.yml | 6 ++++++ .github/workflows/release.yml | 10 +++++----- 3 files changed, 14 insertions(+), 5 deletions(-) diff --git a/.github/matrix-commitly.yml b/.github/matrix-commitly.yml index 22ce53b4445..ca0328973cb 100644 --- a/.github/matrix-commitly.yml +++ b/.github/matrix-commitly.yml @@ -14,6 +14,9 @@ build-images: smoke-tests: - label: ubuntu +scan-vulnerabilities: +- label: ubuntu + release-packages: release-images: diff --git a/.github/matrix-full.yml b/.github/matrix-full.yml index 7e38754ab25..7a4594d1d3b 100644 --- a/.github/matrix-full.yml +++ b/.github/matrix-full.yml @@ -102,6 +102,12 @@ smoke-tests: - label: rhel - label: alpine +scan-vulnerabilities: +- label: ubuntu +- label: debian +- label: rhel +- label: alpine + release-packages: # Ubuntu - label: ubuntu-18.04 diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 5bbeed1517a..7c0fa9b3c16 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -329,13 +329,13 @@ jobs: runs-on: ubuntu-22.04 if: |- always() - && fromJSON(needs.metadata.outputs.matrix)['build-images'] != '' + && fromJSON(needs.metadata.outputs.matrix)['scan-vulnerabilities'] != '' && needs.build-images.result == 'success' && (github.event_name != 'pull_request' || (github.event.pull_request.head.repo.full_name == github.repository && github.actor != 'dependabot[bot]')) strategy: fail-fast: false matrix: - include: "${{ fromJSON(needs.metadata.outputs.matrix)['build-images'] }}" + include: "${{ fromJSON(needs.metadata.outputs.matrix)['scan-vulnerabilities'] }}" env: IMAGE: ${{ needs.metadata.outputs.prerelease-docker-repository }}:${{ github.sha }}-${{ matrix.label }} steps: 
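Review bot: The scan job's `env.IMAGE` is still derived from `matrix.label` while the matrix now comes from `scan-vulnerabilities` instead of `build-images`, so every label re-added under `scan-vulnerabilities` in `matrix-full.yml` and `matrix-commitly.yml` must match a `build-images` label exactly; otherwise `regctl image digest` has no `<prerelease-repo>:<sha>-<label>` tag to resolve and, through the `|| echo ''` fallback in the digest-lookup step added by patch 1/2, the scan is silently skipped rather than failed. Nothing ties the two lists together and the `build-images` lists are not in this diff, so I cannot confirm they agree; a comment on the re-added key in both matrix files, `# labels must mirror build-images: scan resolves <prerelease-repo>:<sha>-<label>`, would make the coupling visible to the next person editing either list.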
@@ -389,7 +389,7 @@ jobs: smoke-tests: name: Smoke Tests - ${{ matrix.label }} - needs: [metadata, build-images, scan] + needs: [metadata, build-images] runs-on: ubuntu-22.04 if: |- fromJSON(needs.metadata.outputs.matrix)['smoke-tests'] != '' @@ -447,7 +447,7 @@ jobs: release-packages: name: Release Packages - ${{ matrix.label }} - ${{ needs.metadata.outputs.release-desc }} - needs: [metadata, build-packages, scan, smoke-tests] + needs: [metadata, build-packages, build-images, smoke-tests] runs-on: ubuntu-22.04 if: fromJSON(needs.metadata.outputs.matrix)['release-packages'] != '' timeout-minutes: 5 # PULP takes a while to publish @@ -486,7 +486,7 @@ jobs: release-images: name: Release Images - ${{ matrix.label }} - ${{ needs.metadata.outputs.release-desc }} - needs: [metadata, build-images, scan, smoke-tests] + needs: [metadata, build-images, smoke-tests] runs-on: ubuntu-22.04 strategy:
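Review bot: Dropping `scan` from `needs:` here, and in the `release-packages` and `release-images` hunks that follow, makes the image scan advisory only: a failing `scan` job no longer prevents the same image from being published, so the run shows a red job after the artifacts are already out. If non-blocking is the intent of this fix (for example to keep scanner outages from holding a release), record it where a reader will look, with a comment above the scan job's `if:` such as `# informational: scan results do not gate release-packages / release-images`; the scan job's definition is outside this hunk. If only `smoke-tests` needed decoupling, keeping `scan` in the two release jobs' `needs:` lists would preserve the publication gate without blocking the smoke tests.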