Ci: Scheduled Trivy Scans of Eraser Images (#858)

Signed-off-by: Fabian Gonzalez <fabiangonz98@gmail.com>

.github/workflows/README.md

@@ -0,0 +1,21 @@
+# GitHub Workflows
+
+This directory contains all of our workflows used in our GitHub CI/CD pipeline.
+
+## Descriptions
+
+### [Scan Images for Vulnerabilities (Trivy)](scan-images.yaml)
+Our images are scheduled to be scanned for vulnerabilities using Trivy every Monday at 07:00 UTC.
+
+#### Weekly Scans
+By default, our images are built from the `main` branch, and any vulnerabilities caught are published in the [Github Security tab](https://github.com/eraser-dev/eraser/security).
+
+#### Dispatching a Scan
+We can do a manual dispatch of the workflow and specify the released version to scan, e.g. `v1.3.0-beta.0`. If left blank, the image will be built off of the branch the workflow is dispatched from.
+
+If we want to publish those results to our [Github Security tab](https://github.com/eraser-dev/eraser/security), we need to toggle the `upload-results` input to `true`.
+
+#### Scan Results
+The scan results are automatically stored in the run artifacts. Those can be accessed by going into the workflow run, and under the run's **Summary** there is an **Artifacts** section storing all the images' scan results.
+
+If the `upload-results` input is set to `true`, any vulnerabilities found will be published in the [Github Security tab](https://github.com/eraser-dev/eraser/security).

.github/workflows/scan-images.yaml

@@ -0,0 +1,93 @@
+name: Scan Images for Vulnerabilities (Trivy)
+run-name: Scan ${{ inputs.version == '' && github.ref_name || inputs.version }} images for vulnerabilities ${{ github.event_name == 'schedule' && '(scheduled)' || '' }}
+on:
+ schedule:
+ - cron: "0 7 * * 1" # Run every Monday at 7:00 AM UTC
+ workflow_dispatch:
+ inputs:
+ version:
+ description: "Version of Eraser to run Trivy scans against. Leave empty to scan images built from the branch the action is running against."
+ type: string
+ required: false
+ default: ""
+ upload-results:
+ description: "Upload results to Github Security?"
+ type: boolean
+ required: true
+ default: false
+
+permissions: read-all
+
+env:
+ # Scanning released versions require the project `eraser-dev` as part of the registry name.
+ REGISTRY: ghcr.io/${{ github.event.inputs.version == '' && 'eraser-test' || 'eraser-dev' }}
+ TAG: ${{ github.event.inputs.version == '' && 'test' || github.event.inputs.version }}
+
+jobs:
+ scan_vulnerabilities:
+ name: Scan ${{ matrix.data.image }} for vulnerabilities
+ runs-on: ubuntu-latest
+ timeout-minutes: 15
+ strategy:
+ matrix:
+ data:
+ - {image: remover, build_cmd: docker-build-remover, repo_environment_var: REMOVER_REPO}
+ - {image: eraser-manager, build_cmd: docker-build-manager, repo_environment_var: MANAGER_REPO}
+ - {image: collector, build_cmd: docker-build-collector, repo_environment_var: COLLECTOR_REPO}
+ - {image: eraser-trivy-scanner, build_cmd: docker-build-trivy-scanner, repo_environment_var: TRIVY_SCANNER_REPO}
+ steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@8ca2b8b2ece13480cda6dacd3511b49857a23c09 # v2.5.1
+ with:
+ egress-policy: audit
+
+ - name: Check out code
+ if: github.event_name == 'schedule' || github.event.inputs.version == ''
+ uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
+
+ - name: Build image
+ if: github.event_name == 'schedule' || github.event.inputs.version == ''
+ run: |
+ make ${{ matrix.data.build_cmd }} VERSION=${{ env.TAG }} ${{ matrix.data.repo_environment_var }}=${{ env.REGISTRY }}/${{ matrix.data.image }}
+
+ - name: Scan for vulnerabilities
+ uses: aquasecurity/trivy-action@fbd16365eb88e12433951383f5e99bd901fc618f # 0.12.0
+ with:
+ image-ref: ${{ env.REGISTRY }}/${{ matrix.data.image }}:${{ env.TAG }}
+ vuln-type: 'os,library'
+ ignore-unfixed: true
+ format: 'sarif'
+ output: ${{ matrix.data.image }}-results.sarif
+
+ - uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
+ with:
+ name: ${{ matrix.data.image }} Scan Results
+ path: ${{ matrix.data.image }}-results.sarif
+
+ upload_vulnerabilities:
+ name: Upload ${{ matrix.image }} results to GitHub Security
+ runs-on: ubuntu-latest
+ needs: scan_vulnerabilities
+ if: github.event_name == 'schedule' || (github.event_name == 'workflow_dispatch' && github.event.inputs.upload-results == 'true')
+ permissions:
+ actions: read
+ contents: read
+ security-events: write
+ strategy:
+ matrix:
+ image: [remover, eraser-manager, collector, eraser-trivy-scanner]
+ steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@8ca2b8b2ece13480cda6dacd3511b49857a23c09 # v2.5.1
+ with:
+ egress-policy: audit
+
+ - uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
+ with:
+ name: ${{ matrix.image }} Scan Results
+ path: ${{ matrix.image }}-results.sarif
+
+ - name: Upload results to GitHub Security
+ uses: github/codeql-action/upload-sarif@798e74c57dbcad53929892efdf30dfafe12c8c37 # v2.14.4
+ with:
+ sarif_file: ${{ matrix.image }}-results.sarif

Dockerfile

@@ -1,7 +1,7 @@
 # syntax=docker/dockerfile:1.6
 
 ARG BUILDERIMAGE="golang:1.20-bullseye"
-ARG TRIVY_BINARY_IMG="ghcr.io/aquasecurity/trivy:0.44.0"
+ARG TRIVY_BINARY_IMG="ghcr.io/aquasecurity/trivy:0.45.1"
 ARG STATICBASEIMAGE="gcr.io/distroless/static:latest"
 ARG STATICNONROOTBASEIMAGE="gcr.io/distroless/static:nonroot"
 ARG BUILDKIT_SBOM_SCAN_STAGE=builder,manager-build,collector-build,remover-build,trivy-scanner-build

Makefile

@@ -9,7 +9,7 @@ REMOVER_TAG ?= ${VERSION}
 TRIVY_SCANNER_REPO ?= ghcr.io/eraser-dev/eraser-trivy-scanner
 TRIVY_SCANNER_IMG ?= ${TRIVY_SCANNER_REPO}:${TRIVY_SCANNER_TAG}
 TRIVY_BINARY_REPO ?= ghcr.io/aquasecurity/trivy
-TRIVY_BINARY_TAG ?= 0.43.0
+TRIVY_BINARY_TAG ?= 0.45.1
 TRIVY_BINARY_IMG ?= ${TRIVY_BINARY_REPO}:${TRIVY_BINARY_TAG}
 MANAGER_REPO ?= ghcr.io/eraser-dev/eraser-manager
 MANAGER_IMG ?= ${MANAGER_REPO}:${MANAGER_TAG}