Issue 6078 - Scan Docker images for vulnerabilities

.github/workflows/docker-cli-image.yaml

@@ -27,6 +27,8 @@ on:
 
 env:
   DEPENDENCIES_IMAGE: localhost:5000/sleeper-dependencies:current
+  TEMP_IMAGE: localhost:5000/sleeper-temp:current
+  TRIVY_IGNOREFILE: code-style/.trivyignore.cli.yaml
 
 jobs:
   build:
@@ -87,15 +89,31 @@ jobs:
         uses: docker/build-push-action@v4
         with:
           context: ${{ inputs.context }}
-          push: ${{ inputs.pushImages }}
+          push: true
           sbom: false
           provenance: false
-          tags: ${{ inputs.pushTag }}
+          tags: ${{ env.TEMP_IMAGE }}
           platforms: ${{ inputs.platforms }}
           build-args: DEPENDENCIES_IMAGE=${{ env.DEPENDENCIES_IMAGE }}
           labels: |
             git-commit=${{ github.sha }}
             build-url=${{ inputs.buildUrl }}
+      - name: Pull image from registry
+        run: docker pull ${{ env.TEMP_IMAGE }}
+      - name: Run Trivy vulnerability scanner
+        uses: aquasecurity/trivy-action@0.33.1
+        with:
+          image-ref: ${{ env.TEMP_IMAGE }}
+          format: 'table'
+          exit-code: '1'
+          ignore-unfixed: true
+          version: latest
+      - name: Retag image for GitHub
+        if: ${{ inputs.pushImages }}
+        run: docker tag ${{ env.TEMP_IMAGE }} ${{ inputs.pushTag }}
+      - name: Push image to GitHub
+        if: ${{ inputs.pushImages }}
+        run: docker push ${{ inputs.pushTag }}
       - name: Delete old images
         if: ${{ inputs.pushImages }}
         working-directory: ./java/build

.github/workflows/docker-cli.yaml

@@ -10,6 +10,7 @@ env:
   DOCKER_PLATFORMS: linux/amd64,linux/arm64/v8
   DEPENDENCIES_IMAGE: localhost:5000/sleeper-dependencies:current
   BUILD_URL: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}
+  TRIVY_IGNOREFILE: code-style/.trivyignore.cli.yaml
 
 jobs:
   setup:
@@ -49,6 +50,14 @@ jobs:
             build-url=${{ env.BUILD_URL }}
       - name: Pull dependencies image from registry
         run: docker pull ${{ env.DEPENDENCIES_IMAGE }}
+      - name: Run Trivy vulnerability scanner
+        uses: aquasecurity/trivy-action@0.33.1
+        with:
+          image-ref: ${{ env.DEPENDENCIES_IMAGE }}
+          format: 'table'
+          exit-code: '1'
+          ignore-unfixed: true
+          version: latest
       - name: Save dependencies image to tarball
         run: docker save ${{ env.DEPENDENCIES_IMAGE }} --output /tmp/dependencies-image.tar
       - name: Upload dependencies image as artifact

.github/workflows/docker-image-nightly.yaml

@@ -0,0 +1,104 @@
+name: Nightly Docker Image Tests
+on:
+  workflow_dispatch: # Allow manual running to refresh/check cache
+  schedule:
+    - cron: '0 2 * * *'
+  pull_request:
+    paths:
+      - '.github/workflows/docker-image-nightly.yaml'
+      - '.github/workflows/docker-image-test.yaml'
+
+jobs:
+  ingest:
+    uses: ./.github/workflows/docker-image-test.yaml
+    with:
+      imageName: ingest
+  bulk-import-runner:
+    uses: ./.github/workflows/docker-image-test.yaml
+    with:
+      imageName: bulk-import-runner
+  compaction-job-execution:
+    uses: ./.github/workflows/docker-image-test.yaml
+    with:
+      imageName: compaction-job-execution
+      testClassNames: CompactionTaskDockerImageST
+  bulk-export-task-execution:
+    uses: ./.github/workflows/docker-image-test.yaml
+    with:
+      imageName: bulk-export-task-execution
+  athena-lambda:
+    uses: ./.github/workflows/docker-image-test.yaml
+    with:
+      imageName: athena-lambda
+      isLambda: true
+  bulk-import-starter-lambda:
+    uses: ./.github/workflows/docker-image-test.yaml
+    with:
+      imageName: bulk-import-starter-lambda
+      isLambda: true
+  bulk-export-planner:
+    uses: ./.github/workflows/docker-image-test.yaml
+    with:
+      imageName: bulk-export-planner
+      isLambda: true
+  bulk-export-task-creator:
+    uses: ./.github/workflows/docker-image-test.yaml
+    with:
+      imageName: bulk-export-task-creator
+      isLambda: true
+  ingest-task-creator-lambda:
+    uses: ./.github/workflows/docker-image-test.yaml
+    with:
+      imageName: ingest-task-creator-lambda
+      isLambda: true
+  ingest-batcher-submitter-lambda:
+    uses: ./.github/workflows/docker-image-test.yaml
+    with:
+      imageName: ingest-batcher-submitter-lambda
+      isLambda: true
+  ingest-batcher-job-creator-lambda:
+    uses: ./.github/workflows/docker-image-test.yaml
+    with:
+      imageName: ingest-batcher-job-creator-lambda
+      isLambda: true
+  garbage-collector-lambda:
+    uses: ./.github/workflows/docker-image-test.yaml
+    with:
+      imageName: garbage-collector-lambda
+      isLambda: true
+  compaction-job-creator-lambda:
+    uses: ./.github/workflows/docker-image-test.yaml
+    with:
+      imageName: compaction-job-creator-lambda
+      isLambda: true
+  compaction-task-creator-lambda:
+    uses: ./.github/workflows/docker-image-test.yaml
+    with:
+      imageName: compaction-task-creator-lambda
+      isLambda: true
+  partition-splitter-lambda:
+    uses: ./.github/workflows/docker-image-test.yaml
+    with:
+      imageName: partition-splitter-lambda
+      isLambda: true
+  query-lambda:
+    uses: ./.github/workflows/docker-image-test.yaml
+    with:
+      imageName: query-lambda
+      isLambda: true
+      testClassNames: QueryLambdaDockerImageST
+  custom-resources-lambda:
+    uses: ./.github/workflows/docker-image-test.yaml
+    with:
+      imageName: custom-resources-lambda
+      isLambda: true
+  metrics-lambda:
+    uses: ./.github/workflows/docker-image-test.yaml
+    with:
+      imageName: metrics-lambda
+      isLambda: true
+  statestore-lambda:
+    uses: ./.github/workflows/docker-image-test.yaml
+    with:
+      imageName: statestore-lambda
+      isLambda: true

.github/workflows/docker-image-test.yaml

@@ -9,14 +9,15 @@ on:
         required: false
         type: boolean
       testClassNames:
-        required: true
+        required: false
         type: string
 
 env:
   RUST_BUILD_IMAGE_X86_64: "ghcr.io/gchq/sleeper-rust-builder-x86_64-sccache:latest"
   RUST_BUILD_IMAGE_AARCH64: "ghcr.io/gchq/sleeper-rust-builder-aarch64-sccache:latest"
   SCCACHE_GHA_ENABLED: "true"
   SSCACHE_CACHE_SIZE: "2G"
+  TRIVY_IGNOREFILE: code-style/.trivyignore.yaml
 
 jobs:
   build:
@@ -63,4 +64,13 @@ jobs:
         run: ./scripts/dev/buildDockerImage.sh ${{ inputs.imageName }} ${{ inputs.imageName }}:test --lambda=${{ inputs.isLambda }}
       - name: Docker image tests
         working-directory: ./java
+        if: ${{ inputs.testClassNames != '' }}
         run: mvn verify -PsystemTest -DskipRust=true -pl clients "-DrunIT=${{ inputs.testClassNames }}" -Dmaven.repo.local=${{ runner.temp }}/.m2/repository
+      - name: Run Trivy vulnerability scanner
+        uses: aquasecurity/trivy-action@0.33.1
+        with:
+          image-ref: '${{ inputs.imageName }}:test'
+          format: 'table'
+          exit-code: '1'
+          ignore-unfixed: true
+          version: latest

NOTICES

@@ -653,3 +653,6 @@ docker/build-push-action (https://github.com/marketplace/actions/build-and-push-
 
 - Apache License, Version 2.0
 
+aquasecurity/trivy-action (https://github.com/marketplace/actions/aqua-security-trivy)
+
+- Apache License, Version 2.0

code-style/.trivyignore.cli.yaml

@@ -0,0 +1,8 @@
+
+secrets:
+  - id: private-key
+    paths:
+      - "/etc/ssl/private/ssl-cert-snakeoil.key"
+    statement: |
+      A private key incorrectly included in the CLI dependencies Docker image.
+      See issue https://github.com/gchq/sleeper/issues/6213.

code-style/.trivyignore.yaml

@@ -0,0 +1,13 @@
+
+vulnerabilities:
+  - id: CVE-2024-6763
+    statement: |
+      A test dependency incorrectly included in the jar by Maven. See issue https://github.com/gchq/sleeper/issues/6108.
+  - id: CVE-2025-61729
+    statement: |
+      The AWS Lambda Runtime Interface Emulator is built on an older version of Go with vulnerabilities.
+      See issue https://github.com/gchq/sleeper/issues/6214.
+  - id: CVE-2025-61727
+    statement: |
+      The AWS Lambda Runtime Interface Emulator is built on an older version of Go with vulnerabilities.
+      See issue https://github.com/gchq/sleeper/issues/6214.

scripts/cli/builder/Dockerfile

@@ -33,6 +33,14 @@ RUN apt-get update && apt-get install -y \
     lsb-release wget software-properties-common gnupg \
     && rm -rf /var/lib/apt/lists/*
 
+# Install Trivy for vulnerability scanning
+RUN curl -fsSL https://aquasecurity.github.io/trivy-repo/deb/public.key | gpg --dearmor --yes -o /etc/apt/keyrings/trivy.gpg
+RUN echo "deb [signed-by=/etc/apt/keyrings/trivy.gpg] https://aquasecurity.github.io/trivy-repo/deb generic main"  \
+    | tee /etc/apt/sources.list.d/trivy.list > /dev/null
+RUN apt-get update && apt-get install -y \
+    trivy \
+    && rm -rf /var/lib/apt/lists/*
+
 # Install Clang 20
 RUN wget -qO- https://apt.llvm.org/llvm.sh | bash -s -- 20 \
     && rm -rf /var/lib/apt/lists/*

scripts/cli/runInDocker.sh

@@ -46,6 +46,7 @@ run_in_docker() {
     -v /var/run/docker.sock:/var/run/docker.sock
     -v "$HOME/.aws:$HOME_IN_IMAGE/.aws"
     -v "$HOME/.ssh:$HOME_IN_IMAGE/.ssh"
+    -v "$HOME/.cache:$HOME_IN_IMAGE/.cache"
     -e "IN_CLI_CONTAINER=true"
     -e AWS_ACCESS_KEY_ID
     -e AWS_SECRET_ACCESS_KEY

scripts/dev/trivy.sh

@@ -1,3 +1,3 @@
 #!/usr/bin/env bash
 
-docker run -v $HOME/.trivy/cache:/root/.cache -v /var/run/docker.sock/:/var/run/docker.sock aquasec/trivy "$@"
+docker run -v $HOME/.cache/trivy:/root/.cache -v /var/run/docker.sock/:/var/run/docker.sock aquasec/trivy "$@"