Vulnerability scan #134
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Vulnerability scan | |
| on: | |
| schedule: | |
| - cron: 45 5 * * * | |
| workflow_dispatch: | |
| env: | |
| REGISTRY: ghcr.io/${{ github.repository_owner }}/bootc | |
| RELEASE_IMAGE: almalinux | |
| RELEASE_TAGS: "v9" | |
| CI_IMAGE: almalinux-ci | |
| CI_TAGS: "main" | |
| jobs: | |
| images: | |
| name: Generate a list of release and CI images | |
| runs-on: ubuntu-24.04 | |
| outputs: | |
| matrix: ${{ steps.list.outputs.images }} | |
| steps: | |
| - name: Generate image list | |
| id: list | |
| run: | | |
| #!/bin/bash | |
| set -xeo pipefail | |
| images="" | |
| for tag in $RELEASE_TAGS | |
| do | |
| images+="${REGISTRY}/${RELEASE_IMAGE}:${tag} " | |
| done | |
| for tag in $CI_TAGS | |
| do | |
| images+="${REGISTRY}/${CI_IMAGE}:${tag} " | |
| done | |
| images=$(echo $images | sed 's/\s+$//' | jq --raw-input 'split(" ")' | jq -r tostring) | |
| echo "images=$images" >> "$GITHUB_OUTPUT" | |
| scan: | |
| name: Scan container images and upload SARIF file | |
| runs-on: ubuntu-24.04 | |
| permissions: | |
| security-events: write | |
| needs: images | |
| strategy: | |
| matrix: | |
| image: ${{ fromJSON(needs.images.outputs.matrix) }} | |
| steps: | |
| - name: Checkout repository | |
| uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 | |
| - name: Setup Cosign | |
| uses: sigstore/cosign-installer@4959ce089c160fddf62f7b42464195ba1a56d382 # v3.6.0 | |
| - name: Verify image | |
| id: verify | |
| run: | | |
| #!/bin/bash | |
| set -xeo pipefail | |
| digest=$(cosign verify --key cosign.pub ${{ matrix.image }} | jq -r '.[0].critical.image."docker-manifest-digest"') | |
| echo "digest=$digest" >> "$GITHUB_OUTPUT" | |
| - name: Get image metadata | |
| id: metadata | |
| run: | | |
| #!/bin/bash | |
| set -xeo pipefail | |
| image_no_tag=$(echo ${{ matrix.image }} | cut -f1 -d ':') | |
| commit=$(skopeo inspect docker://${image_no_tag}@${{ steps.verify.outputs.digest }} | jq -r '.Labels."org.opencontainers.image.revision"') | |
| ref="" | |
| image_name=$(echo $image_no_tag | sed -r 's/.+\/([^\/]+)$/\1/') | |
| if [[ $image_name == $RELEASE_IMAGE ]] | |
| then | |
| ref=refs/tags/v$(skopeo inspect docker://${image_no_tag}@${{ steps.verify.outputs.digest }} | jq -r '.Labels."org.opencontainers.image.version"') | |
| elif [[ $image_name == $CI_IMAGE ]] | |
| then | |
| ref=refs/heads/$(echo ${{ matrix.image }} | cut -f2 -d ':') | |
| else | |
| echo "Failed to obtain ref" | |
| exit 1 | |
| fi | |
| echo "commit=$commit" >> "$GITHUB_OUTPUT" | |
| echo "ref=$ref" >> "$GITHUB_OUTPUT" | |
| - name: Verify attestation and extract SBOM | |
| run: | | |
| #!/bin/bash | |
| set -xeo pipefail | |
| cosign verify-attestation --key cosign.pub ${{ matrix.image }} | jq -r .payload | base64 -d | jq -r .predicate.Data > sbom.syft.json | |
| - name: Scan SBOM with Grype | |
| uses: anchore/scan-action@64a33b277ea7a1215a3c142735a1091341939ff5 # v4.1.2 | |
| id: scan | |
| with: | |
| sbom: sbom.syft.json | |
| fail-build: false | |
| output-format: sarif | |
| only-fixed: true | |
| grype-version: v0.78.0 | |
| - name: Upload image scan results to GitHub | |
| uses: github/codeql-action/upload-sarif@461ef6c76dfe95d5c364de2f431ddbd31a417628 # v3.26.9 | |
| with: | |
| sarif_file: ${{ steps.scan.outputs.sarif }} | |
| ref: ${{ steps.metadata.outputs.ref }} | |
| sha: ${{ steps.metadata.outputs.commit }} |