Skip to content

Commit

Permalink
add docker scout scan to pipelines (#5759)
Browse files Browse the repository at this point in the history
  • Loading branch information
pdabelf5 authored Jun 19, 2024
1 parent 99d6a03 commit bd325f4
Show file tree
Hide file tree
Showing 8 changed files with 82 additions and 20 deletions.
9 changes: 9 additions & 0 deletions .github/workflows/build-base-images.yml
Original file line number Diff line number Diff line change
Expand Up @@ -41,6 +41,9 @@ jobs:
name: Build OSS base images
runs-on: ubuntu-22.04
needs: checks
permissions:
contents: read
pull-requests: write # for scout report
strategy:
fail-fast: false
matrix:
Expand Down Expand Up @@ -108,6 +111,9 @@ jobs:
name: Build Plus base images
runs-on: ubuntu-22.04
needs: checks
permissions:
contents: read
pull-requests: write # for scout report
strategy:
fail-fast: false
matrix:
Expand Down Expand Up @@ -177,6 +183,9 @@ jobs:
name: Build Plus NAP base images
runs-on: ubuntu-22.04
needs: checks
permissions:
contents: read
pull-requests: write # for scout report
strategy:
fail-fast: false
matrix:
Expand Down
39 changes: 31 additions & 8 deletions .github/workflows/build-oss.yml
Original file line number Diff line number Diff line change
Expand Up @@ -47,6 +47,10 @@ jobs:
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
id-token: write # for OIDC login to GCR
packages: write # for docker/build-push-action to push to GHCR
pull-requests: write # for scout report
outputs:
version: ${{ steps.meta.outputs.version }}
image_digest: ${{ steps.build-push.outputs.digest }}
steps:
- name: Checkout Repository
uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
Expand Down Expand Up @@ -175,27 +179,46 @@ jobs:
IC_VERSION=${{ inputs.ic-version && inputs.ic-version || steps.meta.outputs.version }}
if: ${{ steps.base_exists.outputs.exists != 'true' || steps.target_exists.outputs.exists != 'true' }}

- name: Make directory for security scan results
run: |
mkdir -p "${{ inputs.image }}-results/"
- name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@595be6a0f6560a0a8fc419ddf630567fc623531d # 0.22.0
continue-on-error: true
with:
image-ref: nginx/nginx-ingress:${{ steps.meta.outputs.version }}
format: "sarif"
output: "trivy-results-${{ inputs.image }}.sarif"
output: "${{ inputs.image }}-results/trivy.sarif"
ignore-unfixed: "true"
if: ${{ inputs.authenticated && steps.build-push.conclusion == 'success' }}

- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@530d4feaa9c62aaab2d250371e2061eb7a172363 # v3.25.9
- name: DockerHub Login for Docker Scount
uses: docker/login-action@0d4c9c5ea7693da7b068278f7b52bda2a190a446 # v3.2.0
with:
username: ${{ secrets.DOCKER_USERNAME }}
password: ${{ secrets.DOCKER_PASSWORD }}
if: ${{ inputs.authenticated && steps.build-push.conclusion == 'success' }}

- name: Run Docker Scout vulnerability scanner
id: docker-scout
uses: docker/scout-action@5dae9c7571dd0f3de81f5b501240c593c13c3eb6 # v1.9.3
continue-on-error: true
with:
sarif_file: "trivy-results-${{ inputs.image }}.sarif"
command: cves,recommendations
image: ${{ steps.meta.outputs.tags }}
ignore-base: true
only-fixed: true
sarif-file: "${{ inputs.image }}-results/scout.sarif"
write-comment: false
github-token: ${{ secrets.GITHUB_TOKEN }} # to be able to write the comment
summary: true
if: ${{ inputs.authenticated && steps.build-push.conclusion == 'success' }}

- name: Upload Scan Results
- name: Upload Scan Results to the cache
uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
continue-on-error: true
with:
name: "trivy-results-${{ inputs.image }}.sarif"
path: "trivy-results-${{ inputs.image }}.sarif"
if: always()
name: "${{ inputs.image }}-results"
path: "${{ inputs.image }}-results/"
if: ${{ inputs.authenticated && steps.build-push.conclusion == 'success' }}
40 changes: 30 additions & 10 deletions .github/workflows/build-plus.yml
Original file line number Diff line number Diff line change
Expand Up @@ -51,6 +51,7 @@ jobs:
contents: read # for docker/build-push-action to read repo content
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
id-token: write # for OIDC login to AWS
pull-requests: write # for scout report
runs-on: ubuntu-22.04
steps:
- name: Checkout Repository
Expand Down Expand Up @@ -195,8 +196,12 @@ jobs:
${{ contains(inputs.image, 'ubi') && format('"rhel_license={0}"', secrets.RHEL_LICENSE) || '' }}
if: ${{ steps.base_exists.outputs.exists != 'true' || steps.target_exists.outputs.exists != 'true' }}

- name: Extract image name for Trivy
id: trivy-tag
- name: Make directory for security scan results
run: |
mkdir -p "${{ inputs.image }}-results/"
- name: Extract image name for Scans
id: scan-tag
run: |
tag=$(echo $DOCKER_METADATA_OUTPUT_JSON | jq -r '[ .tags[] | select(contains("f5-gcs-7899"))] | .[0]')
echo "tag=$tag" >> $GITHUB_OUTPUT
Expand All @@ -206,23 +211,38 @@ jobs:
uses: aquasecurity/trivy-action@595be6a0f6560a0a8fc419ddf630567fc623531d # 0.22.0
continue-on-error: true
with:
image-ref: ${{ steps.trivy-tag.outputs.tag }}
image-ref: ${{ steps.scan-tag.outputs.tag }}
format: "sarif"
output: "trivy-results-${{ inputs.image }}.sarif"
output: "${{ inputs.image }}-results/trivy.sarif"
ignore-unfixed: "true"
if: ${{ inputs.authenticated && steps.build-push.conclusion == 'success' }}

- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@530d4feaa9c62aaab2d250371e2061eb7a172363 # v3.25.9
- name: DockerHub Login for Docker Scount
uses: docker/login-action@0d4c9c5ea7693da7b068278f7b52bda2a190a446 # v3.2.0
with:
username: ${{ secrets.DOCKER_USERNAME }}
password: ${{ secrets.DOCKER_PASSWORD }}
if: ${{ inputs.authenticated && steps.build-push.conclusion == 'success' }}

- name: Run Docker Scout vulnerability scanner
id: docker-scout
uses: docker/scout-action@5dae9c7571dd0f3de81f5b501240c593c13c3eb6 # v1.9.3
continue-on-error: true
with:
sarif_file: "trivy-results-${{ inputs.image }}.sarif"
command: cves,recommendations
image: ${{ steps.scan-tag.outputs.tag }}
ignore-base: true
only-fixed: true
sarif-file: "${{ inputs.image }}-results/scout.sarif"
write-comment: false
github-token: ${{ secrets.GITHUB_TOKEN }} # to be able to write the comment
summary: true
if: ${{ inputs.authenticated && steps.build-push.conclusion == 'success' }}

- name: Upload Scan Results
uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
continue-on-error: true
with:
name: "trivy-results-${{ inputs.image }}.sarif"
path: "trivy-results-${{ inputs.image }}.sarif"
if: always()
name: "${{ inputs.image }}-results"
path: "${{ inputs.image }}-results/"
if: ${{ inputs.authenticated && steps.build-push.conclusion == 'success' }}
3 changes: 3 additions & 0 deletions .github/workflows/cache-update.yml
Original file line number Diff line number Diff line change
Expand Up @@ -60,6 +60,7 @@ jobs:
security-events: write
id-token: write
packages: write
pull-requests: write # for scout report
secrets: inherit

build-docker-plus:
Expand Down Expand Up @@ -89,6 +90,7 @@ jobs:
contents: read
security-events: write
id-token: write
pull-requests: write # for scout report
secrets: inherit

build-docker-nap:
Expand Down Expand Up @@ -161,4 +163,5 @@ jobs:
contents: read
security-events: write
id-token: write
pull-requests: write # for scout report
secrets: inherit
4 changes: 4 additions & 0 deletions .github/workflows/ci.yml
Original file line number Diff line number Diff line change
Expand Up @@ -303,6 +303,7 @@ jobs:
security-events: write
id-token: write
packages: write
pull-requests: write # for scout report
secrets: inherit

build-docker-plus:
Expand Down Expand Up @@ -333,6 +334,7 @@ jobs:
contents: read
security-events: write
id-token: write
pull-requests: write # for scout report
secrets: inherit

build-docker-nap:
Expand Down Expand Up @@ -406,6 +408,7 @@ jobs:
contents: read
security-events: write
id-token: write
pull-requests: write # for scout report
secrets: inherit

helm-tests:
Expand Down Expand Up @@ -774,5 +777,6 @@ jobs:
actions: read
packages: write # for helm to push to GHCR
security-events: write
pull-requests: write # for scout report
uses: ./.github/workflows/image-promotion.yml
if: ${{ inputs.force && inputs.force || false }}
3 changes: 3 additions & 0 deletions .github/workflows/image-promotion.yml
Original file line number Diff line number Diff line change
Expand Up @@ -173,6 +173,7 @@ jobs:
security-events: write
id-token: write
packages: write
pull-requests: write # for scout report
secrets: inherit

build-docker-plus:
Expand Down Expand Up @@ -205,6 +206,7 @@ jobs:
security-events: write
id-token: write
packages: write
pull-requests: write # for scout report
secrets: inherit

build-docker-nap:
Expand Down Expand Up @@ -280,6 +282,7 @@ jobs:
security-events: write
id-token: write
packages: write
pull-requests: write # for scout report
secrets: inherit

tag-stable:
Expand Down
2 changes: 1 addition & 1 deletion build/Dockerfile
Original file line number Diff line number Diff line change
Expand Up @@ -15,7 +15,7 @@ FROM ghcr.io/nginxinc/k8s-common:nginx-opentracing-1.27.0-alpine@sha256:5dc5c763
FROM ghcr.io/nginxinc/alpine-fips:0.1.0-alpine3.17@sha256:f00b3f266422feaaac7b733b46903bd19eb1cd1caa6991131576f5f767db76f8 as alpine-fips-3.17
FROM ghcr.io/nginxinc/alpine-fips:0.2.0-alpine3.19@sha256:1744ae3a8e795daf771f3f7df33b83160981545abb1f1597338e2769d06aa1cc as alpine-fips-3.19
FROM redhat/ubi9-minimal@sha256:a7d837b00520a32502ada85ae339e33510cdfdbc8d2ddf460cc838e12ec5fa5a AS ubi-minimal
FROM golang:1.22-alpine@sha256:9bdd5692d39acc3f8d0ea6f81327f87ac6b473dd29a2b6006df362bff48dd1f8 as golang-builder
FROM golang:1.22-alpine@sha256:6522f0ca555a7b14c46a2c9f50b86604a234cdc72452bf6a268cae6461d9000b as golang-builder


############################################# Base image for Alpine #############################################
Expand Down
2 changes: 1 addition & 1 deletion tests/Dockerfile
Original file line number Diff line number Diff line change
Expand Up @@ -5,7 +5,7 @@ FROM kindest/node:v1.30.0@sha256:047357ac0cfea04663786a612ba1eaba9702bef25227a79
# this is here so we can grab the latest version of skopeo and have dependabot keep it up to date
FROM quay.io/skopeo/stable:v1.15.1

FROM python:3.12@sha256:00389e020fe42a6c74a8f091ce9b28324422d084efdff26eabe93bc4ae9a110b
FROM python:3.12@sha256:4584ea46d313a10e849eb7c5ef36be14773418233516ceaa9e52a8ff7d5e35a5

RUN apt-get update \
&& apt-get install -y curl git \
Expand Down

0 comments on commit bd325f4

Please sign in to comment.