diff --git a/.github/workflows/build-base-images.yml b/.github/workflows/build-base-images.yml
index 969c0d0a4e..095fce75c6 100644
--- a/.github/workflows/build-base-images.yml
+++ b/.github/workflows/build-base-images.yml
@@ -41,6 +41,9 @@ jobs:
 name: Build OSS base images
 runs-on: ubuntu-22.04
 needs: checks
+ permissions:
+ contents: read
+ pull-requests: write # for scout report
 strategy:
 fail-fast: false
 matrix:
@@ -108,6 +111,9 @@ jobs:
 name: Build Plus base images
 runs-on: ubuntu-22.04
 needs: checks
+ permissions:
+ contents: read
+ pull-requests: write # for scout report
 strategy:
 fail-fast: false
 matrix:
@@ -177,6 +183,9 @@ jobs:
 name: Build Plus NAP base images
 runs-on: ubuntu-22.04
 needs: checks
+ permissions:
+ contents: read
+ pull-requests: write # for scout report
 strategy:
 fail-fast: false
 matrix:
diff --git a/.github/workflows/build-oss.yml b/.github/workflows/build-oss.yml
index 8d5fbce4cc..ef4e34a801 100644
--- a/.github/workflows/build-oss.yml
+++ b/.github/workflows/build-oss.yml
@@ -47,6 +47,10 @@ jobs:
 security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
 id-token: write # for OIDC login to GCR
 packages: write # for docker/build-push-action to push to GHCR
+ pull-requests: write # for scout report
+ outputs:
+ version: ${{ steps.meta.outputs.version }}
+ image_digest: ${{ steps.build-push.outputs.digest }}
 steps:
 - name: Checkout Repository
 uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
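Review bot: The new `permissions:` block on the Build OSS base images job lists only `contents: read` and `pull-requests: write`, and an explicit job-level block replaces the inherited defaults, so any other scope this job relied on before (for example `packages: write` if it pushes to GHCR, or `id-token: write`) is now dropped; the job body is outside the hunk, so please confirm nothing in it needs a scope that is no longer granted. Separately, `pull-requests: write # for scout report` is added here, in the two later hunks of this file, and in build-oss.yml, build-plus.yml, cache-update.yml, ci.yml and image-promotion.yml, yet the only Docker Scout steps in this commit (build-oss.yml and build-plus.yml) run with `write-comment: false`, so no PR comment is written and the scope is surplus under least privilege. Either set `write-comment: true` where the comment is actually wanted or drop the `pull-requests: write` lines; no Scout step is visible in the three base-image jobs at all.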
@@ -175,27 +179,46 @@ jobs:
 IC_VERSION=${{ inputs.ic-version && inputs.ic-version || steps.meta.outputs.version }}
 if: ${{ steps.base_exists.outputs.exists != 'true' || steps.target_exists.outputs.exists != 'true' }}
+ - name: Make directory for security scan results
+ run: |
+ mkdir -p "${{ inputs.image }}-results/"
+
 - name: Run Trivy vulnerability scanner
 uses: aquasecurity/trivy-action@595be6a0f6560a0a8fc419ddf630567fc623531d # 0.22.0
 continue-on-error: true
 with:
 image-ref: nginx/nginx-ingress:${{ steps.meta.outputs.version }}
 format: "sarif"
- output: "trivy-results-${{ inputs.image }}.sarif"
+ output: "${{ inputs.image }}-results/trivy.sarif"
 ignore-unfixed: "true"
 if: ${{ inputs.authenticated && steps.build-push.conclusion == 'success' }}
- - name: Upload Trivy scan results to GitHub Security tab
- uses: github/codeql-action/upload-sarif@530d4feaa9c62aaab2d250371e2061eb7a172363 # v3.25.9
+ - name: DockerHub Login for Docker Scount
+ uses: docker/login-action@0d4c9c5ea7693da7b068278f7b52bda2a190a446 # v3.2.0
+ with:
+ username: ${{ secrets.DOCKER_USERNAME }}
+ password: ${{ secrets.DOCKER_PASSWORD }}
+ if: ${{ inputs.authenticated && steps.build-push.conclusion == 'success' }}
+
+ - name: Run Docker Scout vulnerability scanner
+ id: docker-scout
+ uses: docker/scout-action@5dae9c7571dd0f3de81f5b501240c593c13c3eb6 # v1.9.3
 continue-on-error: true
 with:
- sarif_file: "trivy-results-${{ inputs.image }}.sarif"
+ command: cves,recommendations
+ image: ${{ steps.meta.outputs.tags }}
+ ignore-base: true
+ only-fixed: true
+ sarif-file: "${{ inputs.image }}-results/scout.sarif"
+ write-comment: false
+ github-token: ${{ secrets.GITHUB_TOKEN }} # to be able to write the comment
+ summary: true
 if: ${{ inputs.authenticated && steps.build-push.conclusion == 'success' }}
- - name: Upload Scan Results
+ - name: Upload Scan Results to the cache
 uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
 continue-on-error: true
 with:
- name: "trivy-results-${{ inputs.image }}.sarif"
- path: "trivy-results-${{ inputs.image }}.sarif"
- if: always()
+ name: "${{ inputs.image }}-results"
+ path: "${{ inputs.image }}-results/"
+ if: ${{ inputs.authenticated && steps.build-push.conclusion == 'success' }}
diff --git a/.github/workflows/build-plus.yml b/.github/workflows/build-plus.yml
index db5d2acbcf..2724f1226e 100644
--- a/.github/workflows/build-plus.yml
+++ b/.github/workflows/build-plus.yml
@@ -51,6 +51,7 @@ jobs:
 contents: read # for docker/build-push-action to read repo content
 security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
 id-token: write # for OIDC login to AWS
+ pull-requests: write # for scout report
 runs-on: ubuntu-22.04
 steps:
 - name: Checkout Repository
@@ -195,8 +196,12 @@ jobs:
 ${{ contains(inputs.image, 'ubi') && format('"rhel_license={0}"', secrets.RHEL_LICENSE) || '' }}
 if: ${{ steps.base_exists.outputs.exists != 'true' || steps.target_exists.outputs.exists != 'true' }}
- - name: Extract image name for Trivy
- id: trivy-tag
+ - name: Make directory for security scan results
+ run: |
+ mkdir -p "${{ inputs.image }}-results/"
+
+ - name: Extract image name for Scans
+ id: scan-tag
 run: |
 tag=$(echo $DOCKER_METADATA_OUTPUT_JSON | jq -r '[ .tags[] | select(contains("f5-gcs-7899"))] | .[0]')
 echo "tag=$tag" >> $GITHUB_OUTPUT
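Review bot: The Scout step added to build-oss.yml scans `image: ${{ steps.meta.outputs.tags }}`, while the Trivy step just above it scans the single reference `nginx/nginx-ingress:${{ steps.meta.outputs.version }}` and build-plus.yml first resolves one tag via `steps.scan-tag`; if `meta` is docker/metadata-action, `tags` is a newline-separated list rather than one image reference, and with `continue-on-error: true` a rejected argument would fail quietly and leave no `scout.sarif` in the artifact. Scanning the same reference as Trivy, `image: nginx/nginx-ingress:${{ steps.meta.outputs.version }}`, keeps both scanners on the same artifact and matches the build-plus.yml approach. Two smaller points in the same step: `github-token: ${{ secrets.GITHUB_TOKEN }} # to be able to write the comment` contradicts `write-comment: false` on the line above it, so the comment should state what the token is actually used for, and the login step name has a typo, `- name: DockerHub Login for Docker Scout`.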
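Review bot: The new `Make directory for security scan results` step in build-plus.yml expands `${{ inputs.image }}` directly inside `run:`, which is the substitution pattern GitHub's workflow-hardening guidance recommends against because the value is spliced into the script text before the shell runs it; `inputs.image` is supplied by the calling workflow in this repository, so the exposure is low, but the cheap defensive form is `env: { IMAGE: ${{ inputs.image }} }` on the step and `run: mkdir -p "${IMAGE}-results/"`. The identical step was added to build-oss.yml in the hunk above and should get the same treatment. The same `${{ inputs.image }}-results` value is reused as the artifact name and in both `output`/`sarif-file` paths, so a single `env` entry could serve all of them.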
@@ -206,23 +211,38 @@ jobs:
 uses: aquasecurity/trivy-action@595be6a0f6560a0a8fc419ddf630567fc623531d # 0.22.0
 continue-on-error: true
 with:
- image-ref: ${{ steps.trivy-tag.outputs.tag }}
+ image-ref: ${{ steps.scan-tag.outputs.tag }}
 format: "sarif"
- output: "trivy-results-${{ inputs.image }}.sarif"
+ output: "${{ inputs.image }}-results/trivy.sarif"
 ignore-unfixed: "true"
 if: ${{ inputs.authenticated && steps.build-push.conclusion == 'success' }}
- - name: Upload Trivy scan results to GitHub Security tab
- uses: github/codeql-action/upload-sarif@530d4feaa9c62aaab2d250371e2061eb7a172363 # v3.25.9
+ - name: DockerHub Login for Docker Scount
+ uses: docker/login-action@0d4c9c5ea7693da7b068278f7b52bda2a190a446 # v3.2.0
+ with:
+ username: ${{ secrets.DOCKER_USERNAME }}
+ password: ${{ secrets.DOCKER_PASSWORD }}
+ if: ${{ inputs.authenticated && steps.build-push.conclusion == 'success' }}
+
+ - name: Run Docker Scout vulnerability scanner
+ id: docker-scout
+ uses: docker/scout-action@5dae9c7571dd0f3de81f5b501240c593c13c3eb6 # v1.9.3
 continue-on-error: true
 with:
- sarif_file: "trivy-results-${{ inputs.image }}.sarif"
+ command: cves,recommendations
+ image: ${{ steps.scan-tag.outputs.tag }}
+ ignore-base: true
+ only-fixed: true
+ sarif-file: "${{ inputs.image }}-results/scout.sarif"
+ write-comment: false
+ github-token: ${{ secrets.GITHUB_TOKEN }} # to be able to write the comment
+ summary: true
 if: ${{ inputs.authenticated && steps.build-push.conclusion == 'success' }}
 - name: Upload Scan Results
 uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
 continue-on-error: true
 with:
- name: "trivy-results-${{ inputs.image }}.sarif"
- path: "trivy-results-${{ inputs.image }}.sarif"
- if: always()
+ name: "${{ inputs.image }}-results"
+ path: "${{ inputs.image }}-results/"
+ if: ${{ inputs.authenticated && steps.build-push.conclusion == 'success' }}
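Review bot: The Trivy and Scout SARIF files produced in this job no longer reach GitHub code scanning: the `Upload Trivy scan results to GitHub Security tab` step is removed and nothing in the new step list calls upload-sarif, so `trivy.sarif` and `scout.sarif` exist only inside the `${{ inputs.image }}-results` artifact. If a later job is intended to download that artifact and upload it, that job is outside this diff and should be confirmed; otherwise findings silently stop appearing in the Security tab, and the `security-events: write # for github/codeql-action/upload-sarif to upload SARIF results` comment in this job's permissions block is now stale and should be reworded or the scope dropped. The same removal is made in the build-oss.yml hunk above.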
diff --git a/.github/workflows/cache-update.yml b/.github/workflows/cache-update.yml
index 33fda78f6f..55f3fbde22 100644
--- a/.github/workflows/cache-update.yml
+++ b/.github/workflows/cache-update.yml
@@ -60,6 +60,7 @@ jobs:
 security-events: write
 id-token: write
 packages: write
+ pull-requests: write # for scout report
 secrets: inherit
 build-docker-plus:
@@ -89,6 +90,7 @@ jobs:
 contents: read
 security-events: write
 id-token: write
+ pull-requests: write # for scout report
 secrets: inherit
 build-docker-nap:
@@ -161,4 +163,5 @@ jobs:
 contents: read
 security-events: write
 id-token: write
+ pull-requests: write # for scout report
 secrets: inherit
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 1a71460a67..377a970f05 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -303,6 +303,7 @@ jobs:
 security-events: write
 id-token: write
 packages: write
+ pull-requests: write # for scout report
 secrets: inherit
 build-docker-plus:
@@ -333,6 +334,7 @@ jobs:
 contents: read
 security-events: write
 id-token: write
+ pull-requests: write # for scout report
 secrets: inherit
 build-docker-nap:
@@ -406,6 +408,7 @@ jobs:
 contents: read
 security-events: write
 id-token: write
+ pull-requests: write # for scout report
 secrets: inherit
 helm-tests:
@@ -774,5 +777,6 @@ jobs:
 actions: read
 packages: write # for helm to push to GHCR
 security-events: write
+ pull-requests: write # for scout report
 uses: ./.github/workflows/image-promotion.yml
 if: ${{ inputs.force && inputs.force || false }}
diff --git a/.github/workflows/image-promotion.yml b/.github/workflows/image-promotion.yml
index af1e55dbed..80725d943b 100644
--- a/.github/workflows/image-promotion.yml
+++ b/.github/workflows/image-promotion.yml
@@ -173,6 +173,7 @@ jobs:
 security-events: write
 id-token: write
 packages: write
+ pull-requests: write # for scout report
 secrets: inherit
 build-docker-plus:
@@ -205,6 +206,7 @@ jobs:
 security-events: write
 id-token: write
 packages: write
+ pull-requests: write # for scout report
 secrets: inherit
 build-docker-nap:
@@ -280,6 +282,7 @@ jobs:
 security-events: write
 id-token: write
 packages: write
+ pull-requests: write # for scout report
 secrets: inherit
 tag-stable:
diff --git a/build/Dockerfile b/build/Dockerfile
index 20aaa3b4a5..55017d3635 100644
--- a/build/Dockerfile
+++ b/build/Dockerfile
@@ -15,7 +15,7 @@ FROM ghcr.io/nginxinc/k8s-common:nginx-opentracing-1.27.0-alpine@sha256:5dc5c763
 FROM ghcr.io/nginxinc/alpine-fips:0.1.0-alpine3.17@sha256:f00b3f266422feaaac7b733b46903bd19eb1cd1caa6991131576f5f767db76f8 as alpine-fips-3.17
 FROM ghcr.io/nginxinc/alpine-fips:0.2.0-alpine3.19@sha256:1744ae3a8e795daf771f3f7df33b83160981545abb1f1597338e2769d06aa1cc as alpine-fips-3.19
 FROM redhat/ubi9-minimal@sha256:a7d837b00520a32502ada85ae339e33510cdfdbc8d2ddf460cc838e12ec5fa5a AS ubi-minimal
-FROM golang:1.22-alpine@sha256:9bdd5692d39acc3f8d0ea6f81327f87ac6b473dd29a2b6006df362bff48dd1f8 as golang-builder
+FROM golang:1.22-alpine@sha256:6522f0ca555a7b14c46a2c9f50b86604a234cdc72452bf6a268cae6461d9000b as golang-builder
 ############################################# Base image for Alpine #############################################
diff --git a/tests/Dockerfile b/tests/Dockerfile
index 6e721e87e8..57bffe74b5 100644
--- a/tests/Dockerfile
+++ b/tests/Dockerfile
@@ -5,7 +5,7 @@ FROM kindest/node:v1.30.0@sha256:047357ac0cfea04663786a612ba1eaba9702bef25227a79
 # this is here so we can grab the latest version of skopeo and have dependabot keep it up to date
 FROM quay.io/skopeo/stable:v1.15.1
-FROM python:3.12@sha256:00389e020fe42a6c74a8f091ce9b28324422d084efdff26eabe93bc4ae9a110b
+FROM python:3.12@sha256:4584ea46d313a10e849eb7c5ef36be14773418233516ceaa9e52a8ff7d5e35a5
 RUN apt-get update \
 && apt-get install -y curl git \