add docker scout scan to pipelines #5759

Merged
merged 9 commits into from
Jun 19, 2024
9 changes: 9 additions & 0 deletions .github/workflows/build-base-images.yml
Expand Up @@ -41,6 +41,9 @@ jobs:
name: Build OSS base images
runs-on: ubuntu-22.04
needs: checks
permissions:
contents: read
pull-requests: write # for scout report
strategy:
fail-fast: false
matrix:
Expand Down Expand Up @@ -108,6 +111,9 @@ jobs:
name: Build Plus base images
runs-on: ubuntu-22.04
needs: checks
permissions:
contents: read
pull-requests: write # for scout report
strategy:
fail-fast: false
matrix:
Expand Down Expand Up @@ -177,6 +183,9 @@ jobs:
name: Build Plus NAP base images
runs-on: ubuntu-22.04
needs: checks
permissions:
contents: read
pull-requests: write # for scout report
strategy:
fail-fast: false
matrix:
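Review bot: The job-level `permissions:` block added to 'Build OSS base images' (and, in the two hunks below, to the Plus and Plus NAP jobs) replaces whatever the job previously inherited from the workflow or repository default with exactly `contents: read` and `pull-requests: write`; the job's steps are outside the hunk, so if they push base images using `id-token: write` or `packages: write`, those scopes must be listed here too — confirm before merging. `pull-requests: write` is justified as 'for scout report', but the docker/scout-action steps added in build-oss.yml and build-plus.yml set `write-comment: false`, so no PR comment is written and the grant looks unused here and in the caller workflows that mirror it (cache-update.yml, ci.yml, image-promotion.yml); least privilege argues for leaving it out until the comment is actually enabled. If it is kept, make the comment state what the scope is for, e.g. `pull-requests: write # docker/scout-action PR comment (requires write-comment: true)`.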
37 changes: 30 additions & 7 deletions .github/workflows/build-oss.yml
Expand Up @@ -47,6 +47,10 @@ jobs:
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
id-token: write # for OIDC login to GCR
packages: write # for docker/build-push-action to push to GHCR
pull-requests: write # for scout report
outputs:
version: ${{ steps.meta.outputs.version }}
image_digest: ${{ steps.build-push.outputs.digest }}
steps:
- name: Checkout Repository
uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
Expand Down Expand Up @@ -175,27 +179,46 @@ jobs:
IC_VERSION=${{ inputs.ic-version && inputs.ic-version || steps.meta.outputs.version }}
if: ${{ steps.base_exists.outputs.exists != 'true' || steps.target_exists.outputs.exists != 'true' }}

- name: Make directory for security scan results
run: |
mkdir -p "${{ inputs.image }}-results/"

- name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@595be6a0f6560a0a8fc419ddf630567fc623531d # 0.22.0
continue-on-error: true
with:
image-ref: nginx/nginx-ingress:${{ steps.meta.outputs.version }}
format: "sarif"
output: "trivy-results-${{ inputs.image }}.sarif"
output: "${{ inputs.image }}-results/trivy.sarif"
ignore-unfixed: "true"
if: ${{ inputs.authenticated && steps.build-push.conclusion == 'success' }}

- name: Upload Trivy scan results to GitHub Security tab
- name: Run Docker Scout vulnerability scanner
id: docker-scout
uses: docker/scout-action@5dae9c7571dd0f3de81f5b501240c593c13c3eb6 # v1.9.3
continue-on-error: true
with:
command: cves,recommendations
image: ${{ steps.meta.outputs.tags }}
ignore-base: true
only-fixed: true
sarif-file: "${{ inputs.image }}-results/scout.sarif"
write-comment: false
github-token: ${{ secrets.GITHUB_TOKEN }} # to be able to write the comment
summary: true
if: ${{ inputs.authenticated && steps.build-push.conclusion == 'success' }}

- name: Upload Trivy/Scout scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@530d4feaa9c62aaab2d250371e2061eb7a172363 # v3.25.9
continue-on-error: true
with:
sarif_file: "trivy-results-${{ inputs.image }}.sarif"
sarif_file: "${{ inputs.image }}-results/"
if: ${{ inputs.authenticated && steps.build-push.conclusion == 'success' }}

- name: Upload Scan Results
- name: Upload Scan Results to the cache
uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
continue-on-error: true
with:
name: "trivy-results-${{ inputs.image }}.sarif"
path: "trivy-results-${{ inputs.image }}.sarif"
if: always()
name: "${{ inputs.image }}-results"
path: "${{ inputs.image }}-results/"
if: ${{ inputs.authenticated && steps.build-push.conclusion == 'success' }}
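Review bot: The new Docker Scout step passes `image: ${{ steps.meta.outputs.tags }}`, which for docker/metadata-action is the full list of generated tags (newline-separated when there is more than one), while the Trivy step two steps earlier scans the single ref `nginx/nginx-ingress:${{ steps.meta.outputs.version }}` and build-plus.yml extracts one tag for both scanners. If more than one tag is produced here, scout-action receives a multi-line image reference, and because the scanner, the SARIF upload and the artifact upload all carry `continue-on-error: true`, its failure would leave the job green with no scout.sarif reaching the Security tab. Use the same single ref as Trivy, `image: nginx/nginx-ingress:${{ steps.meta.outputs.version }}`, or extract one tag the way build-plus.yml does. The comment on the `github-token` line, `# to be able to write the comment`, also contradicts `write-comment: false` directly above it and should be reworded or the option enabled.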
38 changes: 29 additions & 9 deletions .github/workflows/build-plus.yml
Expand Up @@ -51,6 +51,7 @@ jobs:
contents: read # for docker/build-push-action to read repo content
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
id-token: write # for OIDC login to AWS
pull-requests: write # for scout report
runs-on: ubuntu-22.04
steps:
- name: Checkout Repository
Expand Down Expand Up @@ -195,8 +196,12 @@ jobs:
${{ contains(inputs.image, 'ubi') && format('"rhel_license={0}"', secrets.RHEL_LICENSE) || '' }}
if: ${{ steps.base_exists.outputs.exists != 'true' || steps.target_exists.outputs.exists != 'true' }}

- name: Extract image name for Trivy
id: trivy-tag
- name: Make directory for security scan results
run: |
mkdir -p "${{ inputs.image }}-results/"

- name: Extract image name for Scans
id: scan-tag
run: |
tag=$(echo $DOCKER_METADATA_OUTPUT_JSON | jq -r '[ .tags[] | select(contains("f5-gcs-7899"))] | .[0]')
echo "tag=$tag" >> $GITHUB_OUTPUT
Expand All @@ -206,23 +211,38 @@ jobs:
uses: aquasecurity/trivy-action@595be6a0f6560a0a8fc419ddf630567fc623531d # 0.22.0
continue-on-error: true
with:
image-ref: ${{ steps.trivy-tag.outputs.tag }}
image-ref: ${{ steps.scan-tag.outputs.tag }}
format: "sarif"
output: "trivy-results-${{ inputs.image }}.sarif"
output: "${{ inputs.image }}-results/trivy.sarif"
ignore-unfixed: "true"
if: ${{ inputs.authenticated && steps.build-push.conclusion == 'success' }}

- name: Upload Trivy scan results to GitHub Security tab
- name: Run Docker Scout vulnerability scanner
id: docker-scout
uses: docker/scout-action@5dae9c7571dd0f3de81f5b501240c593c13c3eb6 # v1.9.3
continue-on-error: true
with:
command: cves,recommendations
image: ${{ steps.scan-tag.outputs.tag }}
ignore-base: true
only-fixed: true
sarif-file: "${{ inputs.image }}-results/scout.sarif"
write-comment: false
github-token: ${{ secrets.GITHUB_TOKEN }} # to be able to write the comment
summary: true
if: ${{ inputs.authenticated && steps.build-push.conclusion == 'success' }}

- name: Upload Security scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@530d4feaa9c62aaab2d250371e2061eb7a172363 # v3.25.9
continue-on-error: true
with:
sarif_file: "trivy-results-${{ inputs.image }}.sarif"
sarif_file: "${{ inputs.image }}-results/"
if: ${{ inputs.authenticated && steps.build-push.conclusion == 'success' }}

- name: Upload Scan Results
uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
continue-on-error: true
with:
name: "trivy-results-${{ inputs.image }}.sarif"
path: "trivy-results-${{ inputs.image }}.sarif"
if: always()
name: "${{ inputs.image }}-results"
path: "${{ inputs.image }}-results/"
if: ${{ inputs.authenticated && steps.build-push.conclusion == 'success' }}
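Review bot: The scout step's `ignore-base: true` together with `only-fixed: true` narrows the uploaded scout.sarif to fixable findings outside the base image, whereas the Trivy step on the same image applies only `ignore-unfixed`, so the two reports uploaded from `${{ inputs.image }}-results/` will disagree on base-layer CVEs with nothing in the workflow explaining why; build-oss.yml uses the same pair of options. If base-image findings are covered by a separate scan of the base images, record that on the line, e.g. `ignore-base: true # base-image CVEs are reported by the base-image build scan`; otherwise drop `ignore-base` so the scout report is not narrower than the Trivy one. The renamed extraction step also takes the first tag containing `f5-gcs-7899` via `jq -r ... | .[0]`, which prints the literal string `null` when no tag matches and would then be handed to both scanners as the image ref; the step starts in this hunk but any guarding `if:` on it is outside the visible lines.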
3 changes: 3 additions & 0 deletions .github/workflows/cache-update.yml
Expand Up @@ -60,6 +60,7 @@ jobs:
security-events: write
id-token: write
packages: write
pull-requests: write # for scout report
secrets: inherit

build-docker-plus:
Expand Down Expand Up @@ -89,6 +90,7 @@ jobs:
contents: read
security-events: write
id-token: write
pull-requests: write # for scout report
secrets: inherit

build-docker-nap:
Expand Down Expand Up @@ -161,4 +163,5 @@ jobs:
contents: read
security-events: write
id-token: write
pull-requests: write # for scout report
secrets: inherit
4 changes: 4 additions & 0 deletions .github/workflows/ci.yml
Expand Up @@ -303,6 +303,7 @@ jobs:
security-events: write
id-token: write
packages: write
pull-requests: write # for scout report
secrets: inherit

build-docker-plus:
Expand Down Expand Up @@ -333,6 +334,7 @@ jobs:
contents: read
security-events: write
id-token: write
pull-requests: write # for scout report
secrets: inherit

build-docker-nap:
Expand Down Expand Up @@ -406,6 +408,7 @@ jobs:
contents: read
security-events: write
id-token: write
pull-requests: write # for scout report
secrets: inherit

helm-tests:
Expand Down Expand Up @@ -774,5 +777,6 @@ jobs:
actions: read
packages: write # for helm to push to GHCR
security-events: write
pull-requests: write # for scout report
uses: ./.github/workflows/image-promotion.yml
if: ${{ inputs.force && inputs.force || false }}
3 changes: 3 additions & 0 deletions .github/workflows/image-promotion.yml
Expand Up @@ -173,6 +173,7 @@ jobs:
security-events: write
id-token: write
packages: write
pull-requests: write # for scout report
secrets: inherit

build-docker-plus:
Expand Down Expand Up @@ -205,6 +206,7 @@ jobs:
security-events: write
id-token: write
packages: write
pull-requests: write # for scout report
secrets: inherit

build-docker-nap:
Expand Down Expand Up @@ -280,6 +282,7 @@ jobs:
security-events: write
id-token: write
packages: write
pull-requests: write # for scout report
secrets: inherit

tag-stable: