feat(ci): add image scanning workflow #1161
Merged
37 commits
5e88a22 Add scaffolding for image scanning workflow (p5)
e1893fb Add SBOM generation and scanning steps (p5)
ab35ae5 Remove unused install-grype step (p5)
39fa2d3 Generate unique artifact name (p5)
66b1501 Enable some builds to debug build container outputs (p5)
0416d3a Skip long-running build steps (p5)
a50ed5a Enable builds and create workflow output (p5)
f0c8e57 Unsure why I enabled the builds... (p5)
dfaf874 Tie it all together (p5)
9e0f9e2 Fix outputs and enable single nvidia build (p5)
e174a29 Try reworking the jq command to output array rather than space-separa… (p5)
82ed6b7 Minify JSON (p5)
e8a824e Try dummy array (p5)
c84ab17 Fix output ref (p5)
20f78c4 Revert to real outputs (p5)
057b156 Share images through job artifacts (p5)
78131fe Fix file names to be included in artifacts (p5)
ceed21e Add a merge before downloading artifacts (p5)
a3e5c10 Use unique file names (p5)
808ce62 Fix upload-artifact target file (p5)
be1e73a Another attempt at targeting correct file (p5)
dd71e89 Create job output in correct format (p5)
6f88990 Use @ to separate image name and digest (p5)
0404a7d Disable fail-fast and fix 38 digest (p5)
fe438fa Clear storage space before generating SBOM (p5)
0edc9ca Cleanup artifacts, enable verbose syft and exclude ostree files from … (p5)
50ab63f Enable syft debug logging (p5)
ca96412 Remove incorrect verbose arg (p5)
8457a85 Enable scans for only F38 (p5)
a9a2307 Enable other builds again (p5)
b2ffb3a Disable syft verbose logging and remove unexpected changes (p5)
2af97b2 Remove unexpected changes (p5)
cc469f8 Update .github/workflows/reusable-image-scan.yml (p5)
30dc0da Do not run scan on PRs (p5)
bf323c3 Move check step to end (to ensure outputs are set) (p5)
8f1511c Enable for all Bluefin builds (p5)
a9238b7 Merge branch 'main' into sbom-generation-image-scanning (p5)
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,5 @@ | ||
# Exclude some files Syft will never get anything useful from | ||
exclude: | ||
- '/sysroot/ostree/repo/objects/**' | ||
- '/usr/share/icons/**' | ||
- '/usr/share/doc/**' |
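Review bot: The header comment should state why each path is excluded, because the reasons differ and a later maintainer will otherwise be tempted to prune or extend the list blindly. `/sysroot/ostree/repo/objects/**` is the content-addressed OSTree object store that the deployed tree is checked out from, so cataloguing it is at best a re-scan of files already present in the deployment and it is the bulk of the image; `/usr/share/icons/**` and `/usr/share/doc/**` are skipped purely to save time and carry no package metadata Syft's catalogers use. It is also worth saying in the comment that these globs match paths inside the scanned image, not the runner filesystem, and that the file is only effective when the workflow passes it with `--config ./.github/syft.yml`; a narrower exclude list than intended fails silently rather than loudly.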
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,73 @@ | ||
name: Scan Image | ||
on: | ||
workflow_call: | ||
inputs: | ||
images: | ||
description: "A comma-separated list of images to scan. E.G. '[\"docker.io/library/alpine:3.14.0\", \"docker.io/library/alpine:3.13.6\"]'" | ||
required: true | ||
type: string | ||
|
||
jobs: | ||
generate-matrix: | ||
runs-on: ubuntu-latest | ||
outputs: | ||
matrix: ${{ steps.set-matrix.outputs.matrix }} | ||
steps: | ||
- name: Set matrix | ||
id: set-matrix | ||
env: | ||
IMAGES: ${{ inputs.images }} | ||
run: | | ||
echo "matrix=$IMAGES" >> $GITHUB_OUTPUT | ||
|
||
scan-image: | ||
needs: generate-matrix | ||
runs-on: ubuntu-latest | ||
strategy: | ||
fail-fast: false | ||
matrix: | ||
image: ${{fromJson(needs.generate-matrix.outputs.matrix)}} | ||
steps: | ||
- name: Checkout repository | ||
uses: actions/checkout@v4 | ||
|
||
- name: Maximize build space | ||
uses: ublue-os/remove-unwanted-software@v6 | ||
|
||
- name: Install Syft | ||
shell: bash | ||
run: | | ||
curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b /usr/local/bin | ||
syft version | ||
|
||
- name: Generate SBOM | ||
env: | ||
IMAGE: ${{ matrix.image }} | ||
run: | | ||
syft ${IMAGE} \ | ||
--output cyclonedx-json=sbom.json \ | ||
--config ./.github/syft.yml | ||
|
||
- name: Scan SBOM | ||
id: scan | ||
uses: anchore/scan-action@3343887d815d7b07465f6fdcd395bd66508d486a # v3 | ||
with: | ||
sbom: sbom.json | ||
output-format: json | ||
fail-build: false | ||
|
||
- name: Generate artifact name | ||
id: artifact-name | ||
env: | ||
IMAGE: ${{ matrix.image }} | ||
run: | | ||
echo "name=$(echo ${IMAGE} | awk -F'/' '{print $NF}' | sed 's/:/-/g')" >> $GITHUB_OUTPUT | ||
|
||
- name: Upload scan results | ||
uses: actions/upload-artifact@v4 | ||
with: | ||
name: security-${{ steps.artifact-name.outputs.name }} | ||
if-no-files-found: error | ||
path: | | ||
sbom.json | ||
${{ steps.scan.outputs.json }} |
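Review bot: The "Install Syft" step pipes an unpinned script fetched from the `main` branch of anchore/syft into `sh` and installs whatever the latest release happens to be, while `anchore/scan-action` two steps later is pinned to a commit SHA; the tool that produces the SBOM being scanned deserves at least the same treatment, since a compromised or simply changed release would silently alter every SBOM this workflow emits. The install script accepts a release tag as a trailing argument (`sh -s -- -b /usr/local/bin <release-tag>`), or the step can use `anchore/sbom-action/download-syft` pinned by SHA; either way, `syft version` should then be checked against the expected tag rather than just printed. Two smaller points in the same hunk: the `images` input is described as "a comma-separated list" but the example and `fromJson(...)` in the matrix require a JSON array, so the description should say so; and `echo "matrix=$IMAGES" >> $GITHUB_OUTPUT` produces a malformed output if a caller passes a pretty-printed, multi-line array, so either use the `matrix<<EOF` heredoc form for the output or document that the input must be minified JSON (commit 82ed6b7 "Minify JSON" suggests the latter is already the intent). Finally, `fail-build: false` means findings never fail the job, which matches the proof-of-concept goal stated in the discussion but should be recorded in a comment so it is not mistaken for an enforced gate.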
IMO we should centralise this configuration in ublue-os/main or somewhere before implementing scanning in other repos. There's nothing bluefin-specific in here, so no need to copy & paste it.
I think we can start here as a proof of concept.
We could then move it to its own repo and have it be a callable action if we genericize it enough.
Yeah, I plan to add things like uploading the SARIF files to GitHub, uploading SBOMs to R2, etc. But that all comes later. Right now, I just want to build the files and push them to job artifacts in only this repo.
None of this will be specific to ublue and/or bluefin.