[DPE-2707] Create trivy scanner (#11)

canonical · Nov 15, 2023 · f8eac83 · f8eac83
1 parent a82b52e
commit f8eac83
Show file tree

Hide file tree

Showing 4 changed files with 62 additions and 20 deletions.
diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
@@ -7,6 +7,10 @@ concurrency:
 on:
   pull_request:
   workflow_call:
+    outputs:
+      rock:
+        description: "The rock output of build process."
+        value: ${{ jobs.build.outputs.rock }}
 
 jobs:
   lint:
@@ -35,18 +39,17 @@ jobs:
           sudo snap install yq
           sudo snap install rockcraft --classic --edge
       - name: Build ROCK
+        id: build
         run: |
-          app_version=$(yq '.version' rockcraft.yaml)
-          version=$(yq '(.version|split("-"))[0]' rockcraft.yaml)
-          base=$(yq '(.base|split(":"))[1]' rockcraft.yaml)
-          risk=edge
-          tag=${version}-${base}_${risk}
-
-          sed -i "s/${app_version}/${tag}/g" rockcraft.yaml
           rockcraft pack --verbose
 
+          VERSION=$(yq '.version' rockcraft.yaml)
+          echo "rock=charmed-kafka_${VERSION}_amd64.rock" >> $GITHUB_OUTPUT
+
       - name: Upload locally built ROCK artifact
         uses: actions/upload-artifact@v3
         with:
           name: charmed-kafka
-          path: "charmed-kafka_*.rock"
+          path: ${{ steps.build.outputs.rock }}
+    outputs:
+      rock: ${{ steps.build.outputs.rock }}
diff --git a/.github/workflows/publish.yaml b/.github/workflows/publish.yaml
@@ -16,12 +16,6 @@ jobs:
     steps:
       - name: Checkout repository
         uses: actions/checkout@v3
-      - name: Setup Docker
-        run: |
-          sudo snap install docker
-          sudo addgroup --system docker; sudo adduser $USER docker
-          newgrp docker
-          sudo snap disable docker; sudo snap enable docker
       - name: Install skopeo
         run: |
           sudo snap install --devmode --channel edge skopeo
@@ -39,20 +33,21 @@ jobs:
           password: ${{ secrets.GHCR_TOKEN }}
       - name: Import and push to GHCR
         run: |
-          app_version=$(yq '.version' rockcraft.yaml)
           version=$(yq '(.version|split("-"))[0]' rockcraft.yaml)
-          base=$(yq '(.base|split(":"))[1]' rockcraft.yaml)
+          base=$(yq '(.base|split("@"))[1]' rockcraft.yaml)
           risk=edge
           tag=${version}-${base}_${risk}
           channel=$(echo ${{ github.ref_name }} | cut -d "-" -f 1)
 
+          ROCK_FILE=${{ needs.build.outputs.rock }}
+
           sudo skopeo --insecure-policy copy \
-            oci-archive:charmed-kafka_${tag}_amd64.rock \
+            oci-archive:$ROCK_FILE \
             docker-daemon:ghcr.io/canonical/charmed-kafka:${tag}
 
           docker tag \
             ghcr.io/canonical/charmed-kafka:${tag} \
-            ghcr.io/canonical/charmed-kafka:${channel}-${risk}
+            ghcr.io/canonical/charmed-kafka:${channel}_${risk}
 
           docker push ghcr.io/canonical/charmed-kafka:${tag}
-          docker push ghcr.io/canonical/charmed-kafka:${channel}-${risk}
+          docker push ghcr.io/canonical/charmed-kafka:${channel}_${risk}
diff --git a/.github/workflows/trivy.yml b/.github/workflows/trivy.yml
@@ -0,0 +1,44 @@
+name: Trivy Security Scanner
+on:
+  push:
+    branches:
+      - 3-22.04
+  pull_request:
+jobs:
+  build:
+    uses: ./.github/workflows/build.yaml
+  scan:
+    name: Trivy scan
+    needs: build
+    runs-on: ubuntu-20.04
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v3
+      - name: Install skopeo
+        run: |
+          sudo snap install --devmode --channel edge skopeo
+      - name: Install yq
+        run: |
+          sudo snap install yq
+      - uses: actions/download-artifact@v3
+        with:
+          name: charmed-kafka
+      - name: Import locally
+        run: |
+          sudo skopeo --insecure-policy copy \
+            oci-archive:${{ needs.build.outputs.rock }} \
+            docker-daemon:trivy/charmed-kafka:test
+
+      - name: Run Trivy vulnerability scanner
+        uses: aquasecurity/trivy-action@master
+        with:
+          image-ref: 'trivy/charmed-kafka:test'
+          format: 'sarif'
+          output: 'trivy-results.sarif'
+          severity: 'MEDIUM,HIGH,CRITICAL'
+
+      - name: Upload Trivy scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@v2
+        if: always()
+        with:
+          sarif_file: 'trivy-results.sarif'
diff --git a/rockcraft.yaml b/rockcraft.yaml
@@ -2,7 +2,7 @@
 # See LICENSE file for licensing details.
 ---
 name: charmed-kafka  # the name of your ROCK
-base: ubuntu:22.04  # the base environment for this ROCK
+base: ubuntu@22.04  # the base environment for this ROCK
 version: '3.5.1'  # just for humans. Semantic versioning is recommended
 summary: Charmed Kafka ROCK OCI  # 79 char long summary
 description: |