From 6ab3c16fceb890f79cfe5851af16b6874a4a8316 Mon Sep 17 00:00:00 2001 From: Robert Waffen Date: Fri, 30 Aug 2024 12:41:32 +0200 Subject: [PATCH 1/2] fix: update ci and add grype for testing Signed-off-by: Robert Waffen --- .github/workflows/ci.yaml | 31 --------------- .github/workflows/container_scanning.yml | 50 ++++++++++++++++++++++++ Dockerfile | 2 +- 3 files changed, 51 insertions(+), 32 deletions(-) create mode 100644 .github/workflows/container_scanning.yml diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index 311807e..917a18f 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -42,37 +42,6 @@ jobs: build-args: | BASE_IMAGE=${{ matrix.base_image }} - - name: Login to Docker Hub - uses: docker/login-action@v3 - with: - username: voxpupulibot - password: ${{ secrets.DOCKERHUB_BOT_PASSWORD }} - - - name: Analyze container image for CVEs - id: analyze-image-cves - uses: docker/scout-action@v1 - with: - command: cves - image: 'local://ci/test:${{ matrix.puppet_release }}' - sarif-file: sarif.output.${{ matrix.puppet_release }}.${{ github.sha }}.json - write-comment: false - - - name: Compare container image to latest from Registry - id: compare-image - uses: docker/scout-action@v1 - with: - command: compare - image: 'local://ci/test:${{ matrix.puppet_release }}' - to: 'ghcr.io/voxpupuli/test:${{ matrix.puppet_release }}-main' - summary: true - keep-previous-comments: true - - - name: Upload SARIF result - id: upload-sarif - uses: github/codeql-action/upload-sarif@v3 - with: - sarif_file: sarif.output.${{ matrix.puppet_release }}.${{ github.sha }}.json - tests: needs: - build_test_container diff --git a/.github/workflows/container_scanning.yml b/.github/workflows/container_scanning.yml new file mode 100644 index 0000000..edc3d2e --- /dev/null +++ b/.github/workflows/container_scanning.yml 
@@ -0,0 +1,50 @@
+---
+name: Security Scanning 🕵️
+
+on:
+ push:
+ branches:
+ - main
+ pull_request:
+ branches:
+ - main
+
+jobs:
+ setup-matrix:
+ runs-on: ubuntu-latest
+ outputs:
+ matrix: ${{ steps.set-matrix.outputs.matrix }}
+ steps:
+ - name: Source checkout
+ uses: actions/checkout@v4
+
+ - id: set-matrix
+ run: echo "matrix=$(jq -c . build_versions.json)" >> $GITHUB_OUTPUT
+
+ build_test_container:
+ name: 'Build test container'
+ runs-on: ubuntu-latest
+ permissions:
+ actions: read
+ contents: read
+ security-events: write
+ pull-requests: write
+ needs: setup-matrix
+ strategy:
+ matrix: ${{ fromJson(needs.setup-matrix.outputs.matrix) }}
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v4
+
+ - name: Build local container
+ uses: docker/build-push-action@v6
+ with:
+ tags: 'ci/test:${{ matrix.puppet_release }}'
+ push: false
+ build-args: |
+ BASE_IMAGE=${{ matrix.base_image }}
+
+ - name: Scan image with Anchore Grype
+ uses: anchore/scan-action@v3
+ with:
+ image: 'ci/test:${{ matrix.puppet_release }}'
diff --git a/Dockerfile b/Dockerfile
index 3b827a8..1728830 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,4 +1,4 @@
-ARG BASE_IMAGE=docker.io/ruby:3.2.5-alpine3.20
+ARG BASE_IMAGE=docker.io/ruby:2.7.8-alpine3.16
FROM $BASE_IMAGE From 1e451025a7813e5f986cdcd075707f8ffcc67df1 Mon Sep 17 00:00:00 2001 From: Robert Waffen Date: Fri, 30 Aug 2024 12:48:27 +0200 Subject: [PATCH 2/2] fix: do not fail on cve, upload sarif Signed-off-by: Robert Waffen --- .github/workflows/container_scanning.yml | 10 ++++++++++ 1 file changed, 10 insertions(+)
diff --git a/.github/workflows/container_scanning.yml b/.github/workflows/container_scanning.yml
index edc3d2e..6c7976a 100644
--- a/.github/workflows/container_scanning.yml
+++ b/.github/workflows/container_scanning.yml
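Review bot: The `permissions` block of `build_test_container` grants `pull-requests: write`, but no step in this job reads or writes a pull request — the scout `compare` step that posted PR comments is removed from ci.yaml in this same commit — so the job token carries a write scope it never uses; drop that line and keep `security-events: write` (needed once SARIF results are uploaded) as the only write grant. Every action here is referenced by a floating major tag (`actions/checkout@v4`, `docker/build-push-action@v6`, `anchore/scan-action@v3`), which means a moved or compromised tag silently changes what runs against the repository token; pin each to a full commit SHA with the tag kept as a trailing comment, e.g. `uses: anchore/scan-action@<commit-sha>  # v3`. Be aware that on `pull_request` runs from forks of a public repository the `GITHUB_TOKEN` is read-only regardless of the `permissions` block, so the `security-events: write` grant only takes effect for same-repo branches.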
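Review bot: The new default `ARG BASE_IMAGE=docker.io/ruby:2.7.8-alpine3.16` moves from `ruby:3.2.5-alpine3.20` to a Ruby line and an Alpine release that were both past end-of-life at the commit date, so any build that does not pass `BASE_IMAGE` explicitly now starts from a base that no longer receives security fixes. CI overrides it with `BASE_IMAGE=${{ matrix.base_image }}` from build_versions.json, so in practice this affects only local and ad-hoc builds, but the commit message gives no reason for the downgrade. If the intent is to have a known-vulnerable image that exercises the new Grype scan, say so beside the line, `# intentionally old base so the CVE scan has findings; CI overrides via --build-arg BASE_IMAGE=...`, and consider doing that through a matrix entry instead of the default; otherwise revert the default to `ruby:3.2.5-alpine3.20`.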
@@ -46,5 +46,15 @@ jobs:
- name: Scan image with Anchore Grype
uses: anchore/scan-action@v3
+ id: scan
with:
image: 'ci/test:${{ matrix.puppet_release }}'
+ fail-build: false
+
+ - name: Inspect action SARIF report
+ run: jq . ${{ steps.scan.outputs.sarif }}
+
+ - name: Upload Anchore scan SARIF report
+ uses: github/codeql-action/upload-sarif@v3
+ with:
+ sarif_file: ${{ steps.scan.outputs.sarif }}
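Review bot: The `Upload Anchore scan SARIF report` step sets no `category`, yet this job runs once per matrix entry and each run uploads a SARIF file for the same commit; unless Grype's SARIF already carries a distinct automation id per image, code scanning treats the uploads as one analysis and later ones can replace earlier results, so add `category: grype-${{ matrix.puppet_release }}` under `with:`. `fail-build: false` turns the scan into a purely advisory step, which is reasonable for a first rollout, but pair it with `severity-cutoff: critical` and `only-fixed: true` now so the job can later be flipped back to failing on actionable findings without a noise cleanup. The upload needs `security-events: write`, which the job grants, but on `pull_request` runs from forks the token is read-only and this step will fail the job; either guard it with `if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository` or accept red runs on fork PRs. The `Inspect action SARIF report` step dumps the full report into the job log and looks like leftover debugging; it is worth removing before merge. The enclosing `build_test_container` job begins outside this hunk.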