Run Trivy & DockerScout on main & release branches (#5818)

pdabelf5 · web-flow · commit 5b1978c6a0cb · 2024-06-24T09:55:05.000+01:00
diff --git a/.github/workflows/build-plus.yml b/.github/workflows/build-plus.yml
@@ -49,7 +49,6 @@ jobs:
   build:
     permissions:
       contents: read # for docker/build-push-action to read repo content
-      security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
       id-token: write # for OIDC login to AWS
       pull-requests: write # for scout report
     runs-on: ubuntu-22.04
diff --git a/.github/workflows/image-promotion.yml b/.github/workflows/image-promotion.yml
@@ -5,6 +5,8 @@ name: Image Promotion
 # - tag edge for main workflows
 # - tag release branch name for release branch workflows
 # - release edge images & helm charts for edge
+# - run Trivy & dockerscout scans for main & release branch images
+#   & upload results to Github security & Github Artifacts
 
 on:
   push:
@@ -338,3 +340,273 @@ jobs:
           image: quay.io/nginx/nginx-ingress:edge-ubi
           project_id: ${{ secrets.CERTIFICATION_PROJECT_ID }}
           pyxis_token: ${{ secrets.PYXIS_API_TOKEN }}
+
+  scan-docker-oss:
+    name: Scan Docker OSS
+    runs-on: ubuntu-22.04
+    needs: [checks]
+    permissions:
+      contents: read
+      id-token: write
+      security-events: write
+    if: ${{ !cancelled() && !failure() }}
+    strategy:
+      fail-fast: false
+      matrix: ${{ fromJSON( needs.checks.outputs.image_matrix_oss ) }}
+    steps:
+      - name: Checkout Repository
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+
+      - name: Make directory for security scan results
+        id: directory
+        run: |
+          directory=${{ matrix.image }}-${{ matrix.target }}-results
+          echo "directory=${directory}" >> $GITHUB_OUTPUT
+          mkdir -p "${directory}"
+
+      - name: Docker meta
+        id: meta
+        uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81 # v5.5.1
+        with:
+          context: workflow
+          images: |
+            name=gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic/nginx-ingress
+          flavor: |
+            suffix=${{ contains(matrix.image, 'ubi') && '-ubi' || '' }}${{ contains(matrix.image, 'alpine') && '-alpine' || '' }}
+          tags: |
+            type=raw,value=${{ github.ref_name == github.event.repository.default_branch && 'edge' || github.ref_name }}
+
+      - name: Authenticate to Google Cloud
+        id: auth
+        uses: google-github-actions/auth@71fee32a0bb7e97b4d33d548e7d957010649d8fa # v2.1.3
+        with:
+          token_format: access_token
+          workload_identity_provider: ${{ secrets.GCR_WORKLOAD_IDENTITY }}
+          service_account: ${{ secrets.GCR_SERVICE_ACCOUNT }}
+
+      - name: Login to GCR
+        uses: docker/login-action@0d4c9c5ea7693da7b068278f7b52bda2a190a446 # v3.2.0
+        with:
+          registry: gcr.io
+          username: oauth2accesstoken
+          password: ${{ steps.auth.outputs.access_token }}
+
+      - name: Run Trivy vulnerability scanner
+        uses: aquasecurity/trivy-action@7c2007bcb556501da015201bcba5aa14069b74e2 # 0.23.0
+        continue-on-error: true
+        with:
+          image-ref: ${{ steps.meta.outputs.tags }}
+          format: "sarif"
+          output: "${{ steps.directory.outputs.directory }}/trivy.sarif"
+          ignore-unfixed: "true"
+
+      - name: DockerHub Login for Docker Scount
+        uses: docker/login-action@0d4c9c5ea7693da7b068278f7b52bda2a190a446 # v3.2.0
+        with:
+          username: ${{ secrets.DOCKER_USERNAME }}
+          password: ${{ secrets.DOCKER_PASSWORD }}
+
+      - name: Run Docker Scout vulnerability scanner
+        id: docker-scout
+        uses: docker/scout-action@fc749439af4870e8f6feb592250ab728600d10a6 # v1.10.0
+        with:
+          command: cves,recommendations
+          image: ${{ steps.meta.outputs.tags }}
+          ignore-base: true
+          only-fixed: true
+          sarif-file: "${{ steps.directory.outputs.directory }}/scout.sarif"
+          write-comment: false
+          github-token: ${{ secrets.GITHUB_TOKEN }} # to be able to write the comment
+          summary: true
+
+      - name: Upload Scan Results to Github Artifacts
+        uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
+        with:
+          name: "${{ github.ref_name }}-${{ steps.directory.outputs.directory }}"
+          path: "${{ steps.directory.outputs.directory }}/"
+          overwrite: true
+
+      - name: Upload Scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@3ab4101902695724f9365a384f86c1074d94e18c # v3.24.7
+        with:
+          sarif_file: "${{ steps.directory.outputs.directory }}/"
+
+  scan-docker-plus:
+    name: Scan Docker Plus
+    runs-on: ubuntu-22.04
+    needs: [checks]
+    permissions:
+      contents: read
+      id-token: write
+      security-events: write
+    if: ${{ !cancelled() && !failure() }}
+    strategy:
+      fail-fast: false
+      matrix: ${{ fromJSON( needs.checks.outputs.image_matrix_plus ) }}
+    steps:
+      - name: Checkout Repository
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+
+      - name: Make directory for security scan results
+        id: directory
+        run: |
+          directory=${{ matrix.image }}-${{ matrix.target }}-results
+          echo "directory=${directory}" >> $GITHUB_OUTPUT
+          mkdir -p "${directory}"
+
+      - name: Docker meta
+        id: meta
+        uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81 # v5.5.1
+        with:
+          context: workflow
+          images: |
+            name=gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic/nginx-plus-ingress
+          flavor: |
+            suffix=${{ contains(matrix.image, 'ubi') && '-ubi' || '' }}${{ contains(matrix.image, 'alpine') && '-alpine' || '' }}${{ contains(matrix.target, 'aws') && '-mktpl' || '' }}${{ contains(matrix.image, 'fips') && '-fips' || ''}}
+          tags: |
+            type=raw,value=${{ github.ref_name == github.event.repository.default_branch && 'edge' || github.ref_name }}
+
+      - name: Authenticate to Google Cloud
+        id: auth
+        uses: google-github-actions/auth@71fee32a0bb7e97b4d33d548e7d957010649d8fa # v2.1.3
+        with:
+          token_format: access_token
+          workload_identity_provider: ${{ secrets.GCR_WORKLOAD_IDENTITY }}
+          service_account: ${{ secrets.GCR_SERVICE_ACCOUNT }}
+
+      - name: Login to GCR
+        uses: docker/login-action@0d4c9c5ea7693da7b068278f7b52bda2a190a446 # v3.2.0
+        with:
+          registry: gcr.io
+          username: oauth2accesstoken
+          password: ${{ steps.auth.outputs.access_token }}
+
+      - name: Run Trivy vulnerability scanner
+        uses: aquasecurity/trivy-action@7c2007bcb556501da015201bcba5aa14069b74e2 # 0.23.0
+        continue-on-error: true
+        with:
+          image-ref: ${{ steps.meta.outputs.tags }}
+          format: "sarif"
+          output: "${{ steps.directory.outputs.directory }}/trivy.sarif"
+          ignore-unfixed: "true"
+
+      - name: DockerHub Login for Docker Scount
+        uses: docker/login-action@0d4c9c5ea7693da7b068278f7b52bda2a190a446 # v3.2.0
+        with:
+          username: ${{ secrets.DOCKER_USERNAME }}
+          password: ${{ secrets.DOCKER_PASSWORD }}
+
+      - name: Run Docker Scout vulnerability scanner
+        id: docker-scout
+        uses: docker/scout-action@fc749439af4870e8f6feb592250ab728600d10a6 # v1.10.0
+        with:
+          command: cves,recommendations
+          image: ${{ steps.meta.outputs.tags }}
+          ignore-base: true
+          only-fixed: true
+          sarif-file: "${{ steps.directory.outputs.directory }}/scout.sarif"
+          write-comment: false
+          github-token: ${{ secrets.GITHUB_TOKEN }} # to be able to write the comment
+          summary: true
+
+      - name: Upload Scan Results to Github Artifacts
+        uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
+        with:
+          name: "${{ github.ref_name }}-${{ steps.directory.outputs.directory }}"
+          path: "${{ steps.directory.outputs.directory }}/"
+          overwrite: true
+
+      - name: Upload Scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@3ab4101902695724f9365a384f86c1074d94e18c # v3.24.7
+        with:
+          sarif_file: "${{ steps.directory.outputs.directory }}/"
+
+  scan-docker-nap:
+    name: Scan Docker Plus + NAP WAF/DOS
+    runs-on: ubuntu-22.04
+    needs: [checks]
+    permissions:
+      contents: read
+      id-token: write
+      security-events: write
+    if: ${{ !cancelled() && !failure() }}
+    strategy:
+      fail-fast: false
+      matrix: ${{ fromJSON( needs.checks.outputs.image_matrix_nap ) }}
+    steps:
+      - name: Checkout Repository
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+
+      - name: Make directory for security scan results
+        id: directory
+        run: |
+          directory=${{ matrix.image }}-${{ matrix.target }}-results
+          echo "directory=${directory}" >> $GITHUB_OUTPUT
+          mkdir -p "${directory}"
+
+      - name: Docker meta
+        id: meta
+        uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81 # v5.5.1
+        with:
+          context: workflow
+          images: |
+            name=gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic${{ contains(matrix.nap_modules, 'dos') && '-dos' || '' }}${{ contains(matrix.nap_modules, 'waf') && '-nap' || '' }}${{ contains(matrix.image, 'v5') && '-v5' || '' }}/nginx-plus-ingress
+          flavor: |
+            suffix=${{ contains(matrix.image, 'ubi') && '-ubi' || '' }}${{ contains(matrix.image, 'alpine') && '-alpine' || '' }}${{ contains(matrix.target, 'aws') && '-mktpl' || '' }}${{ contains(matrix.image, 'fips') && '-fips' || ''}}
+          tags: |
+            type=raw,value=${{ github.ref_name == github.event.repository.default_branch && 'edge' || github.ref_name }}
+
+      - name: Authenticate to Google Cloud
+        id: auth
+        uses: google-github-actions/auth@71fee32a0bb7e97b4d33d548e7d957010649d8fa # v2.1.3
+        with:
+          token_format: access_token
+          workload_identity_provider: ${{ secrets.GCR_WORKLOAD_IDENTITY }}
+          service_account: ${{ secrets.GCR_SERVICE_ACCOUNT }}
+
+      - name: Login to GCR
+        uses: docker/login-action@0d4c9c5ea7693da7b068278f7b52bda2a190a446 # v3.2.0
+        with:
+          registry: gcr.io
+          username: oauth2accesstoken
+          password: ${{ steps.auth.outputs.access_token }}
+
+      - name: Run Trivy vulnerability scanner
+        uses: aquasecurity/trivy-action@7c2007bcb556501da015201bcba5aa14069b74e2 # 0.23.0
+        continue-on-error: true
+        with:
+          image-ref: ${{ steps.meta.outputs.tags }}
+          format: "sarif"
+          output: "${{ steps.directory.outputs.directory }}/trivy.sarif"
+          ignore-unfixed: "true"
+
+      - name: DockerHub Login for Docker Scount
+        uses: docker/login-action@0d4c9c5ea7693da7b068278f7b52bda2a190a446 # v3.2.0
+        with:
+          username: ${{ secrets.DOCKER_USERNAME }}
+          password: ${{ secrets.DOCKER_PASSWORD }}
+
+      - name: Run Docker Scout vulnerability scanner
+        id: docker-scout
+        uses: docker/scout-action@fc749439af4870e8f6feb592250ab728600d10a6 # v1.10.0
+        with:
+          command: cves,recommendations
+          image: ${{ steps.meta.outputs.tags }}
+          ignore-base: true
+          only-fixed: true
+          sarif-file: "${{ steps.directory.outputs.directory }}/scout.sarif"
+          write-comment: false
+          github-token: ${{ secrets.GITHUB_TOKEN }} # to be able to write the comment
+          summary: true
+
+      - name: Upload Scan Results to Github Artifacts
+        uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
+        with:
+          name: "${{ github.ref_name }}-${{ steps.directory.outputs.directory }}"
+          path: "${{ steps.directory.outputs.directory }}/"
+          overwrite: true
+
+      - name: Upload Scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@3ab4101902695724f9365a384f86c1074d94e18c # v3.24.7
+        with:
+          sarif_file: "${{ steps.directory.outputs.directory }}/"
