Run Trivy & DockerScout on main & release branches #5818
Merged
merged 18 commits into from
Jun 24, 2024
1 change: 0 additions & 1 deletion .github/workflows/build-plus.yml
Expand Up @@ -49,7 +49,6 @@ jobs:
build:
permissions:
contents: read # for docker/build-push-action to read repo content
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
id-token: write # for OIDC login to AWS
pull-requests: write # for scout report
runs-on: ubuntu-22.04
272 changes: 272 additions & 0 deletions .github/workflows/image-promotion.yml
Expand Up @@ -5,6 +5,8 @@ name: Image Promotion
# - tag edge for main workflows
# - tag release branch name for release branch workflows
# - release edge images & helm charts for edge
# - run Trivy & dockerscout scans for main & release branch images
# & upload results to Github security & Github Artifacts

on:
push:
Expand Down Expand Up @@ -338,3 +340,273 @@ jobs:
image: quay.io/nginx/nginx-ingress:edge-ubi
project_id: ${{ secrets.CERTIFICATION_PROJECT_ID }}
pyxis_token: ${{ secrets.PYXIS_API_TOKEN }}

scan-docker-oss:
name: Scan Docker OSS
runs-on: ubuntu-22.04
needs: [checks]
permissions:
contents: read
id-token: write
security-events: write
if: ${{ !cancelled() && !failure() }}
strategy:
fail-fast: false
matrix: ${{ fromJSON( needs.checks.outputs.image_matrix_oss ) }}
steps:
- name: Checkout Repository
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7

- name: Make directory for security scan results
id: directory
run: |
directory=${{ matrix.image }}-${{ matrix.target }}-results
echo "directory=${directory}" >> $GITHUB_OUTPUT
mkdir -p "${directory}"

- name: Docker meta
id: meta
uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81 # v5.5.1
with:
context: workflow
images: |
name=gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic/nginx-ingress
flavor: |
suffix=${{ contains(matrix.image, 'ubi') && '-ubi' || '' }}${{ contains(matrix.image, 'alpine') && '-alpine' || '' }}
tags: |
type=raw,value=${{ github.ref_name == github.event.repository.default_branch && 'edge' || github.ref_name }}

- name: Authenticate to Google Cloud
id: auth
uses: google-github-actions/auth@71fee32a0bb7e97b4d33d548e7d957010649d8fa # v2.1.3
with:
token_format: access_token
workload_identity_provider: ${{ secrets.GCR_WORKLOAD_IDENTITY }}
service_account: ${{ secrets.GCR_SERVICE_ACCOUNT }}

- name: Login to GCR
uses: docker/login-action@0d4c9c5ea7693da7b068278f7b52bda2a190a446 # v3.2.0
with:
registry: gcr.io
username: oauth2accesstoken
password: ${{ steps.auth.outputs.access_token }}

- name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@7c2007bcb556501da015201bcba5aa14069b74e2 # 0.23.0
continue-on-error: true
with:
image-ref: ${{ steps.meta.outputs.tags }}
format: "sarif"
output: "${{ steps.directory.outputs.directory }}/trivy.sarif"
ignore-unfixed: "true"

- name: DockerHub Login for Docker Scount
uses: docker/login-action@0d4c9c5ea7693da7b068278f7b52bda2a190a446 # v3.2.0
with:
username: ${{ secrets.DOCKER_USERNAME }}
password: ${{ secrets.DOCKER_PASSWORD }}

- name: Run Docker Scout vulnerability scanner
id: docker-scout
uses: docker/scout-action@fc749439af4870e8f6feb592250ab728600d10a6 # v1.10.0
with:
command: cves,recommendations
image: ${{ steps.meta.outputs.tags }}
ignore-base: true
only-fixed: true
sarif-file: "${{ steps.directory.outputs.directory }}/scout.sarif"
write-comment: false
github-token: ${{ secrets.GITHUB_TOKEN }} # to be able to write the comment
summary: true

- name: Upload Scan Results to Github Artifacts
uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
with:
name: "${{ github.ref_name }}-${{ steps.directory.outputs.directory }}"
path: "${{ steps.directory.outputs.directory }}/"
overwrite: true

- name: Upload Scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@3ab4101902695724f9365a384f86c1074d94e18c # v3.24.7
with:
sarif_file: "${{ steps.directory.outputs.directory }}/"

scan-docker-plus:
name: Scan Docker Plus
runs-on: ubuntu-22.04
needs: [checks]
permissions:
contents: read
id-token: write
security-events: write
if: ${{ !cancelled() && !failure() }}
strategy:
fail-fast: false
matrix: ${{ fromJSON( needs.checks.outputs.image_matrix_plus ) }}
steps:
- name: Checkout Repository
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7

- name: Make directory for security scan results
id: directory
run: |
directory=${{ matrix.image }}-${{ matrix.target }}-results
echo "directory=${directory}" >> $GITHUB_OUTPUT
mkdir -p "${directory}"

- name: Docker meta
id: meta
uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81 # v5.5.1
with:
context: workflow
images: |
name=gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic/nginx-plus-ingress
flavor: |
suffix=${{ contains(matrix.image, 'ubi') && '-ubi' || '' }}${{ contains(matrix.image, 'alpine') && '-alpine' || '' }}${{ contains(matrix.target, 'aws') && '-mktpl' || '' }}${{ contains(matrix.image, 'fips') && '-fips' || ''}}
tags: |
type=raw,value=${{ github.ref_name == github.event.repository.default_branch && 'edge' || github.ref_name }}

- name: Authenticate to Google Cloud
id: auth
uses: google-github-actions/auth@71fee32a0bb7e97b4d33d548e7d957010649d8fa # v2.1.3
with:
token_format: access_token
workload_identity_provider: ${{ secrets.GCR_WORKLOAD_IDENTITY }}
service_account: ${{ secrets.GCR_SERVICE_ACCOUNT }}

- name: Login to GCR
uses: docker/login-action@0d4c9c5ea7693da7b068278f7b52bda2a190a446 # v3.2.0
with:
registry: gcr.io
username: oauth2accesstoken
password: ${{ steps.auth.outputs.access_token }}

- name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@7c2007bcb556501da015201bcba5aa14069b74e2 # 0.23.0
continue-on-error: true
with:
image-ref: ${{ steps.meta.outputs.tags }}
format: "sarif"
output: "${{ steps.directory.outputs.directory }}/trivy.sarif"
ignore-unfixed: "true"

- name: DockerHub Login for Docker Scount
uses: docker/login-action@0d4c9c5ea7693da7b068278f7b52bda2a190a446 # v3.2.0
with:
username: ${{ secrets.DOCKER_USERNAME }}
password: ${{ secrets.DOCKER_PASSWORD }}

- name: Run Docker Scout vulnerability scanner
id: docker-scout
uses: docker/scout-action@fc749439af4870e8f6feb592250ab728600d10a6 # v1.10.0
with:
command: cves,recommendations
image: ${{ steps.meta.outputs.tags }}
ignore-base: true
only-fixed: true
sarif-file: "${{ steps.directory.outputs.directory }}/scout.sarif"
write-comment: false
github-token: ${{ secrets.GITHUB_TOKEN }} # to be able to write the comment
summary: true

- name: Upload Scan Results to Github Artifacts
uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
with:
name: "${{ github.ref_name }}-${{ steps.directory.outputs.directory }}"
path: "${{ steps.directory.outputs.directory }}/"
overwrite: true

- name: Upload Scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@3ab4101902695724f9365a384f86c1074d94e18c # v3.24.7
with:
sarif_file: "${{ steps.directory.outputs.directory }}/"

scan-docker-nap:
name: Scan Docker Plus + NAP WAF/DOS
runs-on: ubuntu-22.04
needs: [checks]
permissions:
contents: read
id-token: write
security-events: write
if: ${{ !cancelled() && !failure() }}
strategy:
fail-fast: false
matrix: ${{ fromJSON( needs.checks.outputs.image_matrix_nap ) }}
steps:
- name: Checkout Repository
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7

- name: Make directory for security scan results
id: directory
run: |
directory=${{ matrix.image }}-${{ matrix.target }}-results
echo "directory=${directory}" >> $GITHUB_OUTPUT
mkdir -p "${directory}"

- name: Docker meta
id: meta
uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81 # v5.5.1
with:
context: workflow
images: |
name=gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic${{ contains(matrix.nap_modules, 'dos') && '-dos' || '' }}${{ contains(matrix.nap_modules, 'waf') && '-nap' || '' }}${{ contains(matrix.image, 'v5') && '-v5' || '' }}/nginx-plus-ingress
flavor: |
suffix=${{ contains(matrix.image, 'ubi') && '-ubi' || '' }}${{ contains(matrix.image, 'alpine') && '-alpine' || '' }}${{ contains(matrix.target, 'aws') && '-mktpl' || '' }}${{ contains(matrix.image, 'fips') && '-fips' || ''}}
tags: |
type=raw,value=${{ github.ref_name == github.event.repository.default_branch && 'edge' || github.ref_name }}

- name: Authenticate to Google Cloud
id: auth
uses: google-github-actions/auth@71fee32a0bb7e97b4d33d548e7d957010649d8fa # v2.1.3
with:
token_format: access_token
workload_identity_provider: ${{ secrets.GCR_WORKLOAD_IDENTITY }}
service_account: ${{ secrets.GCR_SERVICE_ACCOUNT }}

- name: Login to GCR
uses: docker/login-action@0d4c9c5ea7693da7b068278f7b52bda2a190a446 # v3.2.0
with:
registry: gcr.io
username: oauth2accesstoken
password: ${{ steps.auth.outputs.access_token }}

- name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@7c2007bcb556501da015201bcba5aa14069b74e2 # 0.23.0
continue-on-error: true
with:
image-ref: ${{ steps.meta.outputs.tags }}
format: "sarif"
output: "${{ steps.directory.outputs.directory }}/trivy.sarif"
ignore-unfixed: "true"

- name: DockerHub Login for Docker Scount
uses: docker/login-action@0d4c9c5ea7693da7b068278f7b52bda2a190a446 # v3.2.0
with:
username: ${{ secrets.DOCKER_USERNAME }}
password: ${{ secrets.DOCKER_PASSWORD }}

- name: Run Docker Scout vulnerability scanner
id: docker-scout
uses: docker/scout-action@fc749439af4870e8f6feb592250ab728600d10a6 # v1.10.0
with:
command: cves,recommendations
image: ${{ steps.meta.outputs.tags }}
ignore-base: true
only-fixed: true
sarif-file: "${{ steps.directory.outputs.directory }}/scout.sarif"
write-comment: false
github-token: ${{ secrets.GITHUB_TOKEN }} # to be able to write the comment
summary: true

- name: Upload Scan Results to Github Artifacts
uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
with:
name: "${{ github.ref_name }}-${{ steps.directory.outputs.directory }}"
path: "${{ steps.directory.outputs.directory }}/"
overwrite: true

- name: Upload Scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@3ab4101902695724f9365a384f86c1074d94e18c # v3.24.7
with:
sarif_file: "${{ steps.directory.outputs.directory }}/"
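Review bot: The `Upload Scan results to GitHub Security tab` step at the end of each scan job passes no `category`, yet the job runs once per matrix entry and every entry uploads to the same commit and ref; code scanning distinguishes analyses by category, so uploads from different images of the same job are likely to supersede one another in the Security tab (verify against the upload-sarif docs), leaving only the last matrix entry's findings visible. Adding `category: "${{ matrix.image }}-${{ matrix.target }}"` to that step in scan-docker-oss, scan-docker-plus and scan-docker-nap keeps each image's Trivy and Scout results as separate analyses. Separately, `github-token: ${{ secrets.GITHUB_TOKEN }} # to be able to write the comment` contradicts `write-comment: false` on the line above and the job's permissions (no `pull-requests: write`), so the comment should state why the token is still passed, or the input should be dropped if the action does not need it. The step name `DockerHub Login for Docker Scount` is misspelled in all three jobs. The `Make directory for security scan results` step interpolates `${{ matrix.image }}` and `${{ matrix.target }}` straight into the shell; since the matrix is built from `needs.checks.outputs` defined outside this hunk, routing those values through `env:` and quoting `"$GITHUB_OUTPUT"` would keep the script safe should those outputs ever derive from event data.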