From f6b305fddfbcc2e5f1bfaf3ed1e3256c845c9996 Mon Sep 17 00:00:00 2001 From: Gustavo Valverde Date: Wed, 18 Sep 2024 09:11:19 +0100 Subject: [PATCH 1/2] feat(ci): add Docker Scout vulnerabilities scanning --- .github/workflows/sub-build-docker-image.yml | 33 +++++++++++++++++++- 1 file changed, 32 insertions(+), 1 deletion(-) diff --git a/.github/workflows/sub-build-docker-image.yml b/.github/workflows/sub-build-docker-image.yml index 83af03ad6e1..483448d40b6 100644 --- a/.github/workflows/sub-build-docker-image.yml +++ b/.github/workflows/sub-build-docker-image.yml @@ -4,6 +4,7 @@ # - Uses Docker Buildx for improved build performance and caching. # - Builds the Docker image and pushes it to both Google Artifact Registry and potentially DockerHub, depending on release type. # - Manages caching strategies to optimize build times across different branches. +# - Uses Docker Scout to display vulnerabilities and recommendations for the latest built image. name: Build docker image on: @@ -75,6 +76,7 @@ jobs: permissions: contents: 'read' id-token: 'write' + pull-requests: write # for `docker-scout` to be able to write the comment env: DOCKER_BUILD_SUMMARY: ${{ vars.DOCKER_BUILD_SUMMARY }} steps: @@ -150,7 +152,7 @@ jobs: # Setup Docker Buildx to use Docker Build Cloud - name: Set up Docker Buildx id: buildx - uses: docker/setup-buildx-action@v3 + uses: docker/setup-buildx-action@v3.6.1 with: version: "lab:latest" driver: cloud 
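Review bot: In the `@@ -75,6 +76,7 @@` hunk, `pull-requests: write` is the only unquoted value in the `permissions` block, whose sibling values are single-quoted (`contents: 'read'`, `id-token: 'write'`); for consistency write `pull-requests: 'write'  # for docker-scout to comment on the PR`. Permissions are job-scoped, so the grant reaches every step of this job, not only the Docker Scout step whose `if:` limits it to a narrow set of runs; stating that in the comment would keep a later reader from expecting a narrower scope. The enclosing job definition starts before this hunk.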
@@ -179,3 +181,32 @@ jobs:
 # Don't read from the cache if the caller disabled it.
 # https://docs.docker.com/engine/reference/commandline/buildx_build/#options
 no-cache: ${{ inputs.no_cache }}
+
+ # For the latest built image, display:
+ # - the vulnerabilities (ignoring the base image, and only displaying vulnerabilities with a critical or high security severity)
+ # - the available recommendations
+ # - compare it to the latest image indexed in Docker Hub (only displaying changed packages and vulnerabilities that already have a fix)
+ #
+ # Record the image to Scout environment based on the event type, for example:
+ # - `prod` for a release event
+ # - `stage` for a push event to the main branch
+ # - `dev` for a pull request event
+ - name: Docker Scout
+ id: docker-scout
+ uses: docker/scout-action@v1.13.0
+ # We only run Docker Scout on the `runtime` target, as the other targets are not meant to be released
+ # and are commonly used for testing, and thus are ephemeral.
+ # TODO: Remove the `contains` check once we have a better way to determine if just new vulnerabilities are present.
+ # See: https://github.com/docker/scout-action/issues/56
+ if: ${{ inputs.dockerfile_target == 'runtime' && contains(github.event.pull_request.title, 'Release v') }}
+ with:
+ command: cves,recommendations,compare
+ image: us-docker.pkg.dev/${{ vars.GCP_PROJECT }}/zebra/${{ inputs.image_name }}:${{ steps.meta.outputs.version }}
+ to: zfnd/zebra:latest
+ ignore-base: true
+ ignore-unchanged: true
+ only-fixed: true
+ only-severities: critical,high
+ environment: ${{ (github.event_name == 'release' && !github.event.release.prerelease && 'prod') || (github.event_name == 'push' && github.ref_name == 'main' && 'stage') || (github.event_name == 'pull_request' && 'dev') }}
+ organization: zfnd
+ github-token: ${{ secrets.GITHUB_TOKEN }} # to be able to write the comment
From 521c25a6eb7d9abbd1a770019a9188cba4fdfd23 Mon Sep 17 00:00:00 2001
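Review bot: The `prod` and `stage` arms of the `environment:` expression look unreachable under the step's own `if:`: `contains(github.event.pull_request.title, 'Release v')` reads a `pull_request` payload field, and on `release` and `push` events that property is absent, so the condition is false and the step never runs there; only `dev` can be recorded, which contradicts the comment above the step and also applies to the `environment` command added in the PATCH 2/2 hunk. If recording on releases and main pushes is intended while the TODO about the `contains` check stands, widen the guard to something like `if: ${{ inputs.dockerfile_target == 'runtime' && (github.event_name != 'pull_request' || contains(github.event.pull_request.title, 'Release v')) }}`; otherwise drop the two dead arms so the expression matches what actually runs. Separately, `docker/scout-action@v1.13.0` is pinned to a mutable tag; pinning third-party actions to the tag's full commit SHA, with the version kept in a trailing comment, makes the dependency immutable and is the usual supply-chain hardening for workflows. The enclosing `steps:` list starts before this hunk.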
From: Gustavo Valverde
Date: Tue, 24 Sep 2024 07:33:32 +0100
Subject: [PATCH 2/2] fix(scout): add missing `environment` command
Co-authored-by: Marek
---
 .github/workflows/sub-build-docker-image.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/sub-build-docker-image.yml b/.github/workflows/sub-build-docker-image.yml
index 483448d40b6..78b34199c1b 100644
--- a/.github/workflows/sub-build-docker-image.yml
+++ b/.github/workflows/sub-build-docker-image.yml
@@ -200,7 +200,7 @@ jobs:
 # See: https://github.com/docker/scout-action/issues/56
 if: ${{ inputs.dockerfile_target == 'runtime' && contains(github.event.pull_request.title, 'Release v') }}
 with:
- command: cves,recommendations,compare
+ command: cves,recommendations,compare,environment
 image: us-docker.pkg.dev/${{ vars.GCP_PROJECT }}/zebra/${{ inputs.image_name }}:${{ steps.meta.outputs.version }}
 to: zfnd/zebra:latest
 ignore-base: true