feat: embed docker scanning into argus builder action

.github/actions/argus-builder/docker-build/action.yml

@@ -36,6 +36,10 @@ inputs:
     description: "Whether to clean the repository before checking out"
     required: false
     default: false
+  fail_on_vulnerabilities:
+    description: 'whether to fail the action if vulnerabilities are found'
+    required: false
+    default: "true"
 
 outputs:
   image_uri:
@@ -86,13 +90,14 @@ runs:
           core.setOutput('ECR_REPO_NAME', ECR_REPO_NAME);
           core.setOutput('IMAGE_URI', IMAGE_URI);
     - name: Create ECR repo if necessary
+      id: create_ecr_repo
       uses: int128/create-ecr-repository-action@v1
       with:
         repository: ${{ steps.ecr_metadata.outputs.ECR_REPO_NAME }}
         lifecycle-policy: core-platform-settings/ecr/lifecycle-policy.json
         repository-policy: core-platform-settings/ecr/repository-policy.json
     - name: Build And Push
-      uses: chanzuckerberg/github-actions/.github/actions/docker-build-push@74d720a183006c0fe0a82f52475befed7d992888
+      uses: chanzuckerberg/github-actions/.github/actions/docker-build-push@CCIE-3099-embed-docker-scanning-into-argus-builder-gh-actions-2
       with:
         dockerfile: ${{ github.event.repository.name }}/${{ inputs.dockerfile }}
         context: ${{ github.event.repository.name }}/${{ inputs.context }}
@@ -104,11 +109,42 @@ runs:
           IMAGE_TAG=${{ inputs.image_tag }}
           ${{ inputs.build_args }}
         secret-files: ${{ inputs.secret_files }}
+        load: true
+
+    - name: Scan for vulnerabilities
+      uses: chanzuckerberg/github-actions/.github/actions/container-scanning@CCIE-3099-embed-docker-scanning-into-argus-builder-gh-actions-2
+      id: scan
+      with:
+        image_uri: ${{ steps.create_ecr_repo.outputs.repository-uri }}:${{ inputs.image_tag }}
+        fail_on_vulnerabilities: ${{ inputs.fail_on_vulnerabilities }}
 
-    # TODO: scan image for vulnerabilities
-    # - name: Scan for vulnerabilities
-    #   uses: chanzuckerberg/github-actions/.github/actions/argus-builder/scan-for-vulnerabilities@main
-    #   with:
-    #     image_uri: ${{ steps.ecr_metadata.outputs.ECR_REGISTRY }}/${{ steps.ecr_metadata.outputs.ECR_REPO_NAME }}:${{ inputs.image_tag }}
-    #     github_app_id: ${{ inputs.github_app_id }}
-    #     github_private_key: ${{ inputs.github_private_key }}
+    - name: Notify on skipped vulnerabilities
+      uses: actions/github-script@v7
+      if: inputs.fail_on_vulnerabilities != 'true' && steps.scan.outputs.vulnerability_threshold_exceeded == 1
+      with:
+        script: |
+          let issueNumber;
+          if (context.issue.number) {
+            // use issue number from context if present
+            issueNumber = context.issue.number;
+          } else {
+            // Otherwise use issue number from commit
+            issueNumber = (
+              await github.rest.repos.listPullRequestsAssociatedWithCommit({
+                commit_sha: context.sha,
+                owner: context.repo.owner,
+                repo: context.repo.repo,
+              })
+            ).data[0].number;
+          }
+          const body = `
+          :rotating_light: **Vulnerabilities found in image**: ${{ steps.ecr_metadata.outputs.IMAGE_URI }} :rotating_light:
+          Please review the vulnerabilities found in the image and take appropriate action:
+          ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}
+          `;
+          await github.rest.issues.createComment({
+            issue_number: issueNumber,
+            owner: context.repo.owner,
+            repo: context.repo.repo,
+            body,
+          });

.github/actions/container-scanning/action.yml

@@ -28,6 +28,13 @@ inputs:
     description: 'whether to fail the action if vulnerabilities are found'
     required: false
     default: "true"
+outputs:
+  vulnerability_threshold_exceeded:
+    description: '1 if the vulnerability threshold was exceeded, 0 otherwise'
+    value: ${{ steps.inspector.outputs.vulnerability_threshold_exceeded }}
+  inspector_scan_results_markdown:
+    description: 'path to the markdown file containing the Inspector scan results'
+    value: ${{ steps.inspector.outputs.inspector_scan_results_markdown }}
 runs:
   using: "composite"
   steps:
@@ -38,7 +45,7 @@ runs:
         role-duration-seconds: 1800
         role-session-name: github-actions-inspector
     - name: Scan built image with Inspector
-      uses: aws-actions/[email protected].0
+      uses: aws-actions/[email protected].2
       id: inspector
       with:
         artifact_type: 'container'
@@ -55,4 +62,4 @@ runs:
     - name: Fail job if vulnerability threshold is exceeded
       if: contains(inputs.fail_on_vulnerabilities, 'true')
       shell: bash
-      run: exit ${{ steps.inspector.outputs.vulnerability_threshold_exceeded }}
+      run: exit ${{ steps.inspector.outputs.vulnerability_threshold_exceeded }}

.github/actions/docker-build-push/action.yml

@@ -29,6 +29,10 @@ inputs:
   platforms:
     description: "A list of target platforms for build (comma delimited)"
     required: false
+  load:
+    description: "Load the image into the Docker daemon"
+    required: false
+    default: 'false'
 outputs:
   tags:
     description: "The tags we built and pushed"
@@ -90,6 +94,7 @@ runs:
         file: ${{ inputs.dockerfile }}
         context: ${{ inputs.context }}
         push: true
+        load: ${{ inputs.load }}
         tags: ${{ steps.meta.outputs.tags }}
         labels: ${{ steps.meta.outputs.labels }}
         cache-from: ${{ steps.cache-from.outputs.cacheFrom }}

.github/workflows/argus-docker-build.yaml

@@ -44,6 +44,11 @@
         required: false
         type: boolean
         default: false
+      fail_on_vulnerabilities:
+        description: 'whether to fail the action if vulnerabilities are found'
+        required: false
+        type: boolean
+        default: true
 
 jobs:
   prep:
@@ -191,14 +196,14 @@
   build-docker:
     name: Build Docker Image
     needs: [prep]
-    runs-on: 
-      - self-hosted
-      - Linux
-      - ${{ matrix.image.platform == 'linux/amd64' && 'X64' || 'ARM64' }}
+    runs-on:
+      - ${{ matrix.image.platform == 'linux/amd64' && 'X64' || 'ARM64-dev' }}
     if: needs.prep.outputs.should_build == 'true' && needs.prep.outputs.images != '[]'
     permissions:
       id-token: write
       contents: read
+      pull-requests: write
+      issues: write
     strategy:
       fail-fast: false
       matrix:
@@ -211,7 +216,7 @@
         with:
           script: |
             core.info(`Image to build: ${{ toJson(matrix.image) }}`);
-      - uses: chanzuckerberg/github-actions/.github/actions/argus-builder/docker-build@v3.4.1
+      - uses: chanzuckerberg/github-actions/.github/actions/argus-builder/docker-build@CCIE-3099-embed-docker-scanning-into-argus-builder-gh-actions-2
         if: matrix.image.should_build == true
         with:
           image_name: ${{ matrix.image.name }}
@@ -223,6 +228,7 @@
           image_tag: ${{ needs.prep.outputs.image_tag }}
           github_app_id: ${{ secrets.GH_ACTIONS_HELPER_APP_ID }}
           github_private_key: ${{ secrets.GH_ACTIONS_HELPER_PK }}
+          fail_on_vulnerabilities: ${{ inputs.fail_on_vulnerabilities }}
 
   update-manifests:
     name: Update ArgoCD manifests