From 7650f800605719cde377140922963b35f29ffdd5 Mon Sep 17 00:00:00 2001 From: Andreas Bucksteeg Date: Sat, 9 Nov 2024 10:33:17 +0100 Subject: [PATCH 1/7] chore: update dependencies, authenticate docker hub --- .github/workflows/cve-scan.yaml | 48 +++++++++++++++++++++++++-------- 1 file changed, 37 insertions(+), 11 deletions(-) diff --git a/.github/workflows/cve-scan.yaml b/.github/workflows/cve-scan.yaml index 6611006dc79..1d2d211648c 100644 --- a/.github/workflows/cve-scan.yaml +++ b/.github/workflows/cve-scan.yaml @@ -1,5 +1,6 @@ name: Docker Image Scanners on: + workflow_dispatch: push: branches: - "master" 
@@ -9,30 +10,51 @@ on: branches: - "master" +permissions: + contents: read + security-events: write + jobs: scanners: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@v3 + uses: actions/checkout@v4 - name: Setup Env id: vars shell: bash run: | echo "SHA_SHORT=$(git rev-parse --short HEAD)" >> "${GITHUB_ENV}" + echo "IMAGE_NAME=oryd/hydra:$(git rev-parse --short HEAD)-sqlite" >> "${GITHUB_ENV}" - name: Set up QEMU - uses: docker/setup-qemu-action@v2 + uses: docker/setup-qemu-action@v3 - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v2 + uses: docker/setup-buildx-action@v3 - name: Build images shell: bash run: | IMAGE_TAG="${{ env.SHA_SHORT }}" make docker + + # Add GitHub authentication for Trivy + - name: Login to GitHub Container Registry + uses: docker/login-action@v3 + with: + registry: ghcr.io + username: ${{ github.actor }} + password: ${{ secrets.GITHUB_TOKEN }} + + # Configure Trivy + - name: Configure Trivy + run: | + mkdir -p $HOME/.cache/trivy + echo "TRIVY_USERNAME=${{ github.actor }}" >> $GITHUB_ENV + echo "TRIVY_PASSWORD=${{ secrets.GITHUB_TOKEN }}" >> $GITHUB_ENV + - name: Anchore Scanner - uses: anchore/scan-action@v3 + uses: anchore/scan-action@v5 id: grype-scan with: - image: oryd/hydra:${{ env.SHA_SHORT }}-sqlite + image: ${{ env.IMAGE_NAME }} fail-build: true severity-cutoff: high add-cpes-if-none: true @@ -45,14 +67,14 @@ jobs: echo "::endgroup::" - name: Anchore upload scan SARIF report if: always() - uses: github/codeql-action/upload-sarif@v2 + uses: github/codeql-action/upload-sarif@v3 with: sarif_file: ${{ steps.grype-scan.outputs.sarif }} - name: Kubescape scanner uses: kubescape/github-action@main id: kubescape with: - image: oryd/hydra:${{ env.SHA_SHORT }}-sqlite + image: ${{ env.IMAGE_NAME }} verbose: true format: pretty-printer # can't whitelist CVE yet: https://github.com/kubescape/kubescape/pull/1568 
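Review bot: The new `Configure Trivy` step appends `TRIVY_PASSWORD=${{ secrets.GITHUB_TOKEN }}` to `$GITHUB_ENV`, which puts the token into the process environment of every later step — the Anchore, Kubescape, Dockle and Hadolint actions that do not need it, two of which (`kubescape/github-action@main`, `aquasecurity/trivy-action@master` in the following hunks) track a mutable branch. Scope the credential to its one consumer instead: drop the two `echo … >> $GITHUB_ENV` lines and give the Trivy step `env:` with `TRIVY_USERNAME: ${{ github.actor }}` and `TRIVY_PASSWORD: ${{ secrets.GITHUB_TOKEN }}` (that step already gains an `env:` block in a later hunk of this patch). The added lines also write `$GITHUB_ENV` unquoted while the line just above uses `"${GITHUB_ENV}"`; keep one form. The commit subject says "authenticate docker hub", but the login step targets `registry: ghcr.io` and the comment says it is for Trivy (presumably its vulnerability DB pulls), so either the subject or the `# Add GitHub authentication for Trivy` comment should say which registry and why.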
@@ -61,18 +83,22 @@ jobs: uses: aquasecurity/trivy-action@master if: ${{ always() }} with: - image-ref: oryd/hydra:${{ env.SHA_SHORT }}-sqlite + image-ref: ${{ env.IMAGE_NAME }} format: "table" exit-code: "42" ignore-unfixed: true vuln-type: "os,library" severity: "CRITICAL,HIGH" - scanners: "vuln,secret,config" + scanners: "vuln,secret,misconfig" + env: + TRIVY_SKIP_JAVA_DB_UPDATE: "true" + TRIVY_DISABLE_VEX_NOTICE: "true" + - name: Dockle Linter - uses: erzz/dockle-action@v1.3.2 + uses: erzz/dockle-action@v1 if: ${{ always() }} with: - image: oryd/hydra:${{ env.SHA_SHORT }}-sqlite + image: ${{ env.IMAGE_NAME }} exit-code: 42 failure-threshold: high - name: Hadolint From dea16790d523594056fa8a2f710c1a5c502d8649 Mon Sep 17 00:00:00 2001 From: Andreas Bucksteeg Date: Sat, 9 Nov 2024 16:12:35 +0100 Subject: [PATCH 2/7] chore: removing the need to adjust the GHA per Opensource Repo --- .github/workflows/cve-scan.yaml | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/.github/workflows/cve-scan.yaml b/.github/workflows/cve-scan.yaml index 1d2d211648c..bbd83eeb456 100644 --- a/.github/workflows/cve-scan.yaml +++ b/.github/workflows/cve-scan.yaml @@ -25,7 +25,7 @@ jobs: shell: bash run: | echo "SHA_SHORT=$(git rev-parse --short HEAD)" >> "${GITHUB_ENV}" - echo "IMAGE_NAME=oryd/hydra:$(git rev-parse --short HEAD)-sqlite" >> "${GITHUB_ENV}" + echo "IMAGE_NAME=oryd/${{ github.event.repository.name }}:$(git rev-parse --short HEAD)" >> "${GITHUB_ENV}" - name: Set up QEMU uses: docker/setup-qemu-action@v3 - name: Set up Docker Buildx @@ -35,7 +35,6 @@ jobs: run: | IMAGE_TAG="${{ env.SHA_SHORT }}" make docker - # Add GitHub authentication for Trivy - name: Login to GitHub Container Registry uses: docker/login-action@v3 with: @@ -43,7 +42,6 @@ jobs: username: ${{ github.actor }} password: ${{ secrets.GITHUB_TOKEN }} - # Configure Trivy - name: Configure Trivy run: | mkdir -p $HOME/.cache/trivy 
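Review bot: The Dockle step in this hunk moves from the fixed tag `erzz/dockle-action@v1.3.2` to the floating major `@v1`, so any future push to that tag runs unreviewed in a job that now carries `GITHUB_TOKEN` in its environment (set by the `Configure Trivy` step earlier in this patch). Pin third-party scanners to a full commit SHA with the version in a trailing comment, e.g. `uses: erzz/dockle-action@<commit-sha>  # v1.3.2` (placeholder — take the SHA from the action's release), and the same applies to the pre-existing `kubescape/github-action@main` and `aquasecurity/trivy-action@master` context lines. `TRIVY_SKIP_JAVA_DB_UPDATE: "true"` is added without a comment; since the next commit turns this into a workflow shared across repositories, a repo whose image contains Java artifacts would scan them without the Java index, so a comment stating the assumption (`# images here carry no Java artifacts; skip the Java DB download`) would help — I cannot confirm the image contents from the diff. The Trivy step's `- name:` line is above the start of this hunk.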
From c671fb2d87044418ffeb77d20f0ed6c93adefb21 Mon Sep 17 00:00:00 2001 From: Andreas Bucksteeg Date: Sat, 9 Nov 2024 16:27:10 +0100 Subject: [PATCH 3/7] chore: debug --- .github/workflows/cve-scan.yaml | 16 ++++++++++++++-- 1 file changed, 14 insertions(+), 2 deletions(-) diff --git a/.github/workflows/cve-scan.yaml b/.github/workflows/cve-scan.yaml index bbd83eeb456..821f07ef319 100644 --- a/.github/workflows/cve-scan.yaml +++ b/.github/workflows/cve-scan.yaml @@ -24,8 +24,20 @@ jobs: id: vars shell: bash run: | - echo "SHA_SHORT=$(git rev-parse --short HEAD)" >> "${GITHUB_ENV}" - echo "IMAGE_NAME=oryd/${{ github.event.repository.name }}:$(git rev-parse --short HEAD)" >> "${GITHUB_ENV}" + # Store values in local variables + SHA_SHORT=$(git rev-parse --short HEAD) + REPO_NAME=${{ github.event.repository.name }} + IMAGE_NAME="oryd/${REPO_NAME}:${SHA_SHORT}" + + # Output values for debugging + echo "Values to be set:" + echo "SHA_SHORT: ${SHA_SHORT}" + echo "REPO_NAME: ${REPO_NAME}" + echo "IMAGE_NAME: ${IMAGE_NAME}" + + # Set GitHub Environment variables + echo "SHA_SHORT=${SHA_SHORT}" >> "${GITHUB_ENV}" + echo "IMAGE_NAME=${IMAGE_NAME}" >> "${GITHUB_ENV}" - name: Set up QEMU uses: docker/setup-qemu-action@v3 - name: Set up Docker Buildx From bfe5c90edf90b013641e45bcfd586b08329dd971 Mon Sep 17 00:00:00 2001 From: Andreas Bucksteeg Date: Sat, 9 Nov 2024 16:44:22 +0100 Subject: [PATCH 4/7] chore: add hydra special case for tag name --- .github/workflows/cve-scan.yaml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/.github/workflows/cve-scan.yaml b/.github/workflows/cve-scan.yaml index 821f07ef319..a82c5159fe0 100644 --- a/.github/workflows/cve-scan.yaml +++ b/.github/workflows/cve-scan.yaml 
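Review bot: `REPO_NAME=${{ github.event.repository.name }}` in this hunk expands a workflow expression directly into the shell script, unquoted; the recommended pattern is to pass it through the step's `env:` (`REPO_NAME: ${{ github.event.repository.name }}`) and read it in the script as `REPO_NAME="${REPO_NAME}"`, so the value is never parsed as shell syntax and the unquoted assignment cannot word-split. Repository names are limited to a safe character set, so the practical risk is low, but actionlint-style checks flag the pattern, and the previous commit's version of this line has the same shape. The image name hard-codes the `oryd/` namespace while the repository name comes from the event, which presumably assumes every consuming repository's `make docker` tags its image as `oryd/<repo>:${IMAGE_TAG}`; a comment above `IMAGE_NAME=` stating that contract would save the next adopter a failed run. The debug `echo` lines print only the SHA, repo and image name and no secrets, so they are safe to leave in the log.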
@@ -27,6 +27,12 @@ jobs: # Store values in local variables SHA_SHORT=$(git rev-parse --short HEAD) REPO_NAME=${{ github.event.repository.name }} + + # Append -sqlite to SHA_SHORT if repo is hydra + if [ "${REPO_NAME}" = "hydra" ]; then + SHA_SHORT="${SHA_SHORT}-sqlite" + fi + IMAGE_NAME="oryd/${REPO_NAME}:${SHA_SHORT}" # Output values for debugging From ccb7f434c2afee1081089764338a6f4bc6b59bad Mon Sep 17 00:00:00 2001 From: Andreas Bucksteeg Date: Sat, 9 Nov 2024 17:48:18 +0100 Subject: [PATCH 5/7] chore: add hydra special case for tag name --- .github/workflows/cve-scan.yaml | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/.github/workflows/cve-scan.yaml b/.github/workflows/cve-scan.yaml index a82c5159fe0..3b74e2cbf08 100644 --- a/.github/workflows/cve-scan.yaml +++ b/.github/workflows/cve-scan.yaml @@ -30,11 +30,13 @@ jobs: # Append -sqlite to SHA_SHORT if repo is hydra if [ "${REPO_NAME}" = "hydra" ]; then - SHA_SHORT="${SHA_SHORT}-sqlite" + echo "Repo is hydra, appending -sqlite to SHA_SHORT" + IMAGE_NAME="oryd/${REPO_NAME}:${SHA_SHORT}" + else + echo "Repo is not hydra, using default IMAGE_NAME" + IMAGE_NAME="oryd/${REPO_NAME}:${SHA_SHORT}-sqlite" fi - IMAGE_NAME="oryd/${REPO_NAME}:${SHA_SHORT}" - # Output values for debugging echo "Values to be set:" echo "SHA_SHORT: ${SHA_SHORT}" From 53f514526cadddb8257216451b1e2f2a23e810d6 Mon Sep 17 00:00:00 2001 From: Andreas Bucksteeg Date: Sat, 9 Nov 2024 17:54:56 +0100 Subject: [PATCH 6/7] chore: fix --- .github/workflows/cve-scan.yaml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/cve-scan.yaml b/.github/workflows/cve-scan.yaml index 3b74e2cbf08..7c9611d40e4 100644 --- a/.github/workflows/cve-scan.yaml +++ b/.github/workflows/cve-scan.yaml 
@@ -31,10 +31,10 @@ jobs: # Append -sqlite to SHA_SHORT if repo is hydra if [ "${REPO_NAME}" = "hydra" ]; then echo "Repo is hydra, appending -sqlite to SHA_SHORT" - IMAGE_NAME="oryd/${REPO_NAME}:${SHA_SHORT}" + IMAGE_NAME="oryd/${REPO_NAME}:${SHA_SHORT}-sqlite" else echo "Repo is not hydra, using default IMAGE_NAME" - IMAGE_NAME="oryd/${REPO_NAME}:${SHA_SHORT}-sqlite" + IMAGE_NAME="oryd/${REPO_NAME}:${SHA_SHORT}" fi # Output values for debugging @@ -45,7 +45,7 @@ jobs: # Set GitHub Environment variables echo "SHA_SHORT=${SHA_SHORT}" >> "${GITHUB_ENV}" - echo "IMAGE_NAME=${IMAGE_NAME}" >> "${GITHUB_ENV}" + echo "IMAGE_NAME=${IMAGE_NAME}" >> "${GITHUB_ENV}" - name: Set up QEMU uses: docker/setup-qemu-action@v3 - name: Set up Docker Buildx From 6440441dae4bb9b74b5d51b28bf34d15b703f176 Mon Sep 17 00:00:00 2001 From: Andreas Bucksteeg Date: Sat, 9 Nov 2024 18:03:39 +0100 Subject: [PATCH 7/7] chore: format --- .github/workflows/cve-scan.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/cve-scan.yaml b/.github/workflows/cve-scan.yaml index 7c9611d40e4..4d3a4552c22 100644 --- a/.github/workflows/cve-scan.yaml +++ b/.github/workflows/cve-scan.yaml @@ -45,7 +45,7 @@ jobs: # Set GitHub Environment variables echo "SHA_SHORT=${SHA_SHORT}" >> "${GITHUB_ENV}" - echo "IMAGE_NAME=${IMAGE_NAME}" >> "${GITHUB_ENV}" + echo "IMAGE_NAME=${IMAGE_NAME}" >> "${GITHUB_ENV}" - name: Set up QEMU uses: docker/setup-qemu-action@v3 - name: Set up Docker Buildx
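Review bot: After this hunk the comment `# Append -sqlite to SHA_SHORT if repo is hydra` and the log line `echo "Repo is hydra, appending -sqlite to SHA_SHORT"` are stale: `SHA_SHORT` is no longer modified, the suffix goes on `IMAGE_NAME`, and `SHA_SHORT` is still exported unchanged (second hunk) and used as `IMAGE_TAG` by the build step. Suggested wording: `# Hydra's default image is the -sqlite variant; scan that tag` and `echo "Repo is hydra, scanning the -sqlite image variant"`. The two branches differ only in the suffix, so they could collapse to `SUFFIX=""`, `if [ "${REPO_NAME}" = "hydra" ]; then SUFFIX="-sqlite"; fi`, `IMAGE_NAME="oryd/${REPO_NAME}:${SHA_SHORT}${SUFFIX}"`, removing the duplicated string. The second hunk here and the following commit only change whitespace on the `IMAGE_NAME` export line.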