Merge pull request #50 from voxpupuli/switch_to_grype

feat: switch container scanning to grype
voxpupuli · Sep 6, 2024 · facdebc · facdebc
2 parents 79c0c5e + a401b9c
commit facdebc
Show file tree

Hide file tree

Showing 2 changed files with 68 additions and 31 deletions.
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
@@ -51,37 +51,6 @@ jobs:
             RUBYGEM_MODULESYNC=${{ matrix.rubygem_modulesync }}
             RUBYGEM_BUNDLER=${{ matrix.rubygem_bundler }}
 
-      - name: Login to Docker Hub
-        uses: docker/login-action@v3
-        with:
-          username: voxpupulibot
-          password: ${{ secrets.DOCKERHUB_BOT_PASSWORD }}
-
-      - name: Analyze container image for CVEs
-        id: analyze-image-cves
-        uses: docker/scout-action@v1
-        with:
-          command: cves
-          image: 'local://ci/voxbox:${{ matrix.rubygem_puppet }}'
-          sarif-file: sarif.output.${{ matrix.rubygem_puppet }}.${{ github.sha }}.json
-          write-comment: false
-
-      - name: Compare container image to latest from Registry
-        id: compare-image
-        uses: docker/scout-action@v1
-        with:
-          command: compare
-          image: 'local://ci/voxbox:${{ matrix.rubygem_puppet }}'
-          to: 'ghcr.io/voxpupuli/voxbox:${{ matrix.puppet_release }}-main'
-          summary: true
-          keep-previous-comments: true
-
-      - name: Upload SARIF result
-        id: upload-sarif
-        uses: github/codeql-action/upload-sarif@v3
-        with:
-          sarif_file: sarif.output.${{ matrix.rubygem_puppet }}.${{ github.sha }}.json
-
       - name: Clone voxpupuli/puppet-example repository
         uses: actions/checkout@v4
         with:

diff --git a/.github/workflows/security_scanning.yml b/.github/workflows/security_scanning.yml
@@ -0,0 +1,68 @@
+---
+name: Security Scanning 🕵️
+
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+    branches:
+      - main
+
+jobs:
+  setup-matrix:
+    runs-on: ubuntu-latest
+    outputs:
+      matrix: ${{ steps.set-matrix.outputs.matrix }}
+    steps:
+      - name: Source checkout
+        uses: actions/checkout@v4
+
+      - id: set-matrix
+        run: echo "matrix=$(jq -c . build_versions.json)" >> $GITHUB_OUTPUT
+
+  scan_ci_container:
+    name: 'Scan CI container'
+    runs-on: ubuntu-latest
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
+    needs: setup-matrix
+    strategy:
+      matrix: ${{ fromJson(needs.setup-matrix.outputs.matrix) }}
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Build CI container
+        uses: docker/build-push-action@v6
+        with:
+          tags: 'ci/voxbox:${{ matrix.rubygem_puppet }}'
+          push: false
+          build-args: |
+            BASE_IMAGE=${{ matrix.base_image }}
+            RUBYGEM_PUPPET=${{ matrix.rubygem_puppet }}
+            RUBYGEM_FACTER=${{ matrix.facter_version }}
+            RUBYGEM_VOXPUPULI_TEST=${{ matrix.rubygem_voxpupuli_test }}
+            RUBYGEM_VOXPUPULI_ACCEPTANCE=${{ matrix.rubygem_voxpupuli_acceptance }}
+            RUBYGEM_VOXPUPULI_RELEASE=${{ matrix.rubygem_voxpupuli_release }}
+            RUBYGEM_PUPPET_METADATA=${{ matrix.rubygem_puppet_metadata }}
+            RUBYGEM_OVERCOMMIT=${{ matrix.rubygem_overcommit }}
+            RUBYGEM_MODULESYNC=${{ matrix.rubygem_modulesync }}
+            RUBYGEM_BUNDLER=${{ matrix.rubygem_bundler }}
+
+      - name: Scan image with Anchore Grype
+        uses: anchore/scan-action@v4
+        id: scan
+        with:
+          image: 'ci/voxbox:${{ matrix.rubygem_puppet }}'
+          fail-build: false
+
+      - name: Inspect action SARIF report
+        run: jq . ${{ steps.scan.outputs.sarif }}
+
+      - name: Upload Anchore scan SARIF report
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: ${{ steps.scan.outputs.sarif }}