Skip to content

Commit

Permalink
feat(cd): Integrate container and cve scanning post publishing (#10275)
Browse files Browse the repository at this point in the history
Backported from #10272 

* (feat/container-scanning): Integrate container and cve scanning post … (#10272)

* (feat/container-scanning): Integrate container and cve scanning post publishing

* build/ENGEN-844 review (#10273)

* chore(gha): cleanup trailing whitespace

* chore(gha): simplify release scan image as ENV

* chore(gha): simplify release scan logic

* fix(gha): release scan IMAGE context

* chore(gha): fix scan manifest output redirection

---------

Co-authored-by: Isa Farnik <isa@konghq.com>

* fix(cd): remove container scan dependency

---------

Co-authored-by: Isa Farnik <isa@konghq.com>
  • Loading branch information
saisatishkarra and curiositycasualty authored Feb 23, 2023
1 parent bcbb12a commit 2e08e60
Show file tree
Hide file tree
Showing 2 changed files with 66 additions and 29 deletions.
1 change: 1 addition & 0 deletions .github/matrix-commitly.yml
Original file line number Diff line number Diff line change
Expand Up @@ -15,6 +15,7 @@ smoke-tests:
- label: ubuntu

scan-vulnerabilities:
- label: ubuntu

release-packages:

Expand Down
94 changes: 65 additions & 29 deletions .github/workflows/release.yml
Original file line number Diff line number Diff line change
Expand Up @@ -151,7 +151,7 @@ jobs:
if: matrix.package == 'deb' && steps.cache-deps.outputs.cache-hit != 'true'
run: |
sudo apt-get update && sudo apt-get install libyaml-dev -y
- name: Install Ubuntu Cross Build Dependencies (arm64)
if: matrix.package == 'deb' && steps.cache-deps.outputs.cache-hit != 'true' && endsWith(matrix.label, 'arm64')
run: |
Expand Down Expand Up @@ -323,6 +323,70 @@ jobs:
Docker image available `${{ needs.metadata.outputs.prerelease-docker-repository }}:${{ github.sha }}`
Artifacts available https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}
scan:
name: Scan - ${{ matrix.label }}
needs: [metadata, build-images]
runs-on: ubuntu-22.04
if: |-
always()
&& fromJSON(needs.metadata.outputs.matrix)['scan-vulnerabilities'] != ''
&& needs.build-images.result == 'success'
&& (github.event_name != 'pull_request' || (github.event.pull_request.head.repo.full_name == github.repository && github.actor != 'dependabot[bot]'))
strategy:
fail-fast: false
matrix:
include: "${{ fromJSON(needs.metadata.outputs.matrix)['scan-vulnerabilities'] }}"
env:
IMAGE: ${{ needs.metadata.outputs.prerelease-docker-repository }}:${{ github.sha }}-${{ matrix.label }}
steps:
- name: Install regctl
uses: regclient/actions/regctl-installer@main

- name: Login to Docker Hub
if: ${{ env.HAS_ACCESS_TO_GITHUB_TOKEN }}
uses: docker/login-action@bc135a1993a1d0db3e9debefa0cfcb70443cc94c
with:
username: ${{ secrets.GHA_DOCKERHUB_PUSH_USER }}
password: ${{ secrets.GHA_KONG_ORG_DOCKERHUB_PUSH_TOKEN }}

# TODO: Refactor matrix file to support and parse platforms specific to distro
# Workaround: Look for specific amd64 and arm64 hardcooded architectures
- name: Parse Architecture Specific Image Manifest Digests
id: image_manifest_metadata
run: |
manifest_list_exists="$(
if regctl manifest get "${IMAGE}" --format raw-body --require-list -v panic &> /dev/null; then
echo true
else
echo false
fi
)"
echo "manifest_list_exists=$manifest_list_exists"
echo "manifest_list_exists=$manifest_list_exists" >> $GITHUB_OUTPUT
amd64_sha="$(regctl image digest "${IMAGE}" --platform linux/amd64 || echo '')"
arm64_sha="$(regctl image digest "${IMAGE}" --platform linux/arm64 || echo '')"
echo "amd64_sha=$amd64_sha"
echo "amd64_sha=$amd64_sha" >> $GITHUB_OUTPUT
echo "arm64_sha=$arm64_sha"
echo "arm64_sha=$arm64_sha" >> $GITHUB_OUTPUT
- name: Scan AMD64 Image digest
id: sbom_action_amd64
if: steps.image_manifest_metadata.outputs.amd64_sha != ''
uses: Kong/public-shared-actions/security-actions/scan-docker-image@b2e4a29d30382e1cceeda8df1e8b8bee65bef39b
with:
asset_prefix: kong-${{ github.sha }}-${{ matrix.label }}-linux-amd64
image: ${{env.IMAGE}}@${{ steps.image_manifest_metadata.outputs.amd64_sha }}

- name: Scan ARM64 Image digest
if: steps.image_manifest_metadata.outputs.manifest_list_exists == 'true' && steps.image_manifest_metadata.outputs.arm64_sha != ''
id: sbom_action_arm64
uses: Kong/public-shared-actions/security-actions/scan-docker-image@b2e4a29d30382e1cceeda8df1e8b8bee65bef39b
with:
asset_prefix: kong-${{ github.sha }}-${{ matrix.label }}-linux-arm64
image: ${{env.IMAGE}}@${{ steps.image_manifest_metadata.outputs.arm64_sha }}

smoke-tests:
name: Smoke Tests - ${{ matrix.label }}
needs: [metadata, build-images]
Expand Down Expand Up @@ -381,34 +445,6 @@ jobs:
- name: Smoke Tests - Admin API
run: build/tests/01-admin-api.sh

scan-vulnerabilities:
name: Scan Vulnerabilities - ${{ matrix.label }}
needs: [metadata, build-images]
runs-on: ubuntu-22.04
if: |-
fromJSON(needs.metadata.outputs.matrix)['scan-vulnerabilities'] != ''
&& (github.event_name != 'pull_request' || (github.event.pull_request.head.repo.full_name == github.repository && github.actor != 'dependabot[bot]'))
strategy:
# runs all jobs sequentially
max-parallel: 1
fail-fast: false
matrix:
include: "${{ fromJSON(needs.metadata.outputs.matrix)['scan-vulnerabilities'] }}"

steps:
- name: Checkout code
uses: actions/checkout@v3

- name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@9ab158e8597f3b310480b9a69402b419bc03dbd5 # v0.8.0
env:
TRIVY_USERNAME: ${{ secrets.GHA_DOCKERHUB_PUSH_USER }}
TRIVY_PASSWORD: ${{ secrets.GHA_KONG_ORG_DOCKERHUB_PUSH_TOKEN }}
with:
image-ref: ${{ env.PRERELEASE_DOCKER_REPOSITORY }}:${{ github.sha }}-${{ matrix.label }}
severity: 'CRITICAL,HIGH'

release-packages:
name: Release Packages - ${{ matrix.label }} - ${{ needs.metadata.outputs.release-desc }}
needs: [metadata, build-packages, build-images, smoke-tests]
Expand Down

0 comments on commit 2e08e60

Please sign in to comment.