Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

add docker scout scan to pipelines #5759

Merged
merged 9 commits into from
Jun 19, 2024
Merged

add docker scout scan to pipelines #5759

Show file tree
Hide file tree
Changes from 3 commits
Commits
Show all changes
9 commits
Select commit Hold shift + click to select a range
075e711
add docker scout scan to pipelines
pdabelf5 Jun 14, 2024
ef2977a
give docker scout permissions to write summary
pdabelf5 Jun 19, 2024
ee39ff4
Merge branch 'main' into docker-scout
oseoin Jun 19, 2024
c23e849
image updates
oseoin Jun 19, 2024
e41ed7a
add login for docker scout
oseoin Jun 19, 2024
d41f087
remove upload to security tab
oseoin Jun 19, 2024
8c328f9
Merge branch 'main' into docker-scout
oseoin Jun 19, 2024
6b4a2d5
Merge branch 'docker-scout' of github.com:nginxinc/kubernetes-ingress…
oseoin Jun 19, 2024
17461cd
Merge branch 'main' into docker-scout
AlexFenlon Jun 19, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
9 changes: 9 additions & 0 deletions .github/workflows/build-base-images.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -41,6 +41,9 @@ jobs:
name: Build OSS base images
runs-on: ubuntu-22.04
needs: checks
permissions:
contents: read
pull-requests: write # for scout report
strategy:
fail-fast: false
matrix:
Expand Down Expand Up @@ -108,6 +111,9 @@ jobs:
name: Build Plus base images
runs-on: ubuntu-22.04
needs: checks
permissions:
contents: read
pull-requests: write # for scout report
strategy:
fail-fast: false
matrix:
Expand Down Expand Up @@ -177,6 +183,9 @@ jobs:
name: Build Plus NAP base images
runs-on: ubuntu-22.04
needs: checks
permissions:
contents: read
pull-requests: write # for scout report
strategy:
fail-fast: false
matrix:
Expand Down
37 changes: 30 additions & 7 deletions .github/workflows/build-oss.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -47,6 +47,10 @@ jobs:
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
id-token: write # for OIDC login to GCR
packages: write # for docker/build-push-action to push to GHCR
pull-requests: write # for scout report
outputs:
version: ${{ steps.meta.outputs.version }}
image_digest: ${{ steps.build-push.outputs.digest }}
steps:
- name: Checkout Repository
uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
Expand Down Expand Up @@ -175,27 +179,46 @@ jobs:
IC_VERSION=${{ inputs.ic-version && inputs.ic-version || steps.meta.outputs.version }}
if: ${{ steps.base_exists.outputs.exists != 'true' || steps.target_exists.outputs.exists != 'true' }}

- name: Make directory for security scan results
run: |
mkdir -p "${{ inputs.image }}-results/"

- name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@595be6a0f6560a0a8fc419ddf630567fc623531d # 0.22.0
continue-on-error: true
with:
image-ref: nginx/nginx-ingress:${{ steps.meta.outputs.version }}
format: "sarif"
output: "trivy-results-${{ inputs.image }}.sarif"
output: "${{ inputs.image }}-results/trivy.sarif"
ignore-unfixed: "true"
if: ${{ inputs.authenticated && steps.build-push.conclusion == 'success' }}

- name: Upload Trivy scan results to GitHub Security tab
- name: Run Docker Scout vulnerability scanner
id: docker-scout
uses: docker/scout-action@5dae9c7571dd0f3de81f5b501240c593c13c3eb6 # v1.9.3
continue-on-error: true
with:
command: cves,recommendations
image: ${{ steps.meta.outputs.tags }}
ignore-base: true
only-fixed: true
sarif-file: "${{ inputs.image }}-results/scout.sarif"
write-comment: false
github-token: ${{ secrets.GITHUB_TOKEN }} # to be able to write the comment
summary: true
if: ${{ inputs.authenticated && steps.build-push.conclusion == 'success' }}

- name: Upload Trivy/Scout scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@530d4feaa9c62aaab2d250371e2061eb7a172363 # v3.25.9
continue-on-error: true
with:
sarif_file: "trivy-results-${{ inputs.image }}.sarif"
sarif_file: "${{ inputs.image }}-results/"
if: ${{ inputs.authenticated && steps.build-push.conclusion == 'success' }}

- name: Upload Scan Results
- name: Upload Scan Results to the cache
uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
continue-on-error: true
with:
name: "trivy-results-${{ inputs.image }}.sarif"
path: "trivy-results-${{ inputs.image }}.sarif"
if: always()
name: "${{ inputs.image }}-results"
path: "${{ inputs.image }}-results/"
if: ${{ inputs.authenticated && steps.build-push.conclusion == 'success' }}
38 changes: 29 additions & 9 deletions .github/workflows/build-plus.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -51,6 +51,7 @@ jobs:
contents: read # for docker/build-push-action to read repo content
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
id-token: write # for OIDC login to AWS
pull-requests: write # for scout report
runs-on: ubuntu-22.04
steps:
- name: Checkout Repository
Expand Down Expand Up @@ -195,8 +196,12 @@ jobs:
${{ contains(inputs.image, 'ubi') && format('"rhel_license={0}"', secrets.RHEL_LICENSE) || '' }}
if: ${{ steps.base_exists.outputs.exists != 'true' || steps.target_exists.outputs.exists != 'true' }}

- name: Extract image name for Trivy
id: trivy-tag
- name: Make directory for security scan results
run: |
mkdir -p "${{ inputs.image }}-results/"

- name: Extract image name for Scans
id: scan-tag
run: |
tag=$(echo $DOCKER_METADATA_OUTPUT_JSON | jq -r '[ .tags[] | select(contains("f5-gcs-7899"))] | .[0]')
echo "tag=$tag" >> $GITHUB_OUTPUT
Expand All @@ -206,23 +211,38 @@ jobs:
uses: aquasecurity/trivy-action@595be6a0f6560a0a8fc419ddf630567fc623531d # 0.22.0
continue-on-error: true
with:
image-ref: ${{ steps.trivy-tag.outputs.tag }}
image-ref: ${{ steps.scan-tag.outputs.tag }}
format: "sarif"
output: "trivy-results-${{ inputs.image }}.sarif"
output: "${{ inputs.image }}-results/trivy.sarif"
ignore-unfixed: "true"
if: ${{ inputs.authenticated && steps.build-push.conclusion == 'success' }}

- name: Upload Trivy scan results to GitHub Security tab
- name: Run Docker Scout vulnerability scanner
id: docker-scout
uses: docker/scout-action@5dae9c7571dd0f3de81f5b501240c593c13c3eb6 # v1.9.3
continue-on-error: true
with:
command: cves,recommendations
image: ${{ steps.scan-tag.outputs.tag }}
ignore-base: true
only-fixed: true
sarif-file: "${{ inputs.image }}-results/scout.sarif"
write-comment: false
github-token: ${{ secrets.GITHUB_TOKEN }} # to be able to write the comment
summary: true
if: ${{ inputs.authenticated && steps.build-push.conclusion == 'success' }}

- name: Upload Security scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@530d4feaa9c62aaab2d250371e2061eb7a172363 # v3.25.9
continue-on-error: true
with:
sarif_file: "trivy-results-${{ inputs.image }}.sarif"
sarif_file: "${{ inputs.image }}-results/"
if: ${{ inputs.authenticated && steps.build-push.conclusion == 'success' }}

- name: Upload Scan Results
uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
continue-on-error: true
with:
name: "trivy-results-${{ inputs.image }}.sarif"
path: "trivy-results-${{ inputs.image }}.sarif"
if: always()
name: "${{ inputs.image }}-results"
path: "${{ inputs.image }}-results/"
if: ${{ inputs.authenticated && steps.build-push.conclusion == 'success' }}
3 changes: 3 additions & 0 deletions .github/workflows/cache-update.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -60,6 +60,7 @@ jobs:
security-events: write
id-token: write
packages: write
pull-requests: write # for scout report
secrets: inherit

build-docker-plus:
Expand Down Expand Up @@ -89,6 +90,7 @@ jobs:
contents: read
security-events: write
id-token: write
pull-requests: write # for scout report
secrets: inherit

build-docker-nap:
Expand Down Expand Up @@ -161,4 +163,5 @@ jobs:
contents: read
security-events: write
id-token: write
pull-requests: write # for scout report
secrets: inherit
4 changes: 4 additions & 0 deletions .github/workflows/ci.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -303,6 +303,7 @@ jobs:
security-events: write
id-token: write
packages: write
pull-requests: write # for scout report
secrets: inherit

build-docker-plus:
Expand Down Expand Up @@ -333,6 +334,7 @@ jobs:
contents: read
security-events: write
id-token: write
pull-requests: write # for scout report
secrets: inherit

build-docker-nap:
Expand Down Expand Up @@ -406,6 +408,7 @@ jobs:
contents: read
security-events: write
id-token: write
pull-requests: write # for scout report
secrets: inherit

helm-tests:
Expand Down Expand Up @@ -774,5 +777,6 @@ jobs:
actions: read
packages: write # for helm to push to GHCR
security-events: write
pull-requests: write # for scout report
uses: ./.github/workflows/image-promotion.yml
if: ${{ inputs.force && inputs.force || false }}
3 changes: 3 additions & 0 deletions .github/workflows/image-promotion.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -173,6 +173,7 @@ jobs:
security-events: write
id-token: write
packages: write
pull-requests: write # for scout report
secrets: inherit

build-docker-plus:
Expand Down Expand Up @@ -205,6 +206,7 @@ jobs:
security-events: write
id-token: write
packages: write
pull-requests: write # for scout report
secrets: inherit

build-docker-nap:
Expand Down Expand Up @@ -280,6 +282,7 @@ jobs:
security-events: write
id-token: write
packages: write
pull-requests: write # for scout report
secrets: inherit

tag-stable:
Expand Down
Loading