Use Trivy more effectively (#68)

* Use Trivy more effectively

The current image scanning workflow leads to Trivy scans being run
twice because the test action is run on both PRs and pushes to
main. To rectify this, a new security action has been added in this
commit that only runs on PRs to scan both the permissions-api Git
repository and Docker image. Additionally, repo scanning has been
added to the image-build action and a typo in the image tag to be
scanned has been fixed.

Signed-off-by: John Schaeffer <[email protected]>

* Set exit code for Trivy jobs since they seem to run now

Signed-off-by: John Schaeffer <[email protected]>

* Fix Trivy findings in dev container Dockerfile

Signed-off-by: John Schaeffer <[email protected]>

* Disable config scanner until it gets more better

Signed-off-by: John Schaeffer <[email protected]>

* Adjust whitespace in dev container Dockerfile

Signed-off-by: John Schaeffer <[email protected]>

---------

Signed-off-by: John Schaeffer <[email protected]>

.devcontainer/Dockerfile

@@ -7,19 +7,19 @@ ARG NODE_VERSION="none"
 RUN if [ "${NODE_VERSION}" != "none" ]; then su vscode -c "umask 0002 && . /usr/local/share/nvm/nvm.sh && nvm install ${NODE_VERSION} 2>&1"; fi
 
 RUN export DEBIAN_FRONTEND=noninteractive \
-    && curl https://baltocdn.com/helm/signing.asc | gpg --dearmor | sudo tee /usr/share/keyrings/helm.gpg \
+    && curl https://baltocdn.com/helm/signing.asc | gpg --dearmor | tee /usr/share/keyrings/helm.gpg \
     &&  curl -sS https://dl.yarnpkg.com/debian/pubkey.gpg | gpg --dearmor > /usr/share/keyrings/yarn-archive-keyring.gpg \
     && apt-get install apt-transport-https --yes \
-    && echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/helm.gpg] https://baltocdn.com/helm/stable/debian/ all main" | sudo tee /etc/apt/sources.list.d/helm-stable-debian.list \
+    && echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/helm.gpg] https://baltocdn.com/helm/stable/debian/ all main" | tee /etc/apt/sources.list.d/helm-stable-debian.list \
     && apt-get update \
-    && apt-get -y install --no-install-recommends \
+    && apt-get install --yes --no-install-recommends \
         bash-completion \
         helm \
         uuid-runtime
 
 # Install cockroachdb so we have the client
 RUN curl https://binaries.cockroachdb.com/cockroach-v22.1.8.linux-amd64.tgz | tar -xz \
-    && sudo cp -i cockroach-v22.1.8.linux-amd64/cockroach /usr/local/bin/ \
+    && cp -i cockroach-v22.1.8.linux-amd64/cockroach /usr/local/bin/ \
     && rm -rf cockroach-v*
 
 USER vscode

.github/workflows/image-build.yaml

@@ -15,14 +15,25 @@ jobs:
       - name: Checkout
         uses: actions/checkout@v3
 
+      - name: Scan repo
+        uses: aquasecurity/trivy-action@master
+        with:
+          scan-type: 'fs'
+          scan-ref: '.'
+          scanners: 'vuln,secret'
+          ignore-unfixed: true
+          severity: 'HIGH,CRITICAL'
+          format: 'table'
+          exit-code: '1'
+
       - name: Registry login
         uses: docker/login-action@v2
         with:
           registry: ghcr.io
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
 
-      - name: Docker metadata
+      - name: Get Docker metadata
         id: metadata
         uses: docker/metadata-action@v4
         with:
@@ -40,14 +51,15 @@ jobs:
           load: true
           tags: ${{ steps.metadata.outputs.tags }}
 
-      - name: Run Trivy vulnerability scanner
+      - name: Scan image
         uses: aquasecurity/trivy-action@master
         with:
-          image-ref: ghcr.io/infratographer/permissions-api/permissions-api:latest
-          scanners: 'vuln,config,secret'
+          image-ref: ghcr.io/infratographer/permissions-api:latest
+          scanners: 'vuln,secret'
           ignore-unfixed: true
           severity: 'HIGH,CRITICAL'
           format: 'table'
+          exit-code: '1'
 
       - name: Push
         uses: docker/build-push-action@v4

.github/workflows/security.yaml

@@ -0,0 +1,67 @@
+name: Trivy Scan
+
+on:
+  pull_request:
+  workflow_dispatch:
+
+jobs:
+  image-scan:
+    name: image-scan
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+
+      - name: Registry login
+        uses: docker/login-action@v2
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Docker metadata
+        id: metadata
+        uses: docker/metadata-action@v4
+        with:
+          images: |
+            ghcr.io/${{ github.repository }}
+          tags: |
+            type=sha
+
+      - name: Build
+        uses: docker/build-push-action@v4
+        with:
+          context: .
+          push: false
+          load: true
+          tags: ${{ steps.metadata.outputs.tags }}
+
+      - name: Scan image
+        uses: aquasecurity/trivy-action@master
+        with:
+          image-ref: ${{ steps.metadata.outputs.tags }}
+          scanners: 'vuln,secret'
+          ignore-unfixed: true
+          severity: 'HIGH,CRITICAL'
+          format: 'table'
+          exit-code: '1'
+
+  repo-scan:
+    name: repo-scan
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+
+      - name: Scan repo
+        uses: aquasecurity/trivy-action@master
+        with:
+          scan-type: 'fs'
+          scan-ref: '.'
+          scanners: 'vuln,secret'
+          ignore-unfixed: true
+          severity: 'HIGH,CRITICAL'
+          format: 'table'
+          exit-code: '1'

.github/workflows/test.yaml

@@ -72,12 +72,3 @@ jobs:
           push: false
           load: true
           tags: ${{ steps.metadata.outputs.tags }}
-
-      - name: Run Trivy vulnerability scanner
-        uses: aquasecurity/trivy-action@master
-        with:
-          image-ref: ${{ steps.metadata.outputs.tags }}
-          scanners: 'vuln,config,secret'
-          ignore-unfixed: true
-          severity: 'HIGH,CRITICAL'
-          format: 'table'