From e91753dda86adac5f0ad818764e65ff04abb62bf Mon Sep 17 00:00:00 2001 From: John Schaeffer Date: Wed, 12 Apr 2023 14:02:56 +0000 Subject: [PATCH 1/5] Use Trivy more effectively The current image scanning workflow leads to Trivy scans being run twice because the test action is run on both PRs and pushes to main. To rectify this, a new security action has been added in this commit that only runs on PRs to scan both the permissions-api Git repository and Docker image. Additionally, repo scanning has been added to the image-build action and a typo in the image tag to be scanned has been fixed. Signed-off-by: John Schaeffer --- .github/workflows/image-build.yaml | 16 ++++++-- .github/workflows/security.yaml | 65 ++++++++++++++++++++++++++++++ .github/workflows/test.yaml | 9 ----- 3 files changed, 78 insertions(+), 12 deletions(-) create mode 100644 .github/workflows/security.yaml diff --git a/.github/workflows/image-build.yaml b/.github/workflows/image-build.yaml index 34af95dd..772aa408 100644 --- a/.github/workflows/image-build.yaml +++ b/.github/workflows/image-build.yaml @@ -15,6 +15,16 @@ jobs: - name: Checkout uses: actions/checkout@v3 + - name: Scan repo + uses: aquasecurity/trivy-action@master + with: + scan-type: 'fs' + scan-ref: '.' + scanners: 'vuln,config,secret' + ignore-unfixed: true + severity: 'HIGH,CRITICAL' + format: 'table' + - name: Registry login uses: docker/login-action@v2 with: @@ -22,7 +32,7 @@ jobs: username: ${{ github.actor }} password: ${{ secrets.GITHUB_TOKEN }} - - name: Docker metadata + - name: Get Docker metadata id: metadata uses: docker/metadata-action@v4 with: 
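Review bot: The new Scan repo step references `aquasecurity/trivy-action@master`, a mutable branch, so the scanner that gates this build can change underneath the workflow without any change to this repository, while the neighbouring actions in the hunk are at least tag-pinned (`actions/checkout@v3`, `docker/login-action@v2`). Pin it to a release tag, or better a full commit SHA with the version recorded in a trailing comment, e.g. `uses: aquasecurity/trivy-action@<full-commit-sha> # vX.Y.Z`, and apply the same to the Scan image step further down this file. The same `@master` reference recurs in every Trivy step this series adds, so it is worth fixing once across both workflows.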
@@ -40,10 +50,10 @@ jobs: load: true tags: ${{ steps.metadata.outputs.tags }} - - name: Run Trivy vulnerability scanner + - name: Scan image uses: aquasecurity/trivy-action@master with: - image-ref: ghcr.io/infratographer/permissions-api/permissions-api:latest + image-ref: ghcr.io/infratographer/permissions-api:latest scanners: 'vuln,config,secret' ignore-unfixed: true severity: 'HIGH,CRITICAL' diff --git a/.github/workflows/security.yaml b/.github/workflows/security.yaml new file mode 100644 index 00000000..e4255d5b --- /dev/null +++ b/.github/workflows/security.yaml @@ -0,0 +1,65 @@ +name: Trivy Scan + +on: + pull_request: + workflow_dispatch: + +jobs: + image-scan: + name: image-scan + runs-on: ubuntu-latest + + steps: + - name: Checkout + uses: actions/checkout@v3 + + - name: Registry login + uses: docker/login-action@v2 + with: + registry: ghcr.io + username: ${{ github.actor }} + password: ${{ secrets.GITHUB_TOKEN }} + + - name: Docker metadata + id: metadata + uses: docker/metadata-action@v4 + with: + images: | + ghcr.io/${{ github.repository }} + tags: | + type=sha + + - name: Build + uses: docker/build-push-action@v4 + with: + context: . + push: false + load: true + tags: ${{ steps.metadata.outputs.tags }} + + - name: Scan image + uses: aquasecurity/trivy-action@master + with: + image-ref: ${{ steps.metadata.outputs.tags }} + scanners: 'vuln,config,secret' + ignore-unfixed: true + severity: 'HIGH,CRITICAL' + format: 'table' + + repo-scan: + name: repo-scan + runs-on: ubuntu-latest + + steps: + - name: Checkout + uses: actions/checkout@v3 + + - name: Scan repo + uses: aquasecurity/trivy-action@master + with: + scan-type: 'fs' + scan-ref: '.' + scanners: 'vuln,config,secret' + ignore-unfixed: true + severity: 'HIGH,CRITICAL' + format: 'table' diff --git a/.github/workflows/test.yaml b/.github/workflows/test.yaml index 91b64d01..f4524b0a 100644 --- a/.github/workflows/test.yaml +++ b/.github/workflows/test.yaml 
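Review bot: The corrected `image-ref: ghcr.io/infratographer/permissions-api:latest` still does not necessarily point at the image this job just built: the Build step loads the candidate under `${{ steps.metadata.outputs.tags }}`, and unless that list contains `latest` (the metadata configuration sits outside this hunk) Trivy will, as far as I can tell, fall back to pulling and scanning the previously published `latest` from the registry rather than the new image. Scan the built tag, as the new security workflow does, `image-ref: ${{ steps.metadata.outputs.tags }}`, selecting a single tag explicitly if the metadata step emits several. Using `ghcr.io/${{ github.repository }}` instead of a hard-coded org/repo would also have avoided the original typo.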
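Review bot: The new workflow declares no `permissions:` block, and its image-scan job logs in to ghcr.io with `secrets.GITHUB_TOKEN` even though the Build step has `push: false`, so on a `pull_request` trigger the token is handed to a registry the job never writes to. Unless the Dockerfile pulls a private base image from ghcr.io (not visible here), drop the Registry login step and add a top-level `permissions:` / `  contents: read` so the token is read-only regardless of the repository's default token setting. The repo-scan job needs nothing beyond checkout and would be covered by the same block.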
@@ -72,12 +72,3 @@ jobs: push: false load: true tags: ${{ steps.metadata.outputs.tags }} - - - name: Run Trivy vulnerability scanner - uses: aquasecurity/trivy-action@master - with: - image-ref: ${{ steps.metadata.outputs.tags }} - scanners: 'vuln,config,secret' - ignore-unfixed: true - severity: 'HIGH,CRITICAL' - format: 'table' From e2d6dc62d1040df2bb94f095b52282615067e33f Mon Sep 17 00:00:00 2001 From: John Schaeffer Date: Wed, 12 Apr 2023 14:09:19 +0000 Subject: [PATCH 2/5] Set exit code for Trivy jobs since they seem to run now Signed-off-by: John Schaeffer --- .github/workflows/image-build.yaml | 2 ++ .github/workflows/security.yaml | 2 ++ 2 files changed, 4 insertions(+) diff --git a/.github/workflows/image-build.yaml b/.github/workflows/image-build.yaml index 772aa408..3f3879d2 100644 --- a/.github/workflows/image-build.yaml +++ b/.github/workflows/image-build.yaml @@ -24,6 +24,7 @@ jobs: ignore-unfixed: true severity: 'HIGH,CRITICAL' format: 'table' + exit-code: '1' - name: Registry login uses: docker/login-action@v2 @@ -58,6 +59,7 @@ jobs: ignore-unfixed: true severity: 'HIGH,CRITICAL' format: 'table' + exit-code: '1' - name: Push uses: docker/build-push-action@v4 diff --git a/.github/workflows/security.yaml b/.github/workflows/security.yaml index e4255d5b..60bd135a 100644 --- a/.github/workflows/security.yaml +++ b/.github/workflows/security.yaml @@ -45,6 +45,7 @@ jobs: ignore-unfixed: true severity: 'HIGH,CRITICAL' format: 'table' + exit-code: '1' repo-scan: name: repo-scan @@ -63,3 +64,4 @@ jobs: ignore-unfixed: true severity: 'HIGH,CRITICAL' format: 'table' + exit-code: '1' From 4531ac4dd2a01baacadbb880a5fa7b906105f126 Mon Sep 17 00:00:00 2001 From: John Schaeffer Date: Wed, 12 Apr 2023 14:15:42 +0000 Subject: [PATCH 3/5] Fix Trivy findings in dev container Dockerfile Signed-off-by: John Schaeffer --- .devcontainer/Dockerfile | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) 
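Review bot: With `exit-code: '1'` the image-scan job now blocks the PR, but the unchanged `ignore-unfixed: true` two lines above means a HIGH or CRITICAL finding with no upstream fix is omitted from the table rather than reported, so a green check does not mean "no known critical CVEs in the image". That is a defensible trade-off for a blocking gate, but it should be stated next to the knob, e.g. `# unfixed HIGH/CRITICAL are suppressed so the gate only fails on actionable findings; review them periodically`. If visibility matters, a second non-blocking Trivy step with `exit-code: '0'` and `ignore-unfixed: false` would keep the suppressed findings visible without failing PRs.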
diff --git a/.devcontainer/Dockerfile b/.devcontainer/Dockerfile index ab8e3030..68f254b0 100644 --- a/.devcontainer/Dockerfile +++ b/.devcontainer/Dockerfile @@ -7,19 +7,18 @@ ARG NODE_VERSION="none" RUN if [ "${NODE_VERSION}" != "none" ]; then su vscode -c "umask 0002 && . /usr/local/share/nvm/nvm.sh && nvm install ${NODE_VERSION} 2>&1"; fi RUN export DEBIAN_FRONTEND=noninteractive \ - && curl https://baltocdn.com/helm/signing.asc | gpg --dearmor | sudo tee /usr/share/keyrings/helm.gpg \ + && curl https://baltocdn.com/helm/signing.asc | gpg --dearmor | tee /usr/share/keyrings/helm.gpg \ && curl -sS https://dl.yarnpkg.com/debian/pubkey.gpg | gpg --dearmor > /usr/share/keyrings/yarn-archive-keyring.gpg \ && apt-get install apt-transport-https --yes \ - && echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/helm.gpg] https://baltocdn.com/helm/stable/debian/ all main" | sudo tee /etc/apt/sources.list.d/helm-stable-debian.list \ - && apt-get update \ - && apt-get -y install --no-install-recommends \ + && echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/helm.gpg] https://baltocdn.com/helm/stable/debian/ all main" | tee /etc/apt/sources.list.d/helm-stable-debian.list \ + && apt-get update && apt-get install --yes --no-install-recommends \ bash-completion \ helm \ uuid-runtime # Install cockroachdb so we have the client RUN curl https://binaries.cockroachdb.com/cockroach-v22.1.8.linux-amd64.tgz | tar -xz \ - && sudo cp -i cockroach-v22.1.8.linux-amd64/cockroach /usr/local/bin/ \ + && cp -i cockroach-v22.1.8.linux-amd64/cockroach /usr/local/bin/ \ && rm -rf cockroach-v* USER vscode From ec57e4e75cd6c675ecd624f309d965deba0cac33 Mon Sep 17 00:00:00 2001 From: John Schaeffer Date: Wed, 12 Apr 2023 14:28:23 +0000 Subject: [PATCH 4/5] Disable config scanner until it gets more better 
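Review bot: The cockroach client is still fetched with `curl https://binaries.cockroachdb.com/cockroach-v22.1.8.linux-amd64.tgz | tar -xz` and copied into `/usr/local/bin` with no integrity check, and because the `RUN` pipeline has no `pipefail` a failed download (curl without `-f` also turns an HTTP error page into data) is masked by `tar`'s exit status; the two keyring curls above it have the same weakness. Download to a file, verify a pinned sha256, then extract, and switch the shell to bash with pipefail ahead of the `RUN` lines so pipe failures abort the build (this assumes bash is present in the base image, which is above the hunk). `cp -i` is ineffective in a non-interactive build and can be dropped.

```dockerfile
SHELL ["/bin/bash", "-o", "pipefail", "-c"]
# … unchanged: NODE_VERSION install, helm/yarn keyrings and apt-get install …
# Install cockroachdb so we have the client
RUN curl -fsSL https://binaries.cockroachdb.com/cockroach-v22.1.8.linux-amd64.tgz -o /tmp/cockroach.tgz \
    && echo "<expected-sha256>  /tmp/cockroach.tgz" | sha256sum -c - \
    && tar -xzf /tmp/cockroach.tgz -C /tmp \
    && cp /tmp/cockroach-v22.1.8.linux-amd64/cockroach /usr/local/bin/ \
    && rm -rf /tmp/cockroach.tgz /tmp/cockroach-v22.1.8.linux-amd64
```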
Signed-off-by: John Schaeffer --- .github/workflows/image-build.yaml | 4 ++-- .github/workflows/security.yaml | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/image-build.yaml b/.github/workflows/image-build.yaml index 3f3879d2..5f6666cd 100644 --- a/.github/workflows/image-build.yaml +++ b/.github/workflows/image-build.yaml @@ -20,7 +20,7 @@ jobs: with: scan-type: 'fs' scan-ref: '.' - scanners: 'vuln,config,secret' + scanners: 'vuln,secret' ignore-unfixed: true severity: 'HIGH,CRITICAL' format: 'table' @@ -55,7 +55,7 @@ jobs: uses: aquasecurity/trivy-action@master with: image-ref: ghcr.io/infratographer/permissions-api:latest - scanners: 'vuln,config,secret' + scanners: 'vuln,secret' ignore-unfixed: true severity: 'HIGH,CRITICAL' format: 'table' diff --git a/.github/workflows/security.yaml b/.github/workflows/security.yaml index 60bd135a..fcf70e04 100644 --- a/.github/workflows/security.yaml +++ b/.github/workflows/security.yaml @@ -41,7 +41,7 @@ jobs: uses: aquasecurity/trivy-action@master with: image-ref: ${{ steps.metadata.outputs.tags }} - scanners: 'vuln,config,secret' + scanners: 'vuln,secret' ignore-unfixed: true severity: 'HIGH,CRITICAL' format: 'table' @@ -60,7 +60,7 @@ jobs: with: scan-type: 'fs' scan-ref: '.' - scanners: 'vuln,config,secret' + scanners: 'vuln,secret' ignore-unfixed: true severity: 'HIGH,CRITICAL' format: 'table' From 187afbac85a8b5325ed0d8d6efb55b0a6c5552ed Mon Sep 17 00:00:00 2001 From: John Schaeffer Date: Wed, 12 Apr 2023 14:29:51 +0000 Subject: [PATCH 5/5] Adjust whitespace in dev container Dockerfile Signed-off-by: John Schaeffer --- .devcontainer/Dockerfile | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.devcontainer/Dockerfile b/.devcontainer/Dockerfile index 68f254b0..3f36220c 100644 --- a/.devcontainer/Dockerfile +++ b/.devcontainer/Dockerfile 
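Review bot: Dropping `config` from `scanners` in all four Trivy steps removes the only misconfiguration check in the pipeline, so the Dockerfile findings the previous commit fixed would not be caught if they regress, and the commit leaves no record of which checks were too noisy to keep. Rather than disabling it outright, keep it non-blocking, e.g. a separate step with `scanners: 'config'` and `exit-code: '0'`, or at least add `# config scanner disabled: <noisy check ids>; re-enable once they are tuned` above each `scanners:` line so the reason is discoverable. The same one-line edit had to be repeated in four places across two workflows; factoring the Trivy inputs into a reusable workflow or composite action would keep them from drifting.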
@@ -11,7 +11,8 @@ RUN export DEBIAN_FRONTEND=noninteractive \ && curl -sS https://dl.yarnpkg.com/debian/pubkey.gpg | gpg --dearmor > /usr/share/keyrings/yarn-archive-keyring.gpg \ && apt-get install apt-transport-https --yes \ && echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/helm.gpg] https://baltocdn.com/helm/stable/debian/ all main" | tee /etc/apt/sources.list.d/helm-stable-debian.list \ - && apt-get update && apt-get install --yes --no-install-recommends \ + && apt-get update \ + && apt-get install --yes --no-install-recommends \ bash-completion \ helm \ uuid-runtime