feat: grype scan custom action #353

Open: wants to merge 34 commits into base: main
34 commits
f45818c  new task and action (partkyle, Dec 5, 2024)
11d1a73  make zarf.yaml configurable from the action (partkyle, Dec 5, 2024)
71ac1f5  include actions (partkyle, Dec 5, 2024)
41f7e4d  don't quote that value, we want it parsed by bash (partkyle, Dec 5, 2024)
ba78c5a  try this syntax (partkyle, Dec 5, 2024)
4084025  ignore any .att or .sig files (partkyle, Dec 5, 2024)
fa1da89  fix typo (partkyle, Dec 5, 2024)
402193a  remove quiet (partkyle, Dec 5, 2024)
f01d1c9  add output of scan (partkyle, Dec 5, 2024)
ae08aa5  yeah, that would never work (partkyle, Dec 5, 2024)
470dffa  I don't know what I'm doing (partkyle, Dec 5, 2024)
ccabe0e  json filename (partkyle, Dec 5, 2024)
1f87445  move grype install to task (partkyle, Dec 6, 2024)
dec195a  fix name here (partkyle, Dec 6, 2024)
f6f44fa  debug (partkyle, Dec 6, 2024)
5f80014  reformat (partkyle, Dec 6, 2024)
524d5e1  need to determine arch (partkyle, Dec 6, 2024)
7357e24  debug (partkyle, Dec 6, 2024)
836fb1d  debug (partkyle, Dec 6, 2024)
78ce576  typo (partkyle, Dec 6, 2024)
034a73a  version tags include "v", but the url needs it removed (partkyle, Dec 6, 2024)
11c74ca  debug (partkyle, Dec 6, 2024)
49a5481  vv (partkyle, Dec 6, 2024)
6187532  silent (partkyle, Dec 6, 2024)
392f8ce  remove this setup environment (partkyle, Dec 6, 2024)
0c7f3d7  Merge remote-tracking branch 'origin/main' into partkyle/grype-scan-a… (partkyle, Dec 6, 2024)
24609f9  docs (partkyle, Dec 6, 2024)
9ee40bb  shellcheck (partkyle, Dec 6, 2024)
63253bc  fix linting in readme (partkyle, Dec 6, 2024)
59d8ed4  add renovate (partkyle, Dec 6, 2024)
e351d6b  Merge branch 'main' into partkyle/grype-scan-action (partkyle, Dec 6, 2024)
f071fcf  Merge branch 'main' into partkyle/grype-scan-action (partkyle, Dec 6, 2024)
054bbfb  Merge branch 'main' into partkyle/grype-scan-action (Racer159, Dec 10, 2024)
31b1d46  Merge branch 'main' into partkyle/grype-scan-action (partkyle, Dec 10, 2024)
48 changes: 48 additions & 0 deletions .github/workflows/callable-grype-scan.yaml
@@ -0,0 +1,48 @@
# Copyright 2024 Defense Unicorns
# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial

name: Grype Scan

on:
# This allows other repositories to call this workflow in a reusable way
workflow_call:
inputs:
zarf_yaml:
type: string
default: zarf.yaml
description: location of zarf.yaml file to scan

# Permissions for the GITHUB_TOKEN used by the workflow.
permissions:
contents: read # Allows reading the content of the repository.

jobs:
run:
runs-on: ubuntu-latest
permissions:
contents: read # Allows reading the repo contents

steps:
- name: Checkout
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
fetch-depth: 0

- name: Install UDS CLI
uses: defenseunicorns/setup-uds@b987a32bac3baeb67bfb08f5e1544e2f9076ee8a # v1.0.0
with:
# renovate: datasource=github-tags depName=defenseunicorns/uds-cli versioning=semver
version: v0.19.2

- name: run grype scan
id: scan
run: |
OUTPUT_DIR=$(mktemp -d)
uds run grype:scan --no-progress --set OUTPUT_DIR="${OUTPUT_DIR}" --set ZARF_YAML="${{inputs.zarf_yaml}}"
echo "output_dir=${OUTPUT_DIR}" > "$GITHUB_OUTPUT"

- uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
with:
name: grype-scans
path: ${{ steps.scan.outputs.output_dir }}
retention-days: 30
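Review bot: the `run grype scan` step interpolates `${{inputs.zarf_yaml}}` straight into the shell script (`--set ZARF_YAML="${{inputs.zarf_yaml}}"`), so whoever writes a caller workflow can inject arbitrary shell into this job; pass the input through `env:` and reference it as `"$ZARF_YAML"` in the script instead. Two smaller points in the same step: `echo "output_dir=${OUTPUT_DIR}" > "$GITHUB_OUTPUT"` truncates the step outputs file, where the documented idiom is `>>`, and `fetch-depth: 0` on the checkout pulls the full history although the scan only reads the zarf.yaml at HEAD, so it can be dropped to keep the checkout shallow and fast.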
1 change: 1 addition & 0 deletions tasks.yaml
@@ -5,6 +5,7 @@ includes:
- setup: ./tasks/setup.yaml
- create: ./tasks/create.yaml
- deploy: ./tasks/deploy.yaml
- grype: ./tasks/grype.yaml
- lint: ./tasks/lint.yaml
- publish: ./tasks/publish.yaml
- pull: ./tasks/pull.yaml
7 changes: 7 additions & 0 deletions tasks/README.md
@@ -116,9 +116,16 @@ There are multiple task files available in this repository with different object
| **debug-output** | Print debug output from a k8s cluster |
| **clean-gh-runner** | Cleanup unneeded files to free space on a GitHub runner |
| **install-deps** | Install the runner dependencies for testing UDS Packages |
| **install-grype** | Install the grype for vulnerability scanning |
| **save-logs** | Save Pod and Node logs from a cluster and fix permissions |
| **setup-environment** | Setup the runner environment for testing UDS Packages |
| **test-deploy** | Test a deployment of a UDS package/bundle |
| **verify-badge** | Perform verification to assist with UDS badge certification |
| **determine-arch** | Determine the architecture of the current machine |
| **registry-login** | Log in to an OCI registry |

### [grype.yaml](./tasks/grype.yaml)

| Name | Description |
|------|-------------|
| **scan** | Execute grype scan on container images in zarf.yaml |
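Review bot: the **install-grype** row reads "Install the grype for vulnerability scanning"; drop the article ("Install grype for vulnerability scanning") here and in the matching `description:` of the task in tasks/actions.yaml so the two stay in sync. The **scan** description says the task scans images in `zarf.yaml`, but the task exposes a `ZARF_YAML` variable (default `zarf.yaml`), so "Execute grype scan on the container images listed in the given zarf.yaml" would tell a reader that the file is configurable.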
14 changes: 14 additions & 0 deletions tasks/actions.yaml
@@ -138,6 +138,20 @@ tasks:
"https://github.com/defenseunicorns/uds-releaser/releases/download/${UDS_RELEASER_VERSION}/uds-releaser_${UDS_RELEASER_VERSION}_$(uname -s)_${{ .variables.ARCH }}" \
&& chmod +x /usr/local/bin/uds-releaser

- name: install-grype
description: Install the grype for vulnerability scanning
actions:
- task: determine-arch
- description: Install Grype
env:
# renovate: datasource=github-tags depName=anchore/grype versioning=semver
- GRYPE_VERSION=v0.85.0
cmd: |
trimmed_version=$(echo "${GRYPE_VERSION}" | sed 's/v//')
curl -sL "https://github.com/anchore/grype/releases/download/${GRYPE_VERSION}/grype_${trimmed_version}_$(uname -s)_${{ .variables.ARCH }}.tar.gz" -o - \
| tar -zOx grype > /usr/local/bin/grype
chmod +x /usr/local/bin/grype

- name: authenticate-registries
description: Log in to the registries for testing and publishing UDS Packages
actions:
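Review bot: the grype tarball is fetched with `curl -sL` and piped straight into `tar`, with no `-f` and no checksum or signature verification, so an HTTP error body or a tampered asset ends up in /usr/local/bin/grype and is `chmod +x`ed regardless (unless the shell is running with `set -e`, the `tar` failure is masked by the `chmod` on the next line). Use `curl -fsSL` at minimum, and verify the download against the release's checksums file before extracting, in the same spirit as the commit-pinned actions in the workflow. Also prefer `sed 's/^v//'` over `sed 's/v//'` so only the leading `v` is stripped, and confirm that the asset name built from `$(uname -s)` (for example `Linux`) matches the casing used on the grype release page, because without `-f` a 404 here does not surface as a curl error.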
29 changes: 29 additions & 0 deletions tasks/grype.yaml
@@ -0,0 +1,29 @@
# Copyright 2024 Defense Unicorns
# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial

includes:
- actions: ./actions.yaml

variables:
- name: OUTPUT_DIR
default: scans
- name: ZARF_YAML
default: zarf.yaml

tasks:
- name: scan
description: Execute grype scan on container images in zarf.yaml
actions:
- task: actions:install-grype

- description: Run grype scan against zarf.yaml components.*.images
cmd: |
CONTAINER_IMAGES=$(./uds zarf tools yq -r '[.components.[].images] | flatten | .[]' "${ZARF_YAML}" | grep -ve '.sig' | grep -ve '.att')
for image in $CONTAINER_IMAGES; do
filename=$(echo "${image}" | sed 's%/%_%g' | sed 's%:%-%g')
output_file="${OUTPUT_DIR}/$(unknown)".json

grype -q "${image}" -o json > "${output_file}"

./uds zarf tools yq "${output_file}"
done
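Review bot: on the visible lines `filename` is computed from the image reference but never used; `output_file` is built from `$(unknown)`, which as written runs a command named `unknown` instead of expanding the sanitised name, so every image would be written to the same `${OUTPUT_DIR}/.json`; presumably `output_file="${OUTPUT_DIR}/${filename}.json"` was intended. Second, `grep -ve '.sig' | grep -ve '.att'` treats the patterns as regexes in which `.` matches any character, so any image reference containing `sig` or `att` anywhere is dropped (for example `ghcr.io/sigstore/cosign`, or an image whose name contains `pattern`); anchor on the tag suffix instead, `grep -vE '\.(sig|att)$'`. Third, `OUTPUT_DIR` is never created: the workflow passes a `mktemp -d` directory, but a local `uds run grype:scan` with the default `scans` fails at the first redirect, so add `mkdir -p "${OUTPUT_DIR}"` before the loop. Finally, the task only pretty-prints each report with `yq` and never fails on findings; if the scan is meant to gate anything, add `--fail-on <severity>` to the grype invocation, otherwise document that the task is report-only.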