Split published and example images vulnerability scanning (#2914)

kanisterio · Jun 21, 2024 · e6e500b · e6e500b
1 parent f5bdd5b
commit e6e500b
Show file tree

Hide file tree

Showing 8 changed files with 137 additions and 96 deletions.
diff --git a/.github/workflows/example-images-scanning.yaml b/.github/workflows/example-images-scanning.yaml
@@ -0,0 +1,17 @@
+name: Example images scanning
+permissions:
+  contents: read
+on:
+  workflow_dispatch:
+  workflow_run:
+    workflows: ["Build and test"]
+    types:
+      - completed
+    branches:
+      - master
+
+jobs:
+  scan-images:
+    uses: ./.github/workflows/images-vulnerability-scanning.yaml
+    with:
+      images_file: "build/example_images.json"
diff --git a/.github/workflows/grype-vulnerability-scanner.yaml b/.github/workflows/grype-vulnerability-scanner.yaml
diff --git a/.github/workflows/images-vulnerability-scanning.yaml b/.github/workflows/images-vulnerability-scanning.yaml
@@ -0,0 +1,59 @@
+name: Images vulnerability scanning
+permissions:
+  contents: read
+on:
+  workflow_call:
+    inputs:
+      images_file:
+        required: true
+        type: string
+
+jobs:
+  discover-images:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+      - name: Read JSON file
+        id: images-json
+        ## Select images file and print it to the output var
+        run: |
+          EOF=$(dd if=/dev/urandom bs=15 count=1 status=none | base64)
+          echo "images_json<<$EOF" >> $GITHUB_OUTPUT
+          cat ${{ inputs.images_file }} >> $GITHUB_OUTPUT
+          echo "$EOF" >> $GITHUB_OUTPUT
+      - name: Showing output variable
+        run: echo ${{fromJson(steps.images-json.outputs.images_json)}}
+    outputs:
+      images-json: ${{steps.images-json.outputs.images_json}}
+  report-analysis:
+    runs-on: ubuntu-latest
+    needs:
+      - discover-images
+    strategy:
+      max-parallel: 3
+      fail-fast: false
+      matrix:
+        images: ${{fromJson(needs.discover-images.outputs.images-json).images}}
+    name: ${{ matrix.images }}
+    steps:
+      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+      - name: Printing Image Registry
+        id: image-registry
+        run: echo "image_registry=${{fromJson(needs.discover-images.outputs.images-json).image_registry}}" >>  "$GITHUB_ENV"
+      - name: Printing Image Tag
+        id: image-tag
+        run: echo "image_tag=${{fromJson(needs.discover-images.outputs.images-json).tag}}" >>  "$GITHUB_ENV"
+      - name: Printing Image Path
+        run: echo "image_path=${{env.image_registry}}/${{matrix.images}}:${{env.image_tag}}" >> "$GITHUB_ENV"
+      - name: Running vulnerability scanner
+        uses: anchore/scan-action@v3
+        id: vulnerability-scanning
+        with:
+          image: ${{env.image_path}}
+          fail-build: false
+          output-format: json
+          only-fixed: true
+          severity-cutoff: medium
+      - name: Parsing vulnerability scanner report
+        run: go run pkg/tools/grype_report_parser_tool.go -s "Medium,High,Critical" -p results.json --github
+
diff --git a/.github/workflows/published-images-scanning.yaml b/.github/workflows/published-images-scanning.yaml
@@ -0,0 +1,17 @@
+name: Published images scanning
+permissions:
+  contents: read
+on:
+  workflow_dispatch:
+  workflow_run:
+    workflows: ["Build and test"]
+    types:
+      - completed
+    branches:
+      - master
+
+jobs:
+  scan-images:
+    uses: ./.github/workflows/images-vulnerability-scanning.yaml
+    with:
+      images_file: "build/published_images.json"
diff --git a/build/example_images.json b/build/example_images.json
@@ -0,0 +1,15 @@
+{
+    "image_registry": "ghcr.io/kanisterio",
+    "images": [
+        "mysql-sidecar",
+        "kafka-adobe-s3-sink-connector",
+        "postgres-kanister-tools",
+        "postgresql",
+        "cassandra",
+        "mongodb",
+        "es-sidecar",
+        "kafka-adobe-s3-source-connector",
+        "mssql-tools"
+    ],
+    "tag": "v9.99.9-dev"
+}
diff --git a/build/published_images.json b/build/published_images.json
@@ -0,0 +1,10 @@
+{
+    "image_registry": "ghcr.io/kanisterio",
+    "images": [
+        "kanister-kubectl-1.18",
+        "controller",
+        "kanister-tools",
+        "repo-server-controller"
+    ],
+    "tag": "v9.99.9-dev"
+}
diff --git a/build/push_images.sh b/build/push_images.sh
@@ -19,19 +19,28 @@ set -o nounset
 
 IMAGE_REGISTRY="ghcr.io/kanisterio"
 
-IMAGES_NAME_PATH="build/valid_images.json"
-
-IMAGES=(`cat ${IMAGES_NAME_PATH} | jq -r .images[]`)
+PUBLISHED_IMAGES_NAME_PATH="build/published_images.json"
+EXAMPLE_IMAGES_NAME_PATH="build/example_images.json"
 
 TAG=${1:-"v9.99.9-dev"}
 
 COMMIT_SHA_TAG=commit-${COMMIT_SHA:?"COMMIT_SHA is required"}
 SHORT_COMMIT_SHA_TAG=short-commit-${COMMIT_SHA::12}
 
-for i in ${IMAGES[@]}; do
-   docker tag $IMAGE_REGISTRY/$i:$TAG $IMAGE_REGISTRY/$i:$COMMIT_SHA_TAG
-   docker tag $IMAGE_REGISTRY/$i:$TAG $IMAGE_REGISTRY/$i:$SHORT_COMMIT_SHA_TAG
-   docker push $IMAGE_REGISTRY/$i:$TAG
-   docker push $IMAGE_REGISTRY/$i:$COMMIT_SHA_TAG
-   docker push $IMAGE_REGISTRY/$i:$SHORT_COMMIT_SHA_TAG
-done
+push_images() {
+   images_file_path=$1
+
+   images=$(jq -r .images[] "${images_file_path}")
+
+   for i in ${images[@]}; do
+      docker tag $IMAGE_REGISTRY/$i:$TAG $IMAGE_REGISTRY/$i:$COMMIT_SHA_TAG
+      docker tag $IMAGE_REGISTRY/$i:$TAG $IMAGE_REGISTRY/$i:$SHORT_COMMIT_SHA_TAG
+      docker push $IMAGE_REGISTRY/$i:$TAG
+      docker push $IMAGE_REGISTRY/$i:$COMMIT_SHA_TAG
+      docker push $IMAGE_REGISTRY/$i:$SHORT_COMMIT_SHA_TAG
+   done
+}
+
+push_images $PUBLISHED_IMAGES_NAME_PATH
+
+push_images $EXAMPLE_IMAGES_NAME_PATH
diff --git a/build/valid_images.json b/build/valid_images.json