From e6e500ba44b37de114d39180ce8016b4decf24a4 Mon Sep 17 00:00:00 2001
From: Daniil Fedotov
Date: Fri, 21 Jun 2024 13:14:49 -0400
Subject: [PATCH] Split published and example images vulnerability scanning (#2914)
---
 .../workflows/example-images-scanning.yaml | 17 +++++
 .../grype-vulnerability-scanner.yaml | 70 ------------------
 .../images-vulnerability-scanning.yaml | 59 ++++++++++++++++
 .../workflows/published-images-scanning.yaml | 17 +++++
 build/example_images.json | 15 ++++
 build/published_images.json | 10 +++
 build/push_images.sh | 29 +++++----
 build/valid_images.json | 16 -----
 8 files changed, 137 insertions(+), 96 deletions(-)
 create mode 100644 .github/workflows/example-images-scanning.yaml
 delete mode 100644 .github/workflows/grype-vulnerability-scanner.yaml
 create mode 100644 .github/workflows/images-vulnerability-scanning.yaml
 create mode 100644 .github/workflows/published-images-scanning.yaml
 create mode 100644 build/example_images.json
 create mode 100644 build/published_images.json
 delete mode 100644 build/valid_images.json
diff --git a/.github/workflows/example-images-scanning.yaml b/.github/workflows/example-images-scanning.yaml
new file mode 100644
index 0000000000..ecc3957b75
--- /dev/null
+++ b/.github/workflows/example-images-scanning.yaml
@@ -0,0 +1,17 @@
+name: Example images scanning
+permissions:
+ contents: read
+on:
+ workflow_dispatch:
+ workflow_run:
+ workflows: ["Build and test"]
+ types:
+ - completed
+ branches:
+ - master
+
+jobs:
+ scan-images:
+ uses: ./.github/workflows/images-vulnerability-scanning.yaml
+ with:
+ images_file: "build/example_images.json"
diff --git a/.github/workflows/grype-vulnerability-scanner.yaml b/.github/workflows/grype-vulnerability-scanner.yaml
deleted file mode 100644
index 46f7192261..0000000000
--- a/.github/workflows/grype-vulnerability-scanner.yaml
+++ /dev/null
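Review bot: The `scan-images` job in this hunk runs for every completed "Build and test" run, including failed or cancelled ones, because `workflow_run` with `types: [completed]` does not filter on conclusion; the identical trigger in `.github/workflows/published-images-scanning.yaml` has the same gap. If the intent is to scan only images produced by a successful build, gate the job with `if: github.event_name == 'workflow_dispatch' || github.event.workflow_run.conclusion == 'success'`, keeping manual dispatch working. Since both image lists pin the fixed `v9.99.9-dev` tag, a scan after a failed build would presumably report on whatever the previous push left under that tag, attributed to the failed run.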
@@ -1,70 +0,0 @@
-name: container vulnerability scanning
-permissions:
- contents: read
-on:
- workflow_dispatch:
- workflow_run:
- workflows: ["Build and test"]
- types:
- - completed
- branches:
- - master
-
-jobs:
- vulnerability-scanner:
- runs-on: ubuntu-20.04
- steps:
- - name: Create repo directory before checking out latest code
- run: mkdir -p repo
- - name: Checkout the latest code
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- with:
- ref: master
- path: repo
- - name: Read JSON file
- id: valid-image-json
- run: |
- EOF=$(dd if=/dev/urandom bs=15 count=1 status=none | base64)
- echo "images_list<<$EOF" >> $GITHUB_OUTPUT
- cat repo/build/valid_images.json >> $GITHUB_OUTPUT
- echo "$EOF" >> $GITHUB_OUTPUT
- - name: Reading output variable
- run: echo ${{fromJson(steps.valid-image-json.outputs.images_list)}}
- outputs:
- valid_images: ${{steps.valid-image-json.outputs.images_list}}
- report-analysis:
- runs-on: ubuntu-20.04
- needs:
- - vulnerability-scanner
- strategy:
- max-parallel: 3
- fail-fast: false
- matrix:
- images: ${{fromJson(needs.vulnerability-scanner.outputs.valid_images).images}}
- steps:
- - name: Printing Image Registry
- id: image-registry
- run: echo "image_registry=${{fromJson(needs.vulnerability-scanner.outputs.valid_images).image_registry}}" >> "$GITHUB_ENV"
- - name: Printing Image Tag
- id: image-tag
- run: echo "image_tag=${{fromJson(needs.vulnerability-scanner.outputs.valid_images).tag}}" >> "$GITHUB_ENV"
- - name: Printing Image Path
- run: echo "image_path=${{env.image_registry}}/${{matrix.images}}:${{env.image_tag}}" >> "$GITHUB_ENV"
- - name: Running vulnerability scanner
- uses: anchore/scan-action@v3
- id: vulnerability-scanning
- with:
- image: ${{env.image_path}}
- fail-build: false
- output-format: json
- only-fixed: true
- - name: Create repo directory before checking out latest code
- run: mkdir -p repo
- - name: Checkout the latest code
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- with:
- ref: master
- path: repo
- - name: Parsing vulnerability scanner report
- run: go run repo/pkg/tools/grype_report_parser_tool.go -s "High,Critical" -p results.json --github
-
diff --git a/.github/workflows/images-vulnerability-scanning.yaml b/.github/workflows/images-vulnerability-scanning.yaml
new file mode 100644
index 0000000000..5f5ea50544
--- /dev/null
+++ b/.github/workflows/images-vulnerability-scanning.yaml
@@ -0,0 +1,59 @@
+name: Images vulnerability scanning
+permissions:
+ contents: read
+on:
+ workflow_call:
+ inputs:
+ images_file:
+ required: true
+ type: string
+
+jobs:
+ discover-images:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+ - name: Read JSON file
+ id: images-json
+ ## Select images file and print it to the output var
+ run: |
+ EOF=$(dd if=/dev/urandom bs=15 count=1 status=none | base64)
+ echo "images_json<<$EOF" >> $GITHUB_OUTPUT
+ cat ${{ inputs.images_file }} >> $GITHUB_OUTPUT
+ echo "$EOF" >> $GITHUB_OUTPUT
+ - name: Showing output variable
+ run: echo ${{fromJson(steps.images-json.outputs.images_json)}}
+ outputs:
+ images-json: ${{steps.images-json.outputs.images_json}}
+ report-analysis:
+ runs-on: ubuntu-latest
+ needs:
+ - discover-images
+ strategy:
+ max-parallel: 3
+ fail-fast: false
+ matrix:
+ images: ${{fromJson(needs.discover-images.outputs.images-json).images}}
+ name: ${{ matrix.images }}
+ steps:
+ - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+ - name: Printing Image Registry
+ id: image-registry
+ run: echo "image_registry=${{fromJson(needs.discover-images.outputs.images-json).image_registry}}" >> "$GITHUB_ENV"
+ - name: Printing Image Tag
+ id: image-tag
+ run: echo "image_tag=${{fromJson(needs.discover-images.outputs.images-json).tag}}" >> "$GITHUB_ENV"
+ - name: Printing Image Path
+ run: echo "image_path=${{env.image_registry}}/${{matrix.images}}:${{env.image_tag}}" >> "$GITHUB_ENV"
+ - name: Running vulnerability scanner
+ uses: anchore/scan-action@v3
+ id: vulnerability-scanning
+ with:
+ image: ${{env.image_path}}
+ fail-build: false
+ output-format: json
+ only-fixed: true
+ severity-cutoff: medium
+ - name: Parsing vulnerability scanner report
+ run: go run pkg/tools/grype_report_parser_tool.go -s "Medium,High,Critical" -p results.json --github
+
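Review bot: In the `Read JSON file` step, `cat ${{ inputs.images_file }} >> $GITHUB_OUTPUT` expands the `images_file` input straight into the shell script; both callers on this page pass literal paths, so it is harmless as written, but this workflow is now `workflow_call`-reusable and a future caller that derives the input from event data would turn that line into shell injection. Route it through the environment instead: add `env:` / `IMAGES_FILE: ${{ inputs.images_file }}` to the step and use `cat "$IMAGES_FILE" >> "$GITHUB_OUTPUT"` in the script; the `Showing output variable` echo can take the same path. Separately, `anchore/scan-action@v3` is pinned to a mutable tag while `actions/checkout` in the same job is pinned to a commit SHA with a version comment, so the scanner's pinning is the weaker link in the chain this workflow exists to check. The heredoc delimiter built from `dd if=/dev/urandom` is a reasonable guard against delimiter collision, but a short comment saying why it is random would help the next reader, e.g. `# random delimiter so a literal "EOF" inside the JSON cannot end the output block early`.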
diff --git a/.github/workflows/published-images-scanning.yaml b/.github/workflows/published-images-scanning.yaml
new file mode 100644
index 0000000000..1ddd5dd10b
--- /dev/null
+++ b/.github/workflows/published-images-scanning.yaml
@@ -0,0 +1,17 @@
+name: Published images scanning
+permissions:
+ contents: read
+on:
+ workflow_dispatch:
+ workflow_run:
+ workflows: ["Build and test"]
+ types:
+ - completed
+ branches:
+ - master
+
+jobs:
+ scan-images:
+ uses: ./.github/workflows/images-vulnerability-scanning.yaml
+ with:
+ images_file: "build/published_images.json"
diff --git a/build/example_images.json b/build/example_images.json
new file mode 100644
index 0000000000..1402cd0dc9
--- /dev/null
+++ b/build/example_images.json
@@ -0,0 +1,15 @@
+{
+ "image_registry": "ghcr.io/kanisterio",
+ "images": [
+ "mysql-sidecar",
+ "kafka-adobe-s3-sink-connector",
+ "postgres-kanister-tools",
+ "postgresql",
+ "cassandra",
+ "mongodb",
+ "es-sidecar",
+ "kafka-adobe-s3-source-connector",
+ "mssql-tools"
+ ],
+ "tag": "v9.99.9-dev"
+}
diff --git a/build/published_images.json b/build/published_images.json
new file mode 100644
index 0000000000..b2a7db408b
--- /dev/null
+++ b/build/published_images.json
@@ -0,0 +1,10 @@
+{
+ "image_registry": "ghcr.io/kanisterio",
+ "images": [
+ "kanister-kubectl-1.18",
+ "controller",
+ "kanister-tools",
+ "repo-server-controller"
+ ],
+ "tag": "v9.99.9-dev"
+}
diff --git a/build/push_images.sh b/build/push_images.sh
index a6ab15dadb..7d7b749e8a 100755
--- a/build/push_images.sh
+++ b/build/push_images.sh
@@ -19,19 +19,28 @@ set -o nounset IMAGE_REGISTRY="ghcr.io/kanisterio" -IMAGES_NAME_PATH="build/valid_images.json" - -IMAGES=(`cat ${IMAGES_NAME_PATH} | jq -r .images[]`) +PUBLISHED_IMAGES_NAME_PATH="build/published_images.json" +EXAMPLE_IMAGES_NAME_PATH="build/example_images.json" TAG=${1:-"v9.99.9-dev"} COMMIT_SHA_TAG=commit-${COMMIT_SHA:?"COMMIT_SHA is required"} SHORT_COMMIT_SHA_TAG=short-commit-${COMMIT_SHA::12} -for i in ${IMAGES[@]}; do - docker tag $IMAGE_REGISTRY/$i:$TAG $IMAGE_REGISTRY/$i:$COMMIT_SHA_TAG - docker tag $IMAGE_REGISTRY/$i:$TAG $IMAGE_REGISTRY/$i:$SHORT_COMMIT_SHA_TAG - docker push $IMAGE_REGISTRY/$i:$TAG - docker push $IMAGE_REGISTRY/$i:$COMMIT_SHA_TAG - docker push $IMAGE_REGISTRY/$i:$SHORT_COMMIT_SHA_TAG -done +push_images() { + images_file_path=$1 + + images=$(jq -r .images[] "${images_file_path}") + + for i in ${images[@]}; do + docker tag $IMAGE_REGISTRY/$i:$TAG $IMAGE_REGISTRY/$i:$COMMIT_SHA_TAG + docker tag $IMAGE_REGISTRY/$i:$TAG $IMAGE_REGISTRY/$i:$SHORT_COMMIT_SHA_TAG + docker push $IMAGE_REGISTRY/$i:$TAG + docker push $IMAGE_REGISTRY/$i:$COMMIT_SHA_TAG + docker push $IMAGE_REGISTRY/$i:$SHORT_COMMIT_SHA_TAG + done +} + +push_images $PUBLISHED_IMAGES_NAME_PATH + +push_images $EXAMPLE_IMAGES_NAME_PATH diff --git a/build/valid_images.json b/build/valid_images.json deleted file mode 100644 index 5d94c5fb97..0000000000 --- a/build/valid_images.json +++ /dev/null @@ -1,16 +0,0 @@ -{ - "image_registry": "ghcr.io/kanisterio", - "images": [ "mysql-sidecar", - "kafka-adobe-s3-sink-connector", - "postgres-kanister-tools", - "postgresql", - "cassandra", - "kanister-kubectl-1.18", - "mongodb", - "es-sidecar", - "controller", - "kanister-tools", - "kafka-adobe-s3-source-connector", - "mssql-tools"], - "tag": "v9.99.9-dev" -}
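Review bot: In the new `push_images()`, `images=$(jq -r .images[] "${images_file_path}")` stores the list as one string, so the `${images[@]}` loop works only by accident of word splitting, and neither `images_file_path` nor `images` is declared `local`, so the second call inherits state from the first. Declare them and read into a real array: `local images_file_path=$1`, `local -a images; mapfile -t images < <(jq -r '.images[]' "$images_file_path")`, `for i in "${images[@]}"; do`. Quoting the jq filter as `'.images[]'` is the usual precaution against the shell treating the brackets as a glob, and the `docker tag`/`docker push` arguments would benefit from the same double-quoting. With `set -o nounset` in effect (visible in the hunk header), note that an empty array expansion is an unbound-variable error on bash releases before 4.4, so an images file with an empty list should either be rejected up front or tolerated explicitly.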