feat(ci): add docker scout to check vulnerabilities in docker pipeline (

risingwavelabs#19128)
ly9chee · Oct 25, 2024 · d5d0283 · d5d0283
1 parent 70d1d42
commit d5d0283
Show file tree

Hide file tree

Showing 4 changed files with 89 additions and 0 deletions.
diff --git a/ci/scripts/docker-scout-notify.sh b/ci/scripts/docker-scout-notify.sh
@@ -0,0 +1,19 @@
+#!/usr/bin/env bash
+
+# Exits as soon as any line fails.
+set -euo pipefail
+
+buildkite-agent meta-data get SCOUT_REPORT > scout.report
+cat >> step.yaml << EOF
+steps:
+  - label: "docker scout slack notification"
+    command: "echo '--- notify the scout report'"
+    notify:
+      - slack:
+          channels:
+            - "#notification-buildkite"
+          message: |
+            ${report}
+EOF
+
+buildkite-agent pipeline upload step.yaml
diff --git a/ci/scripts/docker-scout.sh b/ci/scripts/docker-scout.sh
@@ -0,0 +1,44 @@
+#!/usr/bin/env bash
+
+# Exits as soon as any line fails.
+set -euo pipefail
+
+ghcraddr="ghcr.io/risingwavelabs/risingwave"
+arch="$(uname -m)"
+image="${ghcraddr}:${BUILDKITE_COMMIT}-${arch}"
+
+echo "--- ghcr login"
+echo "$GHCR_TOKEN" | docker login ghcr.io -u "$GHCR_USERNAME" --password-stdin
+
+echo "--- dockerhub login"
+echo "$DOCKER_TOKEN" | docker login -u "risingwavelabs" --password-stdin
+
+echo "--- pull docker image"
+echo "pulling ${image}"
+docker pull "${image}"
+
+echo "--- check vulnerabilities"
+mkdir -p scout
+function docker-scout {
+    docker run -it -e DOCKER_SCOUT_HUB_USER=risingwavelabs -e DOCKER_SCOUT_HUB_PASSWORD=$DOCKER_TOKEN -u root -v /var/run/docker.sock:/var/run/docker.sock -v $PWD/scout:/scout docker/scout-cli "$@"
+}
+
+echo "--- scout quickview"
+docker-scout quickview ${image} -o /scout/quickview.output
+cat scout/quickview.output
+read C H M L <<< $(grep 'Target'  scout/quickview.output | awk -F'[ │ ]+' '{print $4, $5, $6, $7}' | sed 's/[CHML]//g')
+cat >> scout/report.output << EOF
+Docker Scout Report:
+            - Critical: $C
+            - High: $H
+            - Medium: $M
+            - Low: $L
+EOF
+
+buildkite-agent meta-data set "SCOUT_REPORT" "$(cat scout/report.output)"
+
+echo "--- scout recommendations"
+docker-scout recommendations "${image}"
+
+echo "--- scout cves"
+docker-scout cves "${image}"
diff --git a/ci/scripts/docker.sh b/ci/scripts/docker.sh
@@ -29,13 +29,19 @@ docker buildx create \
   --name container \
   --driver=docker-container
 
+PULL_PARAM=""
+if [[ "${ALWAYS_PULL:-false}" = "true" ]]; then
+  PULL_PARAM="--pull"
+fi
+
 docker buildx build -f docker/Dockerfile \
   --build-arg "GIT_SHA=${BUILDKITE_COMMIT}" \
   --build-arg "CARGO_PROFILE=${CARGO_PROFILE}" \
   -t "${ghcraddr}:${BUILDKITE_COMMIT}-${arch}" \
   --progress plain \
   --builder=container \
   --load \
+  ${PULL_PARAM} \
   --cache-to "type=registry,ref=ghcr.io/risingwavelabs/risingwave-build-cache:${arch}" \
   --cache-from "type=registry,ref=ghcr.io/risingwavelabs/risingwave-build-cache:${arch}" \
   .

diff --git a/ci/workflows/docker.yml b/ci/workflows/docker.yml
@@ -38,6 +38,7 @@ steps:
     depends_on:
       - "build-amd64"
       - "build-aarch64"
+    key: "multi-arch-image-create-push"
     plugins:
       - seek-oss/aws-sm#v2.3.1:
           env:
@@ -81,3 +82,22 @@ steps:
     agents:
       queue: "linux-arm64"
     retry: *auto-retry
+
+  - label: "docker scout"
+    if: build.env("ENABLE_DOCKER_SCOUT") == "true"
+    key: docker-scout
+    command: "ci/scripts/docker-scout.sh"
+    depends_on:
+      - "multi-arch-image-create-push"
+    plugins:
+      - seek-oss/aws-sm#v2.3.1:
+          env:
+            GHCR_USERNAME: ghcr-username
+            GHCR_TOKEN: ghcr-token
+            DOCKER_TOKEN: docker-token
+    retry: *auto-retry
+
+  - label: "generate notification step"
+    depends_on:
+      - "docker-scout"
+    command: ci/scripts/docker-scout-notify.sh