diff --git a/ci/scripts/docker-scout-notify.sh b/ci/scripts/docker-scout-notify.sh new file mode 100644 index 0000000000000..0dc9c484aabec --- /dev/null +++ b/ci/scripts/docker-scout-notify.sh @@ -0,0 +1,19 @@ +#!/usr/bin/env bash + +# Exits as soon as any line fails. +set -euo pipefail + +buildkite-agent meta-data get SCOUT_REPORT > scout.report +cat >> step.yaml << EOF +steps: + - label: "docker scout slack notification" + command: "echo '--- notify the scout report'" + notify: + - slack: + channels: + - "#notification-buildkite" + message: | + ${report} +EOF + +buildkite-agent pipeline upload step.yaml diff --git a/ci/scripts/docker-scout.sh b/ci/scripts/docker-scout.sh new file mode 100644 index 0000000000000..1e64f58c3ffe9 --- /dev/null +++ b/ci/scripts/docker-scout.sh @@ -0,0 +1,44 @@ +#!/usr/bin/env bash + +# Exits as soon as any line fails. +set -euo pipefail + +ghcraddr="ghcr.io/risingwavelabs/risingwave" +arch="$(uname -m)" +image="${ghcraddr}:${BUILDKITE_COMMIT}-${arch}" + +echo "--- ghcr login" +echo "$GHCR_TOKEN" | docker login ghcr.io -u "$GHCR_USERNAME" --password-stdin + +echo "--- dockerhub login" +echo "$DOCKER_TOKEN" | docker login -u "risingwavelabs" --password-stdin + +echo "--- pull docker image" +echo "pulling ${image}" +docker pull "${image}" + +echo "--- check vulnerabilities" +mkdir -p scout +function docker-scout { + docker run -it -e DOCKER_SCOUT_HUB_USER=risingwavelabs -e DOCKER_SCOUT_HUB_PASSWORD=$DOCKER_TOKEN -u root -v /var/run/docker.sock:/var/run/docker.sock -v $PWD/scout:/scout docker/scout-cli "$@" +} + +echo "--- scout quickview" +docker-scout quickview ${image} -o /scout/quickview.output +cat scout/quickview.output +read C H M L <<< $(grep 'Target' scout/quickview.output | awk -F'[ │ ]+' '{print $4, $5, $6, $7}' | sed 's/[CHML]//g') +cat >> scout/report.output << EOF +Docker Scout Report: + - Critical: $C + - High: $H + - Medium: $M + - Low: $L +EOF + +buildkite-agent meta-data set "SCOUT_REPORT" "$(cat scout/report.output)" + +echo "--- scout recommendations" +docker-scout recommendations "${image}" + +echo "--- scout cves" +docker-scout cves "${image}" diff --git a/ci/scripts/docker.sh b/ci/scripts/docker.sh index e3080cff326a5..640d7af31dcba 100755 --- a/ci/scripts/docker.sh +++ b/ci/scripts/docker.sh @@ -29,6 +29,11 @@ docker buildx create \ --name container \ --driver=docker-container +PULL_PARAM="" +if [[ "${ALWAYS_PULL:-false}" = "true" ]]; then + PULL_PARAM="--pull" +fi + docker buildx build -f docker/Dockerfile \ --build-arg "GIT_SHA=${BUILDKITE_COMMIT}" \ --build-arg "CARGO_PROFILE=${CARGO_PROFILE}" \ @@ -36,6 +41,7 @@ docker buildx build -f docker/Dockerfile \ --progress plain \ --builder=container \ --load \ + ${PULL_PARAM} \ --cache-to "type=registry,ref=ghcr.io/risingwavelabs/risingwave-build-cache:${arch}" \ --cache-from "type=registry,ref=ghcr.io/risingwavelabs/risingwave-build-cache:${arch}" \ . diff --git a/ci/workflows/docker.yml b/ci/workflows/docker.yml index dce0b68f50850..6fda1ea24138e 100644 --- a/ci/workflows/docker.yml +++ b/ci/workflows/docker.yml @@ -38,6 +38,7 @@ steps: depends_on: - "build-amd64" - "build-aarch64" + key: "multi-arch-image-create-push" plugins: - seek-oss/aws-sm#v2.3.1: env: @@ -81,3 +82,22 @@ steps: agents: queue: "linux-arm64" retry: *auto-retry + + - label: "docker scout" + if: build.env("ENABLE_DOCKER_SCOUT") == "true" + key: docker-scout + command: "ci/scripts/docker-scout.sh" + depends_on: + - "multi-arch-image-create-push" + plugins: + - seek-oss/aws-sm#v2.3.1: + env: + GHCR_USERNAME: ghcr-username + GHCR_TOKEN: ghcr-token + DOCKER_TOKEN: docker-token + retry: *auto-retry + + - label: "generate notification step" + depends_on: + - "docker-scout" + command: ci/scripts/docker-scout-notify.sh