From d5d0283650fafef0eb2592c273a1d0a95a04f35c Mon Sep 17 00:00:00 2001
From: Chengyou Liu <35356271+cyliu0@users.noreply.github.com>
Date: Fri, 25 Oct 2024 17:40:18 +0800
Subject: [PATCH] feat(ci): add docker scout to check vulnerabilities in docker pipeline (#19128)

---
 ci/scripts/docker-scout-notify.sh | 19 +++++++++++++
 ci/scripts/docker-scout.sh | 44 +++++++++++++++++++++++++++++++
 ci/scripts/docker.sh | 6 +++++
 ci/workflows/docker.yml | 20 ++++++++++++++
 4 files changed, 89 insertions(+)
 create mode 100644 ci/scripts/docker-scout-notify.sh
 create mode 100644 ci/scripts/docker-scout.sh

diff --git a/ci/scripts/docker-scout-notify.sh b/ci/scripts/docker-scout-notify.sh
new file mode 100644
index 000000000000..0dc9c484aabe
--- /dev/null
+++ b/ci/scripts/docker-scout-notify.sh
@@ -0,0 +1,19 @@
+#!/usr/bin/env bash
+
+# Exits as soon as any line fails.
+set -euo pipefail
+
+buildkite-agent meta-data get SCOUT_REPORT > scout.report
+cat >> step.yaml << EOF
+steps:
+  - label: "docker scout slack notification"
+    command: "echo '--- notify the scout report'"
+    notify:
+      - slack:
+          channels:
+            - "#notification-buildkite"
+          message: |
+            ${report}
+EOF
+
+buildkite-agent pipeline upload step.yaml
diff --git a/ci/scripts/docker-scout.sh b/ci/scripts/docker-scout.sh
new file mode 100644
index 000000000000..1e64f58c3ffe
--- /dev/null
+++ b/ci/scripts/docker-scout.sh
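Review bot: The heredoc in docker-scout-notify.sh interpolates `${report}`, but nothing assigns `report` — the meta-data value is redirected into the file `scout.report` and never read back — so under `set -u` the script aborts with an unbound-variable error before the pipeline upload and the Slack step is never created. Capture the value into the variable and indent it so it stays inside the `message: |` block scalar: `report="$(buildkite-agent meta-data get SCOUT_REPORT | sed 's/^/            /')"`, then `${report}` at column 0 in the heredoc. `cat >> step.yaml` appends, so a retried job reusing the same checkout would upload duplicated steps; `cat > step.yaml` is what is meant. Because the interpolated text ends up in a pipeline definition that `buildkite-agent pipeline upload` turns into executable steps, a comment such as `# SCOUT_REPORT is trusted: it is set by the docker-scout step of this same build from parsed tool output` would make the trust assumption explicit.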
@@ -0,0 +1,44 @@
+#!/usr/bin/env bash
+
+# Exits as soon as any line fails.
+set -euo pipefail
+
+ghcraddr="ghcr.io/risingwavelabs/risingwave"
+arch="$(uname -m)"
+image="${ghcraddr}:${BUILDKITE_COMMIT}-${arch}"
+
+echo "--- ghcr login"
+echo "$GHCR_TOKEN" | docker login ghcr.io -u "$GHCR_USERNAME" --password-stdin
+
+echo "--- dockerhub login"
+echo "$DOCKER_TOKEN" | docker login -u "risingwavelabs" --password-stdin
+
+echo "--- pull docker image"
+echo "pulling ${image}"
+docker pull "${image}"
+
+echo "--- check vulnerabilities"
+mkdir -p scout
+function docker-scout {
+  docker run -it -e DOCKER_SCOUT_HUB_USER=risingwavelabs -e DOCKER_SCOUT_HUB_PASSWORD=$DOCKER_TOKEN -u root -v /var/run/docker.sock:/var/run/docker.sock -v $PWD/scout:/scout docker/scout-cli "$@"
+}
+
+echo "--- scout quickview"
+docker-scout quickview ${image} -o /scout/quickview.output
+cat scout/quickview.output
+read C H M L <<< $(grep 'Target' scout/quickview.output | awk -F'[ │ ]+' '{print $4, $5, $6, $7}' | sed 's/[CHML]//g')
+cat >> scout/report.output << EOF
+Docker Scout Report:
+  - Critical: $C
+  - High: $H
+  - Medium: $M
+  - Low: $L
+EOF
+
+buildkite-agent meta-data set "SCOUT_REPORT" "$(cat scout/report.output)"
+
+echo "--- scout recommendations"
+docker-scout recommendations "${image}"
+
+echo "--- scout cves"
+docker-scout cves "${image}"
diff --git a/ci/scripts/docker.sh b/ci/scripts/docker.sh
index e3080cff326a..640d7af31dcb 100755
--- a/ci/scripts/docker.sh
+++ b/ci/scripts/docker.sh
@@ -29,6 +29,11 @@ docker buildx create \
   --name container \
   --driver=docker-container
 
+PULL_PARAM=""
+if [[ "${ALWAYS_PULL:-false}" = "true" ]]; then
+  PULL_PARAM="--pull"
+fi
+
 docker buildx build -f docker/Dockerfile \
   --build-arg "GIT_SHA=${BUILDKITE_COMMIT}" \
   --build-arg "CARGO_PROFILE=${CARGO_PROFILE}" \
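Review bot: In the `docker-scout` helper the Hub token is put on the `docker run` command line as `-e DOCKER_SCOUT_HUB_PASSWORD=$DOCKER_TOKEN`, unquoted, so it is subject to word splitting and is readable from the process list and from `docker inspect` of the scout container; pass it through the environment instead — `export DOCKER_SCOUT_HUB_PASSWORD="$DOCKER_TOKEN"` before the function and `-e DOCKER_SCOUT_HUB_PASSWORD` inside it — and quote `"$PWD/scout:/scout"` and `"${image}"` in the quickview call. Mounting `/var/run/docker.sock` with `-u root` gives the `docker/scout-cli` image root-equivalent access to the agent host, which argues for pinning that image to a digest rather than the floating tag it uses now. The step is report-only: neither `quickview` nor `cves` returns non-zero on findings, so a critical CVE does not block the already-pushed image; if a gate is intended, `docker-scout cves --exit-code --only-severity critical,high "${image}"` provides one. The `read C H M L <<< $(grep 'Target' …)` parse also yields empty counts silently when the table layout changes, because a failing command substitution inside a here-string does not trip `set -e`.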
@@ -36,6 +41,7 @@ docker buildx build -f docker/Dockerfile \
   --progress plain \
   --builder=container \
   --load \
+  ${PULL_PARAM} \
   --cache-to "type=registry,ref=ghcr.io/risingwavelabs/risingwave-build-cache:${arch}" \
   --cache-from "type=registry,ref=ghcr.io/risingwavelabs/risingwave-build-cache:${arch}" \
   .
diff --git a/ci/workflows/docker.yml b/ci/workflows/docker.yml
index dce0b68f5085..6fda1ea24138 100644
--- a/ci/workflows/docker.yml
+++ b/ci/workflows/docker.yml
@@ -38,6 +38,7 @@ steps:
     depends_on:
       - "build-amd64"
       - "build-aarch64"
+    key: "multi-arch-image-create-push"
     plugins:
       - seek-oss/aws-sm#v2.3.1:
           env:
@@ -81,3 +82,22 @@ steps:
     agents:
       queue: "linux-arm64"
     retry: *auto-retry
+
+  - label: "docker scout"
+    if: build.env("ENABLE_DOCKER_SCOUT") == "true"
+    key: docker-scout
+    command: "ci/scripts/docker-scout.sh"
+    depends_on:
+      - "multi-arch-image-create-push"
+    plugins:
+      - seek-oss/aws-sm#v2.3.1:
+          env:
+            GHCR_USERNAME: ghcr-username
+            GHCR_TOKEN: ghcr-token
+            DOCKER_TOKEN: docker-token
+    retry: *auto-retry
+
+  - label: "generate notification step"
+    depends_on:
+      - "docker-scout"
+    command: ci/scripts/docker-scout-notify.sh
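Review bot: The "generate notification step" is not guarded by the same `if: build.env("ENABLE_DOCKER_SCOUT") == "true"` condition as the `docker scout` step it depends on; as far as I recall Buildkite treats a dependency on a step skipped by its `if` as satisfied, so on builds without the flag this step would still run, `buildkite-agent meta-data get SCOUT_REPORT` would find no key, and the script would fail under `set -e`. Add `if: build.env("ENABLE_DOCKER_SCOUT") == "true"` to that step as well, and for consistency with its neighbours give it a `key:` and `retry: *auto-retry`. The scout step is handed both the GHCR and Docker Hub secrets although it only pulls an image and authenticates to Scout; presumably `docker-token` is the same push-capable credential the build steps use — worth confirming, and using a read-only token if one exists.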