ci: add re-usable workflow for scans from published img and automatic…

… reports This commit adds get-published-images-scan-and-report.yaml, a re-usable workflow that enables repositories to scan images from a public registry (in the case of the Analytics team it defaults to charmedkubeflow) and reports back the security vulnerabilities as Github issues. This workflow is intended to be used on demand (using a workflow dispatch) and on schedule, as it will be used for continuous testing of the published images a rock repository generates. Part of #69
canonical · Oct 9, 2024 · 9fd484b · 9fd484b
1 parent e6d94ca
commit 9fd484b
Show file tree

Hide file tree

Showing 4 changed files with 220 additions and 0 deletions.
diff --git a/.github/workflows/get-published-image-names.yaml b/.github/workflows/get-published-image-names.yaml
@@ -0,0 +1,41 @@
+name: Get oci-images names from Dockerhub
+
+on:
+  workflow_call:
+    outputs:
+      images-names:
+        description: A JSON array of images that Paths in this repository where rockcraft projects are stored
+        value: ${{ jobs.get-images-names.outputs.images-names }}
+
+jobs:
+  get-images-names:
+    name: Get all rockcraft.yaml paths
+    runs-on: ubuntu-22.04
+    outputs:
+      images-names: ${{ steps.get-images.outputs.images-names }}
+    steps:
+      - name: Checkout repository code
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Install tools
+        run: |
+          sudo snap install yq
+          sudo apt install jq
+
+      - name: Get images names
+        id: get-images
+        run: |
+          set -xeu
+          IMAGES_NAMES=()
+          paths=$(find ./ -name "rockcraft.yaml" | sed 's/\.\///g')
+          for d in $paths
+          do
+            short_hash=$(git log -n 1 --pretty=%h -- ${d})
+            image_name=$(cat ${d} | yq -r '.name')
+            image_version=$(cat ${d} | yq -r '.version')
+            IMAGES_NAMES+=(${image_name}:${image_version}-${short_hash})
+          done
+          IMAGES_ARRAY=$(jq -c -n '$ARGS.positional' --args "${IMAGES_NAMES[@]}")
+          echo "images-names=${IMAGES_ARRAY}" >> "$GITHUB_OUTPUT"
diff --git a/.github/workflows/get-published-images-scan-and-report.yaml b/.github/workflows/get-published-images-scan-and-report.yaml
@@ -0,0 +1,37 @@
+name: Get ROCKs modified and build-scan-test-publish them
+
+on:
+  workflow_call:
+    secrets:
+      GH_TOKEN:
+        required: true
+    inputs:
+      report-vulnerabilities:
+        description: "Whether to report security vulnerabilities through Github issues."
+        required: false
+        default: false
+        type: boolean
+      severity:
+        description: "Comma separated list of severities of vulnerabilities to scanned for and displayed"
+        required: false
+        type: string
+        default: "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL"
+
+
+jobs:
+  get-published-images-names:
+    name: Get published images names
+    uses: ./.github/workflows/get-published-image-names.yaml
+
+  scan-report-vulnerability:
+    needs: get-published-images-names
+    strategy:
+      fail-fast: false
+      matrix:
+        image-name: ${{ fromJson(needs.get-published-images-names.outputs.images-names) }}
+    uses: ./.github/workflows/scan-from-dockerhub-report-issue.yaml
+    secrets: inherit
+    with:
+      image-name: ${{ matrix.image-name }}
+      report-vulnerabilities: ${{ inputs.report-vulnerabilities }}
+      severity: ${{ inputs.severity }}
diff --git a/.github/workflows/scan-from-dockerhub-report-issue.yaml b/.github/workflows/scan-from-dockerhub-report-issue.yaml
@@ -0,0 +1,38 @@
+name: Scan from published image and report vulnerabilities
+
+on:
+  workflow_call:
+    inputs:
+      image-name:
+        description: "The published image name to be scanned."
+        required: true
+        type: string
+      report-vulnerabilities:
+        description: "Whether to report security vulnerabilities through Github issues."
+        required: false
+        default: false
+        type: boolean
+      severity:
+        description: "Comma separated list of severities of vulnerabilities to scanned for and displayed"
+        required: false
+        type: string
+        default: "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL"
+jobs:
+  scan:
+    # uses: canonical/charmed-kubeflow-workflows/.github/workflows/scan-from-published-image.yaml@KF-6331-add-scan-reusable-workflow
+    uses: ./.github/workflows/scan-from-published-image.yaml
+    secrets: inherit
+    with:
+      image-name: ${{ inputs.image-name }}
+      report-vulnerabilities: ${{ inputs.report-vulnerabilities }}
+      severity: ${{ inputs.severity }}
+
+  # Leaving it here in case we ever want to enable scan and reports on_merge
+  report-vulnerability:
+    needs: scan
+    uses: ./.github/workflows/report-vulnerability-in-gh.yaml
+    secrets: inherit
+    if: ${{ always() && (needs.scan.result == 'failure') }}
+    with:
+      issue-title: 'Vulnerabilities found for'
+      image-name: ${{ needs.scan.outputs.image-name-dashes }}
diff --git a/.github/workflows/scan-from-published-image.yaml b/.github/workflows/scan-from-published-image.yaml
@@ -0,0 +1,104 @@
+name: Scan
+
+on:
+  workflow_call:
+    outputs:
+      image-name-dashes:
+        description: "The image name with format <image-name>-<version>"
+        value: ${{ jobs.scan.outputs.image-name-dashes }}
+    inputs:
+      container-registry:
+        description: "The name of the container registry where images are hosted."
+        required: false
+        type: string
+        default: "charmedkubeflow"
+      image-name:
+        description: "The published image name to be scanned."
+        required: true
+        type: string
+      report-vulnerabilities:
+        description: "Whether to report security vulnerabilities through Github issues."
+        required: false
+        default: false
+        type: boolean
+      severity:
+        description: "Comma separated list of severities of vulnerabilities to scanned for and displayed"
+        required: false
+        type: string
+        default: "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL"
+jobs:
+  scan:
+    name: Scan of ${{ inputs.image-name }}
+    runs-on: ubuntu-22.04
+    outputs:
+      image-name: ${{ steps.image-name.outputs.image-name }}
+      image-name-dashes: ${{ steps.image-name.outputs.image-name-dashes }}
+    strategy:
+      fail-fast: false
+    steps:
+      # Ideally we'd use self-hosted runners, but this effort is still not stable.
+      # This action will remove unused software (dotnet, haskell, android libs, codeql,
+      # and docker images) from the GH runner, which will liberate around 60 GB of storage
+      # distributed in 40GB for root and around 20 for a mnt point.
+      # We need it to avoid cases where scanning fails due to "no space left on device".
+      - name: Maximise GH runner space
+        uses: easimon/maximize-build-space@v7
+        with:
+          root-reserve-mb: 29696
+          remove-dotnet: 'true'
+          remove-haskell: 'true'
+          remove-android: 'true'
+          remove-codeql: 'true'
+
+      - name: Checkout repo
+        uses: actions/checkout@v4
+
+      - name: Set up inputs for scan
+        id: set-up-inputs
+        run: |
+          echo "exit-code=1" >> "$GITHUB_OUTPUT"
+          if ${{ inputs.report-vulnerabilities == false }}; then
+            echo "exit-code=0" >> "$GITHUB_OUTPUT"
+          fi
+
+      - name: Generate image name
+        id: image-name
+        run: |
+          IMAGE_NAME=$(echo ${{ inputs.image-name }} | rev | cut -f2- -d"-" | rev)
+          IMAGE_NAME_DASHES=$(echo $IMAGE_NAME | sed 's/\:/-/g')
+          echo "image-name=${IMAGE_NAME}" >> "$GITHUB_OUTPUT"
+          echo "image-name-dashes=${IMAGE_NAME_DASHES}" >> "$GITHUB_OUTPUT"
+
+      - name: Scan for vulnerabilities
+        id: scan
+        uses: aquasecurity/[email protected]
+        # Workaround for https://github.com/aquasecurity/trivy-action/issues/389
+        env:
+          TRIVY_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-db:2
+          TRIVY_JAVA_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-java-db:1
+        with:
+          scan-type: 'image'
+          image-ref: '${{ inputs.container-registry }}/${{ inputs.image-name }}'
+          format: 'table'
+          output: 'trivy-report-${{ steps.image-name.outputs.image-name-dashes }}.txt'
+          ignore-unfixed: true
+          timeout: '50m0s'
+          exit-code: ${{ steps.set-up-inputs.outputs.exit-code }}
+          severity: ${{ inputs.severity }}
+          # NOTE: pebble is flagged with a HIGH vuln because of golang.org/x/crypto
+          # CVE-2021-43565, CVE-2022-27191
+          skip-files: '/bin/pebble,/usr/bin/pebble,usr/bin/pebble,bin/pebble'
+
+      - name: Print vulnerabilities report
+        # The report should be printed regardless of the success of the previous step
+        if: success() || failure()
+        run: cat trivy-report-${{ steps.image-name.outputs.image-name-dashes }}.txt
+
+      - name: Upload Trivy reports
+        # The report should be uploaded regardless of the success of the previous steps
+        if: success() || failure()
+        uses: actions/upload-artifact@v4
+        with:
+          compression-level: 0
+          name: trivy-report-${{ steps.image-name.outputs.image-name-dashes }}
+          path: trivy-report-${{ steps.image-name.outputs.image-name-dashes }}.txt