From 9928d96d5778c54564ce67d0ec10b3e801e0cca8 Mon Sep 17 00:00:00 2001
From: Jason Thomas
Date: Thu, 19 Dec 2024 11:26:13 -0700
Subject: [PATCH 1/4] Update MINIO/MC and make trivy fail on error
---
 .github/workflows/trivy.yml | 13 +++++++++++++
 openc3-cosmos-init/Dockerfile | 2 +-
 openc3-minio/Dockerfile | 2 +-
 3 files changed, 15 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/trivy.yml b/.github/workflows/trivy.yml
index 07da6f783c..f86710f565 100644
--- a/.github/workflows/trivy.yml
+++ b/.github/workflows/trivy.yml
@@ -21,6 +21,8 @@ jobs:
 openc3-scan:
 if: ${{ github.actor != 'dependabot[bot]' }}
 runs-on: ubuntu-latest
+ strategy:
+ fail-fast: false
 steps:
 - uses: actions/checkout@v4
 - name: openc3.sh build
@@ -34,6 +36,7 @@ jobs:
 with:
 image-ref: "docker.io/openc3inc/openc3-ruby:${{ github.sha }}"
 format: "sarif"
+ exit-code: 1
 output: "trivy-ruby.sarif"
 ignore-unfixed: true
 vuln-type: "os,library"
@@ -49,6 +52,7 @@ jobs:
 with:
 image-ref: "docker.io/openc3inc/openc3-node:${{ github.sha }}"
 format: "sarif"
+ exit-code: 1
 output: "trivy-node.sarif"
 ignore-unfixed: true
 vuln-type: "os,library"
@@ -64,6 +68,7 @@ jobs:
 with:
 image-ref: "docker.io/openc3inc/openc3-base:${{ github.sha }}"
 format: "sarif"
+ exit-code: 1
 output: "trivy-base.sarif"
 ignore-unfixed: true
 vuln-type: "os,library"
@@ -79,6 +84,7 @@ jobs:
 with:
 image-ref: "docker.io/openc3inc/openc3-cosmos-init:${{ github.sha }}"
 format: "sarif"
+ exit-code: 1
 output: "trivy-init.sarif"
 ignore-unfixed: true
 vuln-type: "os,library"
@@ -94,6 +100,7 @@ jobs:
 with:
 image-ref: "docker.io/openc3inc/openc3-redis:${{ github.sha }}"
 format: "sarif"
+ exit-code: 1
 output: "trivy-redis.sarif"
 ignore-unfixed: true
 vuln-type: "os,library"
@@ -109,6 +116,7 @@ jobs:
 with:
 image-ref: "docker.io/openc3inc/openc3-minio:${{ github.sha }}"
 format: "sarif"
+ exit-code: 1
 output: "trivy-minio.sarif"
 ignore-unfixed: true
 vuln-type: "os,library"
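Review bot: With `exit-code: 1` the job's pass/fail now depends on whatever `uses: aquasecurity/trivy-action@master` resolves to at run time, so the new gate is only as reproducible as that unpinned mutable ref; pinning the action to a release tag or commit SHA (the upload step in this file is already pinned to `@v3`) keeps the gate stable and is the usual practice for a workflow that has `secrets.GITHUB_TOKEN` in scope. The same `exit-code: 1` is added in every other trivy.yml hunk of this patch, including the SBOM step. A comment above the first occurrence would record what the gate actually means, e.g. `# Fail the step on fixable findings only (ignore-unfixed: true); severity is filtered further down the step`; the `severity` line itself lies outside this hunk, so its value cannot be confirmed here.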
@@ -124,6 +132,7 @@ jobs:
 with:
 image-ref: "docker.io/openc3inc/openc3-operator:${{ github.sha }}"
 format: "sarif"
+ exit-code: 1
 output: "trivy-operator.sarif"
 ignore-unfixed: true
 vuln-type: "os,library"
@@ -139,6 +148,7 @@ jobs:
 with:
 image-ref: "docker.io/openc3inc/openc3-cosmos-cmd-tlm-api:${{ github.sha }}"
 format: "sarif"
+ exit-code: 1
 output: "trivy-cmd-tlm-api.sarif"
 ignore-unfixed: true
 vuln-type: "os,library"
@@ -154,6 +164,7 @@ jobs:
 with:
 image-ref: "docker.io/openc3inc/openc3-cosmos-script-runner-api:${{ github.sha }}"
 format: "sarif"
+ exit-code: 1
 output: "trivy-script-runner-api.sarif"
 ignore-unfixed: true
 vuln-type: "os,library"
@@ -169,6 +180,7 @@ jobs:
 with:
 image-ref: "docker.io/openc3inc/openc3-traefik:${{ github.sha }}"
 format: "sarif"
+ exit-code: 1
 output: "trivy-traefik.sarif"
 ignore-unfixed: true
 vuln-type: "os,library"
@@ -184,6 +196,7 @@ jobs:
 with:
 scan-type: "fs"
 format: "github"
+ exit-code: 1
 output: "dependency-results.sbom.json"
 image-ref: "."
 github-pat: ${{ secrets.GITHUB_TOKEN }}
diff --git a/openc3-cosmos-init/Dockerfile b/openc3-cosmos-init/Dockerfile
index 687c281edd..5dfe4d6110 100644
--- a/openc3-cosmos-init/Dockerfile
+++ b/openc3-cosmos-init/Dockerfile
@@ -4,7 +4,7 @@ ARG OPENC3_NAMESPACE=openc3inc
 ARG OPENC3_TAG=latest
 ARG OPENC3_NODE_IMAGE=openc3-node
 ARG OPENC3_BASE_IMAGE=openc3-base
-ARG OPENC3_MC_RELEASE=RELEASE.2024-04-29T09-56-05Z
+ARG OPENC3_MC_RELEASE=RELEASE.2024-11-21T17-21-54Z
 FROM ${OPENC3_DEPENDENCY_REGISTRY}/minio/mc:${OPENC3_MC_RELEASE} AS minio-mc
 FROM ${OPENC3_REGISTRY}/${OPENC3_NAMESPACE}/${OPENC3_NODE_IMAGE}:${OPENC3_TAG} AS openc3-frontend-tmp
diff --git a/openc3-minio/Dockerfile b/openc3-minio/Dockerfile
index d7f4f15b1b..95f1e0a59d 100644
--- a/openc3-minio/Dockerfile
+++ b/openc3-minio/Dockerfile
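Review bot: The `exit-code: 1` added to the SBOM step (`scan-type: "fs"`, `format: "github"`) has no `severity` or `ignore-unfixed` setting visible in this hunk, unlike the image scans, so unless the rest of that step (outside the hunk) sets them the filesystem scan will fail the job on any finding of any severity, including unfixed LOW/MEDIUM ones in the repository's own manifests — confirm, and either add `severity: "CRITICAL,HIGH"` and `ignore-unfixed: true` to match the image steps or leave this snapshot-submission step without an exit code. Whether Trivy still submits the dependency snapshot via `github-pat` when it exits non-zero is not something the hunk shows; worth checking on a run that has findings before relying on it.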
@@ -1,5 +1,5 @@
 ARG OPENC3_DEPENDENCY_REGISTRY=docker.io
-ARG OPENC3_MINIO_RELEASE=RELEASE.2024-06-22T05-26-45Z
+ARG OPENC3_MINIO_RELEASE=RELEASE.2024-12-18T13-15-44Z
 FROM ${OPENC3_DEPENDENCY_REGISTRY}/minio/minio:${OPENC3_MINIO_RELEASE}
 COPY cacert.pem /devel/cacert.pem
From b473f67a5d20c900a49b1d81e4b4bb356c5f6f0f Mon Sep 17 00:00:00 2001
From: Jason Thomas
Date: Thu, 19 Dec 2024 13:56:12 -0700
Subject: [PATCH 2/4] Always run all trivy scans if the build was successful
---
 .github/workflows/trivy.yml | 34 ++++++++++++++++++++++++++++++++--
 1 file changed, 32 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/trivy.yml b/.github/workflows/trivy.yml
index f86710f565..fcd02db9d2 100644
--- a/.github/workflows/trivy.yml
+++ b/.github/workflows/trivy.yml
@@ -21,17 +21,17 @@ jobs:
 openc3-scan:
 if: ${{ github.actor != 'dependabot[bot]' }}
 runs-on: ubuntu-latest
- strategy:
- fail-fast: false
 steps:
 - uses: actions/checkout@v4
 - name: openc3.sh build
+ id: build
 # This `shell` line is required to get around a known issue: https://github.com/actions/runner/issues/241#issuecomment-745902718
 shell: 'script -q -e -c "bash {0}"'
 run: ./openc3.sh build
 env:
 OPENC3_TAG: ${{ github.sha }}
 - name: Run Trivy on image ruby
+ if: steps.build.outcome == 'success'
 uses: aquasecurity/trivy-action@master
 with:
 image-ref: "docker.io/openc3inc/openc3-ruby:${{ github.sha }}"
@@ -43,11 +43,13 @@ jobs:
 scanners: "vuln"
 severity: "CRITICAL,HIGH"
 - name: Upload Trivy scan results
+ if: steps.build.outcome == 'success'
 uses: github/codeql-action/upload-sarif@v3
 with:
 category: "openc3-ruby"
 sarif_file: "trivy-ruby.sarif"
 - name: Run Trivy on image node
+ if: steps.build.outcome == 'success'
 uses: aquasecurity/trivy-action@master
 with:
 image-ref: "docker.io/openc3inc/openc3-node:${{ github.sha }}"
@@ -58,12 +60,16 @@ jobs:
 vuln-type: "os,library"
 scanners: "vuln"
 severity: "CRITICAL,HIGH"
+ # On a subsequent call to the action we know trivy is already installed so can skip this
+ skip-setup-trivy: true
 - name: Upload Trivy scan results
+ if: steps.build.outcome == 'success'
 uses: github/codeql-action/upload-sarif@v3
 with:
 category: "openc3-node"
 sarif_file: "trivy-node.sarif"
 - name: Run Trivy on image base
+ if: steps.build.outcome == 'success'
 uses: aquasecurity/trivy-action@master
 with:
 image-ref: "docker.io/openc3inc/openc3-base:${{ github.sha }}"
@@ -74,12 +80,15 @@ jobs:
 vuln-type: "os,library"
 scanners: "vuln"
 severity: "CRITICAL,HIGH"
+ skip-setup-trivy: true
 - name: Upload Trivy scan results
+ if: steps.build.outcome == 'success'
 uses: github/codeql-action/upload-sarif@v3
 with:
 category: "openc3-base"
 sarif_file: "trivy-base.sarif"
 - name: Run Trivy on image cosmos-init
+ if: steps.build.outcome == 'success'
 uses: aquasecurity/trivy-action@master
 with:
 image-ref: "docker.io/openc3inc/openc3-cosmos-init:${{ github.sha }}"
@@ -90,12 +99,15 @@ jobs:
 vuln-type: "os,library"
 scanners: "vuln"
 severity: "CRITICAL,HIGH"
+ skip-setup-trivy: true
 - name: Upload Trivy scan results
+ if: steps.build.outcome == 'success'
 uses: github/codeql-action/upload-sarif@v3
 with:
 category: "openc3-init"
 sarif_file: "trivy-init.sarif"
 - name: Run Trivy on image redis
+ if: steps.build.outcome == 'success'
 uses: aquasecurity/trivy-action@master
 with:
 image-ref: "docker.io/openc3inc/openc3-redis:${{ github.sha }}"
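Review bot: `skip-setup-trivy: true` makes every later scan step depend on the ruby scan step having already installed Trivy, an ordering dependency the workflow never states; if that first step fails during setup (download error, rate limit) rather than on findings, each following step fails with a missing-binary error that hides the real cause. A dedicated install step before the first scan, or at least a job-level comment such as `# Trivy is installed by the first scan step; every later scan sets skip-setup-trivy`, would make the dependency visible — the comment in this hunk only covers the node step, and the identical flag in this patch's remaining hunks is uncommented. If the conditions are later relaxed so that steps keep running after an earlier scan step fails, this cascade becomes the common failure mode rather than a corner case.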
@@ -106,12 +118,15 @@ jobs:
 vuln-type: "os,library"
 scanners: "vuln"
 severity: "CRITICAL,HIGH"
+ skip-setup-trivy: true
 - name: Upload Trivy scan results
+ if: steps.build.outcome == 'success'
 uses: github/codeql-action/upload-sarif@v3
 with:
 category: "openc3-redis"
 sarif_file: "trivy-redis.sarif"
 - name: Run Trivy on image minio
+ if: steps.build.outcome == 'success'
 uses: aquasecurity/trivy-action@master
 with:
 image-ref: "docker.io/openc3inc/openc3-minio:${{ github.sha }}"
@@ -122,12 +137,15 @@ jobs:
 vuln-type: "os,library"
 scanners: "vuln"
 severity: "CRITICAL,HIGH"
+ skip-setup-trivy: true
 - name: Upload Trivy scan results
+ if: steps.build.outcome == 'success'
 uses: github/codeql-action/upload-sarif@v3
 with:
 category: "openc3-minio"
 sarif_file: "trivy-minio.sarif"
 - name: Run Trivy on image operator
+ if: steps.build.outcome == 'success'
 uses: aquasecurity/trivy-action@master
 with:
 image-ref: "docker.io/openc3inc/openc3-operator:${{ github.sha }}"
@@ -138,12 +156,15 @@ jobs:
 vuln-type: "os,library"
 scanners: "vuln"
 severity: "CRITICAL,HIGH"
+ skip-setup-trivy: true
 - name: Upload Trivy scan results
+ if: steps.build.outcome == 'success'
 uses: github/codeql-action/upload-sarif@v3
 with:
 category: "openc3-operator"
 sarif_file: "trivy-operator.sarif"
 - name: Run Trivy on image cmd-tlm-api
+ if: steps.build.outcome == 'success'
 uses: aquasecurity/trivy-action@master
 with:
 image-ref: "docker.io/openc3inc/openc3-cosmos-cmd-tlm-api:${{ github.sha }}"
@@ -154,12 +175,15 @@ jobs:
 vuln-type: "os,library"
 scanners: "vuln"
 severity: "CRITICAL,HIGH"
+ skip-setup-trivy: true
 - name: Upload Trivy scan results
+ if: steps.build.outcome == 'success'
 uses: github/codeql-action/upload-sarif@v3
 with:
 category: "openc3-cmd-tlm-api"
 sarif_file: "trivy-cmd-tlm-api.sarif"
 - name: Run Trivy on image script-runner-api
+ if: steps.build.outcome == 'success'
 uses: aquasecurity/trivy-action@master
 with:
 image-ref: "docker.io/openc3inc/openc3-cosmos-script-runner-api:${{ github.sha }}"
@@ -170,12 +194,15 @@ jobs:
 vuln-type: "os,library"
 scanners: "vuln"
 severity: "CRITICAL,HIGH"
+ skip-setup-trivy: true
 - name: Upload Trivy scan results
+ if: steps.build.outcome == 'success'
 uses: github/codeql-action/upload-sarif@v3
 with:
 category: "openc3-script-runner-api"
 sarif_file: "trivy-script-runner-api.sarif"
 - name: Run Trivy on image traefik
+ if: steps.build.outcome == 'success'
 uses: aquasecurity/trivy-action@master
 with:
 image-ref: "docker.io/openc3inc/openc3-traefik:${{ github.sha }}"
@@ -186,12 +213,15 @@ jobs:
 vuln-type: "os,library"
 scanners: "vuln"
 severity: "CRITICAL,HIGH"
+ skip-setup-trivy: true
 - name: Upload Trivy scan results
+ if: steps.build.outcome == 'success'
 uses: github/codeql-action/upload-sarif@v3
 with:
 category: "openc3-traefik"
 sarif_file: "trivy-traefik.sarif"
 - name: Run Trivy in GitHub SBOM mode and submit results to Dependency Snapshots
+ if: steps.build.outcome == 'success'
 uses: aquasecurity/trivy-action@master
 with:
 scan-type: "fs"
From dc56aa7511bf895de8b53c6132dda4b01512ce43 Mon Sep 17 00:00:00 2001
From: Jason Thomas
Date: Thu, 19 Dec 2024 14:16:05 -0700
Subject: [PATCH 3/4] Add continue-on-error
---
 .github/workflows/trivy.yml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/.github/workflows/trivy.yml b/.github/workflows/trivy.yml
index fcd02db9d2..1710e76a70 100644
--- a/.github/workflows/trivy.yml
+++ b/.github/workflows/trivy.yml
@@ -21,6 +21,7 @@ jobs:
 openc3-scan:
 if: ${{ github.actor != 'dependabot[bot]' }}
 runs-on: ubuntu-latest
+ continue-on-error: true
 steps:
 - uses: actions/checkout@v4
 - name: openc3.sh build
From 885beee153c9a9dccffcca43a6cd32a71972c731 Mon Sep 17 00:00:00 2001
From: Jason Thomas
Date: Thu, 19 Dec 2024 15:23:20 -0700
Subject: [PATCH 4/4] Better if logic
---
 .github/workflows/trivy.yml | 43 ++++++++++++++++++-------------------
 1 file changed, 21 insertions(+), 22 deletions(-)
diff --git a/.github/workflows/trivy.yml b/.github/workflows/trivy.yml
index 1710e76a70..87b87f3505 100644
--- a/.github/workflows/trivy.yml
+++ b/.github/workflows/trivy.yml
@@ -21,7 +21,6 @@ jobs:
 openc3-scan:
 if: ${{ github.actor != 'dependabot[bot]' }}
 runs-on: ubuntu-latest
- continue-on-error: true
 steps:
 - uses: actions/checkout@v4
 - name: openc3.sh build
@@ -32,7 +31,7 @@ jobs:
 env:
 OPENC3_TAG: ${{ github.sha }}
 - name: Run Trivy on image ruby
- if: steps.build.outcome == 'success'
+ if: ${{ !cancelled() && steps.build.outcome == 'success' }}
 uses: aquasecurity/trivy-action@master
 with:
 image-ref: "docker.io/openc3inc/openc3-ruby:${{ github.sha }}"
@@ -44,13 +43,13 @@ jobs:
 scanners: "vuln"
 severity: "CRITICAL,HIGH"
 - name: Upload Trivy scan results
- if: steps.build.outcome == 'success'
+ if: ${{ !cancelled() && steps.build.outcome == 'success' }}
 uses: github/codeql-action/upload-sarif@v3
 with:
 category: "openc3-ruby"
 sarif_file: "trivy-ruby.sarif"
 - name: Run Trivy on image node
- if: steps.build.outcome == 'success'
+ if: ${{ !cancelled() && steps.build.outcome == 'success' }}
 uses: aquasecurity/trivy-action@master
 with:
 image-ref: "docker.io/openc3inc/openc3-node:${{ github.sha }}"
@@ -64,13 +63,13 @@ jobs:
 # On a subsequent call to the action we know trivy is already installed so can skip this
 skip-setup-trivy: true
 - name: Upload Trivy scan results
- if: steps.build.outcome == 'success'
+ if: ${{ !cancelled() && steps.build.outcome == 'success' }}
 uses: github/codeql-action/upload-sarif@v3
 with:
 category: "openc3-node"
 sarif_file: "trivy-node.sarif"
 - name: Run Trivy on image base
- if: steps.build.outcome == 'success'
+ if: ${{ !cancelled() && steps.build.outcome == 'success' }}
 uses: aquasecurity/trivy-action@master
 with:
 image-ref: "docker.io/openc3inc/openc3-base:${{ github.sha }}"
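Review bot: The new `if: ${{ !cancelled() && steps.build.outcome == 'success' }}` is correct but its reason is subtle enough to deserve a comment: a step `if` without a status-check function gets an implicit `success()`, which is why the previous form stopped every remaining scan and upload after the first `exit-code: 1` failure, and `!cancelled()` is what removes that implicit check while the build guard still keeps scans from running against images that were never built. A comment above the first occurrence in the ruby step would capture this, e.g. `# !cancelled() drops the implicit success() so later scans and SARIF uploads still run after an earlier scan fails; the build guard skips them when the build itself failed`. The same expression is repeated verbatim on every step in this and the following hunks of this patch; GitHub Actions does not expand YAML anchors, so the only real de-duplication would be a local composite action wrapping the scan/upload pair — optional, but it would turn a future change to this condition into a one-line edit.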
@@ -83,13 +82,13 @@ jobs:
 severity: "CRITICAL,HIGH"
 skip-setup-trivy: true
 - name: Upload Trivy scan results
- if: steps.build.outcome == 'success'
+ if: ${{ !cancelled() && steps.build.outcome == 'success' }}
 uses: github/codeql-action/upload-sarif@v3
 with:
 category: "openc3-base"
 sarif_file: "trivy-base.sarif"
 - name: Run Trivy on image cosmos-init
- if: steps.build.outcome == 'success'
+ if: ${{ !cancelled() && steps.build.outcome == 'success' }}
 uses: aquasecurity/trivy-action@master
 with:
 image-ref: "docker.io/openc3inc/openc3-cosmos-init:${{ github.sha }}"
@@ -102,13 +101,13 @@ jobs:
 severity: "CRITICAL,HIGH"
 skip-setup-trivy: true
 - name: Upload Trivy scan results
- if: steps.build.outcome == 'success'
+ if: ${{ !cancelled() && steps.build.outcome == 'success' }}
 uses: github/codeql-action/upload-sarif@v3
 with:
 category: "openc3-init"
 sarif_file: "trivy-init.sarif"
 - name: Run Trivy on image redis
- if: steps.build.outcome == 'success'
+ if: ${{ !cancelled() && steps.build.outcome == 'success' }}
 uses: aquasecurity/trivy-action@master
 with:
 image-ref: "docker.io/openc3inc/openc3-redis:${{ github.sha }}"
@@ -121,13 +120,13 @@ jobs:
 severity: "CRITICAL,HIGH"
 skip-setup-trivy: true
 - name: Upload Trivy scan results
- if: steps.build.outcome == 'success'
+ if: ${{ !cancelled() && steps.build.outcome == 'success' }}
 uses: github/codeql-action/upload-sarif@v3
 with:
 category: "openc3-redis"
 sarif_file: "trivy-redis.sarif"
 - name: Run Trivy on image minio
- if: steps.build.outcome == 'success'
+ if: ${{ !cancelled() && steps.build.outcome == 'success' }}
 uses: aquasecurity/trivy-action@master
 with:
 image-ref: "docker.io/openc3inc/openc3-minio:${{ github.sha }}"
@@ -140,13 +139,13 @@ jobs:
 severity: "CRITICAL,HIGH"
 skip-setup-trivy: true
 - name: Upload Trivy scan results
- if: steps.build.outcome == 'success'
+ if: ${{ !cancelled() && steps.build.outcome == 'success' }}
 uses: github/codeql-action/upload-sarif@v3
 with:
 category: "openc3-minio"
 sarif_file: "trivy-minio.sarif"
 - name: Run Trivy on image operator
- if: steps.build.outcome == 'success'
+ if: ${{ !cancelled() && steps.build.outcome == 'success' }}
 uses: aquasecurity/trivy-action@master
 with:
 image-ref: "docker.io/openc3inc/openc3-operator:${{ github.sha }}"
@@ -159,13 +158,13 @@ jobs:
 severity: "CRITICAL,HIGH"
 skip-setup-trivy: true
 - name: Upload Trivy scan results
- if: steps.build.outcome == 'success'
+ if: ${{ !cancelled() && steps.build.outcome == 'success' }}
 uses: github/codeql-action/upload-sarif@v3
 with:
 category: "openc3-operator"
 sarif_file: "trivy-operator.sarif"
 - name: Run Trivy on image cmd-tlm-api
- if: steps.build.outcome == 'success'
+ if: ${{ !cancelled() && steps.build.outcome == 'success' }}
 uses: aquasecurity/trivy-action@master
 with:
 image-ref: "docker.io/openc3inc/openc3-cosmos-cmd-tlm-api:${{ github.sha }}"
@@ -178,13 +177,13 @@ jobs:
 severity: "CRITICAL,HIGH"
 skip-setup-trivy: true
 - name: Upload Trivy scan results
- if: steps.build.outcome == 'success'
+ if: ${{ !cancelled() && steps.build.outcome == 'success' }}
 uses: github/codeql-action/upload-sarif@v3
 with:
 category: "openc3-cmd-tlm-api"
 sarif_file: "trivy-cmd-tlm-api.sarif"
 - name: Run Trivy on image script-runner-api
- if: steps.build.outcome == 'success'
+ if: ${{ !cancelled() && steps.build.outcome == 'success' }}
 uses: aquasecurity/trivy-action@master
 with:
 image-ref: "docker.io/openc3inc/openc3-cosmos-script-runner-api:${{ github.sha }}"
@@ -197,13 +196,13 @@ jobs:
 severity: "CRITICAL,HIGH"
 skip-setup-trivy: true
 - name: Upload Trivy scan results
- if: steps.build.outcome == 'success'
+ if: ${{ !cancelled() && steps.build.outcome == 'success' }}
 uses: github/codeql-action/upload-sarif@v3
 with:
 category: "openc3-script-runner-api"
 sarif_file: "trivy-script-runner-api.sarif"
 - name: Run Trivy on image traefik
- if: steps.build.outcome == 'success'
+ if: ${{ !cancelled() && steps.build.outcome == 'success' }}
 uses: aquasecurity/trivy-action@master
 with:
 image-ref: "docker.io/openc3inc/openc3-traefik:${{ github.sha }}"
@@ -216,13 +215,13 @@ jobs:
 severity: "CRITICAL,HIGH"
 skip-setup-trivy: true
 - name: Upload Trivy scan results
- if: steps.build.outcome == 'success'
+ if: ${{ !cancelled() && steps.build.outcome == 'success' }}
 uses: github/codeql-action/upload-sarif@v3
 with:
 category: "openc3-traefik"
 sarif_file: "trivy-traefik.sarif"
 - name: Run Trivy in GitHub SBOM mode and submit results to Dependency Snapshots
- if: steps.build.outcome == 'success'
+ if: ${{ !cancelled() && steps.build.outcome == 'success' }}
 uses: aquasecurity/trivy-action@master
 with:
 scan-type: "fs"