Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[CI] Add images check with Trivy #34

Merged
merged 6 commits into from
Sep 2, 2024
Merged

[CI] Add images check with Trivy #34

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
6 commits
Select commit Hold shift + click to select a range
102de46
[CI] Add images check with Trivy
duckhawk Aug 31, 2024
e50e469
Fix
duckhawk Sep 2, 2024
9b75b7a
Fix
duckhawk Sep 2, 2024
d95845f
Fix
duckhawk Sep 2, 2024
1f9d711
Fix
duckhawk Sep 2, 2024
b2aa82a
Fix
duckhawk Sep 2, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
35 changes: 30 additions & 5 deletions .github/workflows/trivy_check.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -15,6 +15,34 @@ jobs:
- name: Checkout repository
uses: actions/checkout@v2

- name: Check and Install Latest Trivy
run: |
mkdir -p $HOME/bin

LATEST_VERSION=$(curl -sL https://api.github.com/repos/aquasecurity/trivy/releases/latest | jq -r ".tag_name")
CLEAN_VERSION=${LATEST_VERSION#v}

INSTALL_TRIVY=true

if [[ -f "$HOME/bin/trivy" ]]; then
INSTALLED_VERSION=$("$HOME/bin/trivy" --version | grep -oE 'Version: [0-9]+\.[0-9]+\.[0-9]+' | grep -oE '[0-9]+\.[0-9]+\.[0-9]+')
if [ "$INSTALLED_VERSION" == "$CLEAN_VERSION" ]; then
echo "Trivy is already up-to-date (version $INSTALLED_VERSION)."
INSTALL_TRIVY=false
else
echo "Updating Trivy from version $INSTALLED_VERSION to $CLEAN_VERSION."
fi
else
echo "Trivy is not installed. Installing version $CLEAN_VERSION."
fi

if [ "$INSTALL_TRIVY" = true ]; then
wget https://github.com/aquasecurity/trivy/releases/download/$LATEST_VERSION/trivy_${CLEAN_VERSION}_Linux-64bit.tar.gz -O trivy.tar.gz
tar zxvf trivy.tar.gz -C $HOME/bin
fi

echo "$HOME/bin" >> $GITHUB_PATH

- name: Prepare sub repo
run: |
version=v`grep "version :=" images/csi-nfs/werf.inc.yaml | awk -F'"' '{ print $2}'`
Expand All @@ -25,8 +53,5 @@ jobs:
cd ..

- name: Run Trivy vulnerability scanner in fs mode
uses: aquasecurity/trivy-action@master
with:
scan-type: 'fs'
scan-ref: '.'
trivy-config: trivy.yaml
run: |
trivy fs . --quiet --config trivy.yaml
79 changes: 79 additions & 0 deletions .github/workflows/trivy_image_check.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,79 @@
name: Trivy images check

env:
MODULES_MODULE_NAME: ${{ vars.MODULE_NAME }}
MODULES_MODULE_SOURCE: ${{ vars.DEV_MODULE_SOURCE }}
PR_NUMBER: ${{ github.event.pull_request.number }}
MODULES_REGISTRY: ${{ vars.DEV_REGISTRY }}
MODULES_REGISTRY_LOGIN: ${{ vars.DEV_MODULES_REGISTRY_LOGIN }}
MODULES_REGISTRY_PASSWORD: ${{ secrets.DEV_MODULES_REGISTRY_PASSWORD }}

on:
pull_request:

jobs:
test:
name: Trivy images check
runs-on: [self-hosted, regular]

steps:
- uses: actions/checkout@v4
- uses: deckhouse/modules-actions/setup@v1

- name: Check and Install Latest Trivy
run: |
mkdir -p $HOME/bin

LATEST_VERSION=$(curl -sL https://api.github.com/repos/aquasecurity/trivy/releases/latest | jq -r ".tag_name")
CLEAN_VERSION=${LATEST_VERSION#v}

INSTALL_TRIVY=true

if [[ -f "$HOME/bin/trivy" ]]; then
INSTALLED_VERSION=$("$HOME/bin/trivy" --version | grep -oE 'Version: [0-9]+\.[0-9]+\.[0-9]+' | grep -oE '[0-9]+\.[0-9]+\.[0-9]+')
if [ "$INSTALLED_VERSION" == "$CLEAN_VERSION" ]; then
echo "Trivy is already up-to-date (version $INSTALLED_VERSION)."
INSTALL_TRIVY=false
else
echo "Updating Trivy from version $INSTALLED_VERSION to $CLEAN_VERSION."
fi
else
echo "Trivy is not installed. Installing version $CLEAN_VERSION."
fi

if [ "$INSTALL_TRIVY" = true ]; then
wget https://github.com/aquasecurity/trivy/releases/download/$LATEST_VERSION/trivy_${CLEAN_VERSION}_Linux-64bit.tar.gz -O trivy.tar.gz
tar zxvf trivy.tar.gz -C $HOME/bin
fi

echo "$HOME/bin" >> $GITHUB_PATH

- name: Run Trivy vulnerability scanner in image mode
run: |
exit_code=0
image_name=$MODULES_MODULE_SOURCE/$MODULES_MODULE_NAME
image_name_with_tag=$MODULES_MODULE_SOURCE/$MODULES_MODULE_NAME:pr$PR_NUMBER

crane_output=$(crane export $image_name_with_tag | tar -xOf - images_digests.json | jq -c 'to_entries[]')

while read -r item; do
key=$(echo "$item" | jq -r '.key')
value=$(echo "$item" | jq -r '.value')

echo 'Checking image '$key' '$value

trivy image --quiet --config trivy-silent.yaml --format table $image_name@$value

result=$(trivy image --quiet --config trivy-silent.yaml --format json $image_name@$value)

vulnerabilities=$(echo "$result" | jq '[.Results[]? | select(has("Vulnerabilities")) | .Vulnerabilities | length] | add // 0')

if [ "$vulnerabilities" -gt 0 ]; then
echo "There are vulnerabilities in image"
exit_code=1
else
echo "There are no vulnerabilities in image"
fi
done <<< "$crane_output"

exit $exit_code
2 changes: 1 addition & 1 deletion .golangci.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -24,7 +24,7 @@ linters:
- gci
- gocritic
- gofmt
- goimports
# - goimports
- gosimple
- govet
- ineffassign
Expand Down
2 changes: 1 addition & 1 deletion .werf/images-digests.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -5,7 +5,7 @@

{{- range $ImageManifest := regexSplit "\n?---[ \t]*\n" $Images -1 }}
{{- $ImageManifest := $ImageManifest | fromYaml }}
{{- if $ImageManifest.image }}
{{- if and $ImageManifest.image (ne ($ImageManifest.final | toJson) "false") }}
{{- $ImagesIDList = append $ImagesIDList $ImageManifest.image }}
{{- end }}
{{- end }}
Expand Down
4 changes: 2 additions & 2 deletions images/controller/werf.inc.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,9 +1,9 @@
{{- $_ := set . "BASE_GOLANG_22_ALPINE" "registry.deckhouse.io/base_images/golang:1.22.3-alpine@sha256:dbf216b880b802c22e3f4f2ef0a78396b4a9a6983cb9b767c5efc351ebf946b0" }}
{{- $_ := set . "BASE_GOLANG" "registry.deckhouse.io/base_images/golang:1.22.6-bullseye@sha256:260918a3795372a6d33225d361fe5349723be9667de865a23411b50fbcc76c5a" }}
{{- $_ := set . "BASE_SCRATCH" "registry.deckhouse.io/base_images/scratch@sha256:b054705fcc9f2205777d80a558d920c0b4209efdc3163c22b5bfcb5dda1db5fc" }}

---
image: {{ $.ImageName }}-golang-artifact
from: {{ $.BASE_GOLANG_22_ALPINE }}
from: {{ $.BASE_GOLANG }}
final: false

git:
Expand Down
7 changes: 3 additions & 4 deletions images/csi-nfs/werf.inc.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,13 +1,13 @@
{{- $version := "4.7.0" }}

{{- $_ := set . "BASE_GOLANG_22_ALPINE" "registry.deckhouse.io/base_images/golang:1.22.3-alpine@sha256:dbf216b880b802c22e3f4f2ef0a78396b4a9a6983cb9b767c5efc351ebf946b0" }}
{{- $_ := set . "BASE_GOLANG" "registry.deckhouse.io/base_images/golang:1.22.6-bullseye@sha256:260918a3795372a6d33225d361fe5349723be9667de865a23411b50fbcc76c5a" }}
{{- $_ := set . "BASE_SCRATCH" "registry.deckhouse.io/base_images/scratch@sha256:b054705fcc9f2205777d80a558d920c0b4209efdc3163c22b5bfcb5dda1db5fc" }}
{{- $_ := set . "BASE_ALPINE_DEV" "registry.deckhouse.io/base_images/dev-alpine:3.16.3@sha256:c706fa83cc129079e430480369a3f062b8178cac9ec89266ebab753a574aca8e" }}
{{- $_ := set . "BASE_ALT_DEV" "registry.deckhouse.io/base_images/dev-alt:p10@sha256:76e6e163fa982f03468166203488b569e6d9fc10855d6a259c662706436cdcad" }}

---
image: {{ $.ImageName }}-golang-artifact
from: {{ $.BASE_GOLANG_22_ALPINE }}
from: {{ $.BASE_GOLANG }}
final: false

git:
Expand All @@ -23,15 +23,14 @@ mount:
- fromPath: ~/go-pkg-cache
to: /go/pkg
shell:
beforeInstall:
- apk add --no-cache ca-certificates make git
install:
- export GO_VERSION={{ env "GOLANG_VERSION" }}
- export GOPROXY={{ env "GOPROXY" }}
- git clone --depth 1 --branch v{{ $version }} {{ env "SOURCE_REPO" }}/kubernetes-csi/csi-driver-nfs.git /csi-driver-nfs
- cd /csi-driver-nfs
- for patchfile in /patches/*.patch ; do echo -n "Apply ${patchfile} ... "; git apply ${patchfile}; done
- cd /csi-driver-nfs/cmd/nfsplugin
- go mod vendor
- GOOS=linux GOARCH=amd64 CGO_ENABLED=0 go build -ldflags="-s -w" -o /nfsplugin
- chmod +x /nfsplugin

Expand Down
4 changes: 2 additions & 2 deletions images/webhooks/werf.inc.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,9 +1,9 @@
{{- $_ := set . "BASE_GOLANG_22_ALPINE" "registry.deckhouse.io/base_images/golang:1.22.3-alpine@sha256:dbf216b880b802c22e3f4f2ef0a78396b4a9a6983cb9b767c5efc351ebf946b0" }}
{{- $_ := set . "BASE_GOLANG" "registry.deckhouse.io/base_images/golang:1.22.6-bullseye@sha256:260918a3795372a6d33225d361fe5349723be9667de865a23411b50fbcc76c5a" }}
{{- $_ := set . "BASE_SCRATCH" "registry.deckhouse.io/base_images/scratch@sha256:b054705fcc9f2205777d80a558d920c0b4209efdc3163c22b5bfcb5dda1db5fc" }}

---
image: {{ $.ImageName }}-golang-artifact
from: {{ $.BASE_GOLANG_22_ALPINE }}
from: {{ $.BASE_GOLANG }}
final: false

git:
Expand Down
1 change: 1 addition & 0 deletions trivy-silent.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1 @@
exit-code: 0
Loading