diff --git a/.github/workflows/patch.yaml b/.github/workflows/patch.yaml index 8a89ca0..7d0b9f8 100644 --- a/.github/workflows/patch.yaml +++ b/.github/workflows/patch.yaml @@ -13,9 +13,8 @@ jobs: fail-fast: false matrix: # provide relevant list of images to scan on each run - images: ['mcr.microsoft.com/dotnet/aspnet:7.0.15-alpine3.18', 'docker.io/library/node:18.17.1-slim'] - # images: ['docker.io/library/nginx:1.21.6', 'docker.io/openpolicyagent/opa:0.46.0', 'mcr.microsoft.com/dotnet/aspnet:7.0.15-alpine3.18', - # 'docker.io/library/golang:1.18.10', 'docker.io/library/node:18.17.1-slim', 'docker.io/library/rust:1.69.0'] + images: ['docker.io/library/nginx:1.21.6', 'docker.io/openpolicyagent/opa:0.46.0', 'mcr.microsoft.com/dotnet/aspnet:7.0.15-alpine3.18', + 'docker.io/library/golang:1.18.10', 'docker.io/library/node:18.17.1-slim', 'docker.io/library/rust:1.69.0'] steps: - name: Set up Docker Buildx @@ -38,12 +37,6 @@ jobs: vuln_count=$(jq '.Results | length' "$report_file") echo "vuln_count=$vuln_count" >> $GITHUB_OUTPUT - # - name: Set Tag - # id: set_tag - # run: | - # TAG=$(echo "${{ matrix.images }}" | cut -d':' -f2 | cut -d'/' -f2 | sed 's/[^0-9.]*//g') - # echo "PATCHED_TAG=$TAG-immunized" >> $GITHUB_ENV - - name: Set Tag id: set_tag run: | @@ -51,7 +44,6 @@ jobs: IMMUNIZED_TAG="${TAG}-immunized" echo "PATCHED_TAG=${IMMUNIZED_TAG}" >> $GITHUB_ENV - - name: Copa Action if: steps.vuln_count.outputs.vuln_count != '0' id: copa @@ -78,7 +70,6 @@ jobs: run: | docker tag ${{ steps.copa.outputs.patched-image }} ghcr.io/r3drun3/immunize/${{ steps.copa.outputs.patched-image }} - - name: Docker Push Patched Image id: push if: steps.login.conclusion == 'success' diff --git a/README.md b/README.md index 080b344..1bb283a 100644 --- a/README.md +++ b/README.md @@ -16,34 +16,49 @@ Specifically, the list of container images to patch is specified within the stra ```yaml images: ['docker.io/library/nginx:1.21.6', 'docker.io/openpolicyagent/opa:0.46.0'] ``` -Following are the steps in the pipeline: -1. **Set up Docker Buildx** - - Action: `docker/setup-buildx-action` - - Description: Sets up Docker Buildx for building multi-platform Docker images. +Following is an high-level description of the pipeline jobs and steps: +## Immunize Job +### Overview: + +This job is triggered on every push event (excluding changes to README.md) and focuses on scanning and immunizing Docker images for security vulnerabilities. +### Steps: +1. **Set up Docker Buildx:** + - Uses the `docker/setup-buildx-action` to set up Docker Buildx for multi-platform builds. +2. **Generate Trivy Report:** + - Utilizes the `aquasecurity/trivy-action` to scan specified Docker images for OS vulnerabilities and generates a JSON report. +3. **Check Vuln Count:** + - Parses the Trivy report using `jq` to count the number of vulnerabilities and outputs the count to the GitHub environment. +4. **Set Tag:** + - Extracts the tag from the Docker image reference and appends "-immunized" to create a new tag. Sets this new tag in the GitHub environment. +5. **Copa Action:** + - Conditionally executes the `project-copacetic/copa-action` if vulnerabilities are found. + - Utilizes Copa to apply security patches to the Docker image, generating a patched image and a detailed report. +6. **Log into ghcr:** + - Logs into GitHub Container Registry (ghcr.io) using the `docker/login-action` with the GitHub token. +7. **Tag Image for GHCR:** + - Tags the patched Docker image and prepares it for pushing to GitHub Container Registry. +8. **Docker Push Patched Image:** + - Pushes the patched Docker image to GitHub Container Registry for storage and distribution. + +## Send-Mail-Report Job +### Overview: + +This job is dependent on the completion of the "Immunize" job and is responsible for sending an email report. +If you dont need this job you can comment it out in the pipeline manifest. +### Steps: +1. **Checkout Repository:** + - Checks out the repository to access necessary files and scripts. +2. **Send Mail Report:** + - Executes a Python script (`send_mail_report.py`) located in the repository, sending a report via email. + - Configures email recipient addresses, sender address, and password using secrets. +3. **Report Example**: + + + +> [!Note] +> The pateched images can be found [here](https://github.com/R3DRUN3?tab=packages&repo_name=immunize). -2. **Generate Trivy Report** - - Action: `aquasecurity/trivy-action` - - Description: Scans Docker images for vulnerabilities using Trivy, generates a JSON report, and ignores unfixed vulnerabilities. -3. **Check Vuln Count** - - Description: Uses *jq* to count the number of vulnerabilities in the Trivy report and outputs the count to `$GITHUB_OUTPUT`. - -4. **Copa Action** - - Action: `project-copacetic/copa-action` - - Description: Runs Copa Action to handle vulnerabilities based on the Trivy report. - If vulnerabilities are present, it immunizes the image. - -1. **Log into ghcr** - - Action: `docker/login-action` - - Description: Logs into GitHub Container Registry (ghcr.io) using the GitHub token if the Copa Action was successful. - -2. **Tag Image for GHCR** - - Description: Tags the immunized Docker image for GitHub Container Registry (*GHCR*) using the patched image from the Copa Action. - -3. **Docker Push Patched Image** - - Description: Pushes the tagged immunized Docker image to GitHub Container Registry (GHCR) if the login was successful. - -The pateched images can be found [here](https://github.com/R3DRUN3?tab=packages&repo_name=immunize). To perform image pulls, authentication is not required; however, GitHub may prompt for a token if the API call limit is exceeded. @@ -74,8 +89,8 @@ Total: 41 (UNKNOWN: 0, LOW: 11, MEDIUM: 21, HIGH: 9, CRITICAL: 0) And then on the immunized version of that same image: ```console -docker pull ghcr.io/r3drun3/immunize/docker.io/openpolicyagent/opa:immunized \ -&& trivy image ghcr.io/r3drun3/immunize/docker.io/openpolicyagent/opa:immunized +docker pull ghcr.io/r3drun3/immunize/docker.io/openpolicyagent/opa:0.46.0-immunized \ +&& trivy image ghcr.io/r3drun3/immunize/docker.io/openpolicyagent/opa:0.46.0-immunized ``` Output for OS CVEs: