From 3c0f7d764bfae8014fd826cae1b8cb264145008f Mon Sep 17 00:00:00 2001 From: tefirman Date: Fri, 18 Oct 2024 11:09:22 -0700 Subject: [PATCH 01/14] Testing out Docker Scout GitHub Action --- .github/workflows/docker-scout.yaml | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) create mode 100644 .github/workflows/docker-scout.yaml diff --git a/.github/workflows/docker-scout.yaml b/.github/workflows/docker-scout.yaml new file mode 100644 index 0000000..413e32d --- /dev/null +++ b/.github/workflows/docker-scout.yaml @@ -0,0 +1,19 @@ +name: Docker Scout Security Check + +on: + pull_request: + types: [opened, reopened, synchronize] + +jobs: + scout: + runs-on: ubuntu-latest + steps: + - name: Docker Scout + id: docker-scout + uses: docker/scout-action@v1 + with: + command: cves,recommendations,compare + to-latest: true + ignore-base: true + ignore-unchanged: true + only-fixed: true From bfe0fbd679c887bb3216da70fdc34f1702266b1f Mon Sep 17 00:00:00 2001 From: tefirman Date: Fri, 18 Oct 2024 11:19:52 -0700 Subject: [PATCH 02/14] Updating action name to trigger it in the PR --- .github/workflows/docker-scout.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/docker-scout.yaml b/.github/workflows/docker-scout.yaml index 413e32d..e971efc 100644 --- a/.github/workflows/docker-scout.yaml +++ b/.github/workflows/docker-scout.yaml @@ -1,4 +1,4 @@ -name: Docker Scout Security Check +name: Docker Scout on: pull_request: From cf52a48d114cb42fddf6dd289f24e6f553f7891d Mon Sep 17 00:00:00 2001 From: tefirman Date: Fri, 18 Oct 2024 11:24:07 -0700 Subject: [PATCH 03/14] Adding DockerHub login to Docker Scout action --- .github/workflows/docker-scout.yaml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/.github/workflows/docker-scout.yaml b/.github/workflows/docker-scout.yaml index e971efc..3234d5b 100644 --- a/.github/workflows/docker-scout.yaml +++ b/.github/workflows/docker-scout.yaml 
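Review bot: `uses: docker/scout-action@v1` pins a mutable major tag, so every run executes whatever commit the `v1` tag points to that day; for a job that receives registry credentials and writes to the PR, pin to the full commit SHA with the version in a trailing comment, `uses: docker/scout-action@<commit-sha> # v1.x`, and let Dependabot bump it. The same applies to each third-party action added later in this series. `only-fixed: true` together with `ignore-base: true` is a deliberate noise-reduction choice, but it means the PR comment omits CVEs that have no fix yet and anything inherited from the base image, so the workflow should say so for the next reader: `# only-fixed/ignore-base: report only actionable CVEs in our layers; unfixed and base-image findings are intentionally hidden`.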
@@ -8,6 +8,12 @@ jobs: scout: runs-on: ubuntu-latest steps: + - + name: Login to DockerHub Container Registry + uses: docker/login-action@v3 + with: + username: ${{ secrets.DOCKERHUB_USER }} + password: ${{ secrets.DOCKERHUB_PW }} - name: Docker Scout id: docker-scout uses: docker/scout-action@v1 From 16c91eb43dfbe6ee790bd1a1ea1a540fd150910e Mon Sep 17 00:00:00 2001 From: tefirman Date: Fri, 18 Oct 2024 11:26:24 -0700 Subject: [PATCH 04/14] Adding PR write permissions to Docker Scout action --- .github/workflows/docker-scout.yaml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.github/workflows/docker-scout.yaml b/.github/workflows/docker-scout.yaml index 3234d5b..8e73676 100644 --- a/.github/workflows/docker-scout.yaml +++ b/.github/workflows/docker-scout.yaml @@ -4,6 +4,9 @@ on: pull_request: types: [opened, reopened, synchronize] +permissions: + pull-requests: write + jobs: scout: runs-on: ubuntu-latest From 45b26bf8c114052233db0097c4ac227c999d3fe3 Mon Sep 17 00:00:00 2001 From: tefirman Date: Fri, 18 Oct 2024 11:32:52 -0700 Subject: [PATCH 05/14] Adding example image to test Docker Scout action --- .github/workflows/docker-scout.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/docker-scout.yaml b/.github/workflows/docker-scout.yaml index 8e73676..69fcabf 100644 --- a/.github/workflows/docker-scout.yaml +++ b/.github/workflows/docker-scout.yaml @@ -21,6 +21,7 @@ jobs: id: docker-scout uses: docker/scout-action@v1 with: + image: getwilds/bwa:latest command: cves,recommendations,compare to-latest: true ignore-base: true From 63a596bf4a377217991cbc70aa6ec7232ad678d5 Mon Sep 17 00:00:00 2001 From: tefirman Date: Fri, 18 Oct 2024 11:41:15 -0700 Subject: [PATCH 06/14] Testing out just CVE check for Docker Scout action --- .github/workflows/docker-scout.yaml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.github/workflows/docker-scout.yaml b/.github/workflows/docker-scout.yaml index 69fcabf..bedf97b 100644 
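Review bot: The login step reads `${{ secrets.DOCKERHUB_USER }}` and `${{ secrets.DOCKERHUB_PW }}`, but on the `pull_request` event GitHub does not pass repository secrets to runs triggered from forks, so for an outside contributor's PR this step fails on empty credentials before Scout ever runs. Either gate it with `if: github.event.pull_request.head.repo.full_name == github.repository` or mark it `continue-on-error: true` and accept the unauthenticated limits for fork PRs; whichever is chosen should be stated in a comment on the step. Style: the bare `-` followed by `name:` on the next line is valid YAML but inconsistent with the `- name: Docker Scout` item below; write `- name: Login to DockerHub Container Registry` on one line.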
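Review bot: `image: getwilds/bwa:latest` makes Scout pull the registry's current `latest` tag, so the CVE report attached to a PR describes whatever was last pushed to Docker Hub, not the Dockerfile change the PR proposes, and because `latest` is mutable two runs of the same commit can scan different bits. For a PR gate the image should be built from the PR checkout and scanned locally (the action's `local://` prefix is documented as forcing a local image rather than a registry lookup; worth confirming against the scout-action README), or at minimum referenced by digest, `image: getwilds/bwa@sha256:<digest>`. With `compare` and `to-latest: true` left on, the comparison target appears to be the same `latest` image, so the compare output is not meaningful until a PR-built image exists.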
--- a/.github/workflows/docker-scout.yaml +++ b/.github/workflows/docker-scout.yaml @@ -17,12 +17,13 @@ jobs: with: username: ${{ secrets.DOCKERHUB_USER }} password: ${{ secrets.DOCKERHUB_PW }} + # - Build image here? How do you cycle through modified images? - name: Docker Scout id: docker-scout uses: docker/scout-action@v1 with: image: getwilds/bwa:latest - command: cves,recommendations,compare + command: cves #,recommendations,compare to-latest: true ignore-base: true ignore-unchanged: true From 3ad4badca18fece5eb3b9e69590f019006209c3c Mon Sep 17 00:00:00 2001 From: tefirman Date: Fri, 18 Oct 2024 12:04:21 -0700 Subject: [PATCH 07/14] Testing out pre-build for Docker Scout action --- .github/workflows/docker-scout.yaml | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/.github/workflows/docker-scout.yaml b/.github/workflows/docker-scout.yaml index bedf97b..cf51554 100644 --- a/.github/workflows/docker-scout.yaml +++ b/.github/workflows/docker-scout.yaml @@ -11,19 +11,20 @@ jobs: scout: runs-on: ubuntu-latest steps: - - - name: Login to DockerHub Container Registry + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@v3 + - name: Login to DockerHub Container Registry uses: docker/login-action@v3 with: username: ${{ secrets.DOCKERHUB_USER }} password: ${{ secrets.DOCKERHUB_PW }} - # - Build image here? How do you cycle through modified images? + - name: Build + run: docker build --platform linux/amd64 -t getwilds/bwa:latest -f bwa/Dockerfile_latest . - name: Docker Scout id: docker-scout uses: docker/scout-action@v1 with: - image: getwilds/bwa:latest - command: cves #,recommendations,compare + command: cves,recommendations,compare to-latest: true ignore-base: true ignore-unchanged: true From 73dbee4fb4085c4a0b385ceacd741eabaf4df75e Mon Sep 17 00:00:00 2001 
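Review bot: The build tags the PR image `getwilds/bwa:latest`, the same reference as the Docker Hub image, while the Scout step now has no `image:` input but still runs `compare` with `to-latest: true`, so it is ambiguous whether Scout analyses the local build or resolves the name against the registry. Tag the local build distinctly, e.g. `-t getwilds/bwa:pr-${{ github.event.pull_request.number }}`, and pass it explicitly as `image: local://getwilds/bwa:pr-${{ github.event.pull_request.number }}` (the `local://` prefix forces a local image; confirm against the action docs). The Docker Hub login also runs before `docker build`, so the credential sits in the runner's Docker config while a PR-controlled Dockerfile executes; moving the login step after the build is cheap defence-in-depth since only Scout needs it. `docker/setup-buildx-action@v3` is another mutable tag that should be pinned to a commit SHA.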
From: tefirman Date: Fri, 18 Oct 2024 13:43:04 -0700 Subject: [PATCH 08/14] Adding ls to Docker Scout for debugging --- .github/workflows/docker-scout.yaml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/.github/workflows/docker-scout.yaml b/.github/workflows/docker-scout.yaml index cf51554..6ec7fbc 100644 --- a/.github/workflows/docker-scout.yaml +++ b/.github/workflows/docker-scout.yaml @@ -19,7 +19,9 @@ jobs: username: ${{ secrets.DOCKERHUB_USER }} password: ${{ secrets.DOCKERHUB_PW }} - name: Build - run: docker build --platform linux/amd64 -t getwilds/bwa:latest -f bwa/Dockerfile_latest . + run: | + ls + docker build --platform linux/amd64 -t getwilds/bwa:latest -f /bwa/Dockerfile_latest . - name: Docker Scout id: docker-scout uses: docker/scout-action@v1 From 3bf5dca43d098840d01cd69d9f45f2afe8741e70 Mon Sep 17 00:00:00 2001 From: tefirman Date: Fri, 18 Oct 2024 13:45:56 -0700 Subject: [PATCH 09/14] Adding ls to Docker Scout for debugging --- .github/workflows/docker-scout.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/docker-scout.yaml b/.github/workflows/docker-scout.yaml index 6ec7fbc..52a00b2 100644 --- a/.github/workflows/docker-scout.yaml +++ b/.github/workflows/docker-scout.yaml @@ -20,7 +20,7 @@ jobs: password: ${{ secrets.DOCKERHUB_PW }} - name: Build run: | - ls + echo $(ls) docker build --platform linux/amd64 -t getwilds/bwa:latest -f /bwa/Dockerfile_latest . - name: Docker Scout id: docker-scout From c7c03811afd54d34e9a93644a192b1fb7e1c6d34 Mon Sep 17 00:00:00 2001 From: tefirman Date: Fri, 18 Oct 2024 13:48:02 -0700 Subject: [PATCH 10/14] Adding checkout to Docker Scout action --- .github/workflows/docker-scout.yaml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/docker-scout.yaml b/.github/workflows/docker-scout.yaml index 52a00b2..de9ebb4 100644 --- a/.github/workflows/docker-scout.yaml +++ b/.github/workflows/docker-scout.yaml 
@@ -11,6 +11,8 @@ jobs: scout: runs-on: ubuntu-latest steps: + - name: Checkout + uses: actions/checkout@v4 - name: Set up Docker Buildx uses: docker/setup-buildx-action@v3 - name: Login to DockerHub Container Registry @@ -19,9 +21,7 @@ jobs: username: ${{ secrets.DOCKERHUB_USER }} password: ${{ secrets.DOCKERHUB_PW }} - name: Build - run: | - echo $(ls) - docker build --platform linux/amd64 -t getwilds/bwa:latest -f /bwa/Dockerfile_latest . + run: docker build --platform linux/amd64 -t getwilds/bwa:latest -f bwa/Dockerfile_latest . - name: Docker Scout id: docker-scout uses: docker/scout-action@v1 From 0f4da684c937ed5af3ec299f0cb777cebae180d7 Mon Sep 17 00:00:00 2001 From: tefirman Date: Fri, 18 Oct 2024 14:43:14 -0700 Subject: [PATCH 11/14] Updating versions in bwa Docker image --- bwa/Dockerfile_0.7.17 | 8 ++++---- bwa/Dockerfile_latest | 8 ++++---- 2 files changed, 8 insertions(+), 8 deletions(-) diff --git a/bwa/Dockerfile_0.7.17 b/bwa/Dockerfile_0.7.17 index 486fba4..ac87839 100644 --- a/bwa/Dockerfile_0.7.17 +++ b/bwa/Dockerfile_0.7.17 @@ -14,10 +14,10 @@ LABEL org.opencontainers.image.licenses=MIT # Installing prerequisites RUN apt-get update \ - && apt-get install -y --no-install-recommends build-essential=12.10ubuntu1 wget=1.21.4-1ubuntu4 \ - zlib1g-dev=1:1.3.dfsg-3.1ubuntu2 autoconf=2.71-3 automake=1:1.16.5-1.3ubuntu1 \ - libncurses-dev=6.4+20240113-1ubuntu2 libbz2-dev=1.0.8-5.1 liblzma-dev=5.6.1+really5.4.5-1 \ - libssl-dev=3.0.13-0ubuntu3.1 libcurl4-gnutls-dev=8.5.0-2ubuntu10.1 \ + && apt-get install -y --no-install-recommends build-essential=12.10ubuntu1 wget=1.21.4-1ubuntu4.1 \ + zlib1g-dev=1:1.3.dfsg-3.1ubuntu2.1 autoconf=2.71-3 automake=1:1.16.5-1.3ubuntu1 \ + libncurses-dev=6.4+20240113-1ubuntu2 libbz2-dev=1.0.8-5.1build0.1 liblzma-dev=5.6.1+really5.4.5-1build0.1 \ + libssl-dev=3.0.13-0ubuntu3.4 libcurl4-gnutls-dev=8.5.0-2ubuntu10.4 \ && rm -rf /var/lib/apt/lists/* # Pulling and extracting bwa source code 
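Review bot: `actions/checkout@v4` with its default `persist-credentials: true` writes the job's `GITHUB_TOKEN` into `.git/config`, and the build below uses `.` as its context, so unless a `.dockerignore` excludes `.git` (not visible in this diff) the token is inside the build context and would land in image layers if any Dockerfile instruction copies the context. Nothing in this workflow pushes back to the repository, so add `with:` / `persist-credentials: false` to the checkout step. The workflow's `permissions:` block (outside this hunk) grants only `pull-requests: write`; checkout of a private repository needs `contents: read`, so declare it explicitly even if this repository is public today.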
diff --git a/bwa/Dockerfile_latest b/bwa/Dockerfile_latest index d5eff3b..5725013 100644 --- a/bwa/Dockerfile_latest +++ b/bwa/Dockerfile_latest @@ -14,10 +14,10 @@ LABEL org.opencontainers.image.licenses=MIT # Installing prerequisites RUN apt-get update \ - && apt-get install -y --no-install-recommends build-essential=12.10ubuntu1 wget=1.21.4-1ubuntu4 \ - zlib1g-dev=1:1.3.dfsg-3.1ubuntu2 autoconf=2.71-3 automake=1:1.16.5-1.3ubuntu1 \ - libncurses-dev=6.4+20240113-1ubuntu2 libbz2-dev=1.0.8-5.1 liblzma-dev=5.6.1+really5.4.5-1 \ - libssl-dev=3.0.13-0ubuntu3.1 libcurl4-gnutls-dev=8.5.0-2ubuntu10.1 \ + && apt-get install -y --no-install-recommends build-essential=12.10ubuntu1 wget=1.21.4-1ubuntu4.1 \ + zlib1g-dev=1:1.3.dfsg-3.1ubuntu2.1 autoconf=2.71-3 automake=1:1.16.5-1.3ubuntu1 \ + libncurses-dev=6.4+20240113-1ubuntu2 libbz2-dev=1.0.8-5.1build0.1 liblzma-dev=5.6.1+really5.4.5-1build0.1 \ + libssl-dev=3.0.13-0ubuntu3.4 libcurl4-gnutls-dev=8.5.0-2ubuntu10.4 \ && rm -rf /var/lib/apt/lists/* # Pulling and extracting bwa source code From d6f1138cf715549cd16ca663626c78d1dda524e6 Mon Sep 17 00:00:00 2001 From: tefirman Date: Fri, 18 Oct 2024 14:59:55 -0700 Subject: [PATCH 12/14] Calling image by tag in Docker Scout --- .github/workflows/docker-scout.yaml | 28 +++++++++++++++++----------- 1 file changed, 17 insertions(+), 11 deletions(-) diff --git a/.github/workflows/docker-scout.yaml b/.github/workflows/docker-scout.yaml index de9ebb4..de84548 100644 --- a/.github/workflows/docker-scout.yaml +++ b/.github/workflows/docker-scout.yaml 
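Review bot: The bumps here (`libssl-dev=3.0.13-0ubuntu3.4`, `libcurl4-gnutls-dev=8.5.0-2ubuntu10.4`, `wget=1.21.4-1ubuntu4.1`, `zlib1g-dev=1:1.3.dfsg-3.1ubuntu2.1`, …) are the maintenance cost of exact `package=version` pins: the Ubuntu archive serves only the current build of each package, so as soon as a security update supersedes one of these the pinned `apt-get install` fails, and until someone hand-edits the Dockerfile the image stays on a version with a published fix. Consider pinning the base image by digest for reproducibility and letting `apt-get install` take the archive's current versions, or generating these pins from a lock step so that a Scout finding produces the bump automatically instead of a manual commit like this one. The identical change is made to `bwa/Dockerfile_0.7.17` above and the same remarks apply. If the `# Pulling and extracting bwa source code` step that follows (outside this hunk) downloads the source with wget, it should verify a checksum of the archive before building it.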
@@ -11,23 +11,29 @@ jobs: scout: runs-on: ubuntu-latest steps: - - name: Checkout - uses: actions/checkout@v4 - - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3 + # - name: Checkout + # uses: actions/checkout@v4 + # - name: Set up Docker Buildx + # uses: docker/setup-buildx-action@v3 - name: Login to DockerHub Container Registry uses: docker/login-action@v3 with: username: ${{ secrets.DOCKERHUB_USER }} password: ${{ secrets.DOCKERHUB_PW }} - - name: Build - run: docker build --platform linux/amd64 -t getwilds/bwa:latest -f bwa/Dockerfile_latest . + # - name: Build + # run: docker build --platform linux/amd64 -t getwilds/bwa:latest -f bwa/Dockerfile_latest . - name: Docker Scout id: docker-scout uses: docker/scout-action@v1 with: - command: cves,recommendations,compare - to-latest: true - ignore-base: true - ignore-unchanged: true - only-fixed: true + command: cves,recommendations + image: getwilds/bwa:latest + sarif-file: sarif.output.json + platform: linux/amd64 + summary: true + - name: Upload SARIF result + id: upload-sarif + if: ${{ github.event_name != 'pull_request_target' }} + uses: github/codeql-action/upload-sarif@v2 + with: + sarif_file: sarif.output.json From b6869ee232b6f2376e52f2c4fe653fb4610a5300 Mon Sep 17 00:00:00 2001 From: tefirman Date: Fri, 18 Oct 2024 15:07:26 -0700 Subject: [PATCH 13/14] Checking if you need login for Docker Scout --- .github/workflows/docker-scout.yaml | 16 +++++----------- 1 file changed, 5 insertions(+), 11 deletions(-) diff --git a/.github/workflows/docker-scout.yaml b/.github/workflows/docker-scout.yaml index de84548..484668e 100644 --- a/.github/workflows/docker-scout.yaml +++ b/.github/workflows/docker-scout.yaml 
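Review bot: The new `Upload SARIF result` step needs `security-events: write`, but the workflow's `permissions:` block (outside this hunk) grants only `pull-requests: write`, so `github/codeql-action/upload-sarif` will be rejected with a 403; add `security-events: write` to that block. The guard `if: ${{ github.event_name != 'pull_request_target' }}` is always true because this workflow triggers only on `pull_request`, so it is dead code copied from the action's example; drop it, or if `pull_request_target` is ever added remember the guard exists because that event runs with a write token against fork-controlled code. `github/codeql-action/upload-sarif@v2` was, I believe, already on its deprecation path in late 2024 and should be `@v3`, pinned to a commit SHA like the other actions. Commenting out the checkout and build also means Scout is back to scanning the Docker Hub `latest` tag, so this check no longer gates the Dockerfile changes a PR actually makes.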
@@ -11,17 +11,11 @@ jobs: scout: runs-on: ubuntu-latest steps: - # - name: Checkout - # uses: actions/checkout@v4 - # - name: Set up Docker Buildx - # uses: docker/setup-buildx-action@v3 - - name: Login to DockerHub Container Registry - uses: docker/login-action@v3 - with: - username: ${{ secrets.DOCKERHUB_USER }} - password: ${{ secrets.DOCKERHUB_PW }} - # - name: Build - # run: docker build --platform linux/amd64 -t getwilds/bwa:latest -f bwa/Dockerfile_latest . + # - name: Login to DockerHub Container Registry + # uses: docker/login-action@v3 + # with: + # username: ${{ secrets.DOCKERHUB_USER }} + # password: ${{ secrets.DOCKERHUB_PW }} - name: Docker Scout id: docker-scout uses: docker/scout-action@v1 From c8feb1549edb514c16c46a4037a8124eeb97d656 Mon Sep 17 00:00:00 2001 From: tefirman Date: Fri, 18 Oct 2024 15:09:21 -0700 Subject: [PATCH 14/14] Adding back login for Docker Scout --- .github/workflows/docker-scout.yaml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/.github/workflows/docker-scout.yaml b/.github/workflows/docker-scout.yaml index 484668e..1c12e87 100644 --- a/.github/workflows/docker-scout.yaml +++ b/.github/workflows/docker-scout.yaml @@ -11,11 +11,11 @@ jobs: scout: runs-on: ubuntu-latest steps: - # - name: Login to DockerHub Container Registry - # uses: docker/login-action@v3 - # with: - # username: ${{ secrets.DOCKERHUB_USER }} - # password: ${{ secrets.DOCKERHUB_PW }} + - name: Login to DockerHub Container Registry + uses: docker/login-action@v3 + with: + username: ${{ secrets.DOCKERHUB_USER }} + password: ${{ secrets.DOCKERHUB_PW }} - name: Docker Scout id: docker-scout uses: docker/scout-action@v1
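Review bot: Restoring the login right after the previous commit removed it shows the dependency was non-obvious, yet the workflow does not record why a credential is needed to scan the public `getwilds/bwa:latest` image; add a comment on the step such as `# Docker Hub login required for Scout (unauthenticated runs fail; see PATCH 13/14)` so the next person does not repeat the experiment. Whatever the reason, the secret behind `DOCKERHUB_PW` should be a Docker Hub access token with read-only scope rather than an account password (the name suggests a password, but that is inferred), and renaming it `DOCKERHUB_TOKEN` would make the intent visible. `docker/login-action@v3` remains a mutable tag and should be pinned to a commit SHA.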