From bb3f17ec76b08d985bcb50843e43c26d2dcd5c4a Mon Sep 17 00:00:00 2001 From: Robert Waffen Date: Fri, 6 Sep 2024 14:06:12 +0200 Subject: [PATCH] feat: switch container scanning to grype Signed-off-by: Robert Waffen --- .github/workflows/ci.yaml | 31 ------------ .github/workflows/security_scanning.yml | 63 +++++++++++++++++++++++++ 2 files changed, 63 insertions(+), 31 deletions(-) create mode 100644 .github/workflows/security_scanning.yml diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index e636e694..37deba48 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -51,37 +51,6 @@ jobs: R10K_VERSION=${{ matrix.r10k_version }} RUGGED_VERSION=${{ matrix.rugged_version }} - # - name: Login to Docker Hub - # uses: docker/login-action@v3 - # with: - # username: voxpupulibot - # password: ${{ secrets.DOCKERHUB_BOT_RO_PASSWORD }} - - # - name: Analyze container image for CVEs - # id: analyze-image-cves - # uses: docker/scout-action@v1 - # with: - # command: cves - # image: 'local://ci/puppetserver:${{ matrix.version }}' - # sarif-file: sarif.output.${{ matrix.version }}.${{ github.sha }}.json - # write-comment: false - - # - name: Compare container image to latest from Registry - # id: compare-image - # uses: docker/scout-action@v1 - # with: - # command: compare - # image: 'local://ci/puppetserver:${{ matrix.version }}' - # to: 'ghcr.io/voxpupuli/puppetserver:${{ matrix.version }}-latest' - # summary: true - # keep-previous-comments: true - - # - name: Upload SARIF result - # id: upload-sarif - # uses: github/codeql-action/upload-sarif@v3 - # with: - # sarif_file: sarif.output.${{ matrix.version }}.${{ github.sha }}.json - tests: needs: - general_ci diff --git a/.github/workflows/security_scanning.yml b/.github/workflows/security_scanning.yml new file mode 100644 index 00000000..bf98da8e --- /dev/null +++ b/.github/workflows/security_scanning.yml 
@@ -0,0 +1,63 @@
+---
+name: Security Scanning 🕵️
+
+on:
+ push:
+ branches:
+ - main
+ pull_request:
+ branches:
+ - main
+
+jobs:
+ setup-matrix:
+ runs-on: ubuntu-latest
+ outputs:
+ matrix: ${{ steps.set-matrix.outputs.matrix }}
+ steps:
+ - name: Source checkout
+ uses: actions/checkout@v4
+
+ - id: set-matrix
+ run: echo "matrix=$(jq -c . build_versions.json)" >> $GITHUB_OUTPUT
+
+ scan_ci_container:
+ name: 'Scan CI container'
+ runs-on: ubuntu-latest
+ permissions:
+ actions: read
+ contents: read
+ security-events: write
+ needs: setup-matrix
+ strategy:
+ matrix: ${{ fromJson(needs.setup-matrix.outputs.matrix) }}
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v4
+
+ - name: Build CI container
+ uses: docker/build-push-action@v6
+ with:
+ tags: 'ci/puppetserver:${{ matrix.version }}'
+ context: puppetserver
+ push: false
+ build-args: |
+ PUPPET_RELEASE=${{ matrix.release }}
+ PUPPETSERVER_VERSION=${{ matrix.version }}
+ R10K_VERSION=${{ matrix.r10k_version }}
+ RUGGED_VERSION=${{ matrix.rugged_version }}
+
+ - name: Scan image with Anchore Grype
+ uses: anchore/scan-action@v4
+ id: scan
+ with:
+ image: 'ci/puppetserver:${{ matrix.version }}'
+ fail-build: false
+
+ - name: Inspect action SARIF report
+ run: jq . ${{ steps.scan.outputs.sarif }}
+
+ - name: Upload Anchore scan SARIF report
+ uses: github/codeql-action/upload-sarif@v3
+ with:
+ sarif_file: ${{ steps.scan.outputs.sarif }}
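Review bot: The `setup-matrix` job declares no `permissions` block, so its token keeps the repository's default scope, while `scan_ci_container` is correctly narrowed to `actions: read`, `contents: read`, `security-events: write`; a workflow-level `permissions:` block granting only `contents: read` (job-level grants still override it) would make least privilege the default for both jobs. The third-party actions in the scan job (`docker/build-push-action@v6`, `anchore/scan-action@v4`) are referenced by mutable major tags; pinning each to a full commit SHA with the version in a trailing comment, e.g. `uses: anchore/scan-action@<full-commit-sha>  # v4`, keeps a moved tag from running unreviewed code in a job that holds `security-events: write`. With `fail-build: false` and no explicit `severity-cutoff`, Grype findings land in the Security tab but never fail a run, which looks intentional for a first rollout — a one-line comment on that step saying so (and under what condition it is meant to flip) would save the next reader from guessing. The `set-matrix` step should also quote the output file path: `run: echo "matrix=$(jq -c . build_versions.json)" >> "$GITHUB_OUTPUT"`.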