From bb62db33ca5b90068a55e7ad572af8e1dd463dbd Mon Sep 17 00:00:00 2001
From: Andreas Bucksteeg
Date: Thu, 13 Jan 2022 10:20:48 +0100
Subject: [PATCH 1/3] fix: adjust scan configuration
---
 .github/workflows/cve-scan.yaml | 24 +++++++++++++++++++-----
 .grype.yaml | 2 ++
 Makefile | 9 ++++++++-
 3 files changed, 29 insertions(+), 6 deletions(-)
 create mode 100644 .grype.yaml
diff --git a/.github/workflows/cve-scan.yaml b/.github/workflows/cve-scan.yaml
index cdf7e5bd920..6abe358f32a 100644
--- a/.github/workflows/cve-scan.yaml
+++ b/.github/workflows/cve-scan.yaml
@@ -15,6 +15,12 @@ jobs:
 steps:
 - name: Checkout
 uses: actions/checkout@v2
+ - name: Setup Env
+ id: vars
+ shell: bash
+ run: |
+ echo "##[set-output name=branch;]$(echo ${GITHUB_REF#refs/heads/})"
+ echo "::set-output name=sha_short::$(git rev-parse --short HEAD)"
 - name: Set up QEMU
 uses: docker/setup-qemu-action@v1
 - name: Set up Docker Buildx
@@ -22,18 +28,26 @@ jobs:
 - name: Build images
 shell: bash
 run: |
- make docker
+ image_tag=${{ steps.vars.outputs.sha_short }} make docker
 - name: Anchore Scanner
 uses: anchore/scan-action@v3
+ id: grype-scan
 with:
- image: oryd/kratos:latest
- fail-build: true
+ image: oryd/kratos:${{ steps.vars.outputs.sha_short }}
+ fail-build: false
 severity-cutoff: high
+ debug: false
+ acs-report-enable: true
+ - name: Anchore upload scan SARIF report
+ if: always()
+ uses: github/codeql-action/upload-sarif@v1
+ with:
+ sarif_file: ${{ steps.grype-scan.outputs.sarif }}
 - name: Trivy Scanner
 uses: aquasecurity/trivy-action@master
 if: ${{ always() }}
 with:
- image-ref: oryd/kratos:latest
+ image-ref: oryd/kratos:${{ steps.vars.outputs.sha_short }}
 format: 'table'
 exit-code: '42'
 ignore-unfixed: true
@@ -43,6 +57,6 @@ jobs:
 uses: erzz/dockle-action@v1.1.1
 if: ${{ always() }}
 with:
- image: oryd/kratos:latest
+ image: oryd/kratos:${{ steps.vars.outputs.sha_short }}
 exit-code: 42
 failure-threshold: fatal 
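Review bot: The two output lines in the new `Setup Env` step use different workflow-command syntaxes: the first writes `##[set-output name=branch;]…` (the legacy form) while the second writes `::set-output name=sha_short::…`, so the `branch` line should read `echo "::set-output name=branch::${GITHUB_REF#refs/heads/}"` (and note that `set-output` itself has since been deprecated by GitHub in favour of appending to the file named by `$GITHUB_OUTPUT`, which did not yet exist when this was authored). The `branch` value strips only `refs/heads/`, so if the workflow also runs on pull_request events (the trigger is outside the hunk) `GITHUB_REF` is `refs/pull/<n>/merge` and the output is the unmodified ref. Nothing in this patch series reads `steps.vars.outputs.branch`, so the line can be dropped; if it is kept for later use, remember that branch names are user-chosen and should reach a `run:` script through an `env:` mapping rather than `${{ }}` interpolation.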
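Review bot: The new `uses: github/codeql-action/upload-sarif@v1` step in the Anchore/Trivy hunk references a floating major tag, so the third-party code that receives and forwards the scan results can change underneath this workflow; pin it to a full commit SHA with the version in a trailing comment, e.g. `uses: github/codeql-action/upload-sarif@<commit-sha — placeholder> # v1`. Uploading SARIF also requires `security-events: write` on the job token, and no `permissions:` block is visible in this hunk; if the repository's default token is read-only the upload will fail, so a job-level `permissions:` / `security-events: write` (outside the hunk) is needed. The added `image_tag=${{ steps.vars.outputs.sha_short }} make docker` line expands an expression directly into the shell script; the value is `git rev-parse --short HEAD` output from the same job and so not externally influenced, but passing it via `env:` and `$image_tag` is the pattern that stays safe when the output later changes.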
diff --git a/.grype.yaml b/.grype.yaml
new file mode 100644
index 00000000000..bb5fa622592
--- /dev/null
+++ b/.grype.yaml
@@ -0,0 +1,2 @@
+ignore:
+ - vulnerability: CVE-2015-5237
\ No newline at end of file
diff --git a/Makefile b/Makefile
index fd2eed3ab80..ff7aa2e296d 100644
--- a/Makefile
+++ b/Makefile
@@ -1,5 +1,11 @@
 SHELL=/bin/bash -o pipefail
 
+ifdef image_tag
+ IMAGE_TAG := $(image_tag)
+else
+ IMAGE_TAG := latest
+endif
+
 # EXECUTABLES = docker-compose docker node npm go
 # K := $(foreach exec,$(EXECUTABLES),\
 # $(if $(shell which $(exec)),some string,$(error "No $(exec) in PATH")))
@@ -135,7 +141,8 @@ format: .bin/goimports docs/node_modules node_modules
 # Build local docker image
 .PHONY: docker
 docker:
- DOCKER_BUILDKIT=1 docker build -f .docker/Dockerfile-build --build-arg=COMMIT=$(VCS_REF) --build-arg=BUILD_DATE=$(BUILD_DATE) -t oryd/kratos:latest .
+ @echo "Building Image 'oryd/kratos:$(IMAGE_TAG)'"
+ DOCKER_BUILDKIT=1 docker build -f .docker/Dockerfile-build --build-arg=COMMIT=$(VCS_REF) --build-arg=BUILD_DATE=$(BUILD_DATE) -t oryd/kratos:$(IMAGE_TAG) .

 # Runs the documentation tests
 .PHONY: test-docs
From 41de0a5d4eb68ff834541ca3af75f1d86f84aba8 Mon Sep 17 00:00:00 2001
From: Andreas Bucksteeg
Date: Fri, 14 Jan 2022 13:55:26 +0100
Subject: [PATCH 2/3] chore: enable failing of step in case high vulnerabilities
---
 .github/workflows/cve-scan.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/cve-scan.yaml b/.github/workflows/cve-scan.yaml
index 6abe358f32a..dd4f7f459c0 100644
--- a/.github/workflows/cve-scan.yaml
+++ b/.github/workflows/cve-scan.yaml
@@ -34,7 +34,7 @@ jobs:
 id: grype-scan
 with:
 image: oryd/kratos:${{ steps.vars.outputs.sha_short }}
- fail-build: false
+ fail-build: true
 severity-cutoff: high
 debug: false
 acs-report-enable: true
From 90bf6d515aa74af65e9b289302475acb847f8916 Mon Sep 17 00:00:00 2001 
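Review bot: The new ignore rule in `.grype.yaml` suppresses CVE-2015-5237 for every package in every scanned image and records no reason, so the exception will outlive whatever justified it and will also hide a future match of the same id in an unrelated package. Scope it to the package it was assessed for and state why above the entry, e.g. `# CVE-2015-5237: <reason and ticket — placeholder>` followed by `package:` / `name: <assessed package — placeholder>` nested under the rule; grype ignore rules also accept `fix-state` when the intent is only to defer findings that have no upstream fix. The file also ends without a trailing newline.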
From: Andreas Bucksteeg
Date: Fri, 14 Jan 2022 21:26:44 +0100
Subject: [PATCH 3/3] fix: use Dockerfile-alpine + cleanup
---
 .github/workflows/cve-scan.yaml | 4 +++-
 .grype.yaml | 1 +
 Makefile | 9 +--------
 3 files changed, 5 insertions(+), 9 deletions(-)
diff --git a/.github/workflows/cve-scan.yaml b/.github/workflows/cve-scan.yaml
index dd4f7f459c0..22a168af946 100644
--- a/.github/workflows/cve-scan.yaml
+++ b/.github/workflows/cve-scan.yaml
@@ -28,7 +28,9 @@ jobs:
 - name: Build images
 shell: bash
 run: |
- image_tag=${{ steps.vars.outputs.sha_short }} make docker
+ touch kratos
+ DOCKER_BUILDKIT=1 docker build -f .docker/Dockerfile-alpine --build-arg=COMMIT=${{ steps.vars.outputs.sha_short }} -t oryd/kratos:${{ steps.vars.outputs.sha_short }} .
+ rm kratos
 - name: Anchore Scanner
 uses: anchore/scan-action@v3
 id: grype-scan
diff --git a/.grype.yaml b/.grype.yaml
index bb5fa622592..7e6d0a9bafa 100644
--- a/.grype.yaml
+++ b/.grype.yaml
@@ -1,2 +1,3 @@
+#only-fixed: true
 ignore:
 - vulnerability: CVE-2015-5237
\ No newline at end of file
diff --git a/Makefile b/Makefile
index ff7aa2e296d..fd2eed3ab80 100644
--- a/Makefile
+++ b/Makefile
@@ -1,11 +1,5 @@
 SHELL=/bin/bash -o pipefail
 
-ifdef image_tag
- IMAGE_TAG := $(image_tag)
-else
- IMAGE_TAG := latest
-endif
-
 # EXECUTABLES = docker-compose docker node npm go
 # K := $(foreach exec,$(EXECUTABLES),\
 # $(if $(shell which $(exec)),some string,$(error "No $(exec) in PATH")))
@@ -141,8 +135,7 @@ format: .bin/goimports docs/node_modules node_modules
 # Build local docker image
 .PHONY: docker
 docker:
- @echo "Building Image 'oryd/kratos:$(IMAGE_TAG)'"
- DOCKER_BUILDKIT=1 docker build -f .docker/Dockerfile-build --build-arg=COMMIT=$(VCS_REF) --build-arg=BUILD_DATE=$(BUILD_DATE) -t oryd/kratos:$(IMAGE_TAG) .
+ DOCKER_BUILDKIT=1 docker build -f .docker/Dockerfile-build --build-arg=COMMIT=$(VCS_REF) --build-arg=BUILD_DATE=$(BUILD_DATE) -t oryd/kratos:latest .

 # Runs the documentation tests
 .PHONY: test-docs
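Review bot: The image handed to the three scanners is built from an empty `kratos` file created by `touch kratos` on the first added line and deleted by `rm kratos` on the last, so if `.docker/Dockerfile-alpine` copies that file in as the application binary (the Dockerfile is not part of this patch) the Anchore, Trivy and Dockle results cover the alpine base layer only and never the Go binary or the modules compiled into it. If that is the intent, make it visible to the next reader with `# NOTE: kratos is an empty placeholder; this job scans the base image, not the application binary`; otherwise build the real artifact first and copy it in. The cleanup also only runs on success, because a `shell: bash` `run:` block executes with `-e`, so `trap 'rm -f kratos' EXIT` placed before `touch kratos` is the more robust form. The inlined build line also drops the `--build-arg=BUILD_DATE` that the Makefile's `docker` target passes; whether `Dockerfile-alpine` declares that ARG cannot be seen here.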
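Review bot: The added `#only-fixed: true` in `.grype.yaml` is a commented-out setting, which leaves it unclear whether findings without an upstream fix are meant to be reported by grype while the Trivy step already runs with `ignore-unfixed: true`; either enable it as `only-fixed: true` so both scanners apply the same policy, or remove the line and record the decision in a comment such as `# only-fixed left off on purpose: unfixed findings are reported here and filtered in Trivy`. The file still ends without a trailing newline.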