Skip to content

Update CI vulnerability workflow to reduce how often the docker image is built #196

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed
lisac wants to merge 52 commits into from
Closed

Update CI vulnerability workflow to reduce how often the docker image is built #196

Show file tree
Hide file tree
Changes from 7 commits
Commits
Show all changes
52 commits
Select commit Hold shift + click to select a range
32071f7
add job build-and-cache
lisac Apr 15, 2025
352feea
update trivy job to use the previously-built image
lisac Apr 15, 2025
30f2a9c
update anchore scan to use the previously-built image
lisac Apr 15, 2025
8bebaee
update dockle job to use the previously-built image
lisac Apr 15, 2025
47b8168
remove check on disk space
lisac Apr 15, 2025
cdc863f
remove debugging around disk space
lisac Apr 15, 2025
b8e1fb4
fix outdated documentation link
lisac Apr 15, 2025
409afe0
Update .github/workflows/vulnerability-scans.yml
lisac Apr 17, 2025
ec4acfb
rename job: build-and-cache -> build
lisac Apr 17, 2025
f93ad60
fix order: check that the cache exists before we try to use it
lisac Apr 17, 2025
e615687
move the cache-hit check to earlier in the job
lisac Apr 17, 2025
0f0985e
(lint fix) specify the path associated with the key we want to look up
lisac Apr 17, 2025
8f1f396
oops. need to check out the repo in order to use the Makefile.
lisac Apr 17, 2025
b5d6823
skip the trivy and anchore scans (temporarily)
lisac Apr 17, 2025
a622e54
modify 'release-build' make command to allow for additional build flags
lisac Apr 17, 2025
1430fd4
simplify. remove logic for caching the buildx layers. reduce the task…
lisac Apr 17, 2025
95a8a18
experiment: don't checkout the repo unless we have to build the docke…
lisac Apr 17, 2025
057ebb1
specify 'fail-on-cache-miss: true' for the subsequent jobs that expec…
lisac Apr 17, 2025
3c71f76
Revert "experiment: don't checkout the repo unless we have to build t…
lisac Apr 17, 2025
e7e8072
refactor the steps for building and caching the image into a new comp…
lisac Apr 28, 2025
0c6fcc6
update the build-and-publish to use the new composite action
lisac Apr 28, 2025
d6367d6
limit concurrency for the build action
lisac Apr 28, 2025
111fff0
update value to one that is defined
lisac Apr 28, 2025
04c44e2
move concurrency configuration to the job level
lisac Apr 28, 2025
d770279
re-try enforcing concurrency limit
lisac Apr 28, 2025
39d9fb5
Merge branch 'main' into lisac/ci-vulnerability-scans-build-image-once
lisac May 2, 2025
35353a2
move container registry check into its own job; and run the build-and…
lisac May 2, 2025
e760275
(debugging) add a sleep, to make more apparent whether multiple insta…
lisac May 2, 2025
3a27d6a
fix syntax
lisac May 2, 2025
1d970fc
re-try fixing syntax
lisac May 2, 2025
ba457e9
set id-token to have write permission
lisac May 2, 2025
2e5552c
specify the github ref to checkout
lisac May 4, 2025
541e272
update description text of the composite action
lisac May 4, 2025
73e97a0
revert 2e5552c. ineffective.
lisac May 5, 2025
32333f3
fix format - EOF newline
lisac May 5, 2025
9fde625
move 'docker load' to the composite action
lisac May 8, 2025
c58be8b
retrieve the image from cache rather than just checking for a cache hit
lisac May 8, 2025
ec69330
fix syntax. was missing required property 'shell'
lisac May 8, 2025
d05c648
debug: if we call 'docker load' from the composite action, will the c…
lisac May 8, 2025
ca3da45
debug: observe the environment variables describing the version of th…
lisac May 8, 2025
3124e7f
debugging - check that we get a cache hit after saving the cache, and…
lisac May 9, 2025
cf38b58
create composite action for get-commit-hash, copying logic from build…
lisac May 9, 2025
82b68ff
update build-and-publish.yml to call the get-commit-hash composite ac…
lisac May 9, 2025
db0f928
fix concurrency group - github.ref will not be reliable, need to use …
lisac May 9, 2025
f4c816e
adjust a condition for readability and to be more exact
lisac May 9, 2025
ee98361
correct concurrency group to use hash instead of github.ref. in vulne…
lisac May 9, 2025
1cc95b8
debug: the subsequent jobs may need to explicitly run docker load
lisac May 9, 2025
800fe0b
fix syntax
lisac May 9, 2025
772ddd4
fix (id for steps need to be unique, within a workflow)
lisac May 9, 2025
e56d5fa
use existing Makefile command for getting the commit sha
lisac May 9, 2025
dc57850
remove debugging, update some descriptive properties (name, description)
lisac May 9, 2025
c211561
restore original code for getting the commit hash
lisac May 9, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
121 changes: 96 additions & 25 deletions .github/workflows/vulnerability-scans.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,8 +1,9 @@
# GitHub Actions CI workflow that runs vulnerability scans on the application's Docker image
# to ensure images built are secure before they are deployed.
# GitHub Actions CI workflow that runs vulnerability scans on the application's
# Dockerfile or Docker image to ensure images built are secure before they are deployed.

# The docker image is built once and cached, with that image used by the jobs that
# require access to the image.

# NOTE: The workflow isn't able to pass the docker image between jobs, so each builds the image.
# A future PR will pass the image between the scans to reduce overhead and increase speed
name: Vulnerability Scans

on:
Expand Down Expand Up @@ -41,8 +42,64 @@ jobs:
if: always() # Runs even if there is a failure
run: cat hadolint-results.txt >> "$GITHUB_STEP_SUMMARY"

build-and-cache:
runs-on: ubuntu-latest
outputs:
image: ${{ steps.shared-output.outputs.image }}

steps:
- uses: actions/checkout@v4

- name: Set up Docker Buildx
uses: docker/setup-buildx-action@master
with:
driver: docker

- name: Cache Docker layers
id: cache-buildx
uses: actions/cache@v4
with:
path: /tmp/.buildx-cache
key: ${{ inputs.app_name }}-buildx-${{ github.sha }}
restore-keys: |
${{ inputs.app_name }}-buildx-

- name: Ensure Buildx cache exists
run: |
mkdir -p /tmp/.buildx-cache

- name: Set shared outputs
id: shared-output
run: |
IMAGE_NAME=$(make APP_NAME=${{ inputs.app_name }} release-image-name)
IMAGE_TAG=$(make release-image-tag)
echo "image=$IMAGE_NAME:$IMAGE_TAG" >> "$GITHUB_OUTPUT"

- name: Build and tag Docker image for scanning
# If there's an exact match in cache, skip build entirely
if: steps.cache-buildx.outputs.cache-hit != 'true'
run: |
make release-build \
APP_NAME=${{ inputs.app_name }} \
OPTIONAL_BUILD_FLAGS=" \
--cache-from=type=local,src=/tmp/.buildx-cache \
--cache-to=type=local,dest=/tmp/.buildx-cache"
Copy link
Copy Markdown
Collaborator

@lorenyu lorenyu Apr 16, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This doesn't do anything, OPTIONAL_BUILD_FLAGS is not an option in make release-build which is causing the layers not to be caching properly

image

Once this is fixed you should test by triggering multiple builds (with different commit hashes) (for example by modifying the example app or adding a command to the Dockerfile) and showing that subsequent builds are much faster since most of the layers are already cached.


- name: Save Docker image
if: steps.cache-buildx.outputs.cache-hit != 'true'
run: |
docker save ${{ steps.shared-output.outputs.image }} > /tmp/docker-image.tar

- name: Cache Docker image
if: steps.cache-buildx.outputs.cache-hit != 'true'
uses: actions/cache/save@v4
with:
path: /tmp/docker-image.tar
key: ${{ inputs.app_name }}-docker-image-${{ github.sha }}

trivy-scan:
runs-on: ubuntu-latest
needs: build-and-cache

steps:
- uses: actions/checkout@v4
Expand All @@ -59,19 +116,23 @@ jobs:
with:
files: ${{ inputs.app_name }}/trivy-secret.yaml trivy-secret.yaml

- name: Build and tag Docker image for scanning
id: build-image
- name: Restore cached Docker image
uses: actions/cache/restore@v4
with:
path: /tmp/docker-image.tar
key: ${{ inputs.app_name }}-docker-image-${{ github.sha }}
restore-keys: |
${{ inputs.app_name }}-docker-image-

- name: Load cached Docker image
run: |
make APP_NAME=${{ inputs.app_name }} release-build
IMAGE_NAME=$(make APP_NAME=${{ inputs.app_name }} release-image-name)
IMAGE_TAG=$(make release-image-tag)
echo "image=$IMAGE_NAME:$IMAGE_TAG" >> "$GITHUB_OUTPUT"
docker load < /tmp/docker-image.tar

- name: Run Trivy vulnerability scan
uses: aquasecurity/trivy-action@master
with:
scan-type: image
image-ref: ${{ steps.build-image.outputs.image }}
image-ref: ${{ needs.build-and-cache.outputs.image }}
format: table
exit-code: 1
ignore-unfixed: true
Expand All @@ -88,6 +149,7 @@ jobs:

anchore-scan:
runs-on: ubuntu-latest
needs: build-and-cache

steps:
- uses: actions/checkout@v4
Expand All @@ -99,18 +161,22 @@ jobs:
${{ inputs.app_name }}/.grype.yml
.grype.yml

- name: Build and tag Docker image for scanning
id: build-image
- name: Restore cached Docker image
uses: actions/cache/restore@v4
with:
path: /tmp/docker-image.tar
key: ${{ inputs.app_name }}-docker-image-${{ github.sha }}
restore-keys: |
${{ inputs.app_name }}-docker-image-

- name: Load cached Docker image
run: |
make APP_NAME=${{ inputs.app_name }} release-build
IMAGE_NAME=$(make APP_NAME=${{ inputs.app_name }} release-image-name)
IMAGE_TAG=$(make release-image-tag)
echo "image=$IMAGE_NAME:$IMAGE_TAG" >> "$GITHUB_OUTPUT"
docker load < /tmp/docker-image.tar

- name: Run Anchore vulnerability scan
uses: anchore/scan-action@v3
with:
image: ${{ steps.build-image.outputs.image }}
image: ${{ needs.build-and-cache.outputs.image }}
output-format: table
env:
GRYPE_CONFIG: ${{ steps.grype-config.outputs.found_file }}
Expand All @@ -121,6 +187,7 @@ jobs:

dockle-scan:
runs-on: ubuntu-latest
needs: build-and-cache

steps:
- uses: actions/checkout@v4
Expand All @@ -132,13 +199,17 @@ jobs:
${{ inputs.app_name }}/.dockleconfig
.dockleconfig

- name: Build and tag Docker image for scanning
id: build-image
- name: Restore cached Docker image
uses: actions/cache/restore@v4
with:
path: /tmp/docker-image.tar
key: ${{ inputs.app_name }}-docker-image-${{ github.sha }}
restore-keys: |
${{ inputs.app_name }}-docker-image-

- name: Load cached Docker image
run: |
make APP_NAME=${{ inputs.app_name }} release-build
IMAGE_NAME=$(make APP_NAME=${{ inputs.app_name }} release-image-name)
IMAGE_TAG=$(make release-image-tag)
echo "image=$IMAGE_NAME:$IMAGE_TAG" >> "$GITHUB_OUTPUT"
docker load < /tmp/docker-image.tar

# Dockle doesn't allow you to have an ignore file for the DOCKLE_ACCEPT_FILES
# variable, this will save the variable in this file to env for Dockle
Expand All @@ -151,7 +222,7 @@ jobs:
- name: Run Dockle container linter
uses: erzz/dockle-action@v1.3.1
with:
image: ${{ steps.build-image.outputs.image }}
image: ${{ needs.build-and-cache.outputs.image }}
exit-code: "1"
failure-threshold: WARN
accept-filenames: ${{ env.DOCKLE_ACCEPT_FILES }}
Expand Down
2 changes: 1 addition & 1 deletion docs/app-rails/auth.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -7,7 +7,7 @@ Authentication is the process of verifying the credentials of a user. We use AWS
- User credentials are stored in AWS Cognito
- Password policy is enforced by Cognito
- Custom pages are built for the AWS Cognito flows (login, signup, forgot password, etc.). We aren't using the hosted UI that Cognito provides since we need more control over the UI and content.
- [Devise](https://www.rubydoc.info/github/heartcombo/devise/main) and [Warden](https://www.rubydoc.info/github/hassox/warden) facilitate auth and session management
- [Devise](https://www.rubydoc.info/github/heartcombo/devise/main) and [Warden](https://github.com/wardencommunity/warden/wiki) facilitate auth and session management

## Authorization

Expand Down
Loading