feat: updated cve-scan workflow, address ratelimiting for Trivy

tricky42 · tricky42 · commit a16654df03ae · 2024-11-18T16:59:42.000+01:00
diff --git a/.github/workflows/cve-scan-old.yaml b/.github/workflows/cve-scan-old.yaml
@@ -0,0 +1,94 @@
+name: Docker Image Scanners
+on:
+  push:
+    branches:
+      - "master"
+    tags:
+      - "v*.*.*"
+  pull_request:
+    branches:
+      - "master"
+  merge_group:
+
+jobs:
+  scanners:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+      - name: Setup Env
+        id: vars
+        shell: bash
+        run: |
+          echo "SHA_SHORT=$(git rev-parse --short HEAD)" >> "${GITHUB_ENV}"
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v2
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v2
+      - name: Build images
+        shell: bash
+        run: |
+          IMAGE_TAG="${{ env.SHA_SHORT }}" make docker
+      - name: Anchore Scanner
+        uses: anchore/scan-action@v3
+        id: grype-scan
+        with:
+          image: oryd/keto:${{ env.SHA_SHORT }}
+          fail-build: true
+          severity-cutoff: high
+          add-cpes-if-none: true
+      - name: Inspect action SARIF report
+        shell: bash
+        if: ${{ always() }}
+        run: |
+          echo "::group::Anchore Scan Details"
+          jq '.runs[0].results' ${{ steps.grype-scan.outputs.sarif }}
+          echo "::endgroup::"
+      - name: Anchore upload scan SARIF report
+        if: always()
+        uses: github/codeql-action/upload-sarif@v2
+        with:
+          sarif_file: ${{ steps.grype-scan.outputs.sarif }}
+      #      - name: Kubescape scanner
+      #        uses: kubescape/github-action@main
+      #        id: kubescape
+      #        with:
+      #          image: oryd/keto:${{ env.SHA_SHORT }}
+      #          verbose: true
+      #          format: pretty-printer
+      #          # can't whitelist CVE yet: https://github.com/kubescape/kubescape/pull/1568
+      #          severityThreshold: critical
+      - name: Trivy Scanner
+        uses: aquasecurity/trivy-action@master
+        if: ${{ always() }}
+        with:
+          image-ref: oryd/keto:${{ env.SHA_SHORT }}
+          format: "table"
+          exit-code: "42"
+          ignore-unfixed: true
+          vuln-type: "os,library"
+          severity: "CRITICAL,HIGH"
+          scanners: "vuln,secret,config"
+      - name: Dockle Linter
+        uses: erzz/dockle-action@v1.3.2
+        if: ${{ always() }}
+        with:
+          image: oryd/keto:${{ env.SHA_SHORT }}
+          exit-code: 42
+          failure-threshold: high
+      - name: Hadolint
+        uses: hadolint/hadolint-action@v3.1.0
+        id: hadolint
+        if: ${{ always() }}
+        with:
+          dockerfile: .docker/Dockerfile-build
+          verbose: true
+          format: "json"
+          failure-threshold: "error"
+      - name: View Hadolint results
+        if: ${{ always() }}
+        shell: bash
+        run: |
+          echo "::group::Hadolint Scan Details"
+          echo "${HADOLINT_RESULTS}" | jq '.' 
+          echo "::endgroup::"
diff --git a/.github/workflows/cve-scan.yaml b/.github/workflows/cve-scan.yaml
@@ -1,5 +1,6 @@
 name: Docker Image Scanners
 on:
+  workflow_dispatch:
   push:
     branches:
       - "master"
@@ -8,32 +9,70 @@ on:
   pull_request:
     branches:
       - "master"
-  merge_group:
+
+permissions:
+  contents: read
+  security-events: write
 
 jobs:
   scanners:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
       - name: Setup Env
         id: vars
         shell: bash
         run: |
-          echo "SHA_SHORT=$(git rev-parse --short HEAD)" >> "${GITHUB_ENV}"
+          # Store values in local variables
+          SHA_SHORT=$(git rev-parse --short HEAD)
+          REPO_NAME=${{ github.event.repository.name }}
+
+          # Append -sqlite to SHA_SHORT if repo is hydra
+          if [ "${REPO_NAME}" = "hydra" ]; then
+            echo "Repo is hydra, appending -sqlite to SHA_SHORT"
+            IMAGE_NAME="oryd/${REPO_NAME}:${SHA_SHORT}-sqlite"
+          else
+            echo "Repo is not hydra, using default IMAGE_NAME"
+            IMAGE_NAME="oryd/${REPO_NAME}:${SHA_SHORT}"
+          fi
+
+          # Output values for debugging
+          echo "Values to be set:"
+          echo "SHA_SHORT:  ${SHA_SHORT}"
+          echo "REPO_NAME:  ${REPO_NAME}"
+          echo "IMAGE_NAME: ${IMAGE_NAME}"
+
+          # Set GitHub Environment variables
+          echo "SHA_SHORT=${SHA_SHORT}" >> "${GITHUB_ENV}"
+          echo "IMAGE_NAME=${IMAGE_NAME}" >> "${GITHUB_ENV}"
       - name: Set up QEMU
-        uses: docker/setup-qemu-action@v2
+        uses: docker/setup-qemu-action@v3
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v2
+        uses: docker/setup-buildx-action@v3
       - name: Build images
         shell: bash
         run: |
           IMAGE_TAG="${{ env.SHA_SHORT }}" make docker
+
+      - name: Login to GitHub Container Registry
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Configure Trivy
+        run: |
+          mkdir -p $HOME/.cache/trivy
+          echo "TRIVY_USERNAME=${{ github.actor }}" >> $GITHUB_ENV
+          echo "TRIVY_PASSWORD=${{ secrets.GITHUB_TOKEN }}" >> $GITHUB_ENV
+
       - name: Anchore Scanner
-        uses: anchore/scan-action@v3
+        uses: anchore/scan-action@v5
         id: grype-scan
         with:
-          image: oryd/keto:${{ env.SHA_SHORT }}
+          image: ${{ env.IMAGE_NAME }}
           fail-build: true
           severity-cutoff: high
           add-cpes-if-none: true
@@ -46,34 +85,38 @@ jobs:
           echo "::endgroup::"
       - name: Anchore upload scan SARIF report
         if: always()
-        uses: github/codeql-action/upload-sarif@v2
+        uses: github/codeql-action/upload-sarif@v3
         with:
           sarif_file: ${{ steps.grype-scan.outputs.sarif }}
-      #      - name: Kubescape scanner
-      #        uses: kubescape/github-action@main
-      #        id: kubescape
-      #        with:
-      #          image: oryd/keto:${{ env.SHA_SHORT }}
-      #          verbose: true
-      #          format: pretty-printer
-      #          # can't whitelist CVE yet: https://github.com/kubescape/kubescape/pull/1568
-      #          severityThreshold: critical
+      - name: Kubescape scanner
+        uses: kubescape/github-action@main
+        id: kubescape
+        with:
+          image: ${{ env.IMAGE_NAME }}
+          verbose: true
+          format: pretty-printer
+          # can't whitelist CVE yet: https://github.com/kubescape/kubescape/pull/1568
+          severityThreshold: critical
       - name: Trivy Scanner
         uses: aquasecurity/trivy-action@master
         if: ${{ always() }}
         with:
-          image-ref: oryd/keto:${{ env.SHA_SHORT }}
+          image-ref: ${{ env.IMAGE_NAME }}
           format: "table"
           exit-code: "42"
           ignore-unfixed: true
           vuln-type: "os,library"
           severity: "CRITICAL,HIGH"
-          scanners: "vuln,secret,config"
+          scanners: "vuln,secret,misconfig"
+        env:
+          TRIVY_SKIP_JAVA_DB_UPDATE: "true"
+          TRIVY_DISABLE_VEX_NOTICE: "true"
+
       - name: Dockle Linter
-        uses: erzz/dockle-action@v1.3.2
+        uses: erzz/dockle-action@v1
         if: ${{ always() }}
         with:
-          image: oryd/keto:${{ env.SHA_SHORT }}
+          image: ${{ env.IMAGE_NAME }}
           exit-code: 42
           failure-threshold: high
       - name: Hadolint
@@ -90,5 +133,5 @@ jobs:
         shell: bash
         run: |
           echo "::group::Hadolint Scan Details"
-          echo "${HADOLINT_RESULTS}" | jq '.' 
+          echo "${HADOLINT_RESULTS}" | jq '.'
           echo "::endgroup::"
