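# docker-scan: on every pull request, find the Dockerfiles under docker/ that
# the PR touched, build each one for linux/amd64 (loaded locally, never pushed),
# scan the resulting image with Trivy for CRITICAL/HIGH findings, and post the
# table as a sticky PR comment. Findings are reported, not enforced.
name: docker-scan
on:
  pull_request:
# No default token permissions; each job declares only what it needs.
permissions: {}
jobs:
  check-changes:
    name: docker-scan/check-changes
    # Least privilege: only what checkout and paths-filter use. No step in
    # this job requests an OIDC token, so id-token: write is not granted.
    permissions:
      actions: read # Required to read workflow run information
      contents: read # Required to checkout repository code
      pull-requests: read # Required to read pull request information
    runs-on: ubuntu-latest
    outputs:
      # JSON array of changed Dockerfile paths, consumed by the matrix below
      changed-dockerfile: ${{ steps.filter.outputs.dockerfile_files }}
      # 'true' when at least one path matched the dockerfile filter
      changed: ${{ steps.filter.outputs.dockerfile }}
    steps:
      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
        with:
          # Nothing in this job runs git with credentials after checkout,
          # so do not leave the token behind in .git/config.
          persist-credentials: false
      - uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3.0.2
        id: filter
        with:
          # Emit matched paths as a JSON list so they can feed fromJson()
          list-files: 'json'
          # Only Dockerfiles under docker/ trigger a build and scan
          filters: |
            dockerfile:
              - 'docker/**/Dockerfile'
  scan-and-comment:
    name: docker-scan/scan-and-comment
    permissions:
      issues: write # Required to create comments on issues
      pull-requests: write # Required to create comments on pull requests
      packages: read # Required to read GitHub packages/container registry
    runs-on: ubuntu-latest
    needs: check-changes
    if: needs.check-changes.outputs.changed == 'true'
    strategy:
      # One build-and-scan run per changed Dockerfile
      matrix:
        dockerfile: ${{fromJson(needs.check-changes.outputs.changed-dockerfile)}}
    steps:
      - name: Checkout code
        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
        with:
          submodules: true
          # NOTE(review): repository secrets are not exposed to pull_request
          # runs from forks, so this step and the registry logins below will
          # not succeed for fork PRs — confirm that is intended.
          token: ${{ secrets.BLOCKCHAIN_ACTIONS_TOKEN }}
          persist-credentials: false
      - name: Get Rust version
        env:
          # Passed through env rather than interpolated into the script body
          GH_WORKSPACE: ${{ github.workspace }}
        # Reads the toolchain channel (e.g. "1.2.3") into RUST_IMAGE_VERSION
        # for the build step; assumes a `channel = "..."` line exists.
        run: |
          version="$(grep 'channel' "$GH_WORKSPACE/rust-toolchain.toml" | awk -F' = ' '{print $2}' | tr -d '"')"
          echo "RUST_IMAGE_VERSION=$version" >> "$GITHUB_ENV"
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@d70bba72b1f3fd22344832f00baa16ece964efeb # v3.3.0
        with:
          platforms: linux/amd64
      - name: Login to GitHub Container Registry
        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - name: Login to Chainguard Container Registry
        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
        with:
          registry: cgr.dev
          username: ${{ secrets.CGR_USERNAME }}
          password: ${{ secrets.CGR_PASSWORD }}
      - name: Docker Build and Push with Platform Tag
        id: build
        uses: docker/build-push-action@5cd11c3a4ced054e52742c5fd54dca954e0edd85 # v6.7.0
        env:
          RUNS_ON_S3_BUCKET_CACHE: gh-actions-cache-eu-west-3
          RUNS_ON_AWS_REGION: eu-west-3
        with:
          build-args: |
            RUST_IMAGE_VERSION=${{ env.RUST_IMAGE_VERSION }}
            TARGETARCH=amd64
          context: '.'
          # Build secret is mounted by BuildKit, not baked into a layer
          secrets: BLOCKCHAIN_ACTIONS_TOKEN=${{ secrets.BLOCKCHAIN_ACTIONS_TOKEN }}
          file: ${{ matrix.dockerfile }}
          platforms: linux/amd64
          # Load into the local daemon only; the image is scanned, not published
          push: false
          pull: false
          load: true
          # No attestations for a throwaway local image
          provenance: false
          sbom: false
          target: prod
          tags: |
            base:latest
      - name: Scan image with Trivy
        uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # v0.35.0
        # No exit-code is set, so findings are written to the file but do
        # not fail the step; the job is informational.
        with:
          image-ref: base:latest
          format: 'table'
          severity: 'CRITICAL,HIGH'
          output: trivy-result.txt
      - name: Check Trivy result file
        run: cat trivy-result.txt
      - name: Format Trivy Scan Result
        # printf '%s' reproduces the scanner output literally; echo -e would
        # reinterpret any backslash sequences found in package names or paths.
        # An empty result file means no CRITICAL/HIGH findings.
        run: |
          if [ -s trivy-result.txt ]; then
            {
              printf '%s\n' '## Vulnerability Scan Results' '<details><summary>Details</summary>' ''
              printf '```\n%s\n```\n</details>\n' "$(cat trivy-result.txt)"
            } > formatted-trivy-result.md
          else
            printf '%s\n' '## Vulnerability Scan Results' 'No vulnerabilities were detected.' > formatted-trivy-result.md
          fi
      - name: Comment PR with Trivy scan results
        uses: marocchino/sticky-pull-request-comment@773744901bac0e8cbb5a0dc842800d45e9b2b405 # v2.9.4
        env:
          # NOTE(review): the job already holds pull-requests: write; confirm
          # the PAT is needed here (e.g. to comment under a bot identity).
          GITHUB_TOKEN: ${{ secrets.BLOCKCHAIN_ACTIONS_TOKEN }}
        with:
          path: formatted-trivy-result.md
      - name: Clean up Trivy result file
        # Run even when an earlier step failed so partial output never lingers
        if: always()
        run: rm -f trivy-result.txt formatted-trivy-result.md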