From 42272a24216d908950f9ff256d774440b07c8c77 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Rui=20Ara=C3=BAjo=20Gomes?= Date: Fri, 25 Oct 2024 12:41:04 +0100 Subject: [PATCH 1/8] update Dockerfile and tests to use the same user as the image --- .github/workflows/go-ci-integration.yml | 2 +- .github/workflows/go-e2e.yaml | 3 ++- Dockerfile | 8 ++++---- e2e/utils/helper.go | 2 ++ 4 files changed, 9 insertions(+), 6 deletions(-) diff --git a/.github/workflows/go-ci-integration.yml b/.github/workflows/go-ci-integration.yml index 328fc24c2f6..5db92fa8406 100644 --- a/.github/workflows/go-ci-integration.yml +++ b/.github/workflows/go-ci-integration.yml @@ -49,7 +49,7 @@ jobs: run: echo ${{ steps.docker_build.outputs.digest }} - name: Run docker image and generate results.json run: | - docker run -v ${PWD}/assets/queries:/path \ + docker run --user $(id -u):$(id -g) -v ${PWD}/assets/queries:/path \ kics:${{ github.sha }} scan \ --silent \ --disable-full-descriptions \ diff --git a/.github/workflows/go-e2e.yaml b/.github/workflows/go-e2e.yaml index 873b85d2b02..c80645ed0c5 100644 --- a/.github/workflows/go-e2e.yaml +++ b/.github/workflows/go-e2e.yaml @@ -96,9 +96,10 @@ jobs: - name: Get docker name run: | DOCKER_NAME=$(echo ${{ matrix.kics-docker }} | sed 's/\//-/') + echo "DOCKER_NAME=$DOCKER_NAME" >> $GITHUB_ENV - name: Archive test report if: always() uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3 with: - name: e2e-tests-report-$DOCKER_NAME + name: e2e-tests-report-${{ env.DOCKER_NAME }} path: e2e-report.html diff --git a/Dockerfile b/Dockerfile index 4c62257adba..6901de29fef 100644 --- a/Dockerfile +++ b/Dockerfile 
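Review bot: The `sed 's/\//-/'` that produces DOCKER_NAME (the context line just above the added `echo "DOCKER_NAME=$DOCKER_NAME" >> $GITHUB_ENV`) replaces only the first `/`, so an image reference with a registry or extra namespace segment would still carry a `/` into the artifact name, which upload-artifact rejects; `DOCKER_NAME=$(echo ${{ matrix.kics-docker }} | sed 's/\//-/g')` makes the export robust to that. Whether the matrix ever holds such a value is not visible in this hunk, so this may be a latent rather than a live issue. The added export is otherwise the right fix, since the old `$DOCKER_NAME` in the `with:` block was never expanded.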
@@ -21,17 +21,15 @@ RUN go mod download -x COPY . . # Build the Go app -RUN CGO_ENABLED=0 GOOS=${TARGETOS} GOARCH=${TARGETARCH} go build \ +RUN GOOS=${TARGETOS} GOARCH=${TARGETARCH} go build \ -ldflags "-s -w -X github.com/Checkmarx/kics/v2/internal/constants.Version=${VERSION} -X github.com/Checkmarx/kics/v2/internal/constants.SCMCommit=${COMMIT} -X github.com/Checkmarx/kics/v2/internal/constants.SentryDSN=${SENTRY_DSN} -X github.com/Checkmarx/kics/v2/internal/constants.BaseURL=${DESCRIPTIONS_URL}" \ -a -installsuffix cgo \ -o bin/kics cmd/console/main.go -USER nonroot - # Runtime image # Ignore no User Cmd since KICS container is stopped afer scan # kics-scan ignore-line -FROM cgr.dev/chainguard/git@sha256:d007b76406e3e77d8f35b26620ffd1f82d71c61d0c900530c2ac4666a96822b8 +FROM cgr.dev/chainguard/git@sha256:409a3061913f7f4f42ee04c33327254615374656a5b86596c229c9065e0524c7 ENV TERM xterm-256color @@ -45,6 +43,8 @@ COPY --from=build_env /app/assets/libraries/* /app/bin/assets/libraries/ WORKDIR /app/bin +USER 65532 + # Healthcheck the container ENV PATH $PATH:/app/bin diff --git a/e2e/utils/helper.go b/e2e/utils/helper.go index fb39e28b360..4a277f5e435 100644 --- a/e2e/utils/helper.go +++ b/e2e/utils/helper.go @@ -1,6 +1,7 @@ package utils import ( + "fmt" "os" "os/exec" "path/filepath" @@ -96,6 +97,7 @@ func runKicsDocker(kicsArgs []string, descriptionServer, kicsDockerImage string) } baseDir := filepath.Dir(cwd) dockerArgs := []string{"run", "-e", descriptionServer, "--add-host=host.docker.internal:host-gateway", + "--user", fmt.Sprintf("%d:%d", os.Getuid(), os.Getgid()), "-v", baseDir + ":/path", kicsDockerImage} completeArgs := append(dockerArgs, kicsArgs...) //nolint return "docker", completeArgs From 400be5519aa28765708e28782f87b9a4be76f692 Mon Sep 17 00:00:00 2001 
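Review bot: Dropping `CGO_ENABLED=0` from the `go build` line changes the binary's linkage, which the commit message (same user as the image) does not account for: if the build stage has a C toolchain, the result becomes dynamically linked against the builder's libc and must stay compatible with the runtime image, while the retained `-a -installsuffix cgo` flags are only meaningful for a cgo-disabled build. If a static binary is still intended, keep `RUN CGO_ENABLED=0 GOOS=${TARGETOS} GOARCH=${TARGETARCH} go build \`; otherwise drop `-installsuffix cgo` and record the reason in a comment next to the build step. The `USER 65532` added in the second Dockerfile hunk is a sound replacement for the removed `USER nonroot`, since a numeric UID lets runtimes verify non-root without resolving /etc/passwd in the image.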
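Review bot: `fmt.Sprintf("%d:%d", os.Getuid(), os.Getgid())` yields `-1:-1` on Windows, where both calls return -1, so the docker invocation would fail with an invalid `--user` on a non-Unix host. If the e2e suite is meant to stay portable, append the two arguments only when `runtime.GOOS != "windows"` (which needs the `runtime` import added alongside the new `fmt` one); if it only ever runs on Linux runners, a one-line comment stating that assumption above the `--user` entry would do, e.g. `// --user matches the host uid/gid so files written to the mounted /path stay owned by the caller (Linux hosts only).` The body of runKicsDocker starts before this hunk.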
From: =?UTF-8?q?Rui=20Ara=C3=BAjo=20Gomes?= Date: Fri, 25 Oct 2024 12:43:43 +0100 Subject: [PATCH 2/8] fix cxone vulnerabilities --- go.mod | 30 +++++++++++++++--------------- go.sum | 58 ++++++++++++++++++++++++++++------------------------------ 2 files changed, 43 insertions(+), 45 deletions(-) diff --git a/go.mod b/go.mod index 4f1ce661f55..bca54cc177f 100644 --- a/go.mod +++ b/go.mod @@ -50,10 +50,10 @@ require ( github.com/yargevad/filepathx v1.0.0 github.com/zclconf/go-cty v1.14.4 golang.org/x/net v0.28.0 - golang.org/x/text v0.17.0 + golang.org/x/text v0.18.0 golang.org/x/tools v0.22.0 gopkg.in/yaml.v3 v3.0.1 - helm.sh/helm/v3 v3.16.1 + helm.sh/helm/v3 v3.16.2 mvdan.cc/sh/v3 v3.8.0 ) @@ -63,7 +63,7 @@ require ( cloud.google.com/go/iam v1.1.6 // indirect cloud.google.com/go/storage v1.38.0 // indirect dario.cat/mergo v1.0.1 // indirect - github.com/Microsoft/hcsshim v0.12.5 // indirect + github.com/Microsoft/hcsshim v0.12.8 // indirect github.com/apparentlymart/go-textseg/v15 v15.0.0 // indirect github.com/aws/aws-sdk-go v1.44.295 // indirect github.com/aws/smithy-go v1.20.2 // indirect @@ -128,7 +128,7 @@ require ( github.com/boombuler/barcode v1.0.1 // indirect github.com/cespare/xxhash/v2 v2.3.0 // indirect github.com/chai2010/gettext-go v1.0.2 // indirect - github.com/containerd/containerd v1.7.21 // indirect + github.com/containerd/containerd v1.7.23 // indirect github.com/cyphar/filepath-securejoin v0.3.1 // indirect github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect github.com/docker/cli v27.1.1+incompatible // indirect 
@@ -219,27 +219,27 @@ require ( github.com/xo/terminfo v0.0.0-20210125001918-ca9a967f8778 // indirect github.com/yashtewari/glob-intersection v0.2.0 // indirect go.starlark.net v0.0.0-20230525235612-a134d8f9ddca // indirect - golang.org/x/crypto v0.26.0 // indirect + golang.org/x/crypto v0.27.0 // indirect golang.org/x/oauth2 v0.21.0 // indirect golang.org/x/sync v0.8.0 // indirect - golang.org/x/sys v0.23.0 // indirect - golang.org/x/term v0.23.0 // indirect + golang.org/x/sys v0.25.0 // indirect + golang.org/x/term v0.24.0 // indirect golang.org/x/time v0.6.0 // indirect google.golang.org/grpc v1.66.0 // indirect google.golang.org/protobuf v1.34.2 // indirect gopkg.in/inf.v0 v0.9.1 // indirect gopkg.in/ini.v1 v1.67.0 // indirect gopkg.in/yaml.v2 v2.4.0 // indirect - k8s.io/api v0.31.0 - k8s.io/apiextensions-apiserver v0.31.0 // indirect - k8s.io/apimachinery v0.31.0 - k8s.io/apiserver v0.31.0 // indirect - k8s.io/cli-runtime v0.31.0 // indirect - k8s.io/client-go v0.31.0 - k8s.io/component-base v0.31.0 // indirect + k8s.io/api v0.31.1 + k8s.io/apiextensions-apiserver v0.31.1 // indirect + k8s.io/apimachinery v0.31.1 + k8s.io/apiserver v0.31.1 // indirect + k8s.io/cli-runtime v0.31.1 // indirect + k8s.io/client-go v0.31.1 + k8s.io/component-base v0.31.1 // indirect k8s.io/klog/v2 v2.130.1 // indirect k8s.io/kube-openapi v0.0.0-20240228011516-70dd3763d340 // indirect - k8s.io/kubectl v0.31.0 // indirect + k8s.io/kubectl v0.31.1 // indirect k8s.io/utils v0.0.0-20240711033017-18e509b52bc8 // indirect oras.land/oras-go v1.2.5 // indirect sigs.k8s.io/controller-runtime v0.14.6 diff --git a/go.sum b/go.sum index faf6db7b0da..7a798d0a75f 100644 --- a/go.sum +++ b/go.sum 
@@ -209,8 +209,8 @@ github.com/Masterminds/squirrel v1.5.4 h1:uUcX/aBc8O7Fg9kaISIUsHXdKuqehiXAMQTYX8 github.com/Masterminds/squirrel v1.5.4/go.mod h1:NNaOrjSoIDfDA40n7sr2tPNZRfjzjA400rg+riTZj10= github.com/Microsoft/go-winio v0.6.2 h1:F2VQgta7ecxGYO8k3ZZz3RS8fVIXVxONVUPlNERoyfY= github.com/Microsoft/go-winio v0.6.2/go.mod h1:yd8OoFMLzJbo9gZq8j5qaps8bJ9aShtEA8Ipt1oGCvU= -github.com/Microsoft/hcsshim v0.12.5 h1:bpTInLlDy/nDRWFVcefDZZ1+U8tS+rz3MxjKgu9boo0= -github.com/Microsoft/hcsshim v0.12.5/go.mod h1:tIUGego4G1EN5Hb6KC90aDYiUI2dqLSTTOCjVNpOgZ8= +github.com/Microsoft/hcsshim v0.12.8 h1:BtDWYlFMcWhorrvSSo2M7z0csPdw6t7no/C3FsSvqiI= +github.com/Microsoft/hcsshim v0.12.8/go.mod h1:cibQ4BqhJ32FXDwPdQhKhwrwophnh3FuT4nwQZF907w= github.com/OneOfOne/xxhash v1.2.2/go.mod h1:HSdplMjZKSmBqAxg5vPj2TmRDmfkzw+cTzAElWljhcU= github.com/OneOfOne/xxhash v1.2.8 h1:31czK/TI9sNkxIKfaUfGlU47BAxQ0ztGgd9vPyqimf8= github.com/OneOfOne/xxhash v1.2.8/go.mod h1:eZbhyaAYD41SGSSsnmcpxVoRiQ/MPUTjUdIIOT9Um7Q= 
@@ -294,12 +294,10 @@ github.com/cncf/xds/go v0.0.0-20210922020428-25de7278fc84/go.mod h1:eXthEFrGJvWH github.com/cncf/xds/go v0.0.0-20211001041855-01bcc9b48dfe/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs= github.com/cncf/xds/go v0.0.0-20211011173535-cb28da3451f1/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs= github.com/containerd/cgroups v1.1.0 h1:v8rEWFl6EoqHB+swVNjVoCJE8o3jX7e8nqBGPLaDFBM= -github.com/containerd/cgroups/v3 v3.0.2 h1:f5WFqIVSgo5IZmtTT3qVBo6TzI1ON6sycSBKkymb9L0= -github.com/containerd/cgroups/v3 v3.0.2/go.mod h1:JUgITrzdFqp42uI2ryGA+ge0ap/nxzYgkGmIcetmErE= +github.com/containerd/cgroups/v3 v3.0.3 h1:S5ByHZ/h9PMe5IOQoN7E+nMc2UcLEM/V48DGDJ9kip0= +github.com/containerd/cgroups/v3 v3.0.3/go.mod h1:8HBe7V3aWGLFPd/k03swSIsGjZhHI2WzJmticMgVuz0= github.com/containerd/containerd v1.6.26 h1:VVfrE6ZpyisvB1fzoY8Vkiq4sy+i5oF4uk7zu03RaHs= github.com/containerd/containerd v1.6.26/go.mod h1:I4TRdsdoo5MlKob5khDJS2EPT1l1oMNaE2MBm6FrwxM= -github.com/containerd/errdefs v0.1.0 h1:m0wCRBiu1WJT/Fr+iOoQHMQS/eP5myQ8lCv4Dz5ZURM= -github.com/containerd/errdefs v0.1.0/go.mod h1:YgWiiHtLmSeBrvpw+UfPijzbLaB77mEG1WwJTDETIV0= github.com/containerd/log v0.1.0 h1:TCJt7ioM2cr/tfR8GPbGf9/VRAX8D2B4PjzCpfX540I= github.com/containerd/log v0.1.0/go.mod h1:VRRf09a7mHDIRezVKTRCrOq78v577GXq3bSa3EhrzVo= github.com/containerd/typeurl/v2 v2.1.1 h1:3Q4Pt7i8nYwy2KmQWIw2+1hTvwTE/6w9FqcttATPO/4= 
@@ -1110,8 +1108,8 @@ golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.12.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.17.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= golang.org/x/sys v0.19.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= -golang.org/x/sys v0.23.0 h1:YfKFowiIMvtgl1UERQoTPPToxltDeZfbj4H7dVUCwmM= -golang.org/x/sys v0.23.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= +golang.org/x/sys v0.25.0 h1:r+8e+loiHxRqhXVl6ML1nO3l1+oFoWbnlu2Ehimmi34= +golang.org/x/sys v0.25.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= golang.org/x/term v0.0.0-20220526004731-065cf7ba2467/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= @@ -1119,8 +1117,8 @@ golang.org/x/term v0.1.0/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k= golang.org/x/term v0.17.0/go.mod h1:lLRBjIVuehSbZlaOtGMbcMncT+aqLLLmKrsjNrUguwk= golang.org/x/term v0.19.0/go.mod h1:2CuTdWZ7KHSQwUzKva0cbMg6q2DMI3Mmxp+gKJbskEk= -golang.org/x/term v0.23.0 h1:F6D4vR+EHoL9/sWAWgAR1H2DcHr4PareCbAaCo1RpuU= -golang.org/x/term v0.23.0/go.mod h1:DgV24QBUrK6jhZXl+20l6UWznPlwAHm1Q1mGHtydmSk= +golang.org/x/term v0.24.0 h1:Mh5cbb+Zk2hqqXNO7S1iTjEphVL+jb8ZWaqh/g+JWkM= +golang.org/x/term v0.24.0/go.mod h1:lOBK/LVxemqiMij05LGJ0tzNr8xlmwBRJ81PX6wVLH8= golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= 
@@ -1133,8 +1131,8 @@ golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ= golang.org/x/text v0.4.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8= golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8= golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU= -golang.org/x/text v0.17.0 h1:XtiM5bkSOt+ewxlOE/aE/AKEHibwj/6gvWMl9Rsh0Qc= -golang.org/x/text v0.17.0/go.mod h1:BuEKDfySbSR4drPmRPG/7iBdf8hvFMuRexcpahXilzY= +golang.org/x/text v0.18.0 h1:XvMDiNzPAl0jr17s6W9lcaIhGUfUORdGCNsuLmPG224= +golang.org/x/text v0.18.0/go.mod h1:BuEKDfySbSR4drPmRPG/7iBdf8hvFMuRexcpahXilzY= golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/time v0.0.0-20191024005414-555d28b269f0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= @@ -1437,8 +1435,8 @@ gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA= gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= gotest.tools/v3 v3.5.0 h1:Ljk6PdHdOhAb5aDMWXjDLMMhph+BpztA4v1QdqEW2eY= gotest.tools/v3 v3.5.0/go.mod h1:isy3WKz7GK6uNw/sbHzfKBLvlvXwUyV06n6brMxxopU= -helm.sh/helm/v3 v3.16.1 h1:cER6tI/8PgUAsaJaQCVBUg3VI9KN4oVaZJgY60RIc0c= -helm.sh/helm/v3 v3.16.1/go.mod h1:r+xBHHP20qJeEqtvBXMf7W35QDJnzY/eiEBzt+TfHps= +helm.sh/helm/v3 v3.16.2 h1:Y9v7ry+ubQmi+cb5zw1Llx8OKHU9Hk9NQ/+P+LGBe2o= +helm.sh/helm/v3 v3.16.2/go.mod h1:SyTXgKBjNqi2NPsHCW5dDAsHqvGIu0kdNYNH9gQaw70= honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= honnef.co/go/tools v0.0.0-20190106161140-3f1c8253044a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= honnef.co/go/tools v0.0.0-20190418001031-e561f6794a2a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= 
@@ -1446,26 +1444,26 @@ honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWh honnef.co/go/tools v0.0.1-2019.2.3/go.mod h1:a3bituU0lyd329TUQxRnasdCoJDkEUEAqEt0JzvZhAg= honnef.co/go/tools v0.0.1-2020.1.3/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k= honnef.co/go/tools v0.0.1-2020.1.4/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k= -k8s.io/api v0.31.0 h1:b9LiSjR2ym/SzTOlfMHm1tr7/21aD7fSkqgD/CVJBCo= -k8s.io/api v0.31.0/go.mod h1:0YiFF+JfFxMM6+1hQei8FY8M7s1Mth+z/q7eF1aJkTE= -k8s.io/apiextensions-apiserver v0.31.0 h1:fZgCVhGwsclj3qCw1buVXCV6khjRzKC5eCFt24kyLSk= -k8s.io/apiextensions-apiserver v0.31.0/go.mod h1:b9aMDEYaEe5sdK+1T0KU78ApR/5ZVp4i56VacZYEHxk= -k8s.io/apimachinery v0.31.0 h1:m9jOiSr3FoSSL5WO9bjm1n6B9KROYYgNZOb4tyZ1lBc= -k8s.io/apimachinery v0.31.0/go.mod h1:rsPdaZJfTfLsNJSQzNHQvYoTmxhoOEofxtOsF3rtsMo= -k8s.io/apiserver v0.31.0 h1:p+2dgJjy+bk+B1Csz+mc2wl5gHwvNkC9QJV+w55LVrY= -k8s.io/apiserver v0.31.0/go.mod h1:KI9ox5Yu902iBnnyMmy7ajonhKnkeZYJhTZ/YI+WEMk= -k8s.io/cli-runtime v0.31.0 h1:V2Q1gj1u3/WfhD475HBQrIYsoryg/LrhhK4RwpN+DhA= -k8s.io/cli-runtime v0.31.0/go.mod h1:vg3H94wsubuvWfSmStDbekvbla5vFGC+zLWqcf+bGDw= -k8s.io/client-go v0.31.0 h1:QqEJzNjbN2Yv1H79SsS+SWnXkBgVu4Pj3CJQgbx0gI8= -k8s.io/client-go v0.31.0/go.mod h1:Y9wvC76g4fLjmU0BA+rV+h2cncoadjvjjkkIGoTLcGU= -k8s.io/component-base v0.31.0 h1:/KIzGM5EvPNQcYgwq5NwoQBaOlVFrghoVGr8lG6vNRs= -k8s.io/component-base v0.31.0/go.mod h1:TYVuzI1QmN4L5ItVdMSXKvH7/DtvIuas5/mm8YT3rTo= +k8s.io/api v0.31.1 h1:Xe1hX/fPW3PXYYv8BlozYqw63ytA92snr96zMW9gWTU= +k8s.io/api v0.31.1/go.mod h1:sbN1g6eY6XVLeqNsZGLnI5FwVseTrZX7Fv3O26rhAaI= +k8s.io/apiextensions-apiserver v0.31.1 h1:L+hwULvXx+nvTYX/MKM3kKMZyei+UiSXQWciX/N6E40= +k8s.io/apiextensions-apiserver v0.31.1/go.mod h1:tWMPR3sgW+jsl2xm9v7lAyRF1rYEK71i9G5dRtkknoQ= +k8s.io/apimachinery v0.31.1 h1:mhcUBbj7KUjaVhyXILglcVjuS4nYXiwC+KKFBgIVy7U= +k8s.io/apimachinery v0.31.1/go.mod h1:rsPdaZJfTfLsNJSQzNHQvYoTmxhoOEofxtOsF3rtsMo= 
+k8s.io/apiserver v0.31.1 h1:Sars5ejQDCRBY5f7R3QFHdqN3s61nhkpaX8/k1iEw1c= +k8s.io/apiserver v0.31.1/go.mod h1:lzDhpeToamVZJmmFlaLwdYZwd7zB+WYRYIboqA1kGxM= +k8s.io/cli-runtime v0.31.1 h1:/ZmKhmZ6hNqDM+yf9s3Y4KEYakNXUn5sod2LWGGwCuk= +k8s.io/cli-runtime v0.31.1/go.mod h1:pKv1cDIaq7ehWGuXQ+A//1OIF+7DI+xudXtExMCbe9U= +k8s.io/client-go v0.31.1 h1:f0ugtWSbWpxHR7sjVpQwuvw9a3ZKLXX0u0itkFXufb0= +k8s.io/client-go v0.31.1/go.mod h1:sKI8871MJN2OyeqRlmA4W4KM9KBdBUpDLu/43eGemCg= +k8s.io/component-base v0.31.1 h1:UpOepcrX3rQ3ab5NB6g5iP0tvsgJWzxTyAo20sgYSy8= +k8s.io/component-base v0.31.1/go.mod h1:WGeaw7t/kTsqpVTaCoVEtillbqAhF2/JgvO0LDOMa0w= k8s.io/klog/v2 v2.130.1 h1:n9Xl7H1Xvksem4KFG4PYbdQCQxqc/tTUyrgXaOhHSzk= k8s.io/klog/v2 v2.130.1/go.mod h1:3Jpz1GvMt720eyJH1ckRHK1EDfpxISzJ7I9OYgaDtPE= k8s.io/kube-openapi v0.0.0-20240228011516-70dd3763d340 h1:BZqlfIlq5YbRMFko6/PM7FjZpUb45WallggurYhKGag= k8s.io/kube-openapi v0.0.0-20240228011516-70dd3763d340/go.mod h1:yD4MZYeKMBwQKVht279WycxKyM84kkAx2DPrTXaeb98= -k8s.io/kubectl v0.31.0 h1:kANwAAPVY02r4U4jARP/C+Q1sssCcN/1p9Nk+7BQKVg= -k8s.io/kubectl v0.31.0/go.mod h1:pB47hhFypGsaHAPjlwrNbvhXgmuAr01ZBvAIIUaI8d4= +k8s.io/kubectl v0.31.1 h1:ih4JQJHxsEggFqDJEHSOdJ69ZxZftgeZvYo7M/cpp24= +k8s.io/kubectl v0.31.1/go.mod h1:aNuQoR43W6MLAtXQ/Bu4GDmoHlbhHKuyD49lmTC8eJM= k8s.io/utils v0.0.0-20240711033017-18e509b52bc8 h1:pUdcCO1Lk/tbT5ztQWOBi5HBgbBP1J8+AsQnQCKsi8A= k8s.io/utils v0.0.0-20240711033017-18e509b52bc8/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0= mvdan.cc/sh/v3 v3.8.0 h1:ZxuJipLZwr/HLbASonmXtcvvC9HXY9d2lXZHnKGjFc8= From 198a12773f67290754adbd8da02030402295e106 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Rui=20Ara=C3=BAjo=20Gomes?= Date: Fri, 25 Oct 2024 12:50:18 +0100 Subject: [PATCH 3/8] fix grype --- .grype.yaml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.grype.yaml b/.grype.yaml index 1e526650ca5..c441beea209 100644 --- a/.grype.yaml +++ b/.grype.yaml 
@@ -7,3 +7,5 @@ ignore:
location: "/usr/bin/terraform"
- package:
location: "/usr/local/bin/terraform"
+exclude:
+ - './.github/scripts/report/**' # test files
\ No newline at end of file
From 29890d78996c0fc3237284ca8b62d38cf8c08394 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Rui=20Ara=C3=BAjo=20Gomes?=
Date: Fri, 25 Oct 2024 12:52:16 +0100
Subject: [PATCH 4/8] update kics internal release workflow
---
.github/workflows/release-kics-cxone.yaml | 44 ++++++++++++++++++
.../release-kics-queries-repo-branch.yaml | 45 -------------------
2 files changed, 44 insertions(+), 45 deletions(-)
create mode 100644 .github/workflows/release-kics-cxone.yaml
delete mode 100644 .github/workflows/release-kics-queries-repo-branch.yaml
diff --git a/.github/workflows/release-kics-cxone.yaml b/.github/workflows/release-kics-cxone.yaml
new file mode 100644
index 00000000000..ed5f559835f
--- /dev/null
+++ b/.github/workflows/release-kics-cxone.yaml
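Review bot: The new `exclude` entry takes `./.github/scripts/report/**` out of grype's scan, yet the `# test files` comment does not match a directory whose path suggests it holds CI report scripts; anything under it that actually runs in a workflow still matters for vulnerability findings. If only fixtures produce noise, narrow the glob to the fixture subdirectory (its exact path is not visible here) and say so in the comment, e.g. `# fixtures only; the report scripts themselves stay in scope`. The file also now ends without a trailing newline.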
@@ -0,0 +1,44 @@
+name: release-kics-cxone
+on:
+ release:
+ types:
+ - published
+jobs:
+ create-branch:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+
+ - name: Set up Git credentials
+ run: |
+ git config --global user.name "KICSBot"
+ git config --global user.email "41898282+github-actions[bot]@users.noreply.github.com"
+ git config --global url."https://${{ secrets.CHECKMARXDEV_GIT_TOKEN }}@github.com".insteadOf "https://github.com"
+
+ - name: Clone internal repository
+ run: |
+ cd ..
+ git clone https://github.com/CheckmarxDev/${{ secrets.CHECKMARXDEV_KICS_RELEASER }}.git
+
+ - name: Create new branch for release ${{ github.event.release.name }}
+ run: |
+ cd ../${{ secrets.CHECKMARXDEV_KICS_RELEASER }}
+ git checkout --orphan ${{ github.event.release.name }}
+ find . -mindepth 1 \( -not -path './.*' -not -name 'README.md' -o -name '.gitignore' \) -delete
+
+ - name: Copy queries to new branch
+ run: |
+ mkdir -p ../${{ secrets.CHECKMARXDEV_KICS_RELEASER }}/kics-queries
+ rsync -av --exclude='*/test/*' --exclude='common/*' ./assets/queries/ ../${{ secrets.CHECKMARXDEV_KICS_RELEASER }}/kics-queries/
+
+ - name: Modify circleci configuration
+ run: |
+ sed -i 's/BRANCH_NAME_TEMPLATE_TO_REPLACE/${{ github.event.release.name }}/g' ../${{ secrets.CHECKMARXDEV_KICS_RELEASER }}/.circleci/config.yml
+
+ - name: Push branch
+ run: |
+ cd ../${{ secrets.CHECKMARXDEV_KICS_RELEASER }}
+ git add .
+ git commit -m "AUTO: Add queries from release ${{ github.event.release.name }} to ${{ secrets.CHECKMARXDEV_KICS_RELEASER }}"
+ git push origin ${{ github.event.release.name }}
\ No newline at end of file
diff --git a/.github/workflows/release-kics-queries-repo-branch.yaml b/.github/workflows/release-kics-queries-repo-branch.yaml
deleted file mode 100644
index 07a11e75d71..00000000000
--- a/.github/workflows/release-kics-queries-repo-branch.yaml
+++ /dev/null
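Review bot: `${{ github.event.release.name }}` is expanded by the runner straight into the `run:` scripts at `git checkout --orphan`, the `sed -i` replacement, the commit message and `git push origin`, so a release title containing shell metacharacters (or `/` and `&` inside the sed replacement) breaks or redirects those steps, and a release title is free text rather than a validated ref. Pass it through the environment instead — `env: RELEASE_NAME: ${{ github.event.release.name }}` on the job and `"$RELEASE_NAME"` in each script — or use `github.event.release.tag_name`, which is constrained to a valid git ref. Separately, the `url."https://…@github.com".insteadOf` rewrite writes `CHECKMARXDEV_GIT_TOKEN` into the runner's global git config, where it stays for every later step of the job; cloning with `actions/checkout` (`repository:`, `token:`, `path:`) scopes the credential to that checkout and removes it afterwards. The `find … -delete` expression also removes `.gitignore` while keeping other dotfiles, which looks intentional but deserves a comment saying why.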
@@ -1,45 +0,0 @@ -name: release-kics-queries-repo-branch -on: - release: - types: - - published -jobs: - create-branch: - runs-on: ubuntu-latest - env: - REPO_NAME: "kics-queries-repo" - steps: - - name: Checkout code - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - - - name: Set up Git credentials - run: | - git config --global user.name "KICSBot" - git config --global user.email "41898282+github-actions[bot]@users.noreply.github.com" - git config --global url."https://${{ secrets.CHECKMARXDEV_GIT_TOKEN }}@github.com".insteadOf "https://github.com" - - - name: Clone kics-queries-repo from CheckmarxDev - run: | - cd .. - git clone https://github.com/CheckmarxDev/$REPO_NAME.git - - - name: Create new branch for release ${{ github.event.release.name }} - run: | - cd ../$REPO_NAME - git checkout -b ${{ github.event.release.name }} - - - name: Copy queries to new branch - run: | - mkdir -p ../$REPO_NAME/kics-queries - rsync -av --exclude='*/test/*' --exclude='common/*' ./assets/queries/ ../$REPO_NAME/kics-queries/ - - - name: Modify circleci configuration - run: | - sed -i 's/branch_name_template_to_replace/${{ github.event.release.name }}/g' ../$REPO_NAME/.circleci/config.yml - - - name: Push branch - run: | - cd ../$REPO_NAME - git add . - git commit -m "Add queries from release ${{ github.event.release.name }} to $REPO_NAME" - git push origin ${{ github.event.release.name }} From f04647d9b12a11a3b7c1743ac19cb2d24629ccc3 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Rui=20Ara=C3=BAjo=20Gomes?= Date: Fri, 25 Oct 2024 14:14:04 +0100 Subject: [PATCH 5/8] add OCI labels --- .github/workflows/release-dkr-image.yml | 32 ++++++++++++++++--- .../release-docker-github-actions.yaml | 26 +++++++++++++-- .github/workflows/release-nightly.yml | 32 ++++++++++++++++--- 3 files changed, 77 insertions(+), 13 deletions(-) diff --git a/.github/workflows/release-dkr-image.yml b/.github/workflows/release-dkr-image.yml index 35117f4cbb2..dff543f11e7 100644 
--- a/.github/workflows/release-dkr-image.yml +++ b/.github/workflows/release-dkr-image.yml @@ -41,14 +41,33 @@ jobs: image: tonistiigi/binfmt:latest platforms: linux/amd64,linux/arm64 - name: Set up Docker Buildx - uses: docker/setup-buildx-action@4fd812986e6c8c2a69e18311145f9371337f27d4 # v3.4.0 + uses: docker/setup-buildx-action@c47758b77c9736f4b2ef4073d4d51994fabfe349 # v3.7.1 - name: Login to DockerHub - uses: docker/login-action@0d4c9c5ea7693da7b068278f7b52bda2a190a446 # v3.2.0 + uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0 with: username: ${{ secrets.DOCKER_USERNAME }} password: ${{ secrets.DOCKER_PASSWORD }} + - name: Get current date + run: echo "CREATED_AT=$(date --rfc-3339=seconds)" >> $GITHUB_ENV + - name: Docker meta + id: meta + uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81 # v5.5.1 + with: + images: "checkmarx/kics" + labels: | + org.opencontainers.image.title=KICS + org.opencontainers.image.version=${{ steps.get-version.outputs.version }} + org.opencontainers.image.vendor=Checkmarx + org.opencontainers.image.authors=KICS + org.opencontainers.image.description=Find security vulnerabilities, compliance issues, and infrastructure misconfigurations early in the development cycle of your infrastructure-as-code with KICS by Checkmarx. + org.opencontainers.image.documentation=https://docs.kics.io + org.opencontainers.image.url=https://github.com/Checkmarx/kics + org.opencontainers.image.source=https://github.com/Checkmarx/kics + org.opencontainers.image.licenses=Apache-2.0 + org.opencontainers.image.revision=${{ github.sha }} + org.opencontainers.image.created=${{ env.CREATED_AT }} - name: Push alpine to Docker Hub - uses: docker/build-push-action@1ca370b3a9802c92e886402e0dd88098a2533b12 # v6.4.1 + uses: docker/build-push-action@4f58ea79222b3b9dc2c8bbdd6debcef730109a75 # v6.9.0 id: build_alpine with: context: . 
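Review bot: `org.opencontainers.image.created=${{ env.CREATED_AT }}` takes its value from `date --rfc-3339=seconds`, which GNU date prints with a space between date and time and in the runner's local offset, whereas the `T`-separated UTC form is what most OCI consumers parse; `run: echo "CREATED_AT=$(date -u +%Y-%m-%dT%H:%M:%SZ)" >> $GITHUB_ENV` gives that directly. The same step and label list are repeated in release-docker-github-actions.yaml and release-nightly.yml. docker/metadata-action already derives `created`, `revision`, `source`, `url`, `title`, `description` and `licenses` from the GitHub context by default, so most of the hand-written labels here appear redundant with what the action emits; confirm against the pinned version's default label set before trimming them to `version`, `vendor`, `authors` and `documentation`. The build-push step that starts at the end of this hunk continues past it.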
@@ -60,9 +79,10 @@ jobs: COMMIT=${{ github.sha }} SENTRY_DSN=${{ secrets.SENTRY_DSN }} DESCRIPTIONS_URL=${{ secrets.DESCRIPTIONS_URL }} + labels: ${{ steps.meta.outputs.labels }} - name: Build and push debian to Docker Hub id: build_debian - uses: docker/build-push-action@1ca370b3a9802c92e886402e0dd88098a2533b12 # v6.4.1 + uses: docker/build-push-action@4f58ea79222b3b9dc2c8bbdd6debcef730109a75 # v6.9.0 with: context: . file: ./docker/Dockerfile.debian @@ -74,9 +94,10 @@ jobs: COMMIT=${{ github.sha }} SENTRY_DSN=${{ secrets.SENTRY_DSN }} DESCRIPTIONS_URL=${{ secrets.DESCRIPTIONS_URL }} + labels: ${{ steps.meta.outputs.labels }} - name: Build and push ubi8 to Docker Hub id: build_ubi8 - uses: docker/build-push-action@1ca370b3a9802c92e886402e0dd88098a2533b12 # v6.4.1 + uses: docker/build-push-action@4f58ea79222b3b9dc2c8bbdd6debcef730109a75 # v6.9.0 with: context: . file: ./docker/Dockerfile.ubi8 @@ -88,6 +109,7 @@ jobs: COMMIT=${{ github.sha }} SENTRY_DSN=${{ secrets.SENTRY_DSN }} DESCRIPTIONS_URL=${{ secrets.DESCRIPTIONS_URL }} + labels: ${{ steps.meta.outputs.labels }} # TODO: dockerhub api does not support PAT yet # https://github.com/docker/roadmap/issues/115#issuecomment-891694974 # https://github.com/docker/roadmap/issues/115 diff --git a/.github/workflows/release-docker-github-actions.yaml b/.github/workflows/release-docker-github-actions.yaml index cb2b87d578a..102e8f7639d 100644 --- a/.github/workflows/release-docker-github-actions.yaml +++ b/.github/workflows/release-docker-github-actions.yaml 
@@ -26,14 +26,33 @@ jobs: image: tonistiigi/binfmt:latest platforms: linux/amd64,linux/arm64 - name: Set up Docker Buildx - uses: docker/setup-buildx-action@4fd812986e6c8c2a69e18311145f9371337f27d4 # v3.4.0 + uses: docker/setup-buildx-action@c47758b77c9736f4b2ef4073d4d51994fabfe349 # v3.7.1 - name: Login to DockerHub - uses: docker/login-action@0d4c9c5ea7693da7b068278f7b52bda2a190a446 # v3.2.0 + uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0 with: username: ${{ secrets.DOCKER_USERNAME }} password: ${{ secrets.DOCKER_PASSWORD }} + - name: Get current date + run: echo "CREATED_AT=$(date --rfc-3339=seconds)" >> $GITHUB_ENV + - name: Docker meta + id: meta + uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81 # v5.5.1 + with: + images: "checkmarx/kics" + labels: | + org.opencontainers.image.title=KICS + org.opencontainers.image.version=${{ github.event.inputs.version }} + org.opencontainers.image.vendor=Checkmarx + org.opencontainers.image.authors=KICS + org.opencontainers.image.description=Find security vulnerabilities, compliance issues, and infrastructure misconfigurations early in the development cycle of your infrastructure-as-code with KICS by Checkmarx. + org.opencontainers.image.documentation=https://docs.kics.io + org.opencontainers.image.url=https://github.com/Checkmarx/kics + org.opencontainers.image.source=https://github.com/Checkmarx/kics + org.opencontainers.image.licenses=Apache-2.0 + org.opencontainers.image.revision=${{ github.sha }} + org.opencontainers.image.created=${{ env.CREATED_AT }} - name: Push Github Action Image to Docker Hub - uses: docker/build-push-action@1ca370b3a9802c92e886402e0dd88098a2533b12 # v6.4.1 + uses: docker/build-push-action@4f58ea79222b3b9dc2c8bbdd6debcef730109a75 # v6.9.0 id: build_gh_action with: context: . 
@@ -45,6 +64,7 @@ jobs: COMMIT=${{ github.sha }} SENTRY_DSN=${{ secrets.SENTRY_DSN }} DESCRIPTIONS_URL=${{ secrets.DESCRIPTIONS_URL }} + labels: ${{ steps.meta.outputs.labels }} - name: Check out the repo uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: diff --git a/.github/workflows/release-nightly.yml b/.github/workflows/release-nightly.yml index 013fdab20a7..fc6adbccbd9 100644 --- a/.github/workflows/release-nightly.yml +++ b/.github/workflows/release-nightly.yml 
@@ -152,15 +152,34 @@ jobs: image: tonistiigi/binfmt:latest platforms: linux/amd64,linux/arm64 - name: Set up Docker Buildx - uses: docker/setup-buildx-action@4fd812986e6c8c2a69e18311145f9371337f27d4 # v3.4.0 + uses: docker/setup-buildx-action@c47758b77c9736f4b2ef4073d4d51994fabfe349 # v3.7.1 - name: Login to DockerHub - uses: docker/login-action@0d4c9c5ea7693da7b068278f7b52bda2a190a446 # v3.2.0 + uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0 with: username: ${{ secrets.DOCKER_USERNAME }} password: ${{ secrets.DOCKER_PASSWORD }} + - name: Get current date + run: echo "CREATED_AT=$(date --rfc-3339=seconds)" >> $GITHUB_ENV + - name: Docker meta + id: meta + uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81 # v5.5.1 + with: + images: "checkmarx/kics" + labels: | + org.opencontainers.image.title=KICS + org.opencontainers.image.version=nightly-${{ needs.pre_release_job.outputs.sha8 }} + org.opencontainers.image.vendor=Checkmarx + org.opencontainers.image.authors=KICS + org.opencontainers.image.description=Find security vulnerabilities, compliance issues, and infrastructure misconfigurations early in the development cycle of your infrastructure-as-code with KICS by Checkmarx. + org.opencontainers.image.documentation=https://docs.kics.io + org.opencontainers.image.url=https://github.com/Checkmarx/kics + org.opencontainers.image.source=https://github.com/Checkmarx/kics + org.opencontainers.image.licenses=Apache-2.0 + org.opencontainers.image.revision=${{ github.sha }} + org.opencontainers.image.created=${{ env.CREATED_AT }} - name: Push alpine to Docker Hub id: build_alpine - uses: docker/build-push-action@1ca370b3a9802c92e886402e0dd88098a2533b12 # v6.4.1 + uses: docker/build-push-action@4f58ea79222b3b9dc2c8bbdd6debcef730109a75 # v6.9.0 with: context: . push: true 
@@ -170,9 +189,10 @@ jobs: VERSION=nightly-${{ needs.pre_release_job.outputs.sha8 }} COMMIT=${{ github.sha }} DESCRIPTIONS_URL=${{ secrets.DESCRIPTIONS_URL }} + labels: ${{ steps.meta.outputs.labels }} - name: Build and push debian to Docker Hub id: build_debian - uses: docker/build-push-action@1ca370b3a9802c92e886402e0dd88098a2533b12 # v6.4.1 + uses: docker/build-push-action@4f58ea79222b3b9dc2c8bbdd6debcef730109a75 # v6.9.0 with: context: . file: ./docker/Dockerfile.debian @@ -183,9 +203,10 @@ jobs: VERSION=nightly-${{ needs.pre_release_job.outputs.sha8 }} COMMIT=${{ github.sha }} DESCRIPTIONS_URL=${{ secrets.DESCRIPTIONS_URL }} + labels: ${{ steps.meta.outputs.labels }} - name: Build and push ubi8 to Docker Hub id: build_ubi8 - uses: docker/build-push-action@1ca370b3a9802c92e886402e0dd88098a2533b12 # v6.4.1 + uses: docker/build-push-action@4f58ea79222b3b9dc2c8bbdd6debcef730109a75 # v6.9.0 with: context: . file: ./docker/Dockerfile.ubi8 @@ -196,6 +217,7 @@ jobs: VERSION=nightly-${{ needs.pre_release_job.outputs.sha8 }} COMMIT=${{ github.sha }} DESCRIPTIONS_URL=${{ secrets.DESCRIPTIONS_URL }} + labels: ${{ steps.meta.outputs.labels }} - name: Create Pull Request uses: peter-evans/create-pull-request@c5a7806660adbe173f04e3e038b0ccdcd758773c # v6 with: From 914d919c60378f118c1dca7a0c5fec6f39bc61e5 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Rui=20Ara=C3=BAjo=20Gomes?= Date: Fri, 25 Oct 2024 16:17:58 +0100 Subject: [PATCH 6/8] remove unused gh actions --- .github/workflows/release-apispec.yml | 196 ------------------ .../workflows/release-dkr-image-for-tag.yml | 112 ---------- 2 files changed, 308 deletions(-) delete mode 100644 .github/workflows/release-apispec.yml delete mode 100644 .github/workflows/release-dkr-image-for-tag.yml diff --git a/.github/workflows/release-apispec.yml b/.github/workflows/release-apispec.yml deleted file mode 100644 index d41daa8d666..00000000000 --- a/.github/workflows/release-apispec.yml +++ /dev/null 
@@ -1,196 +0,0 @@ -name: goreleaser-apispec - -on: - workflow_dispatch: - -jobs: - goreleaser: - runs-on: ubuntu-latest - steps: - - name: Checkout - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - with: - fetch-depth: 0 - - name: Set short hash - id: shorthash - run: echo "::set-output name=sha8::$(echo ${GITHUB_SHA} | cut -c1-8)" - - uses: toko-bifrost/ms-teams-deploy-card@dcc94e4ce4088b1e6b6de5c9a3cda4ddcbe97d2e # 3.1.2 - if: always() - with: - github-token: ${{ secrets.KICS_BOT_PAT }} - webhook-uri: ${{ secrets.MSTEAMS_WEBHOOK_URL }} - card-layout-start: cozy - card-layout-exit: complete - show-on-start: true - show-on-exit: true - custom-facts: | - - name: APISpec Release Commit - value: ${{ steps.shorthash.outputs.sha8 }} - custom-actions: | - - name: View CI Logs - value: https://github.com/Checkmarx/kics/actions/runs/${{ github.run_id }}" - - name: View HEAD Commit - value: https://github.com/Checkmarx/kics/commit/${{ github.sha }} - - name: Set up Go - uses: actions/setup-go@v5 - with: - go-version: 1.23.x - - name: Run GoReleaser - uses: goreleaser/goreleaser-action@5742e2a039330cbb23ebf35f046f814d4c6ff811 #v5.1.0 - with: - version: v0.160.0 - args: release --rm-dist --snapshot --skip-validate --config="./release/.goreleaser-apispec.yml" - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - SENTRY_DSN: ${{ secrets.SENTRY_DSN }} - DESCRIPTIONS_URL: ${{ secrets.DESCRIPTIONS_URL }} - APISCANNER: "true" - - name: delete release - uses: dev-drprasad/delete-tag-and-release@82600feb9527126eca69833f07bafe53279bd9b4 # v1.1 - with: - delete_release: true # default: false - tag_name: apispec # tag name to delete - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - - name: Create Release - id: create_release - uses: actions/create-release@v1.1.4 - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - with: - tag_name: apispec - release_name: apispec-${{ steps.shorthash.outputs.sha8 }} - draft: false - prerelease: true - - name: Display assets - 
run: | - ls -l /home/runner/work/kics/kics/dist - - name: Upload Release Asset Linux - id: upload-release-asset-linux - uses: actions/upload-release-asset@v1.0.2 - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - with: - upload_url: ${{ steps.create_release.outputs.upload_url }} # This pulls from the CREATE RELEASE step above, referencing it's ID to get its outputs object, which include a `upload_url`. See this blog post for more info: https://jasonet.co/posts/new-features-of-github-actions/#passing-data-to-future-steps - asset_path: /home/runner/work/kics/kics/dist/kics_apispec_linux_x64.tar.gz - asset_name: kics_apispec-release_linux_amd64.tar.gz - asset_content_type: application/gzip - - name: Upload Release Asset Darwin - id: upload-release-asset-darwin - uses: actions/upload-release-asset@v1.0.2 - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - with: - upload_url: ${{ steps.create_release.outputs.upload_url }} # This pulls from the CREATE RELEASE step above, referencing it's ID to get its outputs object, which include a `upload_url`. See this blog post for more info: https://jasonet.co/posts/new-features-of-github-actions/#passing-data-to-future-steps - asset_path: /home/runner/work/kics/kics/dist/kics_apispec_darwin_x64.tar.gz - asset_name: kics_apispec-release_darwin_amd64.tar.gz - asset_content_type: application/gzip - - name: Upload Release Asset Windows - id: upload-release-asset-windows - uses: actions/upload-release-asset@v1.0.2 - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - with: - upload_url: ${{ steps.create_release.outputs.upload_url }} # This pulls from the CREATE RELEASE step above, referencing it's ID to get its outputs object, which include a `upload_url`. 
See this blog post for more info: https://jasonet.co/posts/new-features-of-github-actions/#passing-data-to-future-steps - asset_path: /home/runner/work/kics/kics/dist/kics_apispec_windows_x64.zip - asset_name: kics_apispec-release_windows_amd64.zip - asset_content_type: application/zip - - name: Upload Release Asset Checksum - id: upload-release-asset-checksums - uses: actions/upload-release-asset@v1.0.2 - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - with: - upload_url: ${{ steps.create_release.outputs.upload_url }} # This pulls from the CREATE RELEASE step above, referencing it's ID to get its outputs object, which include a `upload_url`. See this blog post for more info: https://jasonet.co/posts/new-features-of-github-actions/#passing-data-to-future-steps - asset_path: /home/runner/work/kics/kics/dist/kics_apispec_checksums.txt - asset_name: kics_apispec-release_checksums.txt - asset_content_type: text/plain - push_to_registry: - name: Push Docker image to Docker Hub - runs-on: ubuntu-latest - steps: - - name: Check out the repo - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - - uses: toko-bifrost/ms-teams-deploy-card@dcc94e4ce4088b1e6b6de5c9a3cda4ddcbe97d2e # 3.1.2 - if: always() - with: - github-token: ${{ secrets.KICS_BOT_PAT }} - webhook-uri: ${{ secrets.MSTEAMS_WEBHOOK_URL }} - card-layout-start: cozy - card-layout-exit: complete - show-on-start: true - show-on-exit: true - custom-facts: | - - name: APISpec Release Commit - value: ${{ steps.shorthash.outputs.sha8 }} - custom-actions: | - - name: View CI Logs - value: https://github.com/Checkmarx/kics/actions/runs/${{ github.run_id }}" - - name: View HEAD Commit - value: https://github.com/Checkmarx/kics/commit/${{ github.sha }} - - name: Set up Docker Buildx - uses: docker/setup-buildx-action@4fd812986e6c8c2a69e18311145f9371337f27d4 # v3.4.0 - - name: Login to DockerHub - uses: docker/login-action@0d4c9c5ea7693da7b068278f7b52bda2a190a446 # v3.2.0 - with: - username: ${{ 
secrets.DOCKER_USERNAME }} - password: ${{ secrets.DOCKER_PASSWORD }} - - name: Push alpine to Docker Hub - id: build_alpine - uses: docker/build-push-action@1ca370b3a9802c92e886402e0dd88098a2533b12 # v6.4.1 - with: - context: . - push: true - file: ./docker/Dockerfile.apispec - tags: checkmarx/kics:apispec,checkmarx/kics:apispec-alpine - build-args: | - VERSION=apipsec-${{ steps.shorthash.outputs.sha8 }} - COMMIT=${{ github.sha }} - DESCRIPTIONS_URL=${{ secrets.DESCRIPTIONS_URL }} - APISCANNER="true" - - name: Build and push debian to Docker Hub - id: build_debian - uses: docker/build-push-action@1ca370b3a9802c92e886402e0dd88098a2533b12 # v6.4.1 - with: - context: . - file: ./docker/Dockerfile.apispec.debian - push: true - tags: checkmarx/kics:apispec-debian,checkmarx/kics:apispec-debian-latest - build-args: | - VERSION=apipsec-${{ steps.shorthash.outputs.sha8 }} - COMMIT=${{ github.sha }} - DESCRIPTIONS_URL=${{ secrets.DESCRIPTIONS_URL }} - APISCANNER="true" - - name: Export Image Digests - run: | - VERSION=apispec - - COMMIT_SHA8=${{ steps.shorthash.outputs.sha8 }} - DATE=$(date +'%Y-%m-%d') - DIGEST=${{ steps.build_alpine.outputs.digest }} - ALPINE_DIGEST=${{ steps.build_alpine.outputs.digest }} - DEBIAN_DIGEST=${{ steps.build_debian.outputs.digest }} - - echo "scratch,${COMMIT_SHA8},${DATE},${DIGEST}" >> docs/docker/apispec.csv - echo "alpine,${COMMIT_SHA8},${DATE},${ALPINE_DIGEST}" >> docs/docker/apispec.csv - echo "debian,${COMMIT_SHA8},${DATE},${DEBIAN_DIGEST}" >> docs/docker/apispec.csv - - uses: actions/setup-python@v4 - with: - python-version: 3.x - - name: Generate .md table - run: | - pip install csvtomd - csvtomd docs/docker/apispec.csv > docs/docker/apispec.md - - name: Create Pull Request - uses: peter-evans/create-pull-request@c5a7806660adbe173f04e3e038b0ccdcd758773c # v6 - with: - title: "docs(kicsbot): update images digest" - token: ${{ secrets.KICS_BOT_PAT }} - commit-message: "docs(kicsbot): update images digest" - delete-branch: true - branch: 
feature/kicsbot-update-queries-docs - body: | - **Automated Changes** - Updating docker images digests - Triggered by SHA: _${{ github.sha }}_ - labels: documentation diff --git a/.github/workflows/release-dkr-image-for-tag.yml b/.github/workflows/release-dkr-image-for-tag.yml deleted file mode 100644 index f1d37aeabff..00000000000 --- a/.github/workflows/release-dkr-image-for-tag.yml +++ /dev/null 
@@ -1,112 +0,0 @@ -name: release-manual-docker-tag-latest - -on: - workflow_dispatch: - inputs: - tag: - description: "Git Tag" - required: true - latest: - description: "true if image is latest" - default: "false" - -jobs: - push_to_registry: - name: Push Docker image to Docker Hub - runs-on: ubuntu-latest - env: - DOCKER_CLI_EXPERIMENTAL: "enabled" - steps: - - name: Check out the repo - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - with: - ref: ${{ github.event.inputs.tag }} - - uses: toko-bifrost/ms-teams-deploy-card@dcc94e4ce4088b1e6b6de5c9a3cda4ddcbe97d2e # 3.1.2 - if: always() - with: - github-token: ${{ secrets.KICS_BOT_PAT }} - webhook-uri: ${{ secrets.MSTEAMS_WEBHOOK_URL }} - card-layout-start: cozy - card-layout-exit: complete - show-on-start: true - show-on-exit: true - custom-actions: | - - name: View CI Logs - value: https://github.com/Checkmarx/kics/actions/runs/${{ github.run_id }} - - name: View HEAD Commit - value: https://github.com/Checkmarx/kics/commit/${{ github.sha }} - - name: Prepare - id: prep - run: | - DOCKER_IMAGE=Checkmarx/kics - VERSION=${{ github.event.inputs.tag }} - TAGS="${DOCKER_IMAGE}:${VERSION}" - ALPINE_TAGS="${TAGS}-alpine" - DEBIAN_TAGS="${TAGS}-debian" - UBI8_TAGS="${TAGS}-ubi8" - - if [ "${{ github.event.inputs.latest }}" = "true" ]; then - TAGS=${TAGS},${DOCKER_IMAGE}:latest - ALPINE_TAGS="{ALPINE_TAGS},${DOCKER_IMAGE}:alpine" - DEBIAN_TAGS="{DEBIAN_TAGS},${DOCKER_IMAGE}:debian" - UBI8_TAGS="{UBI8_TAGS},${DOCKER_IMAGE}:ubi8" - fi - - echo ::set-output name=tags::${TAGS} - echo ::set-output name=alpine_tags::${ALPINE_TAGS} - echo ::set-output name=debian_tags::${DEBIAN_TAGS} - echo ::set-output name=ubi8_tags::${UBI8_TAGS} - - name: Set up QEMU - uses: docker/setup-qemu-action@5927c834f5b4fdf503fca6f4c7eccda82949e1ee # v2 - with: - image: tonistiigi/binfmt:latest - platforms: linux/amd64,linux/arm64 - - name: Set up Docker Buildx - uses: 
docker/setup-buildx-action@4fd812986e6c8c2a69e18311145f9371337f27d4 # v3.4.0 - - name: Login to DockerHub - uses: docker/login-action@0d4c9c5ea7693da7b068278f7b52bda2a190a446 # v3.2.0 - with: - username: ${{ secrets.DOCKER_USERNAME }} - password: ${{ secrets.DOCKER_PASSWORD }} - - name: Push alpine to Docker Hub - uses: docker/build-push-action@1ca370b3a9802c92e886402e0dd88098a2533b12 # v6.4.1 - with: - context: . - push: true - platforms: linux/amd64,linux/arm64 - tags: ${{ steps.prep.outputs.tags }},${{ steps.prep.outputs.alpine_tags }} - build-args: | - VERSION=${{ github.event.inputs.tag }} - COMMIT=${{ github.sha }} - SENTRY_DSN=${{ secrets.SENTRY_DSN }} - DESCRIPTIONS_URL=${{ secrets.DESCRIPTIONS_URL }} - - name: Push debian to Docker Hub - if: ${{ hashFiles('./docker/Dockerfile.debian') }} != "" - id: build_debian - uses: docker/build-push-action@1ca370b3a9802c92e886402e0dd88098a2533b12 # v6.4.1 - with: - context: . - file: ./docker/Dockerfile.debian - push: true - platforms: linux/amd64,linux/arm64 - tags: ${{ steps.prep.outputs.debian_tags }} - build-args: | - VERSION=${{ github.event.inputs.tag }} - COMMIT=${{ github.sha }} - SENTRY_DSN=${{ secrets.SENTRY_DSN }} - DESCRIPTIONS_URL=${{ secrets.DESCRIPTIONS_URL }} - - name: Push ubi8 to Docker Hub - if: ${{ hashFiles('./docker/Dockerfile.ubi8') }} != "" - id: build_ubi8 - uses: docker/build-push-action@1ca370b3a9802c92e886402e0dd88098a2533b12 # v6.4.1 - with: - context: . - file: ./docker/Dockerfile.ubi8 - push: true - platforms: linux/amd64 - tags: ${{ steps.prep.outputs.ubi8_tags }} - build-args: | - VERSION=${{ github.event.inputs.tag }} - COMMIT=${{ github.sha }} - SENTRY_DSN=${{ secrets.SENTRY_DSN }} - DESCRIPTIONS_URL=${{ secrets.DESCRIPTIONS_URL }} From 44fbc1c0c05d42cda891445654890a349088861e Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Rui=20Ara=C3=BAjo=20Gomes?= Date: Mon, 28 Oct 2024 00:03:57 +0000 Subject: [PATCH 7/8] replace branch name in gh actions --- .github/workflows/release-kics-cxone.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/release-kics-cxone.yaml b/.github/workflows/release-kics-cxone.yaml index ed5f559835f..88222571f63 100644 --- a/.github/workflows/release-kics-cxone.yaml +++ b/.github/workflows/release-kics-cxone.yaml @@ -35,6 +35,7 @@ jobs: - name: Modify circleci configuration run: | sed -i 's/BRANCH_NAME_TEMPLATE_TO_REPLACE/${{ github.event.release.name }}/g' ../${{ secrets.CHECKMARXDEV_KICS_RELEASER }}/.circleci/config.yml + sed -i 's/BRANCH_NAME_TEMPLATE_TO_REPLACE/${{ github.event.release.name }}/g' ../${{ secrets.CHECKMARXDEV_KICS_RELEASER }}/.github/workflows/*.yaml - name: Push branch run: | From 7c67ba5e8f6b8f0bd80ff265444e417f5ca188f3 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Rui=20Ara=C3=BAjo=20Gomes?= Date: Mon, 28 Oct 2024 00:07:07 +0000 Subject: [PATCH 8/8] upgrade images --- Dockerfile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Dockerfile b/Dockerfile index 6901de29fef..94d2257003a 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,4 +1,4 @@ -FROM cgr.dev/chainguard/go@sha256:1e17e06119fc26b78a9a2208aeab6209f9ef90b6a19f3fc69d4cc581e70d09bf as build_env +FROM cgr.dev/chainguard/go@sha256:ef5ed415d03d60169f72db591ac2f7fc3f8dd8de388956dd9355793601544463 as build_env # Copy the source from the current directory to the Working Directory inside the container WORKDIR /app @@ -29,7 +29,7 @@ RUN GOOS=${TARGETOS} GOARCH=${TARGETARCH} go build \ # Runtime image # Ignore no User Cmd since KICS container is stopped afer scan # kics-scan ignore-line -FROM cgr.dev/chainguard/git@sha256:409a3061913f7f4f42ee04c33327254615374656a5b86596c229c9065e0524c7 +FROM cgr.dev/chainguard/git@sha256:0663e8c8a5c6fcad6cc2c08e7668d7b46f7aee025a923cee19f69475e187752a ENV TERM xterm-256color
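Review bot: The added `sed` line in the `Modify circleci configuration` step interpolates `${{ github.event.release.name }}` directly into the shell script, so a release name containing `/`, `&` or a quote breaks the expression and one containing shell metacharacters is interpreted by the runner; the existing line above it has the same shape, so the commit doubles the exposure rather than addressing it. Passing the value through the step's `env:` block and expanding it as a shell variable keeps it out of the script text, though the `sed` delimiter problem remains unless the name is validated first. The `*.yaml` glob also skips any workflow in that directory that uses the `.yml` extension, if there are any. The enclosing job starts outside the hunk.
```yaml
      - name: Modify circleci configuration
        env:
          RELEASE_NAME: ${{ github.event.release.name }}
        run: |
          sed -i "s/BRANCH_NAME_TEMPLATE_TO_REPLACE/${RELEASE_NAME}/g" ../${{ secrets.CHECKMARXDEV_KICS_RELEASER }}/.circleci/config.yml
          sed -i "s/BRANCH_NAME_TEMPLATE_TO_REPLACE/${RELEASE_NAME}/g" ../${{ secrets.CHECKMARXDEV_KICS_RELEASER }}/.github/workflows/*.yaml
      # … unchanged: Push branch step …
```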