diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
index c683518..47439d5 100644
--- a/.github/workflows/build.yaml
+++ b/.github/workflows/build.yaml
@@ -26,6 +26,10 @@ jobs:
           echo "GOTESTSUM_VERSION=$GOTESTSUM_VERSION" >> "$GITHUB_ENV"
           echo "HELM_VERSION=$HELM_VERSION" >> "$GITHUB_ENV"
+      - name: store short hash
+        run: |
+          echo "COMMIT_HASH=$(git describe --always --abbrev=8)" >> "$GITHUB_ENV"
+
       - name: set up go
         uses: actions/setup-go@v5
         with:
@@ -53,14 +57,41 @@ jobs:
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
-      - name: build images, don't push
-        if: github.ref_name != 'main'
+      - name: build images
         run: |
           devspace run build --skip-push
+      - name: run trivy - manager
+        uses: aquasecurity/trivy-action@0.24.0
+        with:
+          image-ref: ghcr.io/srl-labs/clabernetes/clabernetes-manager:${{ env.COMMIT_HASH }}
+          format: github
+          output: clabernetes-manager.sbom.json
+          exit-code: 1
+          ignore-unfixed: true
+          vuln-type: os,library
+          severity: CRITICAL,HIGH
+          github-pat: ${{ secrets.GITHUB_TOKEN }}
+
+      # note: the launcher is beyond hope for so many reasons, so...
+      # we'll skip running this on that guy and just hit the manager/ui :)
+
+      - name: run trivy - ui
+        uses: aquasecurity/trivy-action@0.24.0
+        with:
+          image-ref: ghcr.io/srl-labs/clabernetes/clabernetes-ui:${{ env.COMMIT_HASH }}
+          format: github
+          output: clabernetes-ui.sbom.json
+          exit-code: 1
+          ignore-unfixed: true
+          vuln-type: os,library
+          severity: CRITICAL,HIGH
+          github-pat: ${{ secrets.GITHUB_TOKEN }}
+
       - name: build and push images and helm chart
         if: github.ref_name == 'main'
         run: |
+          # we already built but everything will be cached so just re-run to let devspace push them
           devspace run build
           helm registry login -u ${{ github.actor }} -p ${{ secrets.GITHUB_TOKEN }} ghcr.io
diff --git a/.github/workflows/lint.yaml b/.github/workflows/lint.yaml
index 264e50f..66845c2 100644
--- a/.github/workflows/lint.yaml
+++ b/.github/workflows/lint.yaml
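Review bot: `COMMIT_HASH` is consumed as the image tag in the later trivy `image-ref` inputs, but `git describe --always --abbrev=8` returns a tag-relative string (something like `v0.1.0-3-gabcdef12`) whenever a reachable tag exists in the checkout and only falls back to a bare short hash otherwise, so the scan will find the image only if devspace derives its tag the same way — the devspace config is not visible here. If a plain 8-character hash is what the build tags with, `echo "COMMIT_HASH=$(git rev-parse --short=8 HEAD)" >> "$GITHUB_ENV"` removes the ambiguity; either way a comment on the step such as `# must match the tag devspace applies in "build images" below` records the coupling. Git also lengthens the abbreviation past 8 characters when it would be ambiguous, which is one more reason to define the tag scheme in a single place. The enclosing steps list begins before the hunk.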
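Review bot: `uses: aquasecurity/trivy-action@0.24.0` pins the scanner to a mutable tag, and this step both gates the build through `exit-code: 1` and receives `secrets.GITHUB_TOKEN` via `github-pat`, so whoever controls that tag controls what runs with the token; pin to the full commit SHA with the version in a trailing comment, `uses: aquasecurity/trivy-action@<commit-sha-of-0.24.0>  # v0.24.0`, and apply the same to the second trivy step here and to the `run trivy - fs` step in the lint.yaml hunk. The `github-pat` input is presumably there so the `format: github` snapshot can be submitted to the dependency-graph API, which needs `contents: write` on the token; the job's `permissions` block is outside the hunk, so confirm it grants that and nothing broader. Skipping the launcher image entirely, as the comment says, means it produces no findings at all; a third step with `exit-code: 0` would keep the job green while still surfacing its CRITICAL/HIGH count in the log. The steps list continues outside the hunk.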
@@ -44,5 +44,18 @@ jobs:
           https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh | sh -s -- -b $(go env GOPATH)/bin ${{ env.GOLANGCI_LINT_VERSION }}
-      - name: run the linter
+      - name: run the linters
         run: make lint
+
+      - name: run trivy - fs
+        uses: aquasecurity/trivy-action@0.24.0
+        with:
+          scan-type: fs
+          exit-code: 1
+          ignore-unfixed: true
+          vuln-type: os,library
+          severity: CRITICAL,HIGH
+          scanners: config
+          skip-dirs: ui/.next,charts,e2e
+          # we know launcher/dev/clabverter are using root user, its fine for now!
+          skip-files: build/clabverter.Dockerfile,build/launcher.Dockerfile,.develop/dev.Dockerfile
diff --git a/build/ui.Dockerfile b/build/ui.Dockerfile
index d09705c..6b39200 100644
--- a/build/ui.Dockerfile
+++ b/build/ui.Dockerfile
@@ -30,5 +30,6 @@ WORKDIR /clabernetes
 COPY --from=builder --chown=nonroot:nonroot /clabernetes/.next/standalone ./
 COPY --from=builder --chown=nonroot:nonroot /clabernetes/.next/static ./.next/static
+USER nonroot:nonroot
 CMD ["server.js"]
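Review bot: `skip-files` removes the three Dockerfiles from every config check, not just the root-user finding the comment describes, so any other misconfiguration later introduced into `build/launcher.Dockerfile`, `build/clabverter.Dockerfile` or `.develop/dev.Dockerfile` passes silently; suppressing only the root-user check ID in a `.trivyignore` (pointed at through the action's `trivyignores` input) keeps the remaining checks active on those files. Under `scanners: config` no vulnerability scan runs, so `vuln-type: os,library` and `ignore-unfixed: true` have nothing to act on; dropping them, or annotating them with `# config scan only - the vuln inputs below are intentionally unused`, avoids implying a vulnerability pass that is not happening. `skip-dirs: charts` likewise excludes the Helm chart from the Kubernetes misconfiguration checks — fine if deliberate, but it deserves a one-line comment like the one on `skip-files`.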
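Review bot: `USER nonroot:nonroot` fixes the run-as-root finding, but the name form resolves only if the final stage's base image defines `nonroot` in its passwd file, and a Kubernetes pod with `runAsNonRoot: true` cannot verify a non-numeric image user — the kubelet refuses to start such a container unless `runAsUser` is also set in the pod spec. If the base is a distroless image (the stage's `FROM` line is above the hunk), `USER 65532:65532` is the equivalent numeric form and satisfies both cases; a comment such as `# numeric uid so runAsNonRoot can be verified without an explicit runAsUser` records why the number is preferred over the name. The `--chown=nonroot:nonroot` on the COPY lines can stay, since those names are resolved at build time.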