From 3dd78054d767661da203858f36b5735beae0d9ae Mon Sep 17 00:00:00 2001 From: Carl Montanari Date: Tue, 3 Sep 2024 10:35:40 -0700 Subject: [PATCH 1/4] chore: first pass trivy scan manager/ui images --- .github/workflows/build.yaml | 31 +++++++++++++++++++++++++++++-- 1 file changed, 29 insertions(+), 2 deletions(-) diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml index c683518..9123be6 100644 --- a/.github/workflows/build.yaml +++ b/.github/workflows/build.yaml @@ -26,6 +26,10 @@ jobs: echo "GOTESTSUM_VERSION=$GOTESTSUM_VERSION" >> "$GITHUB_ENV" echo "HELM_VERSION=$HELM_VERSION" >> "$GITHUB_ENV" + - name: store short hash + run: | + echo "COMMIT_HASH=$(git describe --always --abbrev=8)" >> "$GITHUB_ENV" + - name: set up go uses: actions/setup-go@v5 with: @@ -53,14 +57,37 @@ jobs: username: ${{ github.actor }} password: ${{ secrets.GITHUB_TOKEN }} - - name: build images, don't push - if: github.ref_name != 'main' + - name: build images run: | devspace run build --skip-push + - name: run trivy - manager + uses: aquasecurity/trivy-action@0.24.0 + with: + image-ref: ghcr.io/srl-labs/clabernetes/clabernetes-manager:${{ env.COMMIT_HASH }} + format: table + exit-code: 1 + ignore-unfixed: true + vuln-type: os,library + severity: CRITICAL,HIGH + + # note: the launcher is beyond hope for so many reasons, so... + # we'll skip running this on that guy and just hit the manager/ui :) + + - name: run trivy - ui + uses: aquasecurity/trivy-action@0.24.0 + with: + image-ref: ghcr.io/srl-labs/clabernetes/clabernetes-ui:${{ env.COMMIT_HASH }} + format: table + exit-code: 1 + ignore-unfixed: true + vuln-type: os,library + severity: CRITICAL,HIGH + - name: build and push images and helm chart if: github.ref_name == 'main' run: | + # we already built but everything will be cached so just re-run to let devspace push them devspace run build helm registry login -u ${{ github.actor }} -p ${{ secrets.GITHUB_TOKEN }} ghcr.io 
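Review bot: The `store short hash` step derives `COMMIT_HASH` from `git describe --always --abbrev=8`, whose output is only a bare short hash when no reachable tag exists in the checkout (otherwise it becomes `<tag>-<n>-g<hash>`) and whose abbreviation grows past 8 characters when the prefix is ambiguous, yet the later `image-ref` values depend on this string matching exactly whatever tag devspace applied. The devspace config is not visible here; if it derives its tag from the same command the two stay in lockstep and this is fine, but that coupling deserves a comment such as `# must match the image tag devspace computes in devspace.yaml`. If devspace uses the plain commit SHA instead, `echo "COMMIT_HASH=${GITHUB_SHA::8}" >> "$GITHUB_ENV"` gives a deterministic value regardless of fetch depth and tags.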
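Review bot: Both new `aquasecurity/trivy-action@0.24.0` steps pin the action by a mutable tag rather than a commit SHA, so the tag can be moved to different code upstream without any change in this repository, and because they sit before the `build and push` step with no `continue-on-error`, their exit code is what now decides whether images reach ghcr.io. Pin it as `uses: aquasecurity/trivy-action@<full-commit-sha> # v0.24.0` (Dependabot keeps the trailing version comment current); the other actions in this file have the same weakness, but this is the step acting as a release gate. Separately, the launcher image is skipped entirely rather than scanned non-blocking; a third step with `exit-code: 0` would keep its findings visible in the log without failing the build, and the `# note:` comment should state what makes it unfixable and link a tracking issue.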
From 4895f0bb62b5820567a5740eab15e9a16ef03ca0 Mon Sep 17 00:00:00 2001 From: Carl Montanari Date: Tue, 3 Sep 2024 11:01:30 -0700 Subject: [PATCH 2/4] chore: add lint stage trivy fs check --- .github/workflows/build.yaml | 8 ++++++-- .github/workflows/lint.yaml | 14 +++++++++++++- 2 files changed, 19 insertions(+), 3 deletions(-) diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml index 9123be6..47439d5 100644 --- a/.github/workflows/build.yaml +++ b/.github/workflows/build.yaml @@ -65,11 +65,13 @@ jobs: uses: aquasecurity/trivy-action@0.24.0 with: image-ref: ghcr.io/srl-labs/clabernetes/clabernetes-manager:${{ env.COMMIT_HASH }} - format: table + format: github + output: clabernetes-manager.sbom.json exit-code: 1 ignore-unfixed: true vuln-type: os,library severity: CRITICAL,HIGH + github-pat: ${{ secrets.GITHUB_TOKEN }} # note: the launcher is beyond hope for so many reasons, so... # we'll skip running this on that guy and just hit the manager/ui :) @@ -78,11 +80,13 @@ jobs: uses: aquasecurity/trivy-action@0.24.0 with: image-ref: ghcr.io/srl-labs/clabernetes/clabernetes-ui:${{ env.COMMIT_HASH }} - format: table + format: github + output: clabernetes-ui.sbom.json exit-code: 1 ignore-unfixed: true vuln-type: os,library severity: CRITICAL,HIGH + github-pat: ${{ secrets.GITHUB_TOKEN }} - name: build and push images and helm chart if: github.ref_name == 'main' diff --git a/.github/workflows/lint.yaml b/.github/workflows/lint.yaml index 264e50f..46bfb4b 100644 --- a/.github/workflows/lint.yaml +++ b/.github/workflows/lint.yaml 
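Review bot: Switching the manager scan from `format: table` to `format: github` most likely turns this step from a vulnerability gate into an SBOM export: in the Trivy releases bundled with this action, selecting an SBOM output format (`cyclonedx`, `spdx`, `github`) disables the vulnerability scanner unless `--scanners vuln` is passed explicitly, in which case `exit-code: 1`, `severity` and `ignore-unfixed` on this step no longer gate anything. Please verify in a run that a HIGH/CRITICAL finding still fails the job; if it does not, add `scanners: vuln` to this step, or keep the original table-format step as the gate and add the SBOM export as a separate step. With `github-pat` set the action also uploads the snapshot to the repository's dependency graph, which requires `contents: write` on `GITHUB_TOKEN`; the workflow's `permissions:` block is outside this diff, so I cannot confirm the token has it.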
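Review bot: The `output: clabernetes-ui.sbom.json` written by the ui scan is left in the runner workspace and nothing in this hunk reads or uploads it, so the file is discarded when the job ends; either add an `actions/upload-artifact` step for the two `*.sbom.json` files (or attach them to the release on `main`) or drop `output` and rely on the dependency-graph upload alone. This step is also a near-verbatim copy of the manager step above, which is how the two will drift apart over time; a matrix over `[manager, ui]` or a small composite action would keep the severity, scanner and token settings in one place so a fix to one scan cannot be forgotten on the other.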
@@ -44,5 +44,17 @@ jobs: https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh | sh -s -- -b $(go env GOPATH)/bin ${{ env.GOLANGCI_LINT_VERSION }} - - name: run the linter + - name: run the linters run: make lint + + - name: run trivy - fs + uses: aquasecurity/trivy-action@0.24.0 + with: + scan-type: fs + exit-code: 1 + ignore-unfixed: true + vuln-type: os,library + severity: CRITICAL,HIGH + scanners: config + skip-dirs: ui/.next,charts,e2e + skip-files: build/clabverter.Dockerfile,build/launcher.Dockerfile From 740a1ec2741c2e0eb8d2213be545835e0d9455a2 Mon Sep 17 00:00:00 2001 From: Carl Montanari Date: Tue, 3 Sep 2024 11:05:25 -0700 Subject: [PATCH 3/4] chore: extend skip to include dev dockerfile which we know is always misbehavin --- .github/workflows/lint.yaml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.github/workflows/lint.yaml b/.github/workflows/lint.yaml index 46bfb4b..66845c2 100644 --- a/.github/workflows/lint.yaml +++ b/.github/workflows/lint.yaml @@ -57,4 +57,5 @@ jobs: severity: CRITICAL,HIGH scanners: config skip-dirs: ui/.next,charts,e2e - skip-files: build/clabverter.Dockerfile,build/launcher.Dockerfile + # we know launcher/dev/clabverter are using root user, its fine for now! + skip-files: build/clabverter.Dockerfile,build/launcher.Dockerfile,.develop/dev.Dockerfile From f341ae8297ad5c424051b82ccb38a79041d37d3d Mon Sep 17 00:00:00 2001 From: Carl Montanari Date: Tue, 3 Sep 2024 11:29:28 -0700 Subject: [PATCH 4/4] fix: add nonroot user to ui dockerfile --- build/ui.Dockerfile | 1 + 1 file changed, 1 insertion(+) diff --git a/build/ui.Dockerfile b/build/ui.Dockerfile index d09705c..6b39200 100644 --- a/build/ui.Dockerfile +++ b/build/ui.Dockerfile @@ -30,5 +30,6 @@ WORKDIR /clabernetes COPY --from=builder --chown=nonroot:nonroot /clabernetes/.next/standalone ./ COPY --from=builder --chown=nonroot:nonroot /clabernetes/.next/static ./.next/static +USER nonroot:nonroot CMD ["server.js"]
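Review bot: The new `run trivy - fs` step sets `scanners: config`, which restricts Trivy to misconfiguration checks, so the `vuln-type: os,library` and `ignore-unfixed: true` inputs on the same step have no effect and suggest a dependency scan that is not actually happening. If the intent is Dockerfile/IaC checks only, drop those two inputs and add a comment such as `# misconfiguration checks only; image CVEs are gated in build.yaml`; if `go.mod` and the ui lockfile are meant to be scanned here as well, use `scanners: vuln,config` instead. Note also that `skip-dirs` excludes `charts`, presumably the Helm chart, so the Kubernetes manifests in it get no misconfiguration checks at all; that is a broader exclusion than the individual Dockerfiles and deserves its own justification in a comment.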
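Review bot: Adding `.develop/dev.Dockerfile` to `skip-files` silences every misconfiguration check Trivy has for that file, while the new comment says the only known finding is the root user; the same applies to the two build Dockerfiles already listed. A narrower suppression is a `.trivyignore` entry for just the root-user check (AVD-DS-0002 in the current rule set, worth confirming against the scan output), referenced via the action's `trivyignores` input, so that new problems in those Dockerfiles still fail lint. At minimum the comment should carry a tracking reference so that "fine for now" has an owner and an expiry.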
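Review bot: `USER nonroot:nonroot` drops root correctly but uses a symbolic name, which Kubernetes cannot verify when a pod sets `securityContext.runAsNonRoot: true`: the kubelet requires a numeric UID in the image config and otherwise refuses to start the container ("image has non-numeric user"). If the final stage is a distroless image, as the pre-existing `--chown=nonroot:nonroot` lines suggest, `nonroot` is UID/GID 65532 and `USER 65532:65532` is equivalent and verifiable; the base image line is outside this hunk, so confirm the mapping there before changing it. A one-line comment above it, e.g. `# numeric UID so runAsNonRoot can be enforced by the kubelet`, would keep a future edit from reverting to the name.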