feat(ci): add image scanning workflow #1161

Merged
merged 37 commits into from
Apr 21, 2024

Conversation

Member

@p5 p5 commented Apr 19, 2024

Creates a reusable workflow to scan images. This scan generates an SBOM and checks that SBOM for known vulnerabilities.

The only way I was able to merge the outputs of each matrix run was to use artifacts. It's certainly not clean, but it works.

We needed to exclude some directories during the SBOM generation because Syft crashes when scanning images that are too large.

This PR only enables the scans for Bluefin until we finalise it. Once we confirm everything is working, I will apply the same to Aurora and possibly Bazzite.
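As an added example (not the workflow from this PR, nor any ublue-os code), a reusable workflow with the shape the description outlines: Syft generates an SBOM per matrix image with some directories excluded, Grype scans that SBOM, each matrix run uploads its files as an artifact, and a final job downloads all of them to merge the results. The action refs, the excluded paths and the file layout are assumptions.

```yaml
name: Scan images (reusable)
on:
  workflow_call:
    inputs:
      images:
        required: true                   # JSON array of image references to scan
        type: string
jobs:
  scan:
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false                  # one crashing image must not hide results for the rest
      matrix:
        image: ${{ fromJson(inputs.images) }}
    steps:
      - uses: anchore/sbom-action/download-syft@v0   # assumed refs; pin to commit SHAs in real use
      - uses: anchore/scan-action/download-grype@v3
      - name: Generate SBOM and scan it
        id: gen
        env:
          IMAGE: ${{ matrix.image }}    # pass via env; never interpolate inputs into the script body
        run: |
          set -euo pipefail
          safe=$(printf '%s' "$IMAGE" | tr '/:@' '___')   # artifact names cannot contain / : @
          echo "safe=$safe" >> "$GITHUB_OUTPUT"
          syft "$IMAGE" -o spdx-json="sbom-$safe.spdx.json" \
            --exclude '/usr/lib/modules/**' --exclude '/usr/share/doc/**'   # assumed large trees
          # Scan the SBOM rather than the image so both artifacts describe the same input
          grype "sbom:sbom-$safe.spdx.json" -o json --file "vulns-$safe.json"
      - uses: actions/upload-artifact@v4
        with:
          name: scan-${{ steps.gen.outputs.safe }}
          path: "*-${{ steps.gen.outputs.safe }}.*"
  report:
    needs: scan
    if: ${{ !cancelled() }}             # still summarise the images that did scan
    runs-on: ubuntu-latest
    steps:
      - uses: actions/download-artifact@v4
        with:
          pattern: scan-*
          merge-multiple: true          # collect every matrix run's files into one directory
          path: results
      - name: Merge per-image findings into the job summary
        run: |
          printf '| Image | Findings by severity |\n|---|---|\n' >> "$GITHUB_STEP_SUMMARY"
          for f in results/vulns-*.json; do
            img=${f#results/vulns-}; img=${img%.json}
            jq -r --arg img "$img" '[.matches[].vulnerability.severity] | group_by(.) | map("\(.[0]): \(length)") | "| \($img) | \(join(", ")) |"' "$f" >> "$GITHUB_STEP_SUMMARY"
          done
```

The merge step only reads what the matrix runs uploaded, so an image whose Syft run crashed simply has no row rather than blocking the report.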

@p5 p5 changed the title [WIP] feature: add scaffolding for image scanning workflow [WIP] feature: add image scanning workflow Apr 19, 2024
@p5 p5 changed the title [WIP] feature: add image scanning workflow feature: add image scanning workflow Apr 20, 2024
@p5 p5 changed the title feature: add image scanning workflow feat: add image scanning workflow Apr 20, 2024
@p5 p5 marked this pull request as ready for review April 20, 2024 13:09
@p5 p5 requested a review from castrojo as a code owner April 20, 2024 13:09
Member Author

@p5 p5 Apr 20, 2024


IMO we should centralise this configuration in ublue-os/main or somewhere before implementing scanning in other repos. There's nothing bluefin-specific in here, so no need to copy & paste it.

Member


I think we can start here as a proof of concept.

We could then move it to its own repo and have it be a callable action if we genericize it enough.

Member Author

@p5 p5 Apr 21, 2024


Yeah, I plan to add things like uploading the SARIF files to GitHub, uploading SBOMs to R2, etc. But that all comes later. Right now, I just want to build the files and push them to job artifacts in only this repo.

None of this will be specific to ublue and/or bluefin.

@p5 p5 requested review from bsherman and noelmiller April 20, 2024 18:29
@p5 p5 changed the title feat: add image scanning workflow feat(ci): add image scanning workflow Apr 20, 2024
@m2Giles m2Giles added this pull request to the merge queue Apr 21, 2024
Merged via the queue into main with commit 244b269 Apr 21, 2024
73 checks passed
@m2Giles m2Giles deleted the sbom-generation-image-scanning branch April 21, 2024 20:10
awesomekyle pushed a commit to awesomekyle/bluefin that referenced this pull request Apr 24, 2024