Added pre-check/linters and security scanning

Sage-Bionetworks · Jul 25, 2024 · e605765 · e605765
1 parent f31746b
commit e605765
Show file tree

Hide file tree

Showing 6 changed files with 237 additions and 18 deletions.
diff --git a/.dockerfilelintrc b/.dockerfilelintrc
@@ -0,0 +1,6 @@
+---
+rules:
+  apt-get_missing_rm: off
+  apt-get_recommends: off
+  apt-get-upgrade: off
+  sudo_usage: off
diff --git a/.github/workflows/docker_build.yml b/.github/workflows/docker_build.yml
@@ -1,35 +1,94 @@
-# Workflow derived from https://github.com/r-lib/actions/tree/master/examples
-# Need help debugging build failures? Start at https://github.com/r-lib/actions#where-to-find-help
-
-name: Create and publish a Docker image
+---
+name: Run precommit and conditionally build container
 
 on:
   push:
-    branches: ['release*']
+    branches:
+      - '*'
+    tags:
+      - 'v[0-9]+\.[0-9]+\.[0-9]+'
+  pull_request:
+    branches:
+      - '*'
+
+env:
+  REGISTRY: ghcr.io
+  IMAGE_PATH: ghcr.io/${{ github.repository }}
+  TARFILE_NAME: image.tar
+
 
 jobs:
-  build-and-push-to-dockerhub:
+  tests:
     runs-on: ubuntu-latest
     steps:
-      - name: Check out the repo
-        uses: actions/checkout@v3
+      - name: Checkout repository
+        uses: actions/checkout@v4
 
-      - name: Log in to Docker Hub
-        uses: docker/login-action@f054a8b539a109f9f41c372932f1ae047eff08c9
-        with:
-          username: ${{ secrets.DOCKER_USERNAME }}
-          password: ${{ secrets.DOCKER_PASSWORD }}
+      - name: Static Analysis
+        uses: pre-commit/[email protected]
 
       - name: Extract metadata (tags, labels) for Docker
         id: meta
-        uses: docker/metadata-action@98669ae865ea3cffbcbaa878cf57c20bbf1c6c38
+        uses: docker/metadata-action@v4.1.1
         with:
-          images: sagebionetworks/shiny-base${{github.GITHUB_REF_NAME}}
+          images: ${{ env.IMAGE_PATH }}
 
-      - name: Build and push Docker image
-        uses: docker/build-push-action@ad44023a93711e3deb337508980b4b5e9bcdc5dc
+      - name: Check that build works, save for scanning, but don't push yet
+        uses: docker/build-push-action@v6.4.0
         with:
           context: .
-          push: true
+          push: false
+          outputs: type=tar,dest=${{ env.TARFILE_NAME }}
           tags: ${{ steps.meta.outputs.tags }}
           labels: ${{ steps.meta.outputs.labels }}
+
+      - name: Upload tarball for use by Trivy job
+        uses: actions/upload-artifact@v4
+        with:
+          name: ${{ env.TARFILE_NAME }}
+          path: ${{ env.TARFILE_NAME }}
+
+    outputs:
+      tags: ${{ steps.meta.outputs.tags }}
+      tarfile_artifact: ${{ env.TARFILE_NAME }}
+
+  trivy-scan:
+    needs: tests
+    uses: "./.github/workflows/trivy.yml"
+    with:
+      SOURCE_TYPE: tar
+      IMAGE_NAME: ${{ needs.tests.outputs.tags }}
+      TARFILE_NAME: ${{ needs.tests.outputs.tarfile_artifact }}
+      EXIT_CODE: 1
+
+  push-image:
+    if: ${{ github.event_name == 'push' }}
+    needs: [tests, trivy-scan]
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
+
+    steps:
+      - name: Download tar file
+        id: tar-download
+        uses: actions/download-artifact@v4
+        with:
+          name: ${{ env.TARFILE_NAME }}
+          path: /tmp
+
+      - name: Load Docker image from tar
+        run: cat
+          ${{ steps.tar-download.outputs.download-path}}/${{ env.TARFILE_NAME}}
+          | docker import - ${{ needs.tests.outputs.tags }}
+
+      - name: Login to GitHub Container Registry
+        uses: docker/login-action@v2
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Push Docker image
+        run: docker push ${{ needs.tests.outputs.tags }}
+...
diff --git a/.github/workflows/trivy.yml b/.github/workflows/trivy.yml
@@ -0,0 +1,81 @@
+---
+#
+# This workflow runs Trivy on a Docker image
+# It can pull the image from a container registry
+# or download a tar file.  The latter is used
+# to check a container image prior to publishing
+# to the registry.
+
+name: Run Trivy on a Docker image and push results to GitHub
+
+on:
+  workflow_call:
+    inputs:
+      SOURCE_TYPE: # 'tar' or 'image'
+        required: true
+        type: string
+      TARFILE_NAME: # only used if SOURCE_TYPE=='tar'
+        required: false
+        type: string
+      IMAGE_NAME:
+        required: true
+        type: string
+      EXIT_CODE:
+        required: false
+        type: number
+
+env:
+  sarif_file_name: trivy-results.sarif
+
+jobs:
+  trivy:
+    name: Trivy
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      security-events: write
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Download tar file
+        id: tar-download
+        uses: actions/download-artifact@v4
+        if: ${{ inputs.SOURCE_TYPE == 'tar' }}
+        with:
+          name: ${{ inputs.TARFILE_NAME }}
+          path: /tmp
+
+      - name: load docker image from tar file
+        if: ${{ inputs.SOURCE_TYPE == 'tar' }}
+        run: cat ${{ steps.tar-download.outputs.download-path
+          }}/${{ inputs.TARFILE_NAME
+          }} | docker import - ${{ inputs.IMAGE_NAME }}
+
+      - name: Run Trivy vulnerability scanner for any major issues
+        uses: aquasecurity/[email protected]
+        id: trivy
+        with:
+          image-ref: ${{ inputs.IMAGE_NAME }}
+          ignore-unfixed: true # skip vul'ns for which there is no fix
+          # list files to skip, each with a justification
+          #skip-files: |
+          severity: 'CRITICAL,HIGH'
+          format: 'sarif'
+          # only output findings for configured severities
+          limit-severities-for-sarif: true
+          output: ${{ env.sarif_file_name  }}
+          exit-code: ${{ inputs.EXIT_CODE }}
+
+      - name: Upload Trivy scan results to GitHub Security tab
+        uses: github/codeql-action/[email protected]
+        # This is the recommended way to upload scan results
+        # after Trivy exits with HIGH/CRITICAL findings
+        # See https://github.com/aquasecurity/trivy-action?\
+        # tab=readme-ov-file#using-trivy-with-github-code-scanning
+        if: ${{ success() || steps.trivy.conclusion=='failure' }}
+        with:
+          sarif_file: ${{ env.sarif_file_name  }}
+          wait-for-processing: true
+...
diff --git a/.github/workflows/trivy_periodic_image_scan.yml b/.github/workflows/trivy_periodic_image_scan.yml
@@ -0,0 +1,22 @@
+---
+#
+# This workflow scans the published container images
+# for new vulnerabilities daily, publishing findings.
+# Findings will be associated with the 'main' branch
+# of the repo' in the GitHub Security tab.
+#
+name: Trivy Periodic Image Scan
+
+on:
+  schedule:
+    # run daily
+    - cron: "0 0 * * *"
+
+jobs:
+  trivy:
+    name: trivy-periodic-scan
+    uses: "./.github/workflows/trivy.yml"
+    with:
+      SOURCE_TYPE: image
+      IMAGE_NAME: ghcr.io/${{ github.repository }}:main
+...
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -0,0 +1,39 @@
+repos:
+  - repo: https://github.com/awslabs/git-secrets
+    rev: b9e96b3212fa06aea65964ff0d5cda84ce935f38
+    hooks:
+      - id: git-secrets
+        entry: git-secrets
+        args: [--scan, --recursive]
+  - repo: https://github.com/pre-commit/pre-commit-hooks
+    rev: v4.4.0
+    hooks:
+      # On Windows, git will convert all CRLF to LF,
+      # but only after all hooks are done executing.
+      # yamllint will fail before git has a chance to convert
+      # line endings, so it must be explicitly done before yamllint
+      - id: mixed-line-ending
+        args: ['--fix=lf']
+        description: Forces to replace line ending by the UNIX 'LF' character
+      - id: end-of-file-fixer
+      - id: trailing-whitespace
+      - id: check-json
+      - id: check-ast
+  - repo: https://github.com/adrienverge/yamllint
+    rev: v1.29.0
+    hooks:
+      - id: yamllint
+        entry: yamllint -c .yamllint.yaml
+  - repo: https://github.com/Lucas-C/pre-commit-hooks
+    rev: v1.4.2
+    hooks:
+      - id: remove-tabs
+  - repo: https://github.com/sirosen/check-jsonschema
+    rev: 0.21.0
+    hooks:
+      - id: check-github-workflows
+      - id: check-github-actions
+  - repo: https://github.com/pryorda/dockerfilelint-precommit-hooks
+    rev: v0.1.0
+    hooks:
+      - id: dockerfilelint
diff --git a/.trivyignore b/.trivyignore
@@ -0,0 +1,12 @@
+#
+# List vulnerabilities flagged by Trivy but for which
+# the affected code is not used or the risk is acceptable.
+# Enter the ID of the vulnerability along with the
+# justification as comment, for example:
+#
+# # Accept the risk
+# CVE-2018-14618
+#
+# More here:
+# https://aquasecurity.github.io/trivy/v0.22.0/vulnerability/examples/filter/
+#