chore: update security scanners (#1107)

ory · May 30, 2023 · 1857ba3 · 1857ba3
1 parent 3276408
commit 1857ba3
Show file tree

Hide file tree

Showing 5 changed files with 61 additions and 47 deletions.
diff --git a/.github/workflows/cve-scan.yaml b/.github/workflows/cve-scan.yaml
@@ -14,74 +14,71 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@v2
+        uses: actions/checkout@v3
       - name: Setup Env
         id: vars
         shell: bash
         run: |
-          echo "##[set-output name=branch;]$(echo ${GITHUB_REF#refs/heads/})"
-          echo "::set-output name=sha_short::$(git rev-parse --short HEAD)"
+          echo "SHA_SHORT=$(git rev-parse --short HEAD)" >> "${GITHUB_ENV}"
       - name: Set up QEMU
-        uses: docker/setup-qemu-action@v1
+        uses: docker/setup-qemu-action@v2
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v1
+        uses: docker/setup-buildx-action@v2
       - name: Build images
         shell: bash
         run: |
-          touch oathkeeper
-          DOCKER_BUILDKIT=1 docker build -t oryd/oathkeeper:${{ steps.vars.outputs.sha_short }} --build-arg=COMMIT=${{ steps.vars.outputs.sha_short }} .
-          DOCKER_BUILDKIT=1 docker build -t oryd/oathkeeper:alpine-${{ steps.vars.outputs.sha_short }} --build-arg=COMMIT=${{ steps.vars.outputs.sha_short }} -f Dockerfile-alpine .
-          rm oathkeeper
+          IMAGE_TAG="${{ env.SHA_SHORT }}" make docker
       - name: Anchore Scanner
         uses: anchore/scan-action@v3
         id: grype-scan
         with:
-          image: oryd/oathkeeper:${{ steps.vars.outputs.sha_short }}
+          image: oryd/oathkeeper:${{ env.SHA_SHORT }}-alpine
           fail-build: true
           severity-cutoff: high
-          debug: false
-          acs-report-enable: true
-      - name: Anchore Scanner
-        uses: anchore/scan-action@v3
-        id: grype-scan-alpine
-        with:
-          image: oryd/oathkeeper:alpine-${{ steps.vars.outputs.sha_short }}
-          fail-build: true
-          severity-cutoff: high
-          debug: false
-          acs-report-enable: true
+          add-cpes-if-none: true
       - name: Inspect action SARIF report
         shell: bash
         if: ${{ always() }}
         run: |
           echo "::group::Anchore Scan Details"
           jq '.runs[0].results' ${{ steps.grype-scan.outputs.sarif }}
-          jq '.runs[0].results' ${{ steps.grype-scan-alpine.outputs.sarif }}
           echo "::endgroup::"
-      - name: Trivy Scanner
-        uses: aquasecurity/trivy-action@master
-        if: ${{ always() }}
+      - name: Anchore upload scan SARIF report
+        if: always()
+        uses: github/codeql-action/upload-sarif@v2
         with:
-          image-ref: oryd/oathkeeper:${{ steps.vars.outputs.sha_short }}
-          format: "table"
-          exit-code: "42"
-          ignore-unfixed: true
-          vuln-type: "os,library"
-          severity: "CRITICAL,HIGH"
-      - name: Trivy Scanner 2
+          sarif_file: ${{ steps.grype-scan.outputs.sarif }}
+      - name: Trivy Scanner
         uses: aquasecurity/trivy-action@master
         if: ${{ always() }}
         with:
-          image-ref: oryd/oathkeeper:alpine-${{ steps.vars.outputs.sha_short }}
+          image-ref: oryd/oathkeeper:${{ env.SHA_SHORT }}-alpine
           format: "table"
           exit-code: "42"
           ignore-unfixed: true
           vuln-type: "os,library"
           severity: "CRITICAL,HIGH"
+          scanners: "vuln,secret,config"
       - name: Dockle Linter
         uses: erzz/[email protected]
         if: ${{ always() }}
         with:
-          image: oryd/oathkeeper:${{ steps.vars.outputs.sha_short }}
+          image: oryd/oathkeeper:${{ env.SHA_SHORT }}-alpine
           exit-code: 42
-          failure-threshold: fatal
+          failure-threshold: high
+      - name: Hadolint
+        uses: hadolint/[email protected]
+        id: hadolint
+        if: ${{ always() }}
+        with:
+          dockerfile: Dockerfile-alpine
+          verbose: true
+          format: "json"
+          failure-threshold: "error"
+      - name: View Hadolint results
+        if: ${{ always() }}
+        shell: bash
+        run: |
+          echo "::group::Hadolint Scan Details"
+          echo "${HADOLINT_RESULTS}" | jq '.' 
+          echo "::endgroup::"
diff --git a/Dockerfile b/Dockerfile
@@ -1,16 +1,20 @@
 # To compile this image manually run:
 #
 # $ make docker
-FROM alpine:3.17.3
+FROM alpine:3.18 as base
 
 RUN apk --no-cache --update-cache --upgrade --latest add ca-certificates
 
+#############
 FROM scratch
 
-COPY --from=0 /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/
+COPY --from=base /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/
 COPY oathkeeper /usr/bin/oathkeeper
 
 USER 1000
 
+EXPOSE 4455
+EXPOSE 4456
+
 ENTRYPOINT ["oathkeeper"]
 CMD ["serve"]
diff --git a/Dockerfile-alpine b/Dockerfile-alpine
@@ -1,7 +1,7 @@
 # To compile this image manually run:
 #
 # $ make docker
-FROM alpine:3.17.3
+FROM alpine:3.18
 
 RUN addgroup -S ory; \
     adduser -S ory -G ory -D -H -s /bin/nologin
@@ -11,5 +11,8 @@ COPY oathkeeper /usr/bin/oathkeeper
 
 USER ory
 
+EXPOSE 4455
+EXPOSE 4456
+
 ENTRYPOINT ["oathkeeper"]
 CMD ["serve"]
diff --git a/Dockerfile-dc b/Dockerfile-dc
@@ -1,17 +1,26 @@
-FROM golang:1.19-alpine3.17
+FROM golang:1.20-alpine3.18 AS builder
 
 RUN addgroup -S ory; \
     adduser -S ory -G ory -D -H -s /bin/nologin
 
 RUN apk --no-cache --update-cache --upgrade --latest add ca-certificates
 
-ADD . /app
+COPY . /app
 WORKDIR /app
 ENV GO111MODULE on
 RUN go mod download && go mod tidy
 RUN CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build
 
-USER ory
+############
+FROM alpine:3.18 AS runner
 
-ENTRYPOINT ["/app/oathkeeper"]
+RUN apk --no-cache --update-cache --upgrade --latest add ca-certificates
+
+COPY --from=builder /app/oathkeeper /usr/bin/oathkeeper
+USER 1000
+
+EXPOSE 4455
+EXPOSE 4456
+
+ENTRYPOINT ["/usr/bin/oathkeeper"]
 CMD ["serve"]
diff --git a/Makefile b/Makefile
@@ -1,8 +1,9 @@
 SHELL=/bin/bash -o pipefail
 
-export GO111MODULE := on
-export PATH := .bin:${PATH}
-export PWD := $(shell pwd)
+export GO111MODULE	:= on
+export PATH					:= .bin:${PATH}
+export PWD					:= $(shell pwd)
+export IMAGE_TAG		:= $(if $(IMAGE_TAG),$(IMAGE_TAG),dev)
 
 GO_DEPENDENCIES = github.com/ory/go-acc \
 				  github.com/go-swagger/go-swagger/cmd/swagger \
@@ -82,8 +83,8 @@ install:
 .PHONY: docker
 docker:
 	CGO_ENABLED=0 GO111MODULE=on GOOS=linux GOARCH=amd64 go build
-	docker build -t oryd/oathkeeper:dev .
-	docker build -t oryd/oathkeeper:dev-alpine -f Dockerfile-alpine .
+	DOCKER_BUILDKIT=1 DOCKER_CONTENT_TRUST=1 docker build -t oryd/oathkeeper:${IMAGE_TAG} --progress=plain .
+	DOCKER_BUILDKIT=1 DOCKER_CONTENT_TRUST=1 docker build -t oryd/oathkeeper:${IMAGE_TAG}-alpine --progress=plain -f Dockerfile-alpine .
 	rm oathkeeper
 
 docs/cli: .bin/clidoc