diff --git a/.github/workflows/scan-vulns.yaml b/.github/workflows/scan-vulns.yaml
new file mode 100644
index 000000000..101293e96
--- /dev/null
+++ b/.github/workflows/scan-vulns.yaml
@@ -0,0 +1,73 @@
+name: scan_vulns
+on:
+ push:
+ paths-ignore:
+ - "docs/**"
+ - "library/**"
+ - "**.md"
+ pull_request:
+ paths-ignore:
+ - "docs/**"
+ - "library/**"
+ - "**.md"
+ workflow_dispatch:
+
+permissions: read-all
+
+jobs:
+ govulncheck:
+ name: "Run govulncheck"
+ runs-on: ubuntu-22.04
+ timeout-minutes: 15
+ steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
+ with:
+ egress-policy: audit
+
+ - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
+ with:
+ go-version: "1.22"
+ check-latest: true
+ - uses: golang/govulncheck-action@3a32958c2706f7048305d5a2e53633d7e37e97d0 # v1.0.2
+
+ scan_vulnerabilities:
+ name: "[Trivy] Scan for vulnerabilities"
+ runs-on: ubuntu-22.04
+ timeout-minutes: 15
+ steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
+ with:
+ egress-policy: audit
+
+ - name: Check out code into the Go module directory
+ uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633
+
+ - name: Download trivy
+ run: |
+ pushd $(mktemp -d)
+ wget https://github.com/aquasecurity/trivy/releases/download/v${{ env.TRIVY_VERSION }}/trivy_${{ env.TRIVY_VERSION }}_Linux-64bit.tar.gz
+ tar zxvf trivy_${{ env.TRIVY_VERSION }}_Linux-64bit.tar.gz
+ echo "$(pwd)" >> $GITHUB_PATH
+ env:
+ TRIVY_VERSION: "0.46.0"
+
+ - name: Run trivy on git repository
+ run: |
+ trivy fs --format table --ignore-unfixed --scanners vuln .
+
+ - name: Build docker images
+ run: |
+ make e2e-build-local-ratify-image
+ make e2e-build-crd-image
+ - name: Run trivy on images for all severity
+ run: |
+ for img in "localbuild:test" "localbuildcrd:test"; do
+ trivy image --ignore-unfixed --vuln-type="os,library" "${img}"
+ done
+ - name: Run trivy on images and exit on HIGH severity
+ run: |
+ for img in "localbuild:test" "localbuildcrd:test"; do
+ trivy image --ignore-unfixed --exit-code 1 --severity HIGH --vuln-type="os,library" "${img}"
+ done
\ No newline at end of file
diff --git a/Makefile b/Makefile
index 0b3b0bb6d..7c16b2aa9 100644
--- a/Makefile
+++ b/Makefile
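Review bot: The final step's `--severity HIGH` fails the job on HIGH findings only; Trivy treats `--severity` as an include list, so CRITICAL findings pass silently and the gate is weaker than its step name suggests — change the line to `trivy image --ignore-unfixed --exit-code 1 --severity HIGH,CRITICAL --vuln-type="os,library" "${img}"`. The "Download trivy" step also extracts and puts on PATH a tarball fetched with wget and no integrity check, which is the one unpinned supply-chain input in a workflow that otherwise pins every action by SHA; fetching the release's checksums file (`trivy_${{ env.TRIVY_VERSION }}_checksums.txt`) alongside it and running `sha256sum --check --ignore-missing trivy_${{ env.TRIVY_VERSION }}_checksums.txt` before the `tar` closes that gap, or the SHA-pinned aquasecurity/trivy-action avoids the manual download entirely. The `actions/checkout` pin is the only one without a `# vX.Y.Z` comment, so it cannot be audited at a glance like the others. Note that `egress-policy: audit` only logs outbound connections rather than blocking them, so the harden-runner step here is observational, not preventive.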
@@ -522,10 +522,12 @@ e2e-deploy-gatekeeper: e2e-helm-install ./.staging/helm/linux-amd64/helm install gatekeeper/gatekeeper --version ${GATEKEEPER_VERSION} --name-template=gatekeeper --namespace ${GATEKEEPER_NAMESPACE} --create-namespace --set enableExternalData=true --set validatingWebhookTimeoutSeconds=5 --set mutatingWebhookTimeoutSeconds=2 --set auditInterval=0 --set externaldataProviderResponseCacheTTL=1s e2e-build-crd-image: - docker build --progress=plain --no-cache --build-arg KUBE_VERSION=${KUBERNETES_VERSION} --build-arg TARGETOS="linux" --build-arg TARGETARCH="amd64" -f crd.Dockerfile -t localbuildcrd:test ./charts/ratify/crds + docker build --progress=plain --no-cache --build-arg KUBE_VERSION=${KUBERNETES_VERSION} --build-arg TARGETOS="linux" --build-arg TARGETARCH="amd64" -f crd.Dockerfile -t localbuildcrd:test ./charts/ratify/crds + +load-build-crd-image: kind load docker-image --name kind localbuildcrd:test -e2e-deploy-base-ratify: e2e-notation-setup e2e-notation-leaf-cert-setup e2e-cosign-setup e2e-inlinecert-setup e2e-build-crd-image e2e-build-local-ratify-base-image +e2e-deploy-base-ratify: e2e-notation-setup e2e-notation-leaf-cert-setup e2e-cosign-setup e2e-inlinecert-setup e2e-build-crd-image load-build-crd-image e2e-build-local-ratify-base-image printf "{\n\t\"auths\": {\n\t\t\"registry:5000\": {\n\t\t\t\"auth\": \"`echo "${TEST_REGISTRY_USERNAME}:${TEST_REGISTRY_PASSWORD}" | tr -d '\n' | base64 -i -w 0`\"\n\t\t}\n\t}\n}" > mount_config.json ./.staging/helm/linux-amd64/helm install ${RATIFY_NAME} \ 
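Review bot: The new `load-build-crd-image` target declares no prerequisite on `e2e-build-crd-image`, so correctness depends on it being listed after the build target in every caller's prerequisite list; that holds for a serial `make` but not under `make -j`, where GNU make may run the `kind load` before the image exists. The same applies to `load-local-ratify-image` in the `@@ -565` hunk, which should depend on `e2e-build-local-ratify-image`. Declaring the dependency once, `load-build-crd-image: e2e-build-crd-image`, makes the ordering explicit while still letting the CI workflow invoke the build target alone. If the Makefile keeps a `.PHONY` list (not visible in this hunk), the two new targets belong in it too; the `e2e-deploy-base-ratify` recipe that this hunk touches continues past the hunk's last line.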
@@ -549,7 +551,7 @@ e2e-deploy-base-ratify: e2e-notation-setup e2e-notation-leaf-cert-setup e2e-cosi rm mount_config.json -e2e-deploy-ratify: e2e-notation-setup e2e-notation-leaf-cert-setup e2e-cosign-setup e2e-cosign-setup e2e-licensechecker-setup e2e-sbom-setup e2e-schemavalidator-setup e2e-vulnerabilityreport-setup e2e-inlinecert-setup e2e-build-crd-image e2e-build-local-ratify-image e2e-helm-deploy-ratify +e2e-deploy-ratify: e2e-notation-setup e2e-notation-leaf-cert-setup e2e-cosign-setup e2e-cosign-setup e2e-licensechecker-setup e2e-sbom-setup e2e-schemavalidator-setup e2e-vulnerabilityreport-setup e2e-inlinecert-setup e2e-build-crd-image load-build-crd-image e2e-build-local-ratify-image load-local-ratify-image e2e-helm-deploy-ratify e2e-build-local-ratify-base-image: docker build --progress=plain --no-cache \ @@ -565,6 +567,8 @@ e2e-build-local-ratify-image: --build-arg build_vulnerabilityreport=true \ -f ./httpserver/Dockerfile \ -t localbuild:test . + +load-local-ratify-image: kind load docker-image --name kind localbuild:test e2e-helmfile-deploy-released-ratify: @@ -630,7 +634,7 @@ e2e-helm-deploy-redis: e2e-helm-deploy-dapr kubectl apply -f test/testdata/dapr/dapr-redis-secret.yaml -n ${GATEKEEPER_NAMESPACE} kubectl apply -f test/testdata/dapr/dapr-redis.yaml -n ${GATEKEEPER_NAMESPACE} -e2e-helm-deploy-ratify-replica: e2e-helm-deploy-redis e2e-notation-setup e2e-build-crd-image e2e-build-local-ratify-image +e2e-helm-deploy-ratify-replica: e2e-helm-deploy-redis e2e-notation-setup e2e-build-crd-image load-build-crd-image e2e-build-local-ratify-image load-local-ratify-image printf "{\n\t\"auths\": {\n\t\t\"registry:5000\": {\n\t\t\t\"auth\": \"`echo "${TEST_REGISTRY_USERNAME}:${TEST_REGISTRY_PASSWORD}" | tr -d '\n' | base64 -i -w 0`\"\n\t\t}\n\t}\n}" > mount_config.json ./.staging/helm/linux-amd64/helm install ${RATIFY_NAME} \
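Review bot: The rewritten `e2e-deploy-ratify` prerequisite list still carries `e2e-cosign-setup` twice, which GNU make tolerates (a repeated prerequisite is built once) but which reads as an editing mistake now that the line is being touched; dropping the second `e2e-cosign-setup` keeps the line consistent with `e2e-deploy-base-ratify` in the previous hunk. The target's recipe is not part of this hunk, so whether its body also needs the image-load change cannot be checked from here.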