feat(security): add docker scout pr github action flow (#10557)

pull/10580/head
Oscar Zhou 2023-11-02 09:34:24 +13:00 committed by GitHub
parent c8bdf21d07
commit 4ffeefd267
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 125 additions and 33 deletions


@ -105,7 +105,8 @@ jobs:
if: >- if: >-
github.ref == 'refs/heads/develop' github.ref == 'refs/heads/develop'
outputs: outputs:
image: ${{ steps.set-matrix.outputs.image_result }} image-trivy: ${{ steps.set-trivy-matrix.outputs.image_trivy_result }}
image-docker-scout: ${{ steps.set-docker-scout-matrix.outputs.image_docker_scout_result }}
steps: steps:
- name: scan vulnerabilities by Trivy - name: scan vulnerabilities by Trivy
uses: docker://docker.io/aquasec/trivy:latest uses: docker://docker.io/aquasec/trivy:latest
@ -113,27 +114,59 @@ jobs:
with: with:
args: image --ignore-unfixed=true --vuln-type="os,library" --exit-code=1 --format="json" --output="image-trivy.json" --no-progress portainerci/portainer:develop args: image --ignore-unfixed=true --vuln-type="os,library" --exit-code=1 --format="json" --output="image-trivy.json" --no-progress portainerci/portainer:develop
- name: upload image security scan result as artifact - name: upload Trivy image security scan result as artifact
uses: actions/upload-artifact@v3 uses: actions/upload-artifact@v3
with: with:
name: image-security-scan-develop-result name: image-security-scan-develop-result
path: image-trivy.json path: image-trivy.json
- name: develop scan report export to html - name: develop Trivy scan report export to html
run: | run: |
$(docker run --rm -v ${{ github.workspace }}:/data portainerci/code-security-report:latest summary --report-type=trivy --path="/data/image-trivy.json" --output-type=table --export --export-filename="/data/image-result") $(docker run --rm -v ${{ github.workspace }}:/data portainerci/code-security-report:latest summary --report-type=trivy --path="/data/image-trivy.json" --output-type=table --export --export-filename="/data/image-trivy-result")
- name: upload html file as artifact - name: upload html file as Trivy artifact
uses: actions/upload-artifact@v3 uses: actions/upload-artifact@v3
with: with:
name: html-image-result-${{github.run_id}} name: html-image-result-${{github.run_id}}
path: image-result.html path: image-trivy-result.html
- name: analyse vulnerabilities - name: analyse vulnerabilities from Trivy
id: set-matrix id: set-trivy-matrix
run: | run: |
result=$(docker run --rm -v ${{ github.workspace }}:/data portainerci/code-security-report:latest summary --report-type=trivy --path="/data/image-trivy.json" --output-type=matrix) result=$(docker run --rm -v ${{ github.workspace }}:/data portainerci/code-security-report:latest summary --report-type=trivy --path="/data/image-trivy.json" --output-type=matrix)
echo "image_result=${result}" >> $GITHUB_OUTPUT echo "image_trivy_result=${result}" >> $GITHUB_OUTPUT
- name: scan vulnerabilities by Docker Scout
uses: docker/scout-action@v1
continue-on-error: true
with:
command: cves
image: portainerci/portainer:develop
sarif-file: image-docker-scout.json
dockerhub-user: ${{ secrets.DOCKER_HUB_USERNAME }}
dockerhub-password: ${{ secrets.DOCKER_HUB_PASSWORD }}
- name: upload Docker Scout image security scan result as artifact
uses: actions/upload-artifact@v3
with:
name: image-security-scan-develop-result
path: image-docker-scout.json
- name: develop Docker Scout scan report export to html
run: |
$(docker run --rm -v ${{ github.workspace }}:/data portainerci/code-security-report:latest summary --report-type=docker-scout --path="/data/image-docker-scout.json" --output-type=table --export --export-filename="/data/image-docker-scout-result")
- name: upload html file as Docker Scout artifact
uses: actions/upload-artifact@v3
with:
name: html-image-result-${{github.run_id}}
path: image-docker-scout-result.html
- name: analyse vulnerabilities from Docker Scout
id: set-docker-scout-matrix
run: |
result=$(docker run --rm -v ${{ github.workspace }}:/data portainerci/code-security-report:latest summary --report-type=docker-scout --path="/data/image-docker-scout.json" --output-type=matrix)
echo "image_docker_scout_result=${result}" >> $GITHUB_OUTPUT
result-analysis: result-analysis:
name: Analyse Scan Results name: Analyse Scan Results
@ -145,22 +178,26 @@ jobs:
matrix: matrix:
js: ${{fromJson(needs.client-dependencies.outputs.js)}} js: ${{fromJson(needs.client-dependencies.outputs.js)}}
go: ${{fromJson(needs.server-dependencies.outputs.go)}} go: ${{fromJson(needs.server-dependencies.outputs.go)}}
image: ${{fromJson(needs.image-vulnerability.outputs.image)}} image-trivy: ${{fromJson(needs.image-vulnerability.outputs.image-trivy)}}
image-docker-scout: ${{fromJson(needs.image-vulnerability.outputs.image-docker-scout)}}
steps: steps:
- name: display the results of js, Go, and image scan - name: display the results of js, Go, and image scan
run: | run: |
echo "${{ matrix.js.status }}" echo "${{ matrix.js.status }}"
echo "${{ matrix.go.status }}" echo "${{ matrix.go.status }}"
echo "${{ matrix.image.status }}" echo "${{ matrix.image-trivy.status }}"
echo "${{ matrix.image-docker-scout.status }}"
echo "${{ matrix.js.summary }}" echo "${{ matrix.js.summary }}"
echo "${{ matrix.go.summary }}" echo "${{ matrix.go.summary }}"
echo "${{ matrix.image.summary }}" echo "${{ matrix.image-trivy.summary }}"
echo "${{ matrix.image-docker-scout.summary }}"
- name: send message to Slack - name: send message to Slack
if: >- if: >-
matrix.js.status == 'failure' || matrix.js.status == 'failure' ||
matrix.go.status == 'failure' || matrix.go.status == 'failure' ||
matrix.image.status == 'failure' matrix.image-trivy.status == 'failure' ||
matrix.image-docker-scout.status == 'failure'
uses: slackapi/slack-github-action@v1.23.0 uses: slackapi/slack-github-action@v1.23.0
with: with:
payload: | payload: |
@ -196,7 +233,14 @@ jobs:
"type": "section", "type": "section",
"text": { "text": {
"type": "mrkdwn", "type": "mrkdwn",
"text": "*Image vulnerability check*: *${{ matrix.image.status }}*\n${{ matrix.image.summary }}\n" "text": "*Image Trivy vulnerability check*: *${{ matrix.image-trivy.status }}*\n${{ matrix.image-trivy.summary }}\n"
}
},
{
"type": "section",
"text": {
"type": "mrkdwn",
"text": "*Image Docker Scout vulnerability check*: *${{ matrix.image-docker-scout.status }}*\n${{ matrix.image-docker-scout.summary }}\n"
} }
} }
] ]
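Review bot: The Docker Scout scan step is `continue-on-error: true`, yet the three steps after it consume `image-docker-scout.json` unconditionally, so a scan that fails before writing its SARIF (a Docker Hub login failure, say) leaves the upload with nothing to collect, hands the report container a missing path, and writes whatever `result` then holds into `image_docker_scout_result`; the result-analysis matrix feeds that through `fromJson`, which as far as I know errors on an empty or non-JSON string and would take the Slack notification down with it. Either give the scan step an `id` and gate the three consumers with `if: steps.<id>.outcome == 'success'`, or drop `continue-on-error` here to match the nightly Trivy step above, whose start is outside the hunk so I cannot confirm it lacks the flag. Separately, the two Scout uploads reuse the Trivy artifact names `image-security-scan-develop-result` and `html-image-result-${{github.run_id}}`; with upload-artifact v3 the second upload appends to the existing artifact, which is what the PR workflow's `gh run download -n image-security-scan-develop-result` relies on, but upload-artifact v4 rejects duplicate names, so a comment such as `# same artifact as the Trivy upload above on purpose: the PR scan downloads both JSON files from it` above the second upload would record the dependency before someone bumps the action.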


@ -8,7 +8,6 @@ on:
paths: paths:
- 'package.json' - 'package.json'
- 'go.mod' - 'go.mod'
- 'gruntfile.js'
- 'build/linux/Dockerfile' - 'build/linux/Dockerfile'
- 'build/linux/alpine.Dockerfile' - 'build/linux/alpine.Dockerfile'
- 'build/windows/Dockerfile' - 'build/windows/Dockerfile'
@ -142,7 +141,8 @@ jobs:
github.event.pull_request && github.event.pull_request &&
github.event.review.body == '/scan' github.event.review.body == '/scan'
outputs: outputs:
imagediff: ${{ steps.set-diff-matrix.outputs.image_diff_result }} imagediff-trivy: ${{ steps.set-diff-trivy-matrix.outputs.image_diff_trivy_result }}
imagediff-docker-scout: ${{ steps.set-diff-docker-scout-matrix.outputs.image_diff_docker_scout_result }}
steps: steps:
- name: checkout code - name: checkout code
uses: actions/checkout@master uses: actions/checkout@master
@ -171,26 +171,26 @@ jobs:
with: with:
context: . context: .
file: build/linux/Dockerfile file: build/linux/Dockerfile
tags: trivy-portainer:${{ github.sha }} tags: local-portainer:${{ github.sha }}
outputs: type=docker,dest=/tmp/trivy-portainer-image.tar outputs: type=docker,dest=/tmp/local-portainer-image.tar
- name: load docker image - name: load docker image
run: | run: |
docker load --input /tmp/trivy-portainer-image.tar docker load --input /tmp/local-portainer-image.tar
- name: scan vulnerabilities by Trivy - name: scan vulnerabilities by Trivy
uses: docker://docker.io/aquasec/trivy:latest uses: docker://docker.io/aquasec/trivy:latest
continue-on-error: true continue-on-error: true
with: with:
args: image --ignore-unfixed=true --vuln-type="os,library" --exit-code=1 --format="json" --output="image-trivy.json" --no-progress trivy-portainer:${{ github.sha }} args: image --ignore-unfixed=true --vuln-type="os,library" --exit-code=1 --format="json" --output="image-trivy.json" --no-progress local-portainer:${{ github.sha }}
- name: upload image security scan result as artifact - name: upload Trivy image security scan result as artifact
uses: actions/upload-artifact@v3 uses: actions/upload-artifact@v3
with: with:
name: image-security-scan-feature-result name: image-security-scan-feature-result
path: image-trivy.json path: image-trivy.json
- name: download artifacts from develop branch built by nightly scan - name: download Trivy artifacts from develop branch built by nightly scan
env: env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: | run: |
@ -202,21 +202,65 @@ jobs:
echo "null" > ./image-trivy-develop.json echo "null" > ./image-trivy-develop.json
fi fi
- name: pr vs develop scan report comparison export to html - name: pr vs develop Trivy scan report comparison export to html
run: | run: |
$(docker run --rm -v ${{ github.workspace }}:/data portainerci/code-security-report:latest diff --report-type=trivy --path="/data/image-trivy-feature.json" --compare-to="/data/image-trivy-develop.json" --output-type=table --export --export-filename="/data/image-result") $(docker run --rm -v ${{ github.workspace }}:/data portainerci/code-security-report:latest diff --report-type=trivy --path="/data/image-trivy-feature.json" --compare-to="/data/image-trivy-develop.json" --output-type=table --export --export-filename="/data/image-trivy-result")
- name: upload html file as artifact - name: upload html file as Trivy artifact
uses: actions/upload-artifact@v3 uses: actions/upload-artifact@v3
with: with:
name: html-image-result-compare-to-develop-${{github.run_id}} name: html-image-result-compare-to-develop-${{github.run_id}}
path: image-result.html path: image-trivy-result.html
- name: analyse different vulnerabilities against develop branch - name: analyse different vulnerabilities against develop branch by Trivy
id: set-diff-matrix id: set-diff-trivy-matrix
run: | run: |
result=$(docker run --rm -v ${{ github.workspace }}:/data portainerci/code-security-report:latest diff --report-type=trivy --path="/data/image-trivy-feature.json" --compare-to="/data/image-trivy-develop.json" --output-type=matrix) result=$(docker run --rm -v ${{ github.workspace }}:/data portainerci/code-security-report:latest diff --report-type=trivy --path="/data/image-trivy-feature.json" --compare-to="/data/image-trivy-develop.json" --output-type=matrix)
echo "image_diff_result=${result}" >> $GITHUB_OUTPUT echo "image_diff_trivy_result=${result}" >> $GITHUB_OUTPUT
- name: scan vulnerabilities by Docker Scout
uses: docker/scout-action@v1
continue-on-error: true
with:
command: cves
image: local-portainer:${{ github.sha }}
sarif-file: image-docker-scout.json
dockerhub-user: ${{ secrets.DOCKER_HUB_USERNAME }}
dockerhub-password: ${{ secrets.DOCKER_HUB_PASSWORD }}
- name: upload Docker Scout image security scan result as artifact
uses: actions/upload-artifact@v3
with:
name: image-security-scan-feature-result
path: image-docker-scout.json
- name: download Docker Scout artifacts from develop branch built by nightly scan
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
mv ./image-docker-scout.json ./image-docker-scout-feature.json
(gh run download -n image-security-scan-develop-result -R ${{ github.repository }} 2>&1 >/dev/null) || :
if [[ -e ./image-docker-scout.json ]]; then
mv ./image-docker-scout.json ./image-docker-scout-develop.json
else
echo "null" > ./image-docker-scout-develop.json
fi
- name: pr vs develop Docker Scout scan report comparison export to html
run: |
$(docker run --rm -v ${{ github.workspace }}:/data portainerci/code-security-report:latest diff --report-type=docker-scout --path="/data/image-docker-scout-feature.json" --compare-to="/data/image-docker-scout-develop.json" --output-type=table --export --export-filename="/data/image-docker-scout-result")
- name: upload html file as Docker Scout artifact
uses: actions/upload-artifact@v3
with:
name: html-image-result-compare-to-develop-${{github.run_id}}
path: image-docker-scout-result.html
- name: analyse different vulnerabilities against develop branch by Docker Scout
id: set-diff-docker-scout-matrix
run: |
result=$(docker run --rm -v ${{ github.workspace }}:/data portainerci/code-security-report:latest diff --report-type=docker-scout --path="/data/image-docker-scout-feature.json" --compare-to="/data/image-docker-scout-develop.json" --output-type=matrix)
echo "image_diff_docker_scout_result=${result}" >> $GITHUB_OUTPUT
result-analysis: result-analysis:
name: Analyse Scan Result Against develop Branch name: Analyse Scan Result Against develop Branch
@ -229,18 +273,22 @@ jobs:
matrix: matrix:
jsdiff: ${{fromJson(needs.client-dependencies.outputs.jsdiff)}} jsdiff: ${{fromJson(needs.client-dependencies.outputs.jsdiff)}}
godiff: ${{fromJson(needs.server-dependencies.outputs.godiff)}} godiff: ${{fromJson(needs.server-dependencies.outputs.godiff)}}
imagediff: ${{fromJson(needs.image-vulnerability.outputs.imagediff)}} imagediff-trivy: ${{fromJson(needs.image-vulnerability.outputs.imagediff-trivy)}}
imagediff-docker-scout: ${{fromJson(needs.image-vulnerability.outputs.imagediff-docker-scout)}}
steps: steps:
- name: check job status of diff result - name: check job status of diff result
if: >- if: >-
matrix.jsdiff.status == 'failure' || matrix.jsdiff.status == 'failure' ||
matrix.godiff.status == 'failure' || matrix.godiff.status == 'failure' ||
matrix.imagediff.status == 'failure' matrix.imagediff-trivy.status == 'failure' ||
matrix.imagediff-docker-scout.status == 'failure'
run: | run: |
echo "${{ matrix.jsdiff.status }}" echo "${{ matrix.jsdiff.status }}"
echo "${{ matrix.godiff.status }}" echo "${{ matrix.godiff.status }}"
echo "${{ matrix.imagediff.status }}" echo "${{ matrix.imagediff-trivy.status }}"
echo "${{ matrix.imagediff-docker-scout.status }}"
echo "${{ matrix.jsdiff.summary }}" echo "${{ matrix.jsdiff.summary }}"
echo "${{ matrix.godiff.summary }}" echo "${{ matrix.godiff.summary }}"
echo "${{ matrix.imagediff.summary }}" echo "${{ matrix.imagediff-trivy.summary }}"
echo "${{ matrix.imagediff-docker-scout.summary }}"
exit 1 exit 1
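Review bot: The first line of the Docker Scout download step, `mv ./image-docker-scout.json ./image-docker-scout-feature.json`, assumes the scan wrote its SARIF, but the scan is `continue-on-error: true`, so after a failed scan the job still reaches this step and either the `mv` fails under the default `bash -e` run shell or, worse, renames a stale file. The stale case looks reachable here: the develop artifact `image-security-scan-develop-result` is shared by the nightly Trivy and Scout uploads, and the Trivy download step earlier in this job (its `gh run download` is just above its hunk) extracts the whole artifact into the workspace, so a develop `image-docker-scout.json` can already be on disk when the Scout step fails to overwrite it; the diff would then compare develop against itself and report no new CVEs, which silently defeats the gate this workflow exists for. I would give the scan step an `id` and only rename when the scan actually succeeded, falling back to the same `"null"` placeholder the develop branch already uses; the Trivy download step in this file, whose start is outside the hunk, would want the same guard. Whether docker/scout-action writes a partial SARIF on failure is not visible here, so the outcome check is the safer signal.

```yaml
      - name: scan vulnerabilities by Docker Scout
        id: docker-scout
        # … unchanged: uses / continue-on-error / with …
      - name: download Docker Scout artifacts from develop branch built by nightly scan
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          # only treat the SARIF as this PR's result when the scan itself passed;
          # a leftover develop copy from the earlier artifact download must not be renamed
          if [[ -e ./image-docker-scout.json && "${{ steps.docker-scout.outcome }}" == "success" ]]; then
            mv ./image-docker-scout.json ./image-docker-scout-feature.json
          else
            echo "null" > ./image-docker-scout-feature.json
          fi
          # … unchanged: gh run download and the develop-side fallback …
```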