1. Provide cross-platform/standalone Dockerfile 2. release.yml to publish SLSA-capable artifacts 3. Provide build target, test-image, build-image and push-image to sync with rancher. 4. Switch to golang:1.22 as its base image
1 parent
a129806
commit 176464d
Showing
6 changed files
with
245 additions
and
0 deletions.
@@ -0,0 +1 @@ | ||
data/cvedb filter=lfs diff=lfs merge=lfs -text |
@@ -0,0 +1,64 @@ | ||
name: Release | ||
|
||
on: | ||
push: | ||
tags: | ||
- 'v*' | ||
|
||
jobs: | ||
|
||
publish: | ||
runs-on: ubuntu-latest | ||
permissions: | ||
contents: read | ||
# write is needed for: | ||
# - OIDC for cosign's use in ecm-distro-tools/publish-image. | ||
# - Read vault secrets in rancher-eio/read-vault-secrets. | ||
id-token: write | ||
|
||
steps: | ||
- name: Checkout code | ||
uses: actions/checkout@v4 | ||
- name: Load Secrets from Vault | ||
uses: rancher-eio/read-vault-secrets@main | ||
with: | ||
secrets: | | ||
secret/data/github/repo/${{ github.repository }}/dockerhub/neuvector/credentials username | DOCKER_USERNAME ; | ||
secret/data/github/repo/${{ github.repository }}/dockerhub/neuvector/credentials password | DOCKER_PASSWORD ; | ||
secret/data/github/repo/${{ github.repository }}/rancher-prime-registry/credentials registry | PRIME_REGISTRY ; | ||
secret/data/github/repo/${{ github.repository }}/rancher-prime-registry/credentials username | PRIME_REGISTRY_USERNAME ; | ||
secret/data/github/repo/${{ github.repository }}/rancher-prime-registry/credentials password | PRIME_REGISTRY_PASSWORD | ||
- name: Parse target tag | ||
run: | | ||
TARGET=${{ github.ref_name }} | ||
echo "TAG=${TARGET#v}" >> $GITHUB_ENV | ||
- name: Download vulnerability database | ||
run: | | ||
wget https://${{ secrets.VULNDB_SERVER }}/${TAG}/cvedb.regular -O data/cvedb.regular | ||
- name: Publish manifest | ||
uses: rancher/ecm-distro-tools/actions/publish-image@master | ||
with: | ||
image: neuvector-scanner | ||
tag: ${{ env.TAG }} | ||
platforms: linux/amd64,linux/arm64 | ||
|
||
public-registry: docker.io | ||
public-repo: neuvector | ||
public-username: ${{ env.DOCKER_USERNAME }} | ||
public-password: ${{ env.DOCKER_PASSWORD }} | ||
|
||
prime-registry: ${{ env.PRIME_REGISTRY }} | ||
prime-repo: rancher | ||
prime-username: ${{ env.PRIME_REGISTRY_USERNAME }} | ||
prime-password: ${{ env.PRIME_REGISTRY_PASSWORD }} | ||
- name: Login to registry | ||
uses: docker/login-action@v3 | ||
with: | ||
registry: docker.io | ||
username: ${{ secrets.DOCKER_USERNAME }} | ||
password: ${{ secrets.DOCKER_PASSWORD }} | ||
- name: Publish neuvector | ||
run: | | ||
docker buildx imagetools create --tag docker.io/${{ github.repository_owner }}/neuvector-scanner:6 docker.io/${{ github.repository_owner }}/neuvector-scanner:${TAG} | ||
docker buildx imagetools create --tag docker.io/${{ github.repository_owner }}/scanner:${TAG} docker.io/${{ github.repository_owner }}/neuvector-scanner:${TAG} | ||
docker buildx imagetools create --tag docker.io/${{ github.repository_owner }}/scanner:6 docker.io/${{ github.repository_owner }}/neuvector-scanner:6 |
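Review bot: The `Login to registry` step authenticates with `secrets.DOCKER_USERNAME`/`secrets.DOCKER_PASSWORD` from repository secrets, while the same Docker Hub credentials were loaded from Vault into `env.DOCKER_USERNAME`/`env.DOCKER_PASSWORD` a few steps earlier for `publish-image`; two sources for one credential means the re-tag step breaks as soon as the repository secrets are retired, so use `username: ${{ env.DOCKER_USERNAME }}` and `password: ${{ env.DOCKER_PASSWORD }}` here as well. The `Download vulnerability database` step fetches `cvedb.regular` with no integrity check in the workflow; the only verification is the Dockerfile's `sha256sum --check` against the build-arg default `VULNDB_CHECKSUM`, which presumably has to be updated in the Dockerfile for every new `${TAG}` or the image build fails, and a comment on this step pointing at that coupling would help the next release. The re-tag commands address `docker.io/${{ github.repository_owner }}/…` while the publish step pushes to `public-repo: neuvector`, so the `:6` floating tag is only created when the workflow runs under the `neuvector` owner; spelling the repository once as a workflow `env` value and using it in both places removes the mismatch. `${TAG}` is interpolated unquoted into the `wget` and `imagetools` commands; quoting it as `"${TAG}"` keeps the steps robust against unexpected ref names.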
@@ -29,4 +29,5 @@ _testmain.go | |
*.bak | ||
|
||
/scanner | ||
data/cvedb.regular | ||
/task/scannerTask_test1.go |
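--- /dev/null
+++ b/Dockerfile
@@ -0,0 +1,75 @@
+ARG VULNDB_VERSION=3.592
+ARG VULNDB_CHECKSUM=c19321b848a384bb83dc410faa4a269e7f5d9cc40eb7187d35ada7af70f3a10f
+ARG SIGSTORE_VERSION=86e52391a84c8b9bfceac957de7de4b3177604bf
+#
+# Builder
+#
+FROM registry.suse.com/bci/golang:1.22 AS builder
+ARG VERSION
+ARG VULNDB_CHECKSUM
+ARG SIGSTORE_VERSION
+
+RUN zypper in -y wget
+
+# Build controller
+COPY common/ /src/common
+COPY cvetools/ /src/cvetools
+COPY data/ /src/data
+COPY detectors/ /src/detectors
+COPY monitor/ /src/monitor
+COPY task/ /src/task
+COPY vendor/ /src/vendor
+COPY Makefile go.mod go.sum *.go /src/
+
+WORKDIR /src
+RUN git clone https://github.com/neuvector/sigstore-interface --single-branch sigstore-interface && cd sigstore-interface && git checkout ${SIGSTORE_VERSION} && make
+RUN if [ -f "data/cvedb.regular" ]; then echo "using cvedb.regular"; echo "$VULNDB_CHECKSUM data/cvedb.regular" | sha256sum --check --status; else echo "using cvedb"; cp "data/cvedb" "data/cvedb.regular"; fi
+RUN make slsa_all
+
+#
+# Base images
+#
+FROM registry.suse.com/bci/bci-micro:15.6 AS micro
+FROM registry.suse.com/bci/bci-base:15.6 AS base
+
+COPY --from=micro / /chroot/
+RUN zypper refresh && zypper --installroot /chroot -n in --no-recommends \
+ca-certificates procps grep && \
+zypper --installroot /chroot clean -a && \
+rm -rf /chroot/var/log/
+
+RUN cd /chroot/usr/bin/ && rm -rf basename chcon chgrp chmod chown chroot cksum dd df dircolors dirname du install install-info join locale localedef mkdir mkfifo mknod mktemp paste pathchk readlink realpath sync smidiff smidump smilink smiquery smistrip smixlate tee tiemout tload top truncate unlink watch
+
+RUN mkdir -p /chroot/etc/neuvector/certs/internal/ && mkdir -p /chroot/share && touch /chroot/share/.nvcontainer
+
+#
+# Artifact
+#
+FROM micro
+WORKDIR /
+COPY --from=base /chroot/ /
+COPY --from=builder /src/stage /
+
+ARG COMMIT
+ARG VERSION
+ARG VULNDB_VERSION
+ARG SIGSTORE_VERSION
+
+LABEL name="scanner" \
+vendor="SUSE Security" \
+version=${VERSION} \
+release=${VERSION} \
+neuvector.image="neuvector/scanner" \
+neuvector.role="scanner" \
+neuvector.rev="${COMMIT}" \
+neuvector.vuln_db="${VULNDB_VERSION}" \
+neuvector.sigstore="${SIGSTORE_VERSION}" \
+"io.artifacthub.package.logo-url"=https://avatars2.githubusercontent.com/u/19367275 \
+"io.artifacthub.package.readme-url"="https://raw.githubusercontent.com/neuvector/scanner/${VERSION}/README.md" \
+"org.opencontainers.image.description"="SUSE Security Scanner" \
+"org.opencontainers.image.title"="SUSE Security Scanner" \
+"org.opencontainers.image.source"="https://github.com/neuvector/scanner/" \
+"org.opencontainers.image.version"="${VERSION}" \
+"org.opensuse.reference"="neuvector/scanner:${VERSION}"
+
+ENTRYPOINT ["/usr/local/bin/monitor"]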
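Review bot: The coreutils prune list in `RUN cd /chroot/usr/bin/ && rm -rf …` contains the token `tiemout`, so `timeout` survives into the runtime image while `rm -rf` hides the miss; correct it to `timeout`. The final stage declares no `USER`, so `/usr/local/bin/monitor` starts as root on top of `bci-micro`, which as copied here carries no non-root account; if the scanner does not require root, create a fixed-uid account in the `base` stage (that stage has a full `bci-base` userland to write into `/chroot/etc/passwd` and `/chroot/etc/group`) and add `USER <uid>` before `ENTRYPOINT`. The defaults `VULNDB_VERSION=3.592` and `VULNDB_CHECKSUM=…` describe the same `data/cvedb.regular` and must be bumped together, yet nothing in the file says so; a comment above them such as `# VULNDB_VERSION and VULNDB_CHECKSUM refer to the same data/cvedb.regular; update both together or the sha256sum check below fails` would make the coupling explicit. `RUN zypper in -y wget` in the builder is unpinned and `wget` is not referenced anywhere in this file; if `make slsa_all` depends on it, a one-line comment saying so justifies the layer, otherwise it can be dropped.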