From c7396d57508992b734492afbfcd4e0e1806ab6ed Mon Sep 17 00:00:00 2001 From: ashnamehrotra Date: Thu, 8 Feb 2024 14:25:29 -0800 Subject: [PATCH 01/22] enable support for buildx Signed-off-by: ashnamehrotra --- Dockerfile | 2 +- action.yaml | 17 ++++++++--------- entrypoint.sh | 15 ++++++++++++--- 3 files changed, 21 insertions(+), 13 deletions(-) diff --git a/Dockerfile b/Dockerfile index 558d723..2e9d16c 100644 --- a/Dockerfile +++ b/Dockerfile @@ -20,7 +20,7 @@ RUN apt-get update && \ tee /etc/apt/sources.list.d/docker.list > /dev/null && \ # Install Docker apt-get update && \ - apt-get install -y docker-ce docker-ce-cli containerd.io --no-install-recommends + apt-get install -y docker-ce docker-ce-cli docker-buildx-plugin containerd.io --no-install-recommends # Install Copa RUN curl --retry 5 -fsSL -o copa.tar.gz https://github.com/project-copacetic/copacetic/releases/download/v${copa_version}/copa_${copa_version}_linux_amd64.tar.gz && \ diff --git a/action.yaml b/action.yaml index 0bc767a..ded5d99 100644 --- a/action.yaml +++ b/action.yaml @@ -22,6 +22,7 @@ inputs: description: "Copa version to use" output: description: "Output filename" + default: "output.json" format: description: "Output format" default: "openvex" @@ -32,14 +33,6 @@ outputs: runs: using: "composite" steps: - - name: docker run buildkitd - shell: bash - run: | - if [ -z "${{ inputs.buildkit-version }}" ]; then - docker run --net=host --detach --rm --privileged -p 127.0.0.1:8888:8888 --name buildkitd --entrypoint buildkitd moby/buildkit:latest --addr tcp://0.0.0.0:8888 - else - docker run --net=host --detach --rm --privileged -p 127.0.0.1:8888:8888 --name buildkitd --entrypoint buildkitd moby/buildkit:${{ inputs.buildkit-version }} --addr tcp://0.0.0.0:8888 - fi - name: docker run copa-action id: copa-action shell: bash 
@@ -50,4 +43,10 @@ runs: else version="${{ inputs.copa-version }}" fi - docker run --net=host --mount=type=bind,source=$(pwd),target=/data --mount=type=bind,source=/var/run/docker.sock,target=/var/run/docker.sock --mount=type=bind,source=$GITHUB_OUTPUT,target=$GITHUB_OUTPUT -e GITHUB_OUTPUT --name=copa-action "ghcr.io/project-copacetic/copa-action:v$version" ${{ inputs.image }} ${{ inputs.image-report }} ${{ inputs.patched-tag }} ${{ inputs.timeout }} ${{ inputs.output }} ${{ inputs.format }} + + if [ -z "${{ inputs.buildkit-version }}" ]; then + docker run --net=host --mount=type=bind,source=$(pwd),target=/data --mount=type=bind,source="/var/run/docker.sock",target="/var/run/docker.sock" --mount=type=bind,source=$GITHUB_OUTPUT,target=$GITHUB_OUTPUT -e GITHUB_OUTPUT --name=copa-action "ashnam/copa-action:test" ${{ inputs.image }} ${{ inputs.image-report }} ${{ inputs.patched-tag }} ${{ inputs.timeout }} ${{ inputs.output }} ${{ inputs.format }} + else + docker run --net=host --detach --rm --privileged -p 127.0.0.1:8888:8888 --name buildkitd --entrypoint buildkitd moby/buildkit:${{ inputs.buildkit-version }} --addr tcp://0.0.0.0:8888 + docker run --net=host --mount=type=bind,source=$(pwd),target=/data --mount=type=bind,source="/var/run/docker.sock",target="/var/run/docker.sock" --mount=type=bind,source=$GITHUB_OUTPUT,target=$GITHUB_OUTPUT -e GITHUB_OUTPUT --name=copa-action "ashnam/copa-action:test" ${{ inputs.image }} ${{ inputs.image-report }} ${{ inputs.patched-tag }} ${{ inputs.timeout }} ${{ inputs.output }} ${{ inputs.format }} ${{ inputs.buildkit-version }} + fi diff --git a/entrypoint.sh b/entrypoint.sh index bb3b784..cd095d1 100755 --- a/entrypoint.sh +++ b/entrypoint.sh @@ -6,7 +6,7 @@ patched_tag=$3 timeout=$4 output_file=$5 format=$6 - +buildkitd_container=$7 # parse image into image name image_no_tag=$(echo "$image" | cut -d':' -f1) 
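Review bot: Both new `docker run` lines pull `"ashnam/copa-action:test"`, a personal Docker Hub repository with a mutable tag, where the removed line used the project's versioned `"ghcr.io/project-copacetic/copa-action:v$version"`; `$version`, computed just above in this hunk, is now dead and every consumer of the action would run an image outside the project's control. This looks like a local test image that was not reverted, so both lines should go back to `"ghcr.io/project-copacetic/copa-action:v$version"`. The detached `--privileged` `buildkitd` container started in the `else` branch is also never stopped, as far as this hunk shows, so it outlives the step. The `run:` script this sits in starts before the hunk.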
@@ -19,8 +19,18 @@ else output="--format $format --output ./data/"$output_file"" fi +# check if buildkit container is set +if [ -z "$buildkitd_container" ] +then + docker buildx create --name=copa-action + docker buildx use --default copa-action + buildkit="--addr buildx://copa-action" +else + buildkit="--addr tcp://127.0.0.1:8888" +fi + # run copa to patch image -if copa patch -i "$image" -r ./data/"$report" -t "$patched_tag" --addr tcp://127.0.0.1:8888 --timeout $timeout $output; +if copa patch -i "$image" -r ./data/"$report" -t "$patched_tag" $buildkit --timeout $timeout $output; then patched_image="$image_no_tag:$patched_tag" echo "patched-image=$patched_image" >> "$GITHUB_OUTPUT" @@ -28,4 +38,3 @@ else echo "Error patching image $image with copa" exit 1 fi - From ad52fa11a520a39c19750665565ce72139ab9011 Mon Sep 17 00:00:00 2001 From: ashnamehrotra Date: Thu, 8 Feb 2024 14:25:41 -0800 Subject: [PATCH 02/22] modify build test Signed-off-by: ashnamehrotra --- .github/workflows/build.yaml | 1 - 1 file changed, 1 deletion(-) diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml index e018659..b0406c2 100644 --- a/.github/workflows/build.yaml +++ b/.github/workflows/build.yaml @@ -43,7 +43,6 @@ jobs: - name: Bats Test run: | - docker run --net=host --detach --rm --privileged -p 127.0.0.1:8888:8888 --name buildkitd --entrypoint buildkitd moby/buildkit:v${{ env.BUILDKIT_VERSION }} --addr tcp://0.0.0.0:8888 docker build --build-arg copa_version=${COPA_VERSION} -t copa-action . docker run --net=host \ --mount=type=bind,source=/tmp,target=/data \ From e8b770af64dcd6e51307433c677808f766a41326 Mon Sep 17 00:00:00 2001 From: ashnamehrotra Date: Thu, 8 Feb 2024 15:40:51 -0800 Subject: [PATCH 03/22] allow for custom socket input and clean code Signed-off-by: ashnamehrotra --- .github/workflows/build.yaml | 2 +- action.yaml | 15 ++++++++++----- entrypoint.sh | 35 +++++++++++++++++++++++------------ 3 files changed, 34 insertions(+), 18 deletions(-) 
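Review bot: `docker buildx create --name=copa-action` has no guard for a builder that already exists, so a second invocation against the same daemon (a re-run, or the action used twice in one job) gets a create error; as far as this hunk shows the script has no `set -e` yet, so it then carries on to `docker buildx use` against whatever builder of that name is already there, and once PATCH 03 adds `set -ex` the same line aborts the step instead. Guarding it with `docker buildx inspect copa-action >/dev/null 2>&1 || docker buildx create --name=copa-action` covers both cases. The builder is also never removed after patching (`docker buildx rm copa-action`), which a persistent runner would accumulate.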
diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml index b0406c2..0cca027 100644 --- a/.github/workflows/build.yaml +++ b/.github/workflows/build.yaml @@ -49,6 +49,6 @@ jobs: --mount=type=bind,source=/var/run/docker.sock,target=/var/run/docker.sock \ --mount=type=bind,source=$GITHUB_OUTPUT,target=$GITHUB_OUTPUT -e GITHUB_OUTPUT \ --name=copa-action \ - copa-action 'docker.io/library/nginx:1.21.6' 'nginx.1.21.6.json' '1.21.6-patched' '10m' 'output.json' 'openvex' + copa-action 'docker.io/library/nginx:1.21.6' 'nginx.1.21.6.json' '1.21.6-patched' '10m' 'output.json' 'openvex' 'buildx' docker images bats --print-output-on-failure ./test/test.bats diff --git a/action.yaml b/action.yaml index ded5d99..3443447 100644 --- a/action.yaml +++ b/action.yaml @@ -26,6 +26,8 @@ inputs: format: description: "Output format" default: "openvex" + custom-socket: + description: "custom socket address if setting up containerd image store" outputs: patched-image: description: 'Image reference of patched image' @@ -33,10 +35,11 @@ outputs: runs: using: "composite" steps: - - name: docker run copa-action + - name: Docker run copa-action id: copa-action shell: bash run : | + # check for copa version, else use latest if [ -z "${{ inputs.copa-version }}" ]; then latest_tag=$(curl --retry 5 -s "https://api.github.com/repos/project-copacetic/copacetic/releases/latest" | jq -r '.tag_name') version=${latest_tag:1} 
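Review bot: The new `custom-socket` input needs its description to say the value is a filesystem path, because the step in the next hunk bind-mounts it as the container's `/var/run/docker.sock`, so a `unix://` or `tcp://` address cannot work; the README's "Get socket path" step in PATCH 05 strips the scheme for exactly this reason. Something like `description: "Path to a custom Docker socket to bind-mount into the action (for daemons using the containerd image store)"` would spare users the silent mount failure.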
@@ -44,9 +47,11 @@ runs: version="${{ inputs.copa-version }}" fi - if [ -z "${{ inputs.buildkit-version }}" ]; then - docker run --net=host --mount=type=bind,source=$(pwd),target=/data --mount=type=bind,source="/var/run/docker.sock",target="/var/run/docker.sock" --mount=type=bind,source=$GITHUB_OUTPUT,target=$GITHUB_OUTPUT -e GITHUB_OUTPUT --name=copa-action "ashnam/copa-action:test" ${{ inputs.image }} ${{ inputs.image-report }} ${{ inputs.patched-tag }} ${{ inputs.timeout }} ${{ inputs.output }} ${{ inputs.format }} - else + if [ -n "{{ inputs.custom-socket}}"]; then + docker run --net=host --mount=type=bind,source=$(pwd),target=/data --mount=type=bind,source="${{ inputs.custom-socket }}",target="/var/run/docker.sock" --mount=type=bind,source=$GITHUB_OUTPUT,target=$GITHUB_OUTPUT -e GITHUB_OUTPUT --name=copa-action "ghcr.io/project-copacetic/copa-action:v$version" ${{ inputs.image }} ${{ inputs.image-report }} ${{ inputs.patched-tag }} ${{ inputs.timeout }} ${{ inputs.output }} ${{ inputs.format }} + elif [ -m "${{ inputs.buildkit-version }}" ]; then docker run --net=host --detach --rm --privileged -p 127.0.0.1:8888:8888 --name buildkitd --entrypoint buildkitd moby/buildkit:${{ inputs.buildkit-version }} --addr tcp://0.0.0.0:8888 - docker run --net=host --mount=type=bind,source=$(pwd),target=/data --mount=type=bind,source="/var/run/docker.sock",target="/var/run/docker.sock" --mount=type=bind,source=$GITHUB_OUTPUT,target=$GITHUB_OUTPUT -e GITHUB_OUTPUT --name=copa-action "ashnam/copa-action:test" ${{ inputs.image }} ${{ inputs.image-report }} ${{ inputs.patched-tag }} ${{ inputs.timeout }} ${{ inputs.output }} ${{ inputs.format }} ${{ inputs.buildkit-version }} + docker run --net=host --mount=type=bind,source=$(pwd),target=/data --mount=type=bind,source="/var/run/docker.sock",target="/var/run/docker.sock" --mount=type=bind,source=$GITHUB_OUTPUT,target=$GITHUB_OUTPUT -e GITHUB_OUTPUT --name=copa-action "ghcr.io/project-copacetic/copa-action:v$version" ${{ 
inputs.image }} ${{ inputs.image-report }} ${{ inputs.patched-tag }} ${{ inputs.timeout }} ${{ inputs.output }} ${{ inputs.format }} "buildkit-container" + else + docker run --net=host --mount=type=bind,source=$(pwd),target=/data --mount=type=bind,source="/var/run/docker.sock",target="/var/run/docker.sock" --mount=type=bind,source=$GITHUB_OUTPUT,target=$GITHUB_OUTPUT -e GITHUB_OUTPUT --name=copa-action "ghcr.io/project-copacetic/copa-action:v$version" ${{ inputs.image }} ${{ inputs.image-report }} ${{ inputs.patched-tag }} ${{ inputs.timeout }} ${{ inputs.output }} ${{ inputs.format }} "buildx" fi diff --git a/entrypoint.sh b/entrypoint.sh index cd095d1..425e81f 100755 --- a/entrypoint.sh +++ b/entrypoint.sh @@ -1,4 +1,6 @@ -#!/bin/sh +#!/bin/sh + +set -ex; image=$1 report=$2 @@ -6,7 +8,8 @@ patched_tag=$3 timeout=$4 output_file=$5 format=$6 -buildkitd_container=$7 +connection_format=$7 + # parse image into image name image_no_tag=$(echo "$image" | cut -d':' -f1) 
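Review bot: The new `if [ -n "{{ inputs.custom-socket}}"]; then` can never select the custom-socket branch: the `$` is missing, so the runner does not expand the expression and the test sees a literal string, and with no space before `]` the shell reports a missing `]`, the condition evaluates false, and the input is silently ignored; `-m` on the `elif` line is not a `test` operator either, so that branch errors as well and everything falls through to `buildx`. The lines should read `if [ -n "${{ inputs.custom-socket }}" ]; then` and `elif [ -n "${{ inputs.buildkit-version }}" ]; then`. The `action.yaml` hunks in PATCH 05 and PATCH 06 fix `-m` and re-touch the first line but keep both the missing `$` and the missing space, so the same fix applies there. The enclosing `run:` script starts before this hunk.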
@@ -19,18 +22,26 @@ else output="--format $format --output ./data/"$output_file"" fi -# check if buildkit container is set -if [ -z "$buildkitd_container" ] -then - docker buildx create --name=copa-action - docker buildx use --default copa-action - buildkit="--addr buildx://copa-action" -else - buildkit="--addr tcp://127.0.0.1:8888" -fi +# check selected method of connection +case "$connection_format" in + # through a buildx instance (allows for patching private images) + "buildx") + docker buildx create --name=copa-action + docker buildx use --default copa-action + connection="--addr buildx://copa-action" + ;; + # through a running buildkit container + "buildkit-container") + connection="--addr tcp://127.0.0.1:8888" + ;; + # none specified = through default docker buildkit endpoint (allows for patching local and private images) + *) + connection="" + ;; +esac # run copa to patch image -if copa patch -i "$image" -r ./data/"$report" -t "$patched_tag" $buildkit --timeout $timeout $output; +if copa patch -i "$image" -r ./data/"$report" -t "$patched_tag" $connection --timeout $timeout $output; then patched_image="$image_no_tag:$patched_tag" echo "patched-image=$patched_image" >> "$GITHUB_OUTPUT" From 25154c45a528295393a27a6e1ae1d824ac324f7b Mon Sep 17 00:00:00 2001 From: ashnamehrotra Date: Thu, 8 Feb 2024 15:41:21 -0800 Subject: [PATCH 04/22] remove teardown from test Signed-off-by: ashnamehrotra --- test/test.bats | 4 ---- 1 file changed, 4 deletions(-) diff --git a/test/test.bats b/test/test.bats index be4310f..a596fb9 100755 --- a/test/test.bats +++ b/test/test.bats @@ -2,10 +2,6 @@ load helpers -teardown_file() { - docker stop buildkitd -} - @test "Check patched image exists" { docker images id=$(docker images --quiet 'nginx:1.21.6-patched') From 6efdf568b06e63ce4fa848728ff2fa6987706e72 Mon Sep 17 00:00:00 2001 From: ashnamehrotra Date: Fri, 9 Feb 2024 12:09:08 -0800 Subject: [PATCH 05/22] code cleanup and documentation 
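Review bot: The `*)` arm turns any unrecognised `$connection_format` (a typo such as `buildkit_container` from a caller) into a silent run against the default endpoint, because the empty value used for the custom-socket path and a wrong value are indistinguishable here; PATCH 05 then drops the catch-all entirely, leaving `connection` unassigned for unknown values. Making the intended default explicit and failing otherwise keeps the behaviour for valid callers: `"") connection="" ;;` followed by `*) echo "Unknown connection format: $connection_format" >&2; exit 1 ;;`. The `copa patch` line that consumes `$connection` continues past this hunk.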
Signed-off-by: ashnamehrotra --- README.md | 64 ++++++++++++++++++++++++++++++++++++++++++--------- action.yaml | 21 +++++++++++------ entrypoint.sh | 10 ++++---- 3 files changed, 72 insertions(+), 23 deletions(-) diff --git a/README.md b/README.md index 8610f14..42b0d61 100644 --- a/README.md +++ b/README.md 
@@ -7,16 +7,19 @@ Copacetic Action is supported with Copa version 0.3.0 and later. ## Inputs -| Name | Type | Required | Default | Description | -| ------------------ | ------ | -------- | --------- | ------------------------------------------------------ | -| `image` | String | True | | Image reference to patch | -| `image-report` | String | True | | Trivy JSON vulnerability report of the image to patch | -| `patched-tag` | String | True | | Patched image tag | -| `timeout` | String | False | `5m` | Timeout for `copa patch` | -| `buildkit-version` | String | False | `latest` | Buildkit version | -| `copa-version` | String | False | `latest` | Copa version | -| `output` | String | False | | Output filename (available with copa v0.5.0 and later) | -| `format` | String | False | `openvex` | Output format (available with copa v0.5.0 and later) | +| Name | Type | Required | Default | Description | +| ------------------ | ------ | -------- | --------- | -------------------------------------------------------------------------- | +| `image` | String | True | | Image reference to patch | +| `image-report` | String | True | | Trivy JSON vulnerability report of the image to patch | +| `patched-tag` | String | True | | Patched image tag | +| `timeout` | String | False | `5m` | Timeout for `copa patch` | +| `buildkit-version` | String | False | `latest` | Buildkit version | +| `copa-version` | String | False | `latest` | Copa version | +| `output` | String | False | | Output filename (available with copa-action v0.6.1 and later) | +| `format` | String | False | `openvex` | Output format (available with copa-action v0.6.1 and later) | +| `custom-socket` | String | False | | Custom Docker socket address (available with copa-action v0.6.1 and later) | + +**Note: Copacetic released version's features do not align with Copa Action versions.** ## Outputs 
@@ -24,6 +27,45 @@ Copacetic Action is supported with Copa version 0.3.0 and later. | --------------- | ------ | ------------------------------------ | | `patched-image` | String | Image reference of the patched image | +## Ways to connect to Buildkit +*Custom Buildkit connection to patch local or private images is only available with Copa-Action versions 0.6.1 and later. For all earlier Copa-Action versions, Buildkit in a container is the default approach.* + +### Option 1: Connect to buildx instance (default) +By default, Copa Action creates its own Buildx instance to connect to for patching public and private images. + +### Option 2: Connect using defaults through a custom socket +To patch local images, `copa` is limited to using `docker`'s built-in buildkit service, and must use the [`containerd image store`](https://docs.docker.com/storage/containerd/) feature. To enable this in your Github workflow, use `ghaction-setup-docker`'s [daemon-configuration](https://github.com/crazy-max/ghaction-setup-docker#daemon-configuration) to set `"containerd-snapshotter": true`. + +Example: +``` yaml + - name: Set up Docker + uses: crazy-max/ghaction-setup-docker@v3 + with: + daemon-config: | + { + "debug": true, + "experimental": true, + "features": { + "containerd-snapshotter": true + } + } + - name: Get socket path + run: | + url=$(docker context inspect | jq -r .[0].Endpoints.docker.Host) + socket_path=$(echo "$url" | awk -F// '{print $2}') + echo "$socket_path" + echo "SOCKET=$socket_path" >> $GITHUB_ENV +``` + +Then, supply the resulting socket path (`$SOCKET`) as the input `custom-socket` for the Copa Action to connect to. + +### Option 3: Buildkit in a container +To connect via buildkit in a container, provide the input `buildkit-version`. Copa Action will create a buildkit container with that version to connect to. 
+**Note: this approach does not allow for patching of local or private images.** + + +Refer to [Copacetic documentation](https://project-copacetic.github.io/copacetic/website/custom-address) to learn more about connecting Copa to Buildkit. + ## Example usage -https://github.com/project-copacetic/copa-action/blob/941743581b0da5e581ca5a575f9316228c2f6c00/.github/workflows/patch.yaml#L1-L77 \ No newline at end of file +https://github.com/project-copacetic/copa-action/blob/941743581b0da5e581ca5a575f9316228c2f6c00/.github/workflows/patch.yaml#L1-L77 diff --git a/action.yaml b/action.yaml index 3443447..a749b54 100644 --- a/action.yaml +++ b/action.yaml @@ -27,7 +27,7 @@ inputs: description: "Output format" default: "openvex" custom-socket: - description: "custom socket address if setting up containerd image store" + description: "Custom socket address if setting up containerd image store" outputs: patched-image: description: 'Image reference of patched image' @@ -39,7 +39,7 @@ runs: id: copa-action shell: bash run : | - # check for copa version, else use latest + # check for copa version input, else use latest if [ -z "${{ inputs.copa-version }}" ]; then latest_tag=$(curl --retry 5 -s "https://api.github.com/repos/project-copacetic/copacetic/releases/latest" | jq -r '.tag_name') version=${latest_tag:1} 
@@ -47,11 +47,18 @@ runs: version="${{ inputs.copa-version }}" fi + # default docker socket and connection type + socket="/var/run/docker.sock" + connection="buildx" + + # check for other methods of connection if [ -n "{{ inputs.custom-socket}}"]; then - docker run --net=host --mount=type=bind,source=$(pwd),target=/data --mount=type=bind,source="${{ inputs.custom-socket }}",target="/var/run/docker.sock" --mount=type=bind,source=$GITHUB_OUTPUT,target=$GITHUB_OUTPUT -e GITHUB_OUTPUT --name=copa-action "ghcr.io/project-copacetic/copa-action:v$version" ${{ inputs.image }} ${{ inputs.image-report }} ${{ inputs.patched-tag }} ${{ inputs.timeout }} ${{ inputs.output }} ${{ inputs.format }} - elif [ -m "${{ inputs.buildkit-version }}" ]; then + socket=${{ inputs.custom-socket }}" + connection="custom-socket" + elif [ -n "${{ inputs.buildkit-version }}" ]; then docker run --net=host --detach --rm --privileged -p 127.0.0.1:8888:8888 --name buildkitd --entrypoint buildkitd moby/buildkit:${{ inputs.buildkit-version }} --addr tcp://0.0.0.0:8888 - docker run --net=host --mount=type=bind,source=$(pwd),target=/data --mount=type=bind,source="/var/run/docker.sock",target="/var/run/docker.sock" --mount=type=bind,source=$GITHUB_OUTPUT,target=$GITHUB_OUTPUT -e GITHUB_OUTPUT --name=copa-action "ghcr.io/project-copacetic/copa-action:v$version" ${{ inputs.image }} ${{ inputs.image-report }} ${{ inputs.patched-tag }} ${{ inputs.timeout }} ${{ inputs.output }} ${{ inputs.format }} "buildkit-container" - else - docker run --net=host --mount=type=bind,source=$(pwd),target=/data --mount=type=bind,source="/var/run/docker.sock",target="/var/run/docker.sock" --mount=type=bind,source=$GITHUB_OUTPUT,target=$GITHUB_OUTPUT -e GITHUB_OUTPUT --name=copa-action "ghcr.io/project-copacetic/copa-action:v$version" ${{ inputs.image }} ${{ inputs.image-report }} ${{ inputs.patched-tag }} ${{ inputs.timeout }} ${{ inputs.output }} ${{ inputs.format }} "buildx" + connection="buildkit-container" fi + + # run 
copa-action based on inputs + docker run --net=host --mount=type=bind,source=$(pwd),target=/data --mount=type=bind,source="$socket",target="/var/run/docker.sock" --mount=type=bind,source=$GITHUB_OUTPUT,target=$GITHUB_OUTPUT -e GITHUB_OUTPUT --name=copa-action "ghcr.io/project-copacetic/copa-action:v$version" ${{ inputs.image }} ${{ inputs.image-report }} ${{ inputs.patched-tag }} ${{ inputs.timeout }} ${{ inputs.output }} ${{ inputs.format }} "$connection" diff --git a/entrypoint.sh b/entrypoint.sh index 425e81f..2b601ee 100755 --- a/entrypoint.sh +++ b/entrypoint.sh @@ -22,20 +22,20 @@ else output="--format $format --output ./data/"$output_file"" fi -# check selected method of connection +# check selected method of buildkit connection case "$connection_format" in - # through a buildx instance (allows for patching private images) + # through a buildx instance "buildx") docker buildx create --name=copa-action docker buildx use --default copa-action connection="--addr buildx://copa-action" ;; - # through a running buildkit container + # through a running buildkit container over tcp "buildkit-container") connection="--addr tcp://127.0.0.1:8888" ;; - # none specified = through default docker buildkit endpoint (allows for patching local and private images) - *) + # through the default docker buildkit endpoint enabled with a custom socket + "custom-socket") connection="" ;; esac From f830a723c5f3e9e6322bdec884c012ebf624813a Mon Sep 17 00:00:00 2001 From: ashnamehrotra Date: Fri, 9 Feb 2024 13:12:36 -0800 Subject: [PATCH 06/22] syntax fix Signed-off-by: ashnamehrotra --- action.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/action.yaml b/action.yaml index a749b54..49c61f9 100644 --- a/action.yaml +++ b/action.yaml 
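Review bot: The rewritten `docker run` line still splices every `${{ inputs.* }}` directly into the bash command line, unquoted, so an input containing whitespace or shell metacharacters is re-parsed as extra arguments or commands before the container even starts (the runner substitutes the expression before bash sees the script, so quoting alone does not help); only the new `"$connection"` is passed safely. The usual fix is an `env:` block on the step that maps each input to a variable and a command line that references those variables in double quotes, which also makes argument positions robust to empty inputs. The step header where `env:` belongs is above this hunk.
```yaml
      env:
        COPA_IMAGE: ${{ inputs.image }}
        COPA_IMAGE_REPORT: ${{ inputs.image-report }}
        COPA_PATCHED_TAG: ${{ inputs.patched-tag }}
        COPA_TIMEOUT: ${{ inputs.timeout }}
        COPA_OUTPUT: ${{ inputs.output }}
        COPA_FORMAT: ${{ inputs.format }}
      run : |
        # … unchanged: version lookup and socket/connection selection …
        docker run --net=host --mount=type=bind,source=$(pwd),target=/data --mount=type=bind,source="$socket",target="/var/run/docker.sock" --mount=type=bind,source=$GITHUB_OUTPUT,target=$GITHUB_OUTPUT -e GITHUB_OUTPUT --name=copa-action "ghcr.io/project-copacetic/copa-action:v$version" "$COPA_IMAGE" "$COPA_IMAGE_REPORT" "$COPA_PATCHED_TAG" "$COPA_TIMEOUT" "$COPA_OUTPUT" "$COPA_FORMAT" "$connection"
```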
@@ -52,8 +52,8 @@ runs: connection="buildx" # check for other methods of connection - if [ -n "{{ inputs.custom-socket}}"]; then - socket=${{ inputs.custom-socket }}" + if [ -n "{{ inputs.custom-socket }}"]; then + socket="${{ inputs.custom-socket }}" connection="custom-socket" elif [ -n "${{ inputs.buildkit-version }}" ]; then docker run --net=host --detach --rm --privileged -p 127.0.0.1:8888:8888 --name buildkitd --entrypoint buildkitd moby/buildkit:${{ inputs.buildkit-version }} --addr tcp://0.0.0.0:8888 From 968487fa494da050cc508f04f6eae51b71938be1 Mon Sep 17 00:00:00 2001 From: ashnamehrotra Date: Fri, 9 Feb 2024 14:44:24 -0800 Subject: [PATCH 07/22] add clarification after testing - ctr d img store approach outputs to default Signed-off-by: ashnamehrotra --- README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/README.md b/README.md index 42b0d61..2c95c47 100644 --- a/README.md +++ b/README.md @@ -58,6 +58,7 @@ Example: ``` Then, supply the resulting socket path (`$SOCKET`) as the input `custom-socket` for the Copa Action to connect to. +**Note: Copa Action will load the image to the default docker context, not the "setup-docker-action" context.** ### Option 3: Buildkit in a container To connect via buildkit in a container, provide the input `buildkit-version`. Copa Action will create a buildkit container with that version to connect to. From 113ed58c2bed88a1725b863264a47760327e95e1 Mon Sep 17 00:00:00 2001 From: ashnamehrotra Date: Fri, 9 Feb 2024 16:30:52 -0800 Subject: [PATCH 08/22] add clarification for buildkit version Signed-off-by: ashnamehrotra --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 2c95c47..8b99ad5 100644 --- a/README.md +++ b/README.md 
@@ -28,7 +28,7 @@ Copacetic Action is supported with Copa version 0.3.0 and later. | `patched-image` | String | Image reference of the patched image | ## Ways to connect to Buildkit -*Custom Buildkit connection to patch local or private images is only available with Copa-Action versions 0.6.1 and later. For all earlier Copa-Action versions, Buildkit in a container is the default approach.* +*Custom Buildkit connection to patch local or private images is only available with Copa-Action versions 0.6.1 and later. For all earlier Copa-Action versions, Buildkit in a container is the default approach, and a version must be supplied as input.* ### Option 1: Connect to buildx instance (default) By default, Copa Action creates its own Buildx instance to connect to for patching public and private images. From 6b2efca868934108b2fc38be89afd2134a63372a Mon Sep 17 00:00:00 2001 From: ashnamehrotra Date: Fri, 9 Feb 2024 16:34:49 -0800 Subject: [PATCH 09/22] add note markers Signed-off-by: ashnamehrotra --- README.md | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/README.md b/README.md index 8b99ad5..72782fe 100644 --- a/README.md +++ b/README.md @@ -19,7 +19,8 @@ Copacetic Action is supported with Copa version 0.3.0 and later. | `format` | String | False | `openvex` | Output format (available with copa-action v0.6.1 and later) | | `custom-socket` | String | False | | Custom Docker socket address (available with copa-action v0.6.1 and later) | -**Note: Copacetic released version's features do not align with Copa Action versions.** +> [!NOTE] +> Copacetic released version's features do not align with Copa Action versions. ## Outputs 
@@ -28,7 +29,8 @@ Copacetic Action is supported with Copa version 0.3.0 and later. | `patched-image` | String | Image reference of the patched image | ## Ways to connect to Buildkit -*Custom Buildkit connection to patch local or private images is only available with Copa-Action versions 0.6.1 and later. For all earlier Copa-Action versions, Buildkit in a container is the default approach, and a version must be supplied as input.* +> [!NOTE] +Custom Buildkit connection to patch local or private images is only available with Copa-Action versions 0.6.1 and later. For all earlier Copa-Action versions, Buildkit in a container is the default approach, and a version must be supplied as input. ### Option 1: Connect to buildx instance (default) By default, Copa Action creates its own Buildx instance to connect to for patching public and private images. @@ -58,11 +60,13 @@ Example: ``` Then, supply the resulting socket path (`$SOCKET`) as the input `custom-socket` for the Copa Action to connect to. -**Note: Copa Action will load the image to the default docker context, not the "setup-docker-action" context.** +> [!NOTE] +> Copa Action will load the image to the default docker context, not the "setup-docker-action" context. ### Option 3: Buildkit in a container To connect via buildkit in a container, provide the input `buildkit-version`. Copa Action will create a buildkit container with that version to connect to. -**Note: this approach does not allow for patching of local or private images.** +> [!NOTE] +> This approach does not allow for patching of local or private images. Refer to [Copacetic documentation](https://project-copacetic.github.io/copacetic/website/custom-address) to learn more about connecting Copa to Buildkit. From a3ccdac731e5bffe8d18abb845bf5692eee799b4 Mon Sep 17 00:00:00 2001 From: ashnamehrotra Date: Mon, 12 Feb 2024 13:49:23 -0800 Subject: [PATCH 10/22] fix build test 
Signed-off-by: ashnamehrotra --- .github/workflows/build.yaml | 48 +++++++++++++++++++++++++++++++++--- 1 file changed, 45 insertions(+), 3 deletions(-) diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml index 0cca027..00b1a3b 100644 --- a/.github/workflows/build.yaml +++ b/.github/workflows/build.yaml @@ -18,6 +18,25 @@ jobs: - name: Check out code uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + - name: Set up Docker + uses: crazy-max/ghaction-setup-docker@v3 + with: + daemon-config: | + { + "debug": true, + "experimental": true, + "features": { + "containerd-snapshotter": true + } + } + + - name: Get socket path + run: | + url=$(docker context inspect | jq -r .[0].Endpoints.docker.Host) + socket_path=$(echo "$url" | awk -F// '{print $2}') + echo "$socket_path" + echo "SOCKET=$socket_path" >> $GITHUB_ENV + - name: Install Trivy run: | curl -fsSL -o trivy.tar.gz https://github.com/aquasecurity/trivy/releases/download/v${{ env.TRIVY_VERSION }}/trivy_${{ env.TRIVY_VERSION }}_Linux-64bit.tar.gz 
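Review bot: The new `uses: crazy-max/ghaction-setup-docker@v3` references a mutable tag while the `actions/checkout` step right above it is pinned to a commit SHA with a version comment; this third-party action reconfigures the Docker daemon for the job, so it should be pinned the same way, `uses: crazy-max/ghaction-setup-docker@<commit-sha> # v3`, with the SHA taken from the upstream release. In the "Get socket path" step, `>> $GITHUB_ENV` should be `>> "$GITHUB_ENV"` to match the quoting used elsewhere in the workflow. Whether `"debug": true` and `"experimental": true` in `daemon-config` are needed for the containerd snapshotter is not evident from the hunk; if they are only copied from the README example, dropping them keeps the CI daemon closer to what users run.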
@@ -41,14 +60,37 @@ jobs: tar -zxvf copa.tar.gz cp copa /usr/local/bin/ - - name: Bats Test + - name: Build Copa Action Image run: | docker build --build-arg copa_version=${COPA_VERSION} -t copa-action . + + - name: Bats Test - Buildx + run: | docker run --net=host \ --mount=type=bind,source=/tmp,target=/data \ --mount=type=bind,source=/var/run/docker.sock,target=/var/run/docker.sock \ --mount=type=bind,source=$GITHUB_OUTPUT,target=$GITHUB_OUTPUT -e GITHUB_OUTPUT \ - --name=copa-action \ + --name=copa-action-buildx \ copa-action 'docker.io/library/nginx:1.21.6' 'nginx.1.21.6.json' '1.21.6-patched' '10m' 'output.json' 'openvex' 'buildx' - docker images + bats --print-output-on-failure ./test/test.bats + + - name: Bats Test - Buildkit Container + run: | + docker run --net=host --detach --rm --privileged -p 127.0.0.1:8888:8888 --name buildkitd --entrypoint buildkitd moby/buildkit:v${{ env.BUILDKIT_VERSION }} --addr tcp://0.0.0.0:8888 + docker run --net=host \ + --mount=type=bind,source=/tmp,target=/data \ + --mount=type=bind,source=/var/run/docker.sock,target=/var/run/docker.sock \ + --mount=type=bind,source=$GITHUB_OUTPUT,target=$GITHUB_OUTPUT -e GITHUB_OUTPUT \ + --name=copa-action-buildkit \ + copa-action 'docker.io/library/nginx:1.21.6' 'nginx.1.21.6.json' '1.21.6-patched' '10m' 'output.json' 'openvex' 'buildkit-container' + bats --print-output-on-failure ./test/test.bats + + - name: Bats Test - Custom Socket + run: | + docker run --net=host \ + --mount=type=bind,source=/tmp,target=/data \ + --mount=type=bind,source="$SOCKET",target=/var/run/docker.sock \ + --mount=type=bind,source=$GITHUB_OUTPUT,target=$GITHUB_OUTPUT -e GITHUB_OUTPUT \ + --name=copa-action-custom-socket \ + copa-action 'docker.io/library/nginx:1.21.6' 'nginx.1.21.6.json' '1.21.6-patched' '10m' 'output.json' 'openvex' 'custom-socket' bats --print-output-on-failure ./test/test.bats From 09a5f0f2ed7bec8bc5fcc526352548d8ea7b41ff Mon Sep 17 00:00:00 2001 
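Review bot: The three Bats steps run on the same daemon and all produce the same `nginx:1.21.6-patched` tag, but nothing removes that image or stops the detached `buildkitd` container between them, so the second and third runs start from the first run's state and the existence check in `test/test.bats` cannot tell which backend produced the image. Adding `docker rmi -f nginx:1.21.6-patched` after each `bats` invocation, and `docker stop buildkitd` at the end of the Buildkit Container step, would make each step prove its own path; this is inferred from the steps as written and the bats assertions removed in PATCH 04. The custom-socket step also depends on `$SOCKET` from the earlier hunk, which is fine as long as that step keeps running first.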
From: ashnamehrotra Date: Mon, 12 Feb 2024 13:51:07 -0800 Subject: [PATCH 11/22] fix ordering for output arg Signed-off-by: ashnamehrotra --- action.yaml | 3 +-- entrypoint.sh | 9 +++++---- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/action.yaml b/action.yaml index 49c61f9..55ebd54 100644 --- a/action.yaml +++ b/action.yaml @@ -22,7 +22,6 @@ inputs: description: "Copa version to use" output: description: "Output filename" - default: "output.json" format: description: "Output format" default: "openvex" @@ -61,4 +60,4 @@ runs: fi # run copa-action based on inputs - docker run --net=host --mount=type=bind,source=$(pwd),target=/data --mount=type=bind,source="$socket",target="/var/run/docker.sock" --mount=type=bind,source=$GITHUB_OUTPUT,target=$GITHUB_OUTPUT -e GITHUB_OUTPUT --name=copa-action "ghcr.io/project-copacetic/copa-action:v$version" ${{ inputs.image }} ${{ inputs.image-report }} ${{ inputs.patched-tag }} ${{ inputs.timeout }} ${{ inputs.output }} ${{ inputs.format }} "$connection" + docker run --net=host --mount=type=bind,source=$(pwd),target=/data --mount=type=bind,source="$socket",target="/var/run/docker.sock" --mount=type=bind,source=$GITHUB_OUTPUT,target=$GITHUB_OUTPUT -e GITHUB_OUTPUT --name=copa-action "ghcr.io/project-copacetic/copa-action:v$version" ${{ inputs.image }} ${{ inputs.image-report }} ${{ inputs.patched-tag }} ${{ inputs.timeout }} "$connection" ${{ inputs.format }} {{ inputs.output }} diff --git a/entrypoint.sh b/entrypoint.sh index 2b601ee..cf20226 100755 --- a/entrypoint.sh +++ b/entrypoint.sh @@ -6,10 +6,9 @@ image=$1 report=$2 patched_tag=$3 timeout=$4 -output_file=$5 +connection_format=$5 format=$6 -connection_format=$7 - +output_file=$7 # parse image into image name image_no_tag=$(echo "$image" | cut -d':' -f1) 
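Review bot: The trailing `{{ inputs.output }}` on the new `docker run` line is missing its `$`, so the runner does not expand it and the shell passes the three literal words `{{`, `inputs.output` and `}}` as arguments 7–9; `entrypoint.sh`, reordered in this same commit to read `output_file=$7`, then receives `{{` and asks copa to write `./data/{{`. It should be `"${{ inputs.output }}"`, quoted to match `"$connection"`, so an empty input still arrives as an empty seventh argument. The `run:` script begins before this hunk.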
@@ -19,7 +18,7 @@ if [ -z "$output_file" ] then output="" else - output="--format $format --output ./data/"$output_file"" + output="--format $format --output ./data/$output_file" fi # check selected method of buildkit connection @@ -49,3 +48,5 @@ else echo "Error patching image $image with copa" exit 1 fi + +docker images From e17260904b37ea267a10af692e7b6300a0330db3 Mon Sep 17 00:00:00 2001 From: ashnamehrotra Date: Mon, 12 Feb 2024 13:55:31 -0800 Subject: [PATCH 12/22] change order in build test Signed-off-by: ashnamehrotra --- .github/workflows/build.yaml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml index 00b1a3b..74fcf40 100644 --- a/.github/workflows/build.yaml +++ b/.github/workflows/build.yaml @@ -71,7 +71,7 @@ jobs: --mount=type=bind,source=/var/run/docker.sock,target=/var/run/docker.sock \ --mount=type=bind,source=$GITHUB_OUTPUT,target=$GITHUB_OUTPUT -e GITHUB_OUTPUT \ --name=copa-action-buildx \ - copa-action 'docker.io/library/nginx:1.21.6' 'nginx.1.21.6.json' '1.21.6-patched' '10m' 'output.json' 'openvex' 'buildx' + copa-action 'docker.io/library/nginx:1.21.6' 'nginx.1.21.6.json' '1.21.6-patched' '10m' 'buildx' 'output.json' 'openvex' bats --print-output-on-failure ./test/test.bats - name: Bats Test - Buildkit Container @@ -82,7 +82,7 @@ jobs: --mount=type=bind,source=/var/run/docker.sock,target=/var/run/docker.sock \ --mount=type=bind,source=$GITHUB_OUTPUT,target=$GITHUB_OUTPUT -e GITHUB_OUTPUT \ --name=copa-action-buildkit \ - copa-action 'docker.io/library/nginx:1.21.6' 'nginx.1.21.6.json' '1.21.6-patched' '10m' 'output.json' 'openvex' 'buildkit-container' + copa-action 'docker.io/library/nginx:1.21.6' 'nginx.1.21.6.json' '1.21.6-patched' '10m' 'buildkit-container' 'output.json' 'openvex' bats --print-output-on-failure ./test/test.bats - name: Bats Test - Custom Socket 
@@ -92,5 +92,5 @@ jobs: --mount=type=bind,source="$SOCKET",target=/var/run/docker.sock \ --mount=type=bind,source=$GITHUB_OUTPUT,target=$GITHUB_OUTPUT -e GITHUB_OUTPUT \ --name=copa-action-custom-socket \ - copa-action 'docker.io/library/nginx:1.21.6' 'nginx.1.21.6.json' '1.21.6-patched' '10m' 'output.json' 'openvex' 'custom-socket' + copa-action 'docker.io/library/nginx:1.21.6' 'nginx.1.21.6.json' '1.21.6-patched' '10m' 'custom-socket' 'output.json' 'openvex' bats --print-output-on-failure ./test/test.bats From eae67bbccd20f9cd88d18668461b3990c6d1fe84 Mon Sep 17 00:00:00 2001 From: ashnamehrotra Date: Mon, 12 Feb 2024 14:19:27 -0800 Subject: [PATCH 13/22] fix order Signed-off-by: ashnamehrotra --- .github/workflows/build.yaml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml index 74fcf40..79a3d8e 100644 --- a/.github/workflows/build.yaml +++ b/.github/workflows/build.yaml @@ -71,7 +71,7 @@ jobs: --mount=type=bind,source=/var/run/docker.sock,target=/var/run/docker.sock \ --mount=type=bind,source=$GITHUB_OUTPUT,target=$GITHUB_OUTPUT -e GITHUB_OUTPUT \ --name=copa-action-buildx \ - copa-action 'docker.io/library/nginx:1.21.6' 'nginx.1.21.6.json' '1.21.6-patched' '10m' 'buildx' 'output.json' 'openvex' + copa-action 'docker.io/library/nginx:1.21.6' 'nginx.1.21.6.json' '1.21.6-patched' '10m' 'buildx' 'openvex' 'output.json' bats --print-output-on-failure ./test/test.bats - name: Bats Test - Buildkit Container 
@@ -82,7 +82,7 @@ jobs: --mount=type=bind,source=/var/run/docker.sock,target=/var/run/docker.sock \ --mount=type=bind,source=$GITHUB_OUTPUT,target=$GITHUB_OUTPUT -e GITHUB_OUTPUT \ --name=copa-action-buildkit \ - copa-action 'docker.io/library/nginx:1.21.6' 'nginx.1.21.6.json' '1.21.6-patched' '10m' 'buildkit-container' 'output.json' 'openvex' + copa-action 'docker.io/library/nginx:1.21.6' 'nginx.1.21.6.json' '1.21.6-patched' '10m' 'buildkit-container' 'openvex' 'output.json' bats --print-output-on-failure ./test/test.bats - name: Bats Test - Custom Socket @@ -92,5 +92,5 @@ jobs: --mount=type=bind,source="$SOCKET",target=/var/run/docker.sock \ --mount=type=bind,source=$GITHUB_OUTPUT,target=$GITHUB_OUTPUT -e GITHUB_OUTPUT \ --name=copa-action-custom-socket \ - copa-action 'docker.io/library/nginx:1.21.6' 'nginx.1.21.6.json' '1.21.6-patched' '10m' 'custom-socket' 'output.json' 'openvex' + copa-action 'docker.io/library/nginx:1.21.6' 'nginx.1.21.6.json' '1.21.6-patched' '10m' 'custom-socket' 'openvex' 'output.json' bats --print-output-on-failure ./test/test.bats From 74dbb7d5796ee9b1b5c4d8877f07079a39dc3289 Mon Sep 17 00:00:00 2001 From: ashnamehrotra Date: Wed, 14 Feb 2024 09:22:52 -0800 Subject: [PATCH 14/22] changes so far Signed-off-by: ashnamehrotra --- .github/workflows/build.yaml | 93 ++++++++++++++++-------------------- test/test.bats | 10 ++-- 2 files changed, 47 insertions(+), 56 deletions(-) diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml index 79a3d8e..307b67e 100644 --- a/.github/workflows/build.yaml +++ b/.github/workflows/build.yaml @@ -9,6 +9,9 @@ jobs: build: name: build runs-on: ubuntu-latest + strategy: + matrix: + test-type: ["custom-socket"] steps: - name: Setup BATS uses: mig4/setup-bats@af9a00deb21b5d795cabfeaa8d9060410377686d # v1.2.0 
@@ -18,34 +21,15 @@ jobs: - name: Check out code uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - - name: Set up Docker - uses: crazy-max/ghaction-setup-docker@v3 - with: - daemon-config: | - { - "debug": true, - "experimental": true, - "features": { - "containerd-snapshotter": true - } - } - - - name: Get socket path - run: | - url=$(docker context inspect | jq -r .[0].Endpoints.docker.Host) - socket_path=$(echo "$url" | awk -F// '{print $2}') - echo "$socket_path" - echo "SOCKET=$socket_path" >> $GITHUB_ENV - - name: Install Trivy run: | - curl -fsSL -o trivy.tar.gz https://github.com/aquasecurity/trivy/releases/download/v${{ env.TRIVY_VERSION }}/trivy_${{ env.TRIVY_VERSION }}_Linux-64bit.tar.gz - tar -zxvf trivy.tar.gz - cp trivy /usr/local/bin/ + curl -fsSL -o trivy.tar.gz https://github.com/aquasecurity/trivy/releases/download/v${{ env.TRIVY_VERSION }}/trivy_${{ env.TRIVY_VERSION }}_Linux-64bit.tar.gz + tar -zxvf trivy.tar.gz + cp trivy /usr/local/bin/ - - name: Generate trivy vuln report for nginx image + - name: Generate trivy vuln report for opa image run: | - trivy image --vuln-type os --ignore-unfixed -f json -o /tmp/nginx.1.21.6.json docker.io/library/nginx:1.21.6 + trivy image --vuln-type os --ignore-unfixed -f json -o /tmp/opa.0.46.0.json docker.io/openpolicyagent/opa:0.46.0 - name: Get latest copa version run: | 
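Review bot: The re-indented Trivy install still copies a binary fetched over the network straight into `/usr/local/bin` with no integrity check, so the test job trusts whatever the GitHub release (or anything that can tamper with the download) serves for `v${{ env.TRIVY_VERSION }}`. Trivy releases publish a checksums file next to the tarball; fetching it and running `sha256sum --check --ignore-missing trivy_${{ env.TRIVY_VERSION }}_checksums.txt` before `tar -zxvf trivy.tar.gz` pins the download to the published digest (confirm the asset name for the version in use). The Copa install in the following hunk has the same gap and should get the same treatment.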
@@ -56,41 +40,46 @@ jobs: - name: Install Copa run: | - curl --retry 5 -fsSL -o copa.tar.gz https://github.com/project-copacetic/copacetic/releases/download/v${COPA_VERSION}/copa_${COPA_VERSION}_linux_amd64.tar.gz - tar -zxvf copa.tar.gz - cp copa /usr/local/bin/ + curl --retry 5 -fsSL -o copa.tar.gz https://github.com/project-copacetic/copacetic/releases/download/v${COPA_VERSION}/copa_${COPA_VERSION}_linux_amd64.tar.gz + tar -zxvf copa.tar.gz + cp copa /usr/local/bin/ - - name: Build Copa Action Image - run: | - docker build --build-arg copa_version=${COPA_VERSION} -t copa-action . + - name: Run Buildkit container + if: matrix.test-type == 'buildkit-container' + run : | + docker run --net=host --detach --rm --privileged -p 127.0.0.1:8888:8888 --name buildkitd --entrypoint buildkitd moby/buildkit:v${{ env.BUILDKIT_VERSION }} --addr tcp://0.0.0.0:8888 - - name: Bats Test - Buildx - run: | - docker run --net=host \ - --mount=type=bind,source=/tmp,target=/data \ - --mount=type=bind,source=/var/run/docker.sock,target=/var/run/docker.sock \ - --mount=type=bind,source=$GITHUB_OUTPUT,target=$GITHUB_OUTPUT -e GITHUB_OUTPUT \ - --name=copa-action-buildx \ - copa-action 'docker.io/library/nginx:1.21.6' 'nginx.1.21.6.json' '1.21.6-patched' '10m' 'buildx' 'openvex' 'output.json' - bats --print-output-on-failure ./test/test.bats + - name: Set up Docker + if: matrix.test-type == 'custom-socket' + uses: crazy-max/ghaction-setup-docker@v3 + with: + daemon-config: | + { + "debug": true, + "experimental": true, + "features": { + "containerd-snapshotter": true + } + } - - name: Bats Test - Buildkit Container + - name: Bats Test run: | - docker run --net=host --detach --rm --privileged -p 127.0.0.1:8888:8888 --name buildkitd --entrypoint buildkitd moby/buildkit:v${{ env.BUILDKIT_VERSION }} --addr tcp://0.0.0.0:8888 - docker run --net=host \ - --mount=type=bind,source=/tmp,target=/data \ - --mount=type=bind,source=/var/run/docker.sock,target=/var/run/docker.sock \ - 
--mount=type=bind,source=$GITHUB_OUTPUT,target=$GITHUB_OUTPUT -e GITHUB_OUTPUT \ - --name=copa-action-buildkit \ - copa-action 'docker.io/library/nginx:1.21.6' 'nginx.1.21.6.json' '1.21.6-patched' '10m' 'buildkit-container' 'openvex' 'output.json' - bats --print-output-on-failure ./test/test.bats + set -ex + export SOCKET="/var/run/docker.sock" - - name: Bats Test - Custom Socket - run: | + if [ "${{ matrix.test-type }}" = "custom-socket" ]; then + url=$(docker context inspect | jq -r .[0].Endpoints.docker.Host) + SOCKET=$(echo "$url" | awk -F// '{print $2}') + fi + + docker build --build-arg copa_version=${COPA_VERSION} -t copa-action . docker run --net=host \ --mount=type=bind,source=/tmp,target=/data \ --mount=type=bind,source="$SOCKET",target=/var/run/docker.sock \ --mount=type=bind,source=$GITHUB_OUTPUT,target=$GITHUB_OUTPUT -e GITHUB_OUTPUT \ - --name=copa-action-custom-socket \ - copa-action 'docker.io/library/nginx:1.21.6' 'nginx.1.21.6.json' '1.21.6-patched' '10m' 'custom-socket' 'openvex' 'output.json' + --name=copa-action \ + copa-action 'docker.io/openpolicyagent/opa:0.46.0' 'opa.0.46.0.json' '0.46.0-patched' '10m' "${{ matrix.test-type }}" 'openvex' 'output.json' + + docker images + bats --print-output-on-failure ./test/test.bats diff --git a/test/test.bats b/test/test.bats index a596fb9..872e6d3 100755 --- a/test/test.bats +++ b/test/test.bats @@ -4,7 +4,8 @@ load helpers @test "Check patched image exists" { docker images - id=$(docker images --quiet 'nginx:1.21.6-patched') + id=$(docker images --quiet 'openpolicyagent/opa:0.46.0-patched') + docker pull openpolicyagent/opa:0.46.0-patched assert_not_equal "$id" "" } 
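Review bot: The buildkit-container step starts `buildkitd` with `--privileged --net=host` and `--addr tcp://0.0.0.0:8888`; because the container shares the host network namespace, the `-p 127.0.0.1:8888:8888` mapping has no effect and the unauthenticated, TLS-less daemon listens on every interface of the runner until the job ends. Binding it to loopback instead, `--addr tcp://127.0.0.1:8888`, keeps it reachable for the copa-action container (which also runs with `--net=host`) without exposing an effectively root-equivalent builder to the runner's network, and the `-p` flag can be dropped. Separately, `crazy-max/ghaction-setup-docker@v3` is referenced by a floating tag while the other actions in this workflow (`mig4/setup-bats`, `actions/checkout`) are pinned to commit SHAs — pin it the same way. The Copa download in this hunk is also copied into `/usr/local/bin` without a checksum verification, as noted for Trivy above.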
@@ -14,8 +15,9 @@ load helpers } @test "Run trivy on patched image" { - run trivy image --exit-code 1 --vuln-type os --ignore-unfixed -f json -o nginx.1.21.6-patched.json 'docker.io/library/nginx:1.21.6-patched' + docker context use "setup-docker-action" + run trivy image --exit-code 1 --vuln-type os --ignore-unfixed -f json -o opa.0.46.0-patched.json 'docker.io/openpolicyagent/opa:0.46.0-patched' [ "$status" -eq 0 ] - vulns=$(jq 'if .Results then [.Results[] | select(.Class=="os-pkgs" and .Vulnerabilities!=null) | .Vulnerabilities[]] | length else 0 end' nginx.1.21.6-patched.json) + vulns=$(jq 'if .Results then [.Results[] | select(.Class=="os-pkgs" and .Vulnerabilities!=null) | .Vulnerabilities[]] | length else 0 end' opa.0.46.0-patched.json) assert_equal "$vulns" "0" -} +} \ No newline at end of file From 36ab31d284db2308dc8b18cf67814cb669ae047f Mon Sep 17 00:00:00 2001 From: ashnamehrotra Date: Wed, 14 Feb 2024 09:35:09 -0800 Subject: [PATCH 15/22] add other two tests back Signed-off-by: ashnamehrotra --- .github/workflows/build.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml index 307b67e..659247f 100644 --- a/.github/workflows/build.yaml +++ b/.github/workflows/build.yaml @@ -11,7 +11,7 @@ jobs: runs-on: ubuntu-latest strategy: matrix: - test-type: ["custom-socket"] + test-type: ["buildx", "buildkit-container", "custom-socket"] steps: - name: Setup BATS uses: mig4/setup-bats@af9a00deb21b5d795cabfeaa8d9060410377686d # v1.2.0 From c09a51bee5e0eeb3b74ec6cc689a2c0d2c790875 Mon Sep 17 00:00:00 2001 From: ashnamehrotra Date: Wed, 14 Feb 2024 09:41:07 -0800 Subject: [PATCH 16/22] cleanup Signed-off-by: ashnamehrotra --- test/test.bats | 2 -- 1 file changed, 2 deletions(-) diff --git a/test/test.bats b/test/test.bats index 872e6d3..7a13a7a 100755 --- a/test/test.bats +++ b/test/test.bats 
@@ -5,7 +5,6 @@ load helpers @test "Check patched image exists" { docker images id=$(docker images --quiet 'openpolicyagent/opa:0.46.0-patched') - docker pull openpolicyagent/opa:0.46.0-patched assert_not_equal "$id" "" } @@ -15,7 +14,6 @@ load helpers } @test "Run trivy on patched image" { - docker context use "setup-docker-action" run trivy image --exit-code 1 --vuln-type os --ignore-unfixed -f json -o opa.0.46.0-patched.json 'docker.io/openpolicyagent/opa:0.46.0-patched' [ "$status" -eq 0 ] vulns=$(jq 'if .Results then [.Results[] | select(.Class=="os-pkgs" and .Vulnerabilities!=null) | .Vulnerabilities[]] | length else 0 end' opa.0.46.0-patched.json) From f26cc30bcc5d8a44f8f9af7731376501d7f69064 Mon Sep 17 00:00:00 2001 From: ashnamehrotra Date: Wed, 14 Feb 2024 10:16:05 -0800 Subject: [PATCH 17/22] more cleanup Signed-off-by: ashnamehrotra --- entrypoint.sh | 2 -- test/test.bats | 2 +- 2 files changed, 1 insertion(+), 3 deletions(-) diff --git a/entrypoint.sh b/entrypoint.sh index cf20226..45930e4 100755 --- a/entrypoint.sh +++ b/entrypoint.sh @@ -48,5 +48,3 @@ else echo "Error patching image $image with copa" exit 1 fi - -docker images diff --git a/test/test.bats b/test/test.bats index 7a13a7a..261e034 100755 --- a/test/test.bats +++ b/test/test.bats @@ -18,4 +18,4 @@ load helpers [ "$status" -eq 0 ] vulns=$(jq 'if .Results then [.Results[] | select(.Class=="os-pkgs" and .Vulnerabilities!=null) | .Vulnerabilities[]] | length else 0 end' opa.0.46.0-patched.json) assert_equal "$vulns" "0" -} \ No newline at end of file +} From de775c28bf7398b44898dbcc1db91f165f37f0ab Mon Sep 17 00:00:00 2001 From: ashnamehrotra Date: Wed, 14 Feb 2024 15:09:18 -0800 Subject: [PATCH 18/22] save patched image as tar file Signed-off-by: ashnamehrotra --- .github/workflows/build.yaml | 3 +-- test/test.bats | 2 +- 2 files changed, 2 insertions(+), 3 deletions(-) diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml index 659247f..f9239a3 100644 
--- a/.github/workflows/build.yaml +++ b/.github/workflows/build.yaml @@ -80,6 +80,5 @@ jobs: --name=copa-action \ copa-action 'docker.io/openpolicyagent/opa:0.46.0' 'opa.0.46.0.json' '0.46.0-patched' '10m' "${{ matrix.test-type }}" 'openvex' 'output.json' - docker images - + docker -c "setup-docker-action" save -o patched.tar openpolicyagent/opa:0.46.0-patched bats --print-output-on-failure ./test/test.bats diff --git a/test/test.bats b/test/test.bats index 261e034..e5fd970 100755 --- a/test/test.bats +++ b/test/test.bats @@ -14,7 +14,7 @@ load helpers } @test "Run trivy on patched image" { - run trivy image --exit-code 1 --vuln-type os --ignore-unfixed -f json -o opa.0.46.0-patched.json 'docker.io/openpolicyagent/opa:0.46.0-patched' + run trivy image --exit-code 1 --vuln-type os --ignore-unfixed -f json -o opa.0.46.0-patched.json --input patched.tar [ "$status" -eq 0 ] vulns=$(jq 'if .Results then [.Results[] | select(.Class=="os-pkgs" and .Vulnerabilities!=null) | .Vulnerabilities[]] | length else 0 end' opa.0.46.0-patched.json) assert_equal "$vulns" "0" From cae27f15fd76a1349a0f0eeca5d7e4adaf75949b Mon Sep 17 00:00:00 2001 From: ashnamehrotra Date: Wed, 14 Feb 2024 15:12:52 -0800 Subject: [PATCH 19/22] only change context for custom socket Signed-off-by: ashnamehrotra --- .github/workflows/build.yaml | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml index f9239a3..f2db685 100644 --- a/.github/workflows/build.yaml +++ b/.github/workflows/build.yaml @@ -66,10 +66,12 @@ jobs: run: | set -ex export SOCKET="/var/run/docker.sock" + export CONTEXT="default" if [ "${{ matrix.test-type }}" = "custom-socket" ]; then url=$(docker context inspect | jq -r .[0].Endpoints.docker.Host) SOCKET=$(echo "$url" | awk -F// '{print $2}') + CONTEXT="setup-docker-action" fi docker build --build-arg copa_version=${COPA_VERSION} -t copa-action . 
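Review bot: In the custom-socket branch `SOCKET` is derived from `docker context inspect | jq -r .[0].Endpoints.docker.Host` under `set -ex`, but without `pipefail` a failing `docker context inspect` does not abort the step; `jq` then prints nothing or `null`, and the script goes on to bind-mount an empty or bogus socket path into the copa-action container, producing a confusing failure later. Changing the first line to `set -exo pipefail` and adding `test -S "$SOCKET"` after the `if` block makes the step fail at the point where the socket is actually wrong; the `docker run` that consumes `$SOCKET` is outside this hunk. The `CONTEXT="setup-docker-action"` value is an implementation detail of the third-party setup action, so a comment such as `# context name created by crazy-max/ghaction-setup-docker` would help the next reader.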
@@ -80,5 +82,6 @@ jobs: --name=copa-action \ copa-action 'docker.io/openpolicyagent/opa:0.46.0' 'opa.0.46.0.json' '0.46.0-patched' '10m' "${{ matrix.test-type }}" 'openvex' 'output.json' - docker -c "setup-docker-action" save -o patched.tar openpolicyagent/opa:0.46.0-patched + docker -c "$CONTEXT" save -o patched.tar openpolicyagent/opa:0.46.0-patched + bats --print-output-on-failure ./test/test.bats From 17b14e51df7f61cc1cae59fd964238d98339506c Mon Sep 17 00:00:00 2001 From: ashnamehrotra Date: Wed, 14 Feb 2024 15:28:31 -0800 Subject: [PATCH 20/22] remove nginx test from patch also Signed-off-by: ashnamehrotra --- .github/workflows/patch.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/patch.yaml b/.github/workflows/patch.yaml index d40c353..6116dd7 100644 --- a/.github/workflows/patch.yaml +++ b/.github/workflows/patch.yaml @@ -20,7 +20,7 @@ jobs: matrix: # provide relevant list of images to scan on each run images: - - "docker.io/library/nginx:1.21.6" + - "docker.io/library/alpine:3.18.4" - "docker.io/openpolicyagent/opa:0.46.0" - "docker.io/library/hello-world:latest" steps: From bf6f004bf14b2d5df4aadf38acbd58b5f22187f4 Mon Sep 17 00:00:00 2001 From: ashnamehrotra Date: Fri, 16 Feb 2024 11:28:30 -0800 Subject: [PATCH 21/22] add note for tarball Signed-off-by: ashnamehrotra --- .github/workflows/build.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml index f2db685..4436348 100644 --- a/.github/workflows/build.yaml +++ b/.github/workflows/build.yaml @@ -82,6 +82,7 @@ jobs: --name=copa-action \ copa-action 'docker.io/openpolicyagent/opa:0.46.0' 'opa.0.46.0.json' '0.46.0-patched' '10m' "${{ matrix.test-type }}" 'openvex' 'output.json' + # saving patched image to give trivy access when using a custom socket docker -c "$CONTEXT" save -o patched.tar openpolicyagent/opa:0.46.0-patched bats --print-output-on-failure ./test/test.bats 
From 7fb5acf1d79bea0a93dc37d288a07ad6044b7885 Mon Sep 17 00:00:00 2001 From: ashnamehrotra Date: Fri, 16 Feb 2024 12:06:34 -0800 Subject: [PATCH 22/22] clarify README Signed-off-by: ashnamehrotra --- README.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 72782fe..8a82b29 100644 --- a/README.md +++ b/README.md @@ -20,7 +20,8 @@ Copacetic Action is supported with Copa version 0.3.0 and later. | `custom-socket` | String | False | | Custom Docker socket address (available with copa-action v0.6.1 and later) | > [!NOTE] -> Copacetic released version's features do not align with Copa Action versions. +> Features that are supported with new Copacetic releases will not neccessarily align with what is supported with Copa Action versions. +> For example, the `output` file feature was released in Copa v0.5.0, but is supported with Copa Action v0.6.1 and later. ## Outputs