From d214d5b3c6b254692f1eb090bd38840a6d47eae2 Mon Sep 17 00:00:00 2001
From: "huish@microsoft.com"
Date: Mon, 27 May 2024 23:40:55 +0000
Subject: [PATCH 1/8] scanner
---
 .github/workflows/scan-vulns.yaml | 79 +++++++++++++++++++++++++++++++
 1 file changed, 79 insertions(+)
 create mode 100644 .github/workflows/scan-vulns.yaml
diff --git a/.github/workflows/scan-vulns.yaml b/.github/workflows/scan-vulns.yaml
new file mode 100644
index 000000000..652fd57ee
--- /dev/null
+++ b/.github/workflows/scan-vulns.yaml
@@ -0,0 +1,79 @@
+name: scan_vulns
+on:
+ push:
+ paths-ignore:
+ - ".github/workflows/website.yaml"
+ - "docs/**"
+ - "library/**"
+ - "demo/**"
+ - "deprecated/**"
+ - "example/**"
+ - "website/**"
+ - "**.md"
+ - "!cmd/build/helmify/static/README.md"
+ pull_request:
+ paths-ignore:
+ - ".github/workflows/website.yaml"
+ - "docs/**"
+ - "library/**"
+ - "demo/**"
+ - "deprecated/**"
+ - "example/**"
+ - "website/**"
+ - "**.md"
+ - "!cmd/build/helmify/static/README.md"
+
+permissions: read-all
+
+jobs:
+ govulncheck:
+ name: "Run govulncheck"
+ runs-on: ubuntu-22.04
+ timeout-minutes: 15
+ steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
+ with:
+ egress-policy: audit
+
+ - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
+ with:
+ go-version: "1.22"
+ check-latest: true
+ - uses: golang/govulncheck-action@3a32958c2706f7048305d5a2e53633d7e37e97d0 # v1.0.2
+
+ scan_vulnerabilities:
+ name: "[Trivy] Scan for vulnerabilities"
+ runs-on: ubuntu-22.04
+ timeout-minutes: 15
+ steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
+ with:
+ egress-policy: audit
+
+ - name: Check out code into the Go module directory
+ uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633
+
+ - name: Download trivy
+ run: |
+ pushd $(mktemp -d)
+ wget https://github.com/aquasecurity/trivy/releases/download/v${{ env.TRIVY_VERSION }}/trivy_${{ env.TRIVY_VERSION }}_Linux-64bit.tar.gz
+ tar zxvf trivy_${{ env.TRIVY_VERSION }}_Linux-64bit.tar.gz
+ echo "$(pwd)" >> $GITHUB_PATH
+ env:
+ TRIVY_VERSION: "0.46.0"
+
+ - name: Run trivy on git repository
+ run: |
+ trivy fs --format table --ignore-unfixed --skip-dirs website --scanners vuln .
+ + - name: Build docker images + run: | + make e2e-build-local-ratify-image + + - name: Run trivy on images + run: | + for img in "localbuild:test"; do + trivy image --ignore-unfixed --vuln-type="os,library" "${img}" + done \ No newline at end of file From 1f37d0439fa3f8154b4b2035f558ea89859f532d Mon Sep 17 00:00:00 2001 From: "huish@microsoft.com" Date: Mon, 27 May 2024 23:49:56 +0000 Subject: [PATCH 2/8] load into kind --- .github/workflows/scan-vulns.yaml | 3 ++- Makefile | 6 ++++-- 2 files changed, 6 insertions(+), 3 deletions(-) diff --git a/.github/workflows/scan-vulns.yaml b/.github/workflows/scan-vulns.yaml index 652fd57ee..a3380d7bb 100644 --- a/.github/workflows/scan-vulns.yaml +++ b/.github/workflows/scan-vulns.yaml @@ -22,7 +22,8 @@ on: - "website/**" - "**.md" - "!cmd/build/helmify/static/README.md" - + workflow_dispatch: + permissions: read-all jobs: diff --git a/Makefile b/Makefile index 818cee791..64f10fe2a 100644 --- a/Makefile +++ b/Makefile @@ -551,7 +551,7 @@ e2e-deploy-base-ratify: e2e-notation-setup e2e-notation-leaf-cert-setup e2e-cosi rm mount_config.json -e2e-deploy-ratify: e2e-notation-setup e2e-notation-leaf-cert-setup e2e-cosign-setup e2e-cosign-setup e2e-licensechecker-setup e2e-sbom-setup e2e-schemavalidator-setup e2e-vulnerabilityreport-setup e2e-inlinecert-setup e2e-build-crd-image e2e-build-local-ratify-image e2e-helm-deploy-ratify +e2e-deploy-ratify: e2e-notation-setup e2e-notation-leaf-cert-setup e2e-cosign-setup e2e-cosign-setup e2e-licensechecker-setup e2e-sbom-setup e2e-schemavalidator-setup e2e-vulnerabilityreport-setup e2e-inlinecert-setup e2e-build-crd-image e2e-build-local-ratify-image load-e2e-build-local-ratify-image e2e-helm-deploy-ratify e2e-build-local-ratify-base-image: docker build --progress=plain --no-cache \ 
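Review bot: The `Download trivy` step fetches the release tarball with wget and unpacks it with `tar zxvf` without verifying it, so the scanner binary is the one input in this file that is not pinned by content while every `uses:` is pinned by commit SHA; fetch the checksums file the release publishes next to the tarball and run `sha256sum --ignore-missing -c <checksums-file>` before the `tar` line, or run Trivy through its GitHub action pinned by SHA like the other actions. `actions/checkout@9bb56186…` is also the only pin without the trailing version comment the other `uses:` lines carry; add `# vX.Y.Z` with the tag that SHA resolves to so the pin can be audited at a glance. The new file ends without a trailing newline (`\ No newline at end of file`), which every later hunk of this series drags along; terminate the final `done` with a newline.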
@@ -567,6 +567,8 @@ e2e-build-local-ratify-image: --build-arg build_vulnerabilityreport=true \ -f ./httpserver/Dockerfile \ -t localbuild:test . + +load-e2e-build-local-ratify-image: kind load docker-image --name kind localbuild:test e2e-helmfile-deploy-released-ratify: @@ -632,7 +634,7 @@ e2e-helm-deploy-redis: e2e-helm-deploy-dapr kubectl apply -f test/testdata/dapr/dapr-redis-secret.yaml -n ${GATEKEEPER_NAMESPACE} kubectl apply -f test/testdata/dapr/dapr-redis.yaml -n ${GATEKEEPER_NAMESPACE} -e2e-helm-deploy-ratify-replica: e2e-helm-deploy-redis e2e-notation-setup e2e-build-crd-image e2e-build-local-ratify-image +e2e-helm-deploy-ratify-replica: e2e-helm-deploy-redis e2e-notation-setup e2e-build-crd-image e2e-build-local-ratify-image load-e2e-build-local-ratify-image printf "{\n\t\"auths\": {\n\t\t\"registry:5000\": {\n\t\t\t\"auth\": \"`echo "${TEST_REGISTRY_USERNAME}:${TEST_REGISTRY_PASSWORD}" | tr -d '\n' | base64 -i -w 0`\"\n\t\t}\n\t}\n}" > mount_config.json ./.staging/helm/linux-amd64/helm install ${RATIFY_NAME} \ From 6179759c81f79a0bfa0a70b070e040d5d5f20185 Mon Sep 17 00:00:00 2001 From: "huish@microsoft.com" Date: Tue, 28 May 2024 01:00:06 +0000 Subject: [PATCH 3/8] crd image --- .github/workflows/scan-vulns.yaml | 16 ++-------------- Makefile | 12 +++++++----- 2 files changed, 9 insertions(+), 19 deletions(-) diff --git a/.github/workflows/scan-vulns.yaml b/.github/workflows/scan-vulns.yaml index a3380d7bb..ba7b0545c 100644 --- a/.github/workflows/scan-vulns.yaml +++ b/.github/workflows/scan-vulns.yaml 
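Review bot: `load-e2e-build-local-ratify-image` declares no prerequisite on `e2e-build-local-ratify-image`, so the only thing ordering the `kind load` after the `docker build` is their left-to-right position in the prerequisite lists of `e2e-deploy-ratify` (hunk at -551) and `e2e-helm-deploy-ratify-replica` (hunk at -632), and make does not guarantee that order under `-j`; declaring it on the target itself, `load-e2e-build-local-ratify-image: e2e-build-local-ratify-image`, also makes the rule correct when invoked on its own. The same applies to `load-build-crd-image` introduced in the later Makefile hunk of this series. If the Makefile keeps a `.PHONY` list (not visible in these hunks), the new target belongs in it, since no file of that name is produced. While the `e2e-deploy-ratify` line is being rewritten, the `e2e-cosign-setup` prerequisite it lists twice could be reduced to one.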
@@ -2,28 +2,16 @@ name: scan_vulns on: push: paths-ignore: - - ".github/workflows/website.yaml" - "docs/**" - "library/**" - - "demo/**" - - "deprecated/**" - - "example/**" - - "website/**" - "**.md" - - "!cmd/build/helmify/static/README.md" pull_request: paths-ignore: - - ".github/workflows/website.yaml" - "docs/**" - "library/**" - - "demo/**" - - "deprecated/**" - - "example/**" - - "website/**" - "**.md" - - "!cmd/build/helmify/static/README.md" workflow_dispatch: - + permissions: read-all jobs: @@ -75,6 +63,6 @@ jobs: - name: Run trivy on images run: | - for img in "localbuild:test"; do + for img in "localbuild:test" "localbuildcrd:test"; do trivy image --ignore-unfixed --vuln-type="os,library" "${img}" done \ No newline at end of file diff --git a/Makefile b/Makefile index 64f10fe2a..570ac9d19 100644 --- a/Makefile +++ b/Makefile 
@@ -524,10 +524,12 @@ e2e-deploy-gatekeeper: e2e-helm-install if [ ${GATEKEEPER_VERSION} != "3.13.0" ]; then ./.staging/helm/linux-amd64/helm install gatekeeper/gatekeeper --version ${GATEKEEPER_VERSION} --name-template=gatekeeper --namespace ${GATEKEEPER_NAMESPACE} --create-namespace --set enableExternalData=true --set validatingWebhookTimeoutSeconds=5 --set mutatingWebhookTimeoutSeconds=2 --set auditInterval=0 --set externaldataProviderResponseCacheTTL=1s; fi e2e-build-crd-image: - docker build --progress=plain --no-cache --build-arg KUBE_VERSION=${KUBERNETES_VERSION} --build-arg TARGETOS="linux" --build-arg TARGETARCH="amd64" -f crd.Dockerfile -t localbuildcrd:test ./charts/ratify/crds + docker build --progress=plain --no-cache --build-arg KUBE_VERSION=${KUBERNETES_VERSION} --build-arg TARGETOS="linux" --build-arg TARGETARCH="amd64" -f crd.Dockerfile -t localbuildcrd:test ./charts/ratify/crds + +load-build-crd-image: kind load docker-image --name kind localbuildcrd:test -e2e-deploy-base-ratify: e2e-notation-setup e2e-notation-leaf-cert-setup e2e-cosign-setup e2e-inlinecert-setup e2e-build-crd-image e2e-build-local-ratify-base-image +e2e-deploy-base-ratify: e2e-notation-setup e2e-notation-leaf-cert-setup e2e-cosign-setup e2e-inlinecert-setup e2e-build-crd-image load-build-crd-image e2e-build-local-ratify-base-image printf "{\n\t\"auths\": {\n\t\t\"registry:5000\": {\n\t\t\t\"auth\": \"`echo "${TEST_REGISTRY_USERNAME}:${TEST_REGISTRY_PASSWORD}" | tr -d '\n' | base64 -i -w 0`\"\n\t\t}\n\t}\n}" > mount_config.json ./.staging/helm/linux-amd64/helm install ${RATIFY_NAME} \ 
@@ -551,7 +553,7 @@ e2e-deploy-base-ratify: e2e-notation-setup e2e-notation-leaf-cert-setup e2e-cosi rm mount_config.json -e2e-deploy-ratify: e2e-notation-setup e2e-notation-leaf-cert-setup e2e-cosign-setup e2e-cosign-setup e2e-licensechecker-setup e2e-sbom-setup e2e-schemavalidator-setup e2e-vulnerabilityreport-setup e2e-inlinecert-setup e2e-build-crd-image e2e-build-local-ratify-image load-e2e-build-local-ratify-image e2e-helm-deploy-ratify +e2e-deploy-ratify: e2e-notation-setup e2e-notation-leaf-cert-setup e2e-cosign-setup e2e-cosign-setup e2e-licensechecker-setup e2e-sbom-setup e2e-schemavalidator-setup e2e-vulnerabilityreport-setup e2e-inlinecert-setup e2e-build-crd-image load-build-crd-image e2e-build-local-ratify-image load-local-ratify-image e2e-helm-deploy-ratify e2e-build-local-ratify-base-image: docker build --progress=plain --no-cache \ @@ -568,7 +570,7 @@ e2e-build-local-ratify-image: -f ./httpserver/Dockerfile \ -t localbuild:test . -load-e2e-build-local-ratify-image: +load-local-ratify-image: kind load docker-image --name kind localbuild:test e2e-helmfile-deploy-released-ratify: @@ -634,7 +636,7 @@ e2e-helm-deploy-redis: e2e-helm-deploy-dapr kubectl apply -f test/testdata/dapr/dapr-redis-secret.yaml -n ${GATEKEEPER_NAMESPACE} kubectl apply -f test/testdata/dapr/dapr-redis.yaml -n ${GATEKEEPER_NAMESPACE} -e2e-helm-deploy-ratify-replica: e2e-helm-deploy-redis e2e-notation-setup e2e-build-crd-image e2e-build-local-ratify-image load-e2e-build-local-ratify-image +e2e-helm-deploy-ratify-replica: e2e-helm-deploy-redis e2e-notation-setup e2e-build-crd-image load-build-crd-image e2e-build-local-ratify-image load-local-ratify-image printf "{\n\t\"auths\": {\n\t\t\"registry:5000\": {\n\t\t\t\"auth\": \"`echo "${TEST_REGISTRY_USERNAME}:${TEST_REGISTRY_PASSWORD}" | tr -d '\n' | base64 -i -w 0`\"\n\t\t}\n\t}\n}" > mount_config.json ./.staging/helm/linux-amd64/helm install ${RATIFY_NAME} \ From a000acb013fbe7062964f1d2edebea6fcabb8883 Mon Sep 17 00:00:00 2001 
From: "huish@microsoft.com" Date: Tue, 28 May 2024 01:08:27 +0000 Subject: [PATCH 4/8] add crd build step --- .github/workflows/scan-vulns.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/scan-vulns.yaml b/.github/workflows/scan-vulns.yaml index ba7b0545c..1e1ccdaaf 100644 --- a/.github/workflows/scan-vulns.yaml +++ b/.github/workflows/scan-vulns.yaml @@ -60,7 +60,7 @@ jobs: - name: Build docker images run: | make e2e-build-local-ratify-image - + make e2e-build-crd-image - name: Run trivy on images run: | for img in "localbuild:test" "localbuildcrd:test"; do From a01b605d7a1f8b335ca285878600d87f21a61072 Mon Sep 17 00:00:00 2001 From: "huish@microsoft.com" Date: Wed, 29 May 2024 05:51:08 +0000 Subject: [PATCH 5/8] remove --skipdir flag --- .github/workflows/scan-vulns.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/scan-vulns.yaml b/.github/workflows/scan-vulns.yaml index 1e1ccdaaf..a939b25a1 100644 --- a/.github/workflows/scan-vulns.yaml +++ b/.github/workflows/scan-vulns.yaml @@ -55,7 +55,7 @@ jobs: - name: Run trivy on git repository run: | - trivy fs --format table --ignore-unfixed --skip-dirs website --scanners vuln . + trivy fs --format table --ignore-unfixed --scanners vuln . - name: Build docker images run: | From 64c2315e89e844e9b649aa4d79c452f27a12fc0d Mon Sep 17 00:00:00 2001 From: "huish@microsoft.com" Date: Fri, 31 May 2024 02:00:42 +0000 Subject: [PATCH 6/8] fail on med --- .github/workflows/scan-vulns.yaml | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/.github/workflows/scan-vulns.yaml b/.github/workflows/scan-vulns.yaml index a939b25a1..e7ecf02aa 100644 --- a/.github/workflows/scan-vulns.yaml +++ b/.github/workflows/scan-vulns.yaml 
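Review bot: After dropping `--skip-dirs website`, the repository scan still runs without `--exit-code`, so `trivy fs` prints findings but can never fail the job, while the later patches in this series add `--exit-code 1` to the image scans and not here. If the source scan is meant to gate as well, `trivy fs --format table --ignore-unfixed --exit-code 1 --severity HIGH,CRITICAL --scanners vuln .` puts it on the same footing as the image steps. If it is intentionally report-only, a comment on the step such as `# informational: repository scan does not fail the job` stops the next reader from taking the missing exit code for an oversight. The step belongs to the `scan_vulnerabilities` job, whose other steps lie outside this hunk.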
@@ -61,8 +61,13 @@ jobs: run: | make e2e-build-local-ratify-image make e2e-build-crd-image - - name: Run trivy on images + - name: Run trivy on images for all severity run: | for img in "localbuild:test" "localbuildcrd:test"; do trivy image --ignore-unfixed --vuln-type="os,library" "${img}" + done + - name: Run trivy on images and exit on medium severity + run: | + for img in "localbuild:test" "localbuildcrd:test"; do + trivy image --ignore-unfixed --exit-code 1 --severity MEDIUM --vuln-type="os,library" "${img}" done \ No newline at end of file From 314d46e5193277c20a59a8ec05afe1e1023706af Mon Sep 17 00:00:00 2001 From: "huish@microsoft.com" Date: Fri, 31 May 2024 02:05:31 +0000 Subject: [PATCH 7/8] fail critical --- .github/workflows/scan-vulns.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/scan-vulns.yaml b/.github/workflows/scan-vulns.yaml index e7ecf02aa..e63e4252f 100644 --- a/.github/workflows/scan-vulns.yaml +++ b/.github/workflows/scan-vulns.yaml @@ -66,8 +66,8 @@ jobs: for img in "localbuild:test" "localbuildcrd:test"; do trivy image --ignore-unfixed --vuln-type="os,library" "${img}" done - - name: Run trivy on images and exit on medium severity + - name: Run trivy on images and exit on CRITICAL severity run: | for img in "localbuild:test" "localbuildcrd:test"; do - trivy image --ignore-unfixed --exit-code 1 --severity MEDIUM --vuln-type="os,library" "${img}" + trivy image --ignore-unfixed --exit-code 1 --severity CRITICAL --vuln-type="os,library" "${img}" done \ No newline at end of file From d7990c71ced856b50b5128dc69ed29d7af105714 Mon Sep 17 00:00:00 2001 From: "huish@microsoft.com" Date: Fri, 31 May 2024 02:11:21 +0000 Subject: [PATCH 8/8] fail on high --- .github/workflows/scan-vulns.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/scan-vulns.yaml b/.github/workflows/scan-vulns.yaml index e63e4252f..101293e96 100644 --- a/.github/workflows/scan-vulns.yaml 
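Review bot: The image list `"localbuild:test" "localbuildcrd:test"` is now spelled out in two steps (the new gating loop and the all-severity loop above it), so adding a third image means editing both or silently scanning it in only one; hoisting it to a job-level `env` value such as `IMAGES: localbuild:test localbuildcrd:test` and iterating over `${IMAGES}` in both loops keeps them in sync. Each image is also scanned twice, which is reasonable for a report-then-gate split but deserves a one-line comment on the gating step, e.g. `# second pass over the same images: fails the job on the gated severities`. The step that contains the first loop starts outside the hunk.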
+++ b/.github/workflows/scan-vulns.yaml @@ -66,8 +66,8 @@ jobs: for img in "localbuild:test" "localbuildcrd:test"; do trivy image --ignore-unfixed --vuln-type="os,library" "${img}" done - - name: Run trivy on images and exit on CRITICAL severity + - name: Run trivy on images and exit on HIGH severity run: | for img in "localbuild:test" "localbuildcrd:test"; do - trivy image --ignore-unfixed --exit-code 1 --severity CRITICAL --vuln-type="os,library" "${img}" + trivy image --ignore-unfixed --exit-code 1 --severity HIGH --vuln-type="os,library" "${img}" done \ No newline at end of file
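Review bot: `--severity HIGH` on the new line matches only HIGH findings, because Trivy's `--severity` takes a list of exact levels rather than a minimum threshold, so once this patch replaces the previous `CRITICAL` value a CRITICAL vulnerability no longer fails the job. If the intent is "HIGH and above", write `--severity HIGH,CRITICAL` and rename the step to match, e.g. `Run trivy on images and exit on HIGH or CRITICAL severity`. The loop's enclosing step and job begin outside the hunk.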