Add docker security scan (#705)

* chore: scan docker image * chore: scan docker image * Update publish-docker-images.yaml * Update publish-docker-images.yaml * Update publish-docker-images.yaml * Update publish-docker-images.yaml * Update publish-docker-images.yaml * chore: add pull request conditionals for docker build * fix: conditional * fix: typo * chore: publish to slack on master failure * fix: webhook url * upgrade libssl3 libcrypto3 * set severity to low * fix slack message * update slack error messages * add e2e test status
vechain · Apr 22, 2024 · 388617b · 388617b
1 parent 883a004
commit 388617b
Show file tree

Hide file tree

Showing 4 changed files with 46 additions and 15 deletions.
diff --git a/.github/workflows/on-master-commit.yaml b/.github/workflows/on-master-commit.yaml
@@ -51,3 +51,33 @@ jobs:
       tags: |
         type=raw,value=master-${{ needs.generate-tags.outputs.tag_date }}-${{ needs.generate-tags.outputs.short_sha }}
         type=raw,value=master-latest
+
+  notify-slack:
+    name: Notify Slack
+    needs:
+      - publish-docker-image
+      - generate-tags
+      - lint
+      - run-unit-tests
+    if: always() && (needs.publish-docker-image.result != 'success' || needs.run-unit-tests.result != 'success' || needs.lint.result != 'success' || needs.run-e2e-tests.result != 'success')
+    runs-on: ubuntu-latest
+    steps:
+      - name: Notify Slack
+        uses: slackapi/[email protected]
+        env:
+          SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
+        with:
+          payload: |
+            {
+              "unit-test-status": "${{ needs.run-unit-tests.result != 'success' && ':alert: Failure' || ':white_check_mark: Success' }}",
+              "docker-publish-status": "${{ needs.publish-docker-image.result != 'success' && ':alert: Failure' || ':white_check_mark: Success' }}",
+              "commit-message": "${{ github.event.head_commit.message }}",
+              "commit-url": "${{ github.event.head_commit.url }}",
+              "e2e-test-status": "${{ needs.run-e2e-tests.result != 'success' && ':alert: Failure' || ':white_check_mark: Success' }}",
+              "branch": "${{ github.ref }}",
+              "status": "${{ job.status }}",
+              "repository": "${{ github.repository }}",
+              "commit-author": "${{ github.event.head_commit.author.name }}",
+              "lint-status": "${{ needs.lint.result != 'success' && ':alert: Failure' || ':white_check_mark: Success' }}"
+            }
+
diff --git a/.github/workflows/publish-docker-images.yaml b/.github/workflows/publish-docker-images.yaml
@@ -33,21 +33,24 @@ jobs:
         uses: actions/checkout@v4
 
       - name: Set up QEMU
+        if: ${{ github.event_name != 'pull_request' }}
         uses: docker/setup-qemu-action@v3
 
       - name: Set up Docker Buildx
+        if: ${{ github.event_name != 'pull_request' }}
         uses: docker/setup-buildx-action@v3
 
       - name: Log in to Docker Hub
         uses: docker/login-action@v3
         # Only log in to Docker Hub if the event is a release
-        if: ${{ inputs.environment == 'docker-publish' }}
+        if: ${{ inputs.environment == 'docker-publish' && github.event_name != 'pull_request' }}
         with:
           username: ${{ secrets.DOCKERHUB_USERNAME }}
           password: ${{ secrets.DOCKERHUB_TOKEN }}
 
       - name: Log in to the Container registry
         uses: docker/login-action@v3
+        if: ${{ github.event_name != 'pull_request' }}
         with:
           registry: ghcr.io
           username: ${{ github.actor }}
@@ -66,8 +69,18 @@ jobs:
         uses: docker/build-push-action@v5
         with:
           context: .
-          platforms: linux/amd64,linux/arm64
+          platforms: ${{ github.event_name != 'pull_request' && 'linux/amd64,linux/arm64' || 'linux/amd64' }}
           push: ${{ github.event_name != 'pull_request' }}
+          load: ${{ github.event_name == 'pull_request' }}
           provenance: false
           tags: ${{ steps.meta.outputs.tags }}
           labels: ${{ steps.meta.outputs.labels }}
+
+      - name: Scan for vulnerabilities
+        uses: crazy-max/ghaction-container-scan@v3
+        if: ${{ github.event_name == 'pull_request' || github.ref_name == 'master' }}
+        with:
+          image: ${{ fromJSON(steps.meta.outputs.json).tags[0] }}
+          annotations: true
+          severity: LOW
+          dockerfile: ./Dockerfile
diff --git a/.github/workflows/test.yaml b/.github/workflows/test.yaml
@@ -32,19 +32,6 @@ jobs:
         id: unit-test
         run: make test
 
-      - name: Post To Slack
-        if: always()  && github.ref == 'refs/heads/master' && (steps.unit-test.outcome == 'failure')
-        uses: slackapi/[email protected]
-        with:
-          payload: |
-            {
-              "source": "GitHub",
-              "repo": "${{ github.repository}}",
-              "branch": "${{ github.head_ref || github.ref_name }}",
-              "message": "unit tests failed on ${{ matrix.os }} with go version ${{ matrix.go-version }}"
-            }
-        env:
-          SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
   test_coverage:
     runs-on: ubuntu-latest
     steps:

diff --git a/Dockerfile b/Dockerfile
@@ -10,6 +10,7 @@ RUN make all
 FROM alpine:latest
 
 RUN apk add --no-cache ca-certificates
+RUN apk upgrade libssl3 libcrypto3
 COPY --from=builder /go/thor/bin/thor /usr/local/bin/
 COPY --from=builder /go/thor/bin/disco /usr/local/bin/
 RUN adduser -D -s /bin/ash thor