From 388617bb62b7463678536267b553a5977f9ee169 Mon Sep 17 00:00:00 2001
From: Darren Kelly <107671032+darrenvechain@users.noreply.github.com>
Date: Mon, 22 Apr 2024 17:01:48 +0100
Subject: [PATCH] Add docker security scan (#705)

* chore: scan docker image
* chore: scan docker image
* Update publish-docker-images.yaml
* Update publish-docker-images.yaml
* Update publish-docker-images.yaml
* Update publish-docker-images.yaml
* Update publish-docker-images.yaml
* chore: add pull request conditionals for docker build
* fix: conditional
* fix: typo
* chore: publish to slack on master failure
* fix: webhook url
* upgrade libssl3 libcrypto3
* set severity to low
* fix slack message
* update slack error messages
* add e2e test status
---
 .github/workflows/on-master-commit.yaml | 30 ++++++++++++++++++++
 .github/workflows/publish-docker-images.yaml | 17 +++++++++--
 .github/workflows/test.yaml | 13 ---------
 Dockerfile | 1 +
 4 files changed, 46 insertions(+), 15 deletions(-)

diff --git a/.github/workflows/on-master-commit.yaml b/.github/workflows/on-master-commit.yaml
index 9a51890f6..43e31a561 100644
--- a/.github/workflows/on-master-commit.yaml
+++ b/.github/workflows/on-master-commit.yaml
@@ -51,3 +51,33 @@ jobs:
 tags: |
 type=raw,value=master-${{ needs.generate-tags.outputs.tag_date }}-${{ needs.generate-tags.outputs.short_sha }}
 type=raw,value=master-latest
+
+ notify-slack:
+ name: Notify Slack
+ needs:
+ - publish-docker-image
+ - generate-tags
+ - lint
+ - run-unit-tests
+ if: always() && (needs.publish-docker-image.result != 'success' || needs.run-unit-tests.result != 'success' || needs.lint.result != 'success' || needs.run-e2e-tests.result != 'success')
+ runs-on: ubuntu-latest
+ steps:
+ - name: Notify Slack
+ uses: slackapi/slack-github-action@v1.25.0
+ env:
+ SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
+ with:
+ payload: |
+ {
+ "unit-test-status": "${{ needs.run-unit-tests.result != 'success' && ':alert: Failure' || ':white_check_mark: Success' }}",
+ "docker-publish-status": "${{ needs.publish-docker-image.result != 'success' && ':alert: Failure' || ':white_check_mark: Success' }}",
+ "commit-message": "${{ github.event.head_commit.message }}",
+ "commit-url": "${{ github.event.head_commit.url }}",
+ "e2e-test-status": "${{ needs.run-e2e-tests.result != 'success' && ':alert: Failure' || ':white_check_mark: Success' }}",
+ "branch": "${{ github.ref }}",
+ "status": "${{ job.status }}",
+ "repository": "${{ github.repository }}",
+ "commit-author": "${{ github.event.head_commit.author.name }}",
+ "lint-status": "${{ needs.lint.result != 'success' && ':alert: Failure' || ':white_check_mark: Success' }}"
+ }
+
diff --git a/.github/workflows/publish-docker-images.yaml b/.github/workflows/publish-docker-images.yaml
index a93ee9782..abd1958b4 100644
--- a/.github/workflows/publish-docker-images.yaml
+++ b/.github/workflows/publish-docker-images.yaml
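Review bot: The `if:` condition and the `e2e-test-status` field read `needs.run-e2e-tests.result`, but `run-e2e-tests` is not listed under `needs:` of `notify-slack`, so that result is not populated for this job; `!= 'success'` is then always true, the job fires on every master commit and reports e2e as a failure regardless of the real outcome. If a `run-e2e-tests` job exists in this workflow (the rest of `jobs:` is outside the hunk), add `- run-e2e-tests` under `needs:`; otherwise drop both references. Separately, `commit-message` is interpolated raw into the JSON payload, so a commit message containing `"` or a newline produces invalid JSON and the notification is lost exactly when it is wanted; `"commit-message": ${{ toJSON(github.event.head_commit.message) }},` yields a correctly quoted string (the same applies to `commit-author`). `job.status` is the status of the notify job itself, which is not a failed state at this point, so the `status` field does not reflect the pipeline result.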
@@ -33,21 +33,24 @@ jobs:
 uses: actions/checkout@v4
 - name: Set up QEMU
+ if: ${{ github.event_name != 'pull_request' }}
 uses: docker/setup-qemu-action@v3
 - name: Set up Docker Buildx
+ if: ${{ github.event_name != 'pull_request' }}
 uses: docker/setup-buildx-action@v3
 - name: Log in to Docker Hub
 uses: docker/login-action@v3
 # Only log in to Docker Hub if the event is a release
- if: ${{ inputs.environment == 'docker-publish' }}
+ if: ${{ inputs.environment == 'docker-publish' && github.event_name != 'pull_request' }}
 with:
 username: ${{ secrets.DOCKERHUB_USERNAME }}
 password: ${{ secrets.DOCKERHUB_TOKEN }}
 - name: Log in to the Container registry
 uses: docker/login-action@v3
+ if: ${{ github.event_name != 'pull_request' }}
 with:
 registry: ghcr.io
 username: ${{ github.actor }}
@@ -66,8 +69,18 @@ jobs:
 uses: docker/build-push-action@v5
 with:
 context: .
- platforms: linux/amd64,linux/arm64
+ platforms: ${{ github.event_name != 'pull_request' && 'linux/amd64,linux/arm64' || 'linux/amd64' }}
 push: ${{ github.event_name != 'pull_request' }}
+ load: ${{ github.event_name == 'pull_request' }}
 provenance: false
 tags: ${{ steps.meta.outputs.tags }}
 labels: ${{ steps.meta.outputs.labels }}
+
+ - name: Scan for vulnerabilities
+ uses: crazy-max/ghaction-container-scan@v3
+ if: ${{ github.event_name == 'pull_request' || github.ref_name == 'master' }}
+ with:
+ image: ${{ fromJSON(steps.meta.outputs.json).tags[0] }}
+ annotations: true
+ severity: LOW
+ dockerfile: ./Dockerfile
diff --git a/.github/workflows/test.yaml b/.github/workflows/test.yaml
index 495be30f0..234be2c8f 100644
--- a/.github/workflows/test.yaml
+++ b/.github/workflows/test.yaml
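Review bot: The comment `# Only log in to Docker Hub if the event is a release` no longer describes the condition under it, which now also excludes pull requests and is keyed on the `docker-publish` environment input rather than on a release event; update it to `# Log in to Docker Hub only for the docker-publish environment, never on pull requests`. The enclosing job starts before this hunk.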
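Review bot: On master the `Scan for vulnerabilities` step runs after `docker/build-push-action` has already pushed (`push:` is true for every non-PR event), so an image with findings reaches the registry before the scan reports on it; for published images this step is detective, not a gate. If the intent is to block publication, scan before pushing (build and scan first, push in a later step once the scan passes) and set the action's `severity_threshold` so the job fails on findings — with only `severity: LOW` the step appears to report rather than fail (confirm against the action's documentation). On pull requests only `linux/amd64` is built and loaded, so the arm64 image is never scanned; that gap is worth a comment next to `platforms:`. `crazy-max/ghaction-container-scan@v3` is a mutable tag, consistent with the other actions in this file, but a third-party scanner given the built image is a good candidate for pinning to a commit SHA.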
@@ -32,19 +32,6 @@ jobs:
 id: unit-test
 run: make test
- - name: Post To Slack
- if: always() && github.ref == 'refs/heads/master' && (steps.unit-test.outcome == 'failure')
- uses: slackapi/slack-github-action@v1.24.0
- with:
- payload: |
- {
- "source": "GitHub",
- "repo": "${{ github.repository}}",
- "branch": "${{ github.head_ref || github.ref_name }}",
- "message": "unit tests failed on ${{ matrix.os }} with go version ${{ matrix.go-version }}"
- }
- env:
- SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
 test_coverage:
 runs-on: ubuntu-latest
 steps:
diff --git a/Dockerfile b/Dockerfile
index d61a2f08d..2b0062da0 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -10,6 +10,7 @@ RUN make all
 FROM alpine:latest
 RUN apk add --no-cache ca-certificates
+RUN apk upgrade libssl3 libcrypto3
 COPY --from=builder /go/thor/bin/thor /usr/local/bin/
 COPY --from=builder /go/thor/bin/disco /usr/local/bin/
 RUN adduser -D -s /bin/ash thor
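Review bot: `RUN apk upgrade libssl3 libcrypto3` patches two named packages on top of an unpinned `alpine:latest` base, so the next advisory in any other package needs another commit, and the base (and therefore the scan result) can change between builds with no change in the repository. A more durable form upgrades everything installed in the same layer as the existing install, `RUN apk add --no-cache ca-certificates && apk upgrade --no-cache`, and pins the base to a specific release tag or digest (`FROM alpine:<pinned-tag-or-digest>`, placeholder) so builds are reproducible and successive scans compare like with like. Note also that in a separate layer without `--no-cache` (or a preceding `apk update`) apk may have no package index available and skip the upgrade silently; check the build log for the packages actually upgraded.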