From a9a1882730087d7d9d8785267a2e66657d891169 Mon Sep 17 00:00:00 2001
From: Ayoub Benaissa
Date: Thu, 31 Oct 2024 07:52:49 +0100
Subject: [PATCH 1/2] feat(ci): scan CP docker image with trivy

---
 .../workflows/concrete_python_push_docker_image.yml | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/.github/workflows/concrete_python_push_docker_image.yml b/.github/workflows/concrete_python_push_docker_image.yml
index bb21a8c471..b6403bb69e 100644
--- a/.github/workflows/concrete_python_push_docker_image.yml
+++ b/.github/workflows/concrete_python_push_docker_image.yml
@@ -34,6 +34,16 @@ jobs:
           mkdir empty_context
           docker image build -t ${{ env.NAME_TAG }} --build-arg version=${{ env.VERSION }} -f ${{ env.DOCKER_FILE }} empty_context
 
+      - name: Run Trivy vulnerability scanner
+        uses: aquasecurity/trivy-action@915b19bbe73b92a6cf82a1bc12b087c9a19a5fe2 # 0.28.0
+        with:
+          image-ref: '${{ env.NAME_TAG }}'
+          format: 'table'
+          exit-code: '1'
+          ignore-unfixed: true
+          vuln-type: 'os,library'
+          severity: 'CRITICAL,HIGH'
+
       - name: Login to Docker Hub
         uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567
         with:

From 463c2a1dedd6a524a9ff23a441f6a2ad61d89688 Mon Sep 17 00:00:00 2001
From: Ayoub Benaissa
Date: Thu, 31 Oct 2024 08:00:05 +0100
Subject: [PATCH 2/2] feat(ci): scan compiler docker images with trivy

---
 .../compiler_publish_docker_images.yml | 42 +++++++++++++++++--
 1 file changed, 38 insertions(+), 4 deletions(-)

diff --git a/.github/workflows/compiler_publish_docker_images.yml b/.github/workflows/compiler_publish_docker_images.yml
index 63ae5e1942..b161abca32 100644
--- a/.github/workflows/compiler_publish_docker_images.yml
+++ b/.github/workflows/compiler_publish_docker_images.yml
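Review bot: The `with:` block does not record why the job fails only on fixable CRITICAL/HIGH findings, and the same nine lines are repeated verbatim in all three hunks of the second patch (compiler_publish_docker_images.yml), so the four copies will drift when one of them is tuned. A comment above `exit-code: '1'` would capture the policy: `# Gate the push on fixable CRITICAL/HIGH CVEs; unfixed ones are dropped from the report by ignore-unfixed`. Consider moving the step into a repository composite action so the action pin, `severity` and `vuln-type` live in one place. Quoting inside `with:` is mixed (`'1'` quoted, `true` bare); both reach the action as strings, but one style reads better. Placing the scan before the Docker Hub login is the right order, since a non-zero exit here stops the job before the login and whatever push follows it outside the hunk.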
@@ -64,6 +64,16 @@ jobs:
           DOCKER_BUILDKIT=1 docker build --no-cache \
             --label "commit-sha=${{ github.sha }}" -t ${{ matrix.image }} -f ${{ matrix.dockerfile }} .
 
+      - name: Run Trivy vulnerability scanner
+        uses: aquasecurity/trivy-action@915b19bbe73b92a6cf82a1bc12b087c9a19a5fe2 # 0.28.0
+        with:
+          image-ref: '${{ matrix.image }}'
+          format: 'table'
+          exit-code: '1'
+          ignore-unfixed: true
+          vuln-type: 'os,library'
+          severity: 'CRITICAL,HIGH'
+
       - name: Tag and Publish Image
         run: |
           docker image tag ${{ matrix.image }} ${{ matrix.image }}:${{ github.sha }}
@@ -100,11 +110,24 @@ jobs:
         if: contains(steps.changed-files.outputs.modified_files, 'docker/Dockerfile.hpx-env') || contains(steps.changed-files.outputs.modified_files, env.THIS_FILE)
         run: echo "${{ secrets.GHCR_PASSWORD }}" | docker login -u ${{ secrets.GHCR_LOGIN }} --password-stdin ghcr.io
-      - name: Build Tag and Publish
+      - name: Build
         if: ${{ steps.login.conclusion != 'skipped' }}
-        run: |
-          docker build -t "${IMAGE}" -f docker/Dockerfile.hpx-env .
-          docker push "${IMAGE}:latest"
+        run: docker build -t "${IMAGE}" -f docker/Dockerfile.hpx-env .
+
+      - name: Run Trivy vulnerability scanner
+        if: ${{ steps.login.conclusion != 'skipped' }}
+        uses: aquasecurity/trivy-action@915b19bbe73b92a6cf82a1bc12b087c9a19a5fe2 # 0.28.0
+        with:
+          image-ref: '${{ env.IMAGE }}'
+          format: 'table'
+          exit-code: '1'
+          ignore-unfixed: true
+          vuln-type: 'os,library'
+          severity: 'CRITICAL,HIGH'
+
+      - name: Publish
+        if: ${{ steps.login.conclusion != 'skipped' }}
+        run: docker push "${IMAGE}:latest"
 
 
   BuildAndPublishCUDADockerImage:
     name: Build & Publish CUDA Docker Image
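Review bot: In the second hunk on this line (`@@ -100,11 +110,24 @@`), the new Trivy and Publish steps name the image as `${{ env.IMAGE }}` while the neighbouring `run:` lines use the shell variable `"${IMAGE}"`; the two resolve to the same image only if IMAGE is declared under the job's `env:` (or written to `$GITHUB_ENV` by an earlier step), not exported inside a previous shell step. The job header is outside the hunk, so this is worth confirming rather than assuming. Splitting the old `Build Tag and Publish` step so the scan sits between `docker build` and `docker push` is the right ordering, and the first hunk (`@@ -64,6 +64,16 @@`) has the same correct placement before `Tag and Publish Image`. The `if: ${{ steps.login.conclusion != 'skipped' }}` guard now repeats on three consecutive steps; a short comment on the first occurrence, `# skipped together with the login step above`, would explain it to a reader.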
@@ -149,6 +172,17 @@ jobs:
           docker image tag "${IMAGE}" "${IMAGE}:${{ matrix.tag }}"
           docker push "${IMAGE}:${{ matrix.tag }}"
 
+      - name: Run Trivy vulnerability scanner
+        if: ${{ steps.login.conclusion != 'skipped' }}
+        uses: aquasecurity/trivy-action@915b19bbe73b92a6cf82a1bc12b087c9a19a5fe2 # 0.28.0
+        with:
+          image-ref: '${{ env.IMAGE }}'
+          format: 'table'
+          exit-code: '1'
+          ignore-unfixed: true
+          vuln-type: 'os,library'
+          severity: 'CRITICAL,HIGH'
+
       - name: Push Latest Image
         if: ${{ steps.login.conclusion != 'skipped' && matrix.tag == '11-8' }}
         run: docker push "${IMAGE}:latest"
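Review bot: The scan is inserted after `docker push "${IMAGE}:${{ matrix.tag }}"` in the preceding step, so the CUDA image is already in the registry under its version tag before Trivy runs; `exit-code: '1'` only withholds the `latest` tag. To make the gate effective, drop the push from the build step and push the tag in its own step after the scan, mirroring the Build / scan / Publish split this patch applies to the hpx-env job: `- name: Publish Tagged Image`, `if: ${{ steps.login.conclusion != 'skipped' }}`, `run: docker push "${IMAGE}:${{ matrix.tag }}"`. The step holding the push begins before this hunk, so I cannot see whether it carries the same `if:` guard as the steps around it.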