ci: add trivy vulnerability scan #134

296 changes: 174 additions & 122 deletions .github/workflows/common-docker.yml
@@ -1,4 +1,4 @@
name: Docker Build and Push
name: Docker Build, Scan and Push

on:
workflow_call:
Expand All @@ -8,69 +8,46 @@ on:
GRAVITON_BUILDER_SSH_PRIVATE_KEY:
required: true
inputs:
ref:
type: string
required: false
default: ""
working-directory:
type: string
required: true
docker-context:
type: string
required: false
default: "."
image-name:
type: string
required: true
image-dev-name:
type: string
required: false
image-dev-description:
type: string
required: false
push_image:
type: boolean
default: true
required: false
runs_on:
type: string
required: false
default: "ubuntu-latest"
generate-dev-image:
type: boolean
default: false
required: false
docker-file:
type: string
default: "ci.dockerfile"
required: false
docker-file-dev:
type: string
default: "dev.dockerfile"
required: false
graviton-build-host:
type: string
required: false
default: "ec2-15-188-101-126.eu-west-3.compute.amazonaws.com"
arm-build:
type: boolean
default: true
required: false
cache-from:
type: string
required: false
default: "type=gha"
cache-to:
type: string
required: false
default: "type=gha,mode=max"
ref: { type: string, default: "" }
working-directory: { type: string, required: true }
docker-context: { type: string, default: "." }
image-name: { type: string, required: true }
push_image: { type: boolean, default: true }
runs_on: { type: string, default: "ubuntu-latest" }
docker-file: { type: string, default: "ci.dockerfile" }
graviton-build-host: { type: string, default: "ec2-15-188-101-126.eu-west-3.compute.amazonaws.com" }
arm-build: { type: boolean, default: true }
cache-from: { type: string, default: "type=gha" }
cache-to: { type: string, default: "type=gha,mode=max" }
outputs:
image_name:
description: "Image Name with Tag generated by this task"
value: "${{ jobs.build-and-push-docker.outputs.image_name }}"
value: "${{ jobs.build.outputs.image_name }}"

jobs:
build-and-push-docker:
setup:
runs-on: ${{ inputs.runs_on }}
outputs:
docker_tag_image: ${{ steps.set-docker-tag.outputs.tag }}
steps:
- uses: actions/checkout@v2
- name: Run hadolint
uses: hadolint/hadolint-action@54c9adbab1582c2ef04b2016b760714a4bfde3cf # v3.1.0
with:
dockerfile: ${{ inputs.working-directory }}/${{ inputs.docker-file }}
failure-threshold: none

- name: Set Docker Tag
id: set-docker-tag
run: |
if [ "${{ github.event_name }}" != "release" ]; then
echo "tag=$(git rev-parse --short "$GITHUB_SHA")" >> $GITHUB_OUTPUT
else
echo "tag=${{ github.ref_name }}" >> $GITHUB_OUTPUT
fi

build-amd64:
needs: [setup]
runs-on: ${{ inputs.runs_on }}
outputs:
image_name: ${{ steps.export-image.outputs.image }}
Expand All @@ -80,16 +57,41 @@ jobs:
- name: Checkout Project
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7

- uses: hadolint/hadolint-action@54c9adbab1582c2ef04b2016b760714a4bfde3cf # v3.1.0
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@c47758b77c9736f4b2ef4073d4d51994fabfe349

- name: Docker Build
uses: docker/build-push-action@5cd11c3a4ced054e52742c5fd54dca954e0edd85 # v6.7.0
with:
dockerfile: ${{ inputs.working-directory }}/${{ inputs.docker-file }}
failure-threshold: none
context: ${{ inputs.docker-context }}
platforms: linux/amd64
build-args: |
BLOCKCHAIN_ACTIONS_TOKEN=${{ secrets.BLOCKCHAIN_ACTIONS_TOKEN }}
file: ${{ inputs.working-directory }}/${{ inputs.docker-file }}
push: false
provenance: false
outputs: type=docker, dest=docker-${{ inputs.image-name }}-${{ needs.setup.outputs.docker_tag_image }}-amd64.tar.gz
tags: ghcr.io/zama-ai/${{ inputs.image-name }}:${{ needs.setup.outputs.docker_tag_image }}-amd64
cache-from: ${{ inputs.cache-from }}
cache-to: ${{ inputs.cache-to }}

- uses: hadolint/hadolint-action@54c9adbab1582c2ef04b2016b760714a4bfde3cf # v3.1.0
if: ${{ inputs.generate-dev-image }}
- name: Upload Container Img Tarball as Artifact
uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 ## v4.4.3
if: success()
with:
dockerfile: ${{ inputs.working-directory }}/${{ inputs.docker-file-dev }}
failure-threshold: none
name: docker-${{ inputs.image-name }}-${{ needs.setup.outputs.docker_tag_image }}-amd64
path: docker-${{ inputs.image-name }}-${{ needs.setup.outputs.docker_tag_image }}-amd64.tar.gz

build-arm64:
needs: [setup]
runs-on: ${{ inputs.runs_on }}
outputs:
image_name: ${{ steps.export-image.outputs.image }}
env:
HOME: ${{ inputs.runs_on != 'ubuntu-latest' && '/root' || '/home/runner' }}
steps:
- name: Checkout Project
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7

- name: Set up SSH
if: inputs.arm-build
Expand All @@ -103,76 +105,126 @@ jobs:
if: inputs.arm-build
uses: docker/setup-buildx-action@d70bba72b1f3fd22344832f00baa16ece964efeb # v3.3.0
with:
platforms: linux/amd64,linux/arm64
platforms: linux/arm64
append: |
- endpoint: "ssh://ec2-user@${{ inputs.graviton-build-host }}"
platforms: linux/arm64

- name: Login to GitHub Container Registry
uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}

- name: Echo github event
run: echo "Github event ==> ${{ github.event_name }}"

- name: Current branch sha
if: github.event_name != 'release'
run: |
echo "DOCKER_TAG_IMAGE=$(git rev-parse --short "$GITHUB_SHA")" >> "$GITHUB_ENV"
- name: Current Tag
if: github.event_name == 'release'
run: |
echo "DOCKER_TAG_IMAGE=${{ github.ref_name }}" >> "$GITHUB_ENV"

- name: Docker Build and Push
- name: Docker Build (arm64)
uses: docker/build-push-action@5cd11c3a4ced054e52742c5fd54dca954e0edd85 # v6.7.0
with:
context: ${{ inputs.docker-context }}
platforms: linux/amd64,linux/arm64
platforms: linux/arm64
build-args: |
BLOCKCHAIN_ACTIONS_TOKEN=${{ secrets.BLOCKCHAIN_ACTIONS_TOKEN }}
file: ${{ inputs.working-directory }}/${{ inputs.docker-file }}
push: ${{ inputs.push_image }}
pull: false
tags: ghcr.io/zama-ai/${{ inputs.image-name }}:${{env.DOCKER_TAG_IMAGE }},ghcr.io/zama-ai/${{ inputs.image-name }}:latest
push: false
provenance: false
outputs: type=docker, dest=docker-${{ inputs.image-name }}-${{ needs.setup.outputs.docker_tag_image }}-arm64.tar.gz
tags: |
ghcr.io/zama-ai/${{ inputs.image-name }}:${{ needs.setup.outputs.docker_tag_image }}-arm64
cache-from: ${{ inputs.cache-from }}
cache-to: ${{ inputs.cache-to }}

- name: Upload Container Img Tarball as Artifact
uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 ## v4.4.3
if: success()
with:
name: docker-${{ inputs.image-name }}-${{ needs.setup.outputs.docker_tag_image }}-arm64
path: docker-${{ inputs.image-name }}-${{ needs.setup.outputs.docker_tag_image }}-arm64.tar.gz

scan-vulns-docker:
needs: [build-amd64, build-arm64, setup]
runs-on: ubuntu-latest
steps:
- name: Download Container Img Tarball as Artifact (AMD)
uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 ## v4
with:
name: docker-${{ inputs.image-name }}-${{ needs.setup.outputs.docker_tag_image }}-amd64
path: _tmp/

- name: Extract Docker metadata
if: ${{ inputs.generate-dev-image }}
id: meta
uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81 # v5.5.1
- name: Download Container Img Tarball as Artifact (ARM)
uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 ## v4
with:
annotations: |
org.opencontainers.image.description="${{ inputs.image-dev-description }}"
labels: |
zama.fhevm.version=${{ env.DOCKER_TAG_IMAGE }}
zama.fhevm.description="${{ inputs.image-dev-description }}"
images: ghcr.io/zama-ai/${{ inputs.image-dev-name }}:${{ env.DOCKER_TAG_IMAGE }}
name: docker-${{ inputs.image-name }}-${{ needs.setup.outputs.docker_tag_image }}-arm64
path: _tmp/

- name: Check Container Image Tarball
run: |
cd _tmp/
mkdir _tar_amd64 _tar_arm64
file docker-${{ inputs.image-name }}-${{ needs.setup.outputs.docker_tag_image }}-amd64.tar.gz
file docker-${{ inputs.image-name }}-${{ needs.setup.outputs.docker_tag_image }}-arm64.tar.gz
tar -xvf docker-${{ inputs.image-name }}-${{ needs.setup.outputs.docker_tag_image }}-amd64.tar.gz -C _tar_amd64/
tar -xvf docker-${{ inputs.image-name }}-${{ needs.setup.outputs.docker_tag_image }}-arm64.tar.gz -C _tar_arm64/
ls -la _tar_amd64/
ls -la _tar_arm64/

- name: Vuln scan in Docker (table)(AMD)
uses: aquasecurity/trivy-action@915b19bbe73b92a6cf82a1bc12b087c9a19a5fe2
with:
scan-type: image
scanners: vuln,secret
input: _tmp/_tar_amd64/
format: table
hide-progress: true
env:
DOCKER_METADATA_ANNOTATIONS_LEVELS: index
TRIVY_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-db:2
TRIVY_JAVA_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-java-db:1

- name: Docker Build and Push Dev Image
if: ${{ inputs.generate-dev-image }}
uses: docker/build-push-action@5cd11c3a4ced054e52742c5fd54dca954e0edd85 # v6.7.0
timeout-minutes: 360
- name: Vuln scan in Docker (table)(ARM)
uses: aquasecurity/trivy-action@915b19bbe73b92a6cf82a1bc12b087c9a19a5fe2
with:
context: ${{ inputs.docker-context }}
platforms: linux/amd64,linux/arm64
build-args: |
BLOCKCHAIN_ACTIONS_TOKEN=${{ secrets.BLOCKCHAIN_ACTIONS_TOKEN }}
file: ${{ inputs.working-directory }}/${{ inputs.docker-file-dev }}
push: ${{ inputs.push_image }}
pull: false
tags: ghcr.io/zama-ai/${{ inputs.image-dev-name }}:${{env.DOCKER_TAG_IMAGE}},ghcr.io/zama-ai/${{ inputs.image-dev-name }}:latest
cache-from: type=gha
cache-to: type=gha,mode=max
labels: ${{ steps.meta.outputs.labels }}
annotations: ${{ steps.meta.outputs.annotations }}

- name: Export image name
id: export-image
run: echo "image=ghcr.io/zama-ai/${{inputs.image-name}}:${{env.DOCKER_TAG_IMAGE}}" >> "${GITHUB_OUTPUT}"
scan-type: image
scanners: vuln,secret
input: _tmp/_tar_arm64/
format: table
hide-progress: true
env:
TRIVY_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-db:2
TRIVY_JAVA_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-java-db:1

push-multi-arch:
needs: [setup, build-amd64, build-arm64]
runs-on: ${{ inputs.runs_on }}
steps:
- name: Checkout Project
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7

- name: Set up SSH
if: inputs.arm-build
uses: MrSquaare/ssh-setup-action@2d028b70b5e397cf8314c6eaea229a6c3e34977a # v3.1.0
with:
host: ${{ inputs.graviton-build-host }}
private-key: ${{ secrets.GRAVITON_BUILDER_SSH_PRIVATE_KEY }}
private-key-name: docker_builder_arm

- name: Set up Docker Buildx
if: inputs.arm-build
uses: docker/setup-buildx-action@d70bba72b1f3fd22344832f00baa16ece964efeb # v3.3.0
with:
platforms: linux/amd64,linux/arm64
append: |
- endpoint: "ssh://ec2-user@${{ inputs.graviton-build-host }}"
platforms: linux/arm64

- name: Login to GitHub Container Registry
uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.BLOCKCHAIN_ACTIONS_TOKEN }}

- name: Create and push multi-arch image
uses: docker/build-push-action@v3
with:
context: .
build-args: |
BLOCKCHAIN_ACTIONS_TOKEN=${{ secrets.BLOCKCHAIN_ACTIONS_TOKEN }}
file: ${{ inputs.working-directory }}/${{ inputs.docker-file }}
platforms: linux/amd64,linux/arm64
push: true
provenance: false
tags: ghcr.io/zama-ai/${{ inputs.image-name }}:${{ needs.setup.outputs.docker_tag_image }}
cache-from: ${{ inputs.cache-from }}
cache-to: ${{ inputs.cache-to }}
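Review bot: The new Trivy scan never gates the publish step: `push-multi-arch` declares `needs: [setup, build-amd64, build-arm64]` without `scan-vulns-docker`, and both Trivy steps use `format: table` with no `exit-code`/`severity`, so the scan and the push run side by side and the image is published whatever the findings. To make it blocking, change the dependency to `needs: [setup, build-amd64, build-arm64, scan-vulns-docker]` and add `exit-code: '1'` and `severity: CRITICAL,HIGH` (optionally `ignore-unfixed: true`) to each Trivy `with:` block. Note also that the final job rebuilds from the Dockerfile instead of pushing the scanned tarballs, so what ships is only cache-equivalent to what was scanned; loading the two artifacts and pushing a manifest list would close that gap. Separately, `actions/checkout@v2` in `setup` and `docker/build-push-action@v3` in `push-multi-arch` are mutable tags (and checkout v2 is deprecated), regressing the SHA pinning used everywhere else in this file — pin them to the commits already used here, `actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7` and `docker/build-push-action@5cd11c3a4ced054e52742c5fd54dca954e0edd85 # v6.7.0`. Finally, the workflow output `value: ${{ jobs.build.outputs.image_name }}` references a job named `build` that no longer exists in this file, and `push: true` in the last job ignores the still-declared `push_image` input.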
5 changes: 1 addition & 4 deletions .github/workflows/fhevm-smart-contracts.yml
Expand Up @@ -4,6 +4,7 @@ on:
push:
branches:
- main
- security/trivy
paths:
- .github/workflows/fhevm-smart-contracts.yml
- .github/workflows/common-docker.yml
Expand All @@ -27,11 +28,7 @@ jobs:
working-directory: "."
push_image: true
image-name: "fhevm-smart-contracts"
image-dev-name: "fhevm-smart-contracts-dev"
generate-dev-image: true
docker-file: "contracts/operations/docker/ci.dockerfile"
docker-file-dev: "contracts/operations/docker/dev.dockerfile"
image-dev-description: "fhevm smart contracts dev image"
arm-build: true

secrets:
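Review bot: The added `- security/trivy` push trigger looks like a feature-branch hook for testing this draft; if it stays, every push to that branch runs the reusable workflow with `push_image: true` and publishes `fhevm-smart-contracts` tags to ghcr.io from an unreviewed branch. Drop the `- security/trivy` line before this leaves draft, or gate the publish on `github.ref == 'refs/heads/main'`. Note too that the caller still passes `push_image: true` although the rewritten `common-docker.yml` in this PR pushes unconditionally (`push: true`), so the input appears to have no effect any more.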