Create an action for scanning APKs for vulnz #115

Merged
merged 1 commit into from
May 28, 2023
40 changes: 40 additions & 0 deletions .github/workflows/test-scan-apk.yaml
@@ -0,0 +1,40 @@
name: test-scan-apk

on: [pull_request]

jobs:
test-unpinned:
runs-on: ubuntu-latest
permissions: {}
steps:
- uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
- uses: ./scan-apk
id: scan
with:
package: ko
- run: echo ${{ steps.scan.outputs.vuln-count }}

test-pinned:
runs-on: ubuntu-latest
permissions: {}
steps:
- uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
- uses: ./scan-apk
id: scan
with:
package: ko=0.13.0-r4
- run: echo ${{ steps.scan.outputs.vuln-count }}

test-alpine:
runs-on: ubuntu-latest
permissions: {}
steps:
- uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
- uses: ./scan-apk
id: scan
with:
repositories: https://dl-cdn.alpinelinux.org/alpine/edge/main
keyring: ""
package: busybox
- run: echo ${{ steps.scan.outputs.vuln-count }}
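Review bot: none of the three jobs asserts on the result, so a regression that leaves `vuln-count` empty (a failed Grype step, a jq parse error) would still pass CI; replace `- run: echo ${{ steps.scan.outputs.vuln-count }}` with a check such as `test -n "$VULN_COUNT"` plus a numeric match, and pass the output through `env:` rather than interpolating `${{ }}` straight into the script, which is the pattern GitHub advises against for `run:` steps. The `permissions: {}` blocks and the SHA-pinned checkout are good as they are.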

2 changes: 2 additions & 0 deletions apko-publish/action.yaml
@@ -163,7 +163,9 @@ runs:
APKO_IMAGE="ghcr.io/wolfi-dev/apko:latest"
fi
docker run -i --rm --entrypoint /bin/sh \
--network host \
Contributor Author: to support registries on localhost

-v $PWD:/github/workspace \
-v /tmp:/tmp \
Contributor Author: To support generated apko configs

--workdir /github/workspace \
-e "GITHUB_ACTOR=${{ inputs.repository_owner }}" \
-e "GITHUB_TOKEN=${{ inputs.token }}" \
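Review bot: `-v /tmp:/tmp` mounts the runner's whole temp directory into the apko container when only the generated config file is needed; mount that single file (`-v "${CONFIG}:/config.yaml:ro"`) or have the caller write it under `$PWD`, which is already mounted as `/github/workspace`. Combined with `--network host` and the `GITHUB_TOKEN` passed in on the following lines, the container now reaches every host-local service and anything other steps have staged in `/tmp`, so both new flags deserve a comment in `action.yaml` itself rather than only in the PR thread, and `--network host` could be made opt-in through an input for callers that do not use a localhost registry.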
14 changes: 14 additions & 0 deletions scan-apk/README.md
@@ -0,0 +1,14 @@
# Scan an APK for Vulnerabilities

This action uses apko to build an ephemeral image and scan it with
[Anchore/Grype](https://github.com/anchore/grype) to identify any
vulnerabilities.


## Usage

```yaml
- uses: chainguard-images/actions/scan-apk@main
with:
package: foo # or foo=1.2.3-r4
```
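Review bot: the README documents only `package`; it should also list `repositories`, `keyring` and `architecture` with their defaults (the Wolfi `os` repository, the Wolfi signing key, `x86_64`) and the `vuln-count` output, since a consumer otherwise has no way to know the scan never fails the job by itself. The usage snippet references `@main`, whereas the test workflow pins actions by commit SHA with a version comment; show a pinned ref in the example so consumers of a vulnerability-scanning action do not copy a floating one.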
82 changes: 82 additions & 0 deletions scan-apk/action.yaml
@@ -0,0 +1,82 @@
# Copyright 2022 The Distroless Authors
# SPDX-License-Identifier: Apache-2.0

name: 'Scan APK for vulnerabilities'
description: |
This action scans an APK for vulnerabilities by turning it into an OCI image first.

inputs:

repositories:
description: |
A comma-delimited list of APK repositories to include.
required: false
default: https://packages.wolfi.dev/os

keyring:
description: |
A comma-delimited list of APK keyrings to include.
required: false
default: https://packages.wolfi.dev/os/wolfi-signing.rsa.pub

package:
description: |
The APK to scan for vulnerabilities.
required: true

architecture:
description: |
The architecture to scan the package for vulnerabilities.
required: false
default: "x86_64"

outputs:
vuln-count:
description: Number of vulnerables in Grype scan
value: ${{ steps.scan-report.outputs.vuln-count }}

runs:
using: composite
steps:
- uses: chainguard-dev/actions/setup-registry@main
with:
port: 1234

- shell: bash
id: mkconfig
run: |
TMP=$(mktemp)

cat > "${TMP}" <<EOF
contents:
repositories: $(echo "${{ inputs.repositories }}" | tr -d '[:space:]' | jq --raw-input -c --slurp 'split(",")')
keyring: $(echo "${{ inputs.keyring }}" | tr -d '[:space:]' | jq --raw-input -c --slurp 'split(",")')
packages:
- ${{ inputs.package }}

archs:
- ${{ inputs.architecture }}
EOF

echo "::set-output name=config-file::${TMP}"

- shell: bash
run: |
cat ${{ steps.mkconfig.outputs.config-file }}

- uses: ./apko-publish
with:
config: ${{ steps.mkconfig.outputs.config-file }}
tag: localhost:1234/apk-scan

- id: grype-scan
uses: anchore/scan-action@ecfd0e98932e57ea8f68f29c4f418fc41a8194db
with:
image: localhost:1234/apk-scan
fail-build: false
severity-cutoff: low

- id: scan-report
shell: bash
run: |
echo "::set-output name=vuln-count::$(cat ${{ steps.grype-scan.outputs.sarif }} | jq '.runs[0].results | length')"
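Review bot: `::set-output` (used for both `config-file` and `vuln-count`) has been deprecated by GitHub since October 2022 and emits warnings; write to `$GITHUB_OUTPUT` instead, e.g. `echo "config-file=${TMP}" >> "$GITHUB_OUTPUT"`. The inputs are interpolated straight into shell (`$(echo "${{ inputs.repositories }}" | ...)` and the heredoc's `- ${{ inputs.package }}`), so a value containing a double quote or a newline escapes the intended command substitution or YAML list; expose them as `env:` variables and reference `"$REPOSITORIES"`, `"$PACKAGE"` in the script. Also: `chainguard-dev/actions/setup-registry@main` is unpinned while `anchore/scan-action` is SHA-pinned without a version comment, so pin both consistently; `fail-build: false` means findings never fail the scan step and `vuln-count` is just the length of `.runs[0].results` in Grype's SARIF, so the caller must act on the number itself; and the output description reads `vulnerables`, which should be `vulnerabilities`.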