chore: update security scanners (#3295)

.docker/Dockerfile-build

@@ -1,22 +1,22 @@
 # syntax = docker/dockerfile:1-experimental
-FROM golang:1.19-alpine3.16 AS base
+FROM golang:1.19-alpine3.18 AS base
 
 RUN apk --update upgrade && apk --no-cache --update-cache --upgrade --latest add ca-certificates build-base gcc
 
 WORKDIR /go/src/github.com/ory/kratos
 
-ADD go.mod go.mod
-ADD go.sum go.sum
-ADD internal/httpclient/go.* internal/httpclient/
-ADD internal/client-go/go.* internal/client-go/
+COPY go.mod go.mod
+COPY go.sum go.sum
+COPY internal/httpclient/go.* internal/httpclient/
+COPY internal/client-go/go.* internal/client-go/
 
 ENV GO111MODULE on
 ENV CGO_ENABLED 1
 ENV CGO_CPPFLAGS -DSQLITE_DEFAULT_FILE_PERMISSIONS=0600
 
 RUN go mod download
 
-ADD . .
+COPY . .
 
 ARG VERSION
 ARG COMMIT
@@ -26,7 +26,7 @@ RUN --mount=type=cache,target=/root/.cache/go-build go build -tags sqlite \
     -ldflags="-X 'github.com/ory/kratos/driver/config.Version=${VERSION}' -X 'github.com/ory/kratos/driver/config.Date=${BUILD_DATE}' -X 'github.com/ory/kratos/driver/config.Commit=${COMMIT}'" \
     -o /usr/bin/kratos
 
-FROM alpine:3.16
+FROM alpine:3.18
 
 RUN addgroup -S ory; \
     adduser -S ory -G ory -D -u 10000 -h /home/ory -s /bin/nologin; \

.github/workflows/cve-scan.yaml

@@ -14,32 +14,35 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@v2
+        uses: actions/checkout@v3
       - name: Setup Env
         id: vars
         shell: bash
         run: |
-          echo "##[set-output name=branch;]$(echo ${GITHUB_REF#refs/heads/})"
-          echo "::set-output name=sha_short::$(git rev-parse --short HEAD)"
+          echo "SHA_SHORT=$(git rev-parse --short HEAD)" >> "${GITHUB_ENV}"
       - name: Set up QEMU
-        uses: docker/setup-qemu-action@v1
+        uses: docker/setup-qemu-action@v2
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v1
+        uses: docker/setup-buildx-action@v2
       - name: Build images
         shell: bash
         run: |
-          touch kratos
-          DOCKER_BUILDKIT=1 docker build -f .docker/Dockerfile-alpine --build-arg=COMMIT=${{ steps.vars.outputs.sha_short }} -t oryd/kratos:${{ steps.vars.outputs.sha_short }} .
-          rm kratos
+          IMAGE_TAG="${{ env.SHA_SHORT }}" make docker
       - name: Anchore Scanner
         uses: anchore/scan-action@v3
         id: grype-scan
         with:
-          image: oryd/kratos:${{ steps.vars.outputs.sha_short }}
+          image: oryd/kratos:${{ env.SHA_SHORT }}
           fail-build: true
           severity-cutoff: high
-          debug: false
-          acs-report-enable: true
+          add-cpes-if-none: true
+      - name: Inspect action SARIF report
+        shell: bash
+        if: ${{ always() }}
+        run: |
+          echo "::group::Anchore Scan Details"
+          jq '.runs[0].results' ${{ steps.grype-scan.outputs.sarif }}
+          echo "::endgroup::"
       - name: Anchore upload scan SARIF report
         if: always()
         uses: github/codeql-action/upload-sarif@v2
@@ -49,16 +52,33 @@ jobs:
         uses: aquasecurity/trivy-action@master
         if: ${{ always() }}
         with:
-          image-ref: oryd/kratos:${{ steps.vars.outputs.sha_short }}
+          image-ref: oryd/kratos:${{ env.SHA_SHORT }}
           format: "table"
           exit-code: "42"
           ignore-unfixed: true
           vuln-type: "os,library"
           severity: "CRITICAL,HIGH"
+          scanners: "vuln,secret,config"
       - name: Dockle Linter
         uses: erzz/dockle-action@v1.3.2
         if: ${{ always() }}
         with:
-          image: oryd/kratos:${{ steps.vars.outputs.sha_short }}
+          image: oryd/kratos:${{ env.SHA_SHORT }}
           exit-code: 42
-          failure-threshold: fatal
+          failure-threshold: high
+      - name: Hadolint
+        uses: hadolint/hadolint-action@v3.1.0
+        id: hadolint
+        if: ${{ always() }}
+        with:
+          dockerfile: .docker/Dockerfile-build
+          verbose: true
+          format: "json"
+          failure-threshold: "error"
+      - name: View Hadolint results
+        if: ${{ always() }}
+        shell: bash
+        run: |
+          echo "::group::Hadolint Scan Details"
+          echo "${HADOLINT_RESULTS}" | jq '.' 
+          echo "::endgroup::"

Makefile

@@ -10,6 +10,7 @@ export PWD                := $(shell pwd)
 export BUILD_DATE         := $(shell date -u +"%Y-%m-%dT%H:%M:%SZ")
 export VCS_REF            := $(shell git rev-parse HEAD)
 export QUICKSTART_OPTIONS ?= ""
+export IMAGE_TAG 					:= $(if $(IMAGE_TAG),$(IMAGE_TAG),latest)
 
 GO_DEPENDENCIES = github.com/ory/go-acc \
 				  github.com/golang/mock/mockgen \
@@ -162,7 +163,7 @@ format: .bin/goimports .bin/ory node_modules
 # Build local docker image
 .PHONY: docker
 docker:
-	DOCKER_BUILDKIT=1 docker build -f .docker/Dockerfile-build --build-arg=COMMIT=$(VCS_REF) --build-arg=BUILD_DATE=$(BUILD_DATE) -t oryd/kratos:latest .
+	DOCKER_BUILDKIT=1 DOCKER_CONTENT_TRUST=1 docker build -f .docker/Dockerfile-build --build-arg=COMMIT=$(VCS_REF) --build-arg=BUILD_DATE=$(BUILD_DATE) -t oryd/kratos:${IMAGE_TAG} .
 
 # Runs the documentation tests
 .PHONY: test-docs