From ac96a9690510db24de3533baefc6656e369162a4 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jakub=20B=C5=82aszczyk?=
Date: Tue, 30 May 2023 10:52:52 +0200
Subject: [PATCH] chore: update security scanners (#3295)
---
 .docker/Dockerfile-build | 14 +++++-----
 .github/workflows/cve-scan.yaml | 48 +++++++++++++++++++++++----------
 Makefile | 3 ++-
 3 files changed, 43 insertions(+), 22 deletions(-)
diff --git a/.docker/Dockerfile-build b/.docker/Dockerfile-build
index f320f3e68e4..7b4fc93e8b7 100644
--- a/.docker/Dockerfile-build
+++ b/.docker/Dockerfile-build
@@ -1,14 +1,14 @@
 # syntax = docker/dockerfile:1-experimental
-FROM golang:1.19-alpine3.16 AS base
+FROM golang:1.19-alpine3.18 AS base
 RUN apk --update upgrade && apk --no-cache --update-cache --upgrade --latest add ca-certificates build-base gcc
 WORKDIR /go/src/github.com/ory/kratos
-ADD go.mod go.mod
-ADD go.sum go.sum
-ADD internal/httpclient/go.* internal/httpclient/
-ADD internal/client-go/go.* internal/client-go/
+COPY go.mod go.mod
+COPY go.sum go.sum
+COPY internal/httpclient/go.* internal/httpclient/
+COPY internal/client-go/go.* internal/client-go/
 ENV GO111MODULE on
 ENV CGO_ENABLED 1
@@ -16,7 +16,7 @@ ENV CGO_CPPFLAGS -DSQLITE_DEFAULT_FILE_PERMISSIONS=0600
 RUN go mod download
-ADD . .
+COPY . .
 ARG VERSION
 ARG COMMIT
@@ -26,7 +26,7 @@ RUN --mount=type=cache,target=/root/.cache/go-build go build -tags sqlite \
         -ldflags="-X 'github.com/ory/kratos/driver/config.Version=${VERSION}' -X 'github.com/ory/kratos/driver/config.Date=${BUILD_DATE}' -X 'github.com/ory/kratos/driver/config.Commit=${COMMIT}'" \
         -o /usr/bin/kratos
-FROM alpine:3.16
+FROM alpine:3.18
 RUN addgroup -S ory; \
     adduser -S ory -G ory -D -u 10000 -h /home/ory -s /bin/nologin; \
diff --git a/.github/workflows/cve-scan.yaml b/.github/workflows/cve-scan.yaml
index 61d63df3491..8943b520bf8 100644
--- a/.github/workflows/cve-scan.yaml
+++ b/.github/workflows/cve-scan.yaml
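Review bot: The bumped builder base `FROM golang:1.19-alpine3.18 AS base` and, in the third hunk of this file, the runtime base `FROM alpine:3.18` remain pinned by tag only, so two builds of the same commit can resolve to different images and the scanner verdicts this PR adds will drift with no change in the repository; pinning by digest (`FROM golang:1.19-alpine3.18@sha256:<digest-at-bump-time> AS base`) makes the scanned artifact reproducible and, unlike the `DOCKER_CONTENT_TRUST=1` added to the Makefile, does not depend on which builder honours it. The ADD→COPY switch is the right call (hadolint DL3020). Worth checking the unchanged `RUN apk --update upgrade && ...` line against the Hadolint step added in cve-scan.yaml: hadolint reports `apk upgrade` (DL3017), and with the step's `failure-threshold: "error"` the lint will fail on this file as committed if that rule is error-severity, in which case the first `apk --update upgrade &&` should go and the base-image bump should carry the security updates instead.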
@@ -14,32 +14,35 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@v2
+        uses: actions/checkout@v3
       - name: Setup Env
         id: vars
         shell: bash
         run: |
-          echo "##[set-output name=branch;]$(echo ${GITHUB_REF#refs/heads/})"
-          echo "::set-output name=sha_short::$(git rev-parse --short HEAD)"
+          echo "SHA_SHORT=$(git rev-parse --short HEAD)" >> "${GITHUB_ENV}"
       - name: Set up QEMU
-        uses: docker/setup-qemu-action@v1
+        uses: docker/setup-qemu-action@v2
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v1
+        uses: docker/setup-buildx-action@v2
       - name: Build images
         shell: bash
         run: |
-          touch kratos
-          DOCKER_BUILDKIT=1 docker build -f .docker/Dockerfile-alpine --build-arg=COMMIT=${{ steps.vars.outputs.sha_short }} -t oryd/kratos:${{ steps.vars.outputs.sha_short }} .
-          rm kratos
+          IMAGE_TAG="${{ env.SHA_SHORT }}" make docker
       - name: Anchore Scanner
         uses: anchore/scan-action@v3
         id: grype-scan
         with:
-          image: oryd/kratos:${{ steps.vars.outputs.sha_short }}
+          image: oryd/kratos:${{ env.SHA_SHORT }}
           fail-build: true
           severity-cutoff: high
-          debug: false
-          acs-report-enable: true
+          add-cpes-if-none: true
+      - name: Inspect action SARIF report
+        shell: bash
+        if: ${{ always() }}
+        run: |
+          echo "::group::Anchore Scan Details"
+          jq '.runs[0].results' ${{ steps.grype-scan.outputs.sarif }}
+          echo "::endgroup::"
       - name: Anchore upload scan SARIF report
         if: always()
         uses: github/codeql-action/upload-sarif@v2
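Review bot: The upgraded `uses: actions/checkout@v3`, `docker/setup-qemu-action@v2` and `docker/setup-buildx-action@v2` are still referenced by mutable tags, so the job that gates the image on CVE findings itself runs whatever those tags point to on a given day; for a security-scanning workflow the usual hardening is to pin every third-party action to a full commit SHA with the version kept as a trailing comment (`uses: actions/checkout@<full-commit-sha> # v3`), and the same applies to `anchore/scan-action@v3` and `github/codeql-action/upload-sarif@v2` in this hunk. In the new inspect step, `jq '.runs[0].results' ${{ steps.grype-scan.outputs.sarif }}` splices the path into the shell unquoted, and because the step runs under `if: always()` it also fails with an unrelated jq error whenever the scan step produced no output file; `jq '.runs[0].results' "${{ steps.grype-scan.outputs.sarif }}"` is the minimum, and a `test -f` guard on that path would keep the diagnostic step from masking the real failure. Stylistically, `IMAGE_TAG="${{ env.SHA_SHORT }}" make docker` can read the variable the previous step already exported into the job environment as `IMAGE_TAG="${SHA_SHORT}" make docker`, which avoids expression interpolation into a script body (low risk here since the value is a git short hash, but a habit worth keeping consistent).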
@@ -49,16 +52,33 @@ jobs:
         uses: aquasecurity/trivy-action@master
         if: ${{ always() }}
         with:
-          image-ref: oryd/kratos:${{ steps.vars.outputs.sha_short }}
+          image-ref: oryd/kratos:${{ env.SHA_SHORT }}
           format: "table"
           exit-code: "42"
           ignore-unfixed: true
           vuln-type: "os,library"
           severity: "CRITICAL,HIGH"
+          scanners: "vuln,secret,config"
       - name: Dockle Linter
         uses: erzz/dockle-action@v1.3.2
         if: ${{ always() }}
         with:
-          image: oryd/kratos:${{ steps.vars.outputs.sha_short }}
+          image: oryd/kratos:${{ env.SHA_SHORT }}
           exit-code: 42
-          failure-threshold: fatal
+          failure-threshold: high
+      - name: Hadolint
+        uses: hadolint/hadolint-action@v3.1.0
+        id: hadolint
+        if: ${{ always() }}
+        with:
+          dockerfile: .docker/Dockerfile-build
+          verbose: true
+          format: "json"
+          failure-threshold: "error"
+      - name: View Hadolint results
+        if: ${{ always() }}
+        shell: bash
+        run: |
+          echo "::group::Hadolint Scan Details"
+          echo "${HADOLINT_RESULTS}" | jq '.'
+          echo "::endgroup::"
diff --git a/Makefile b/Makefile
index 8ededd59d0d..cbc64548403 100644
--- a/Makefile
+++ b/Makefile
@@ -10,6 +10,7 @@ export PWD := $(shell pwd)
 export BUILD_DATE := $(shell date -u +"%Y-%m-%dT%H:%M:%SZ")
 export VCS_REF := $(shell git rev-parse HEAD)
 export QUICKSTART_OPTIONS ?= ""
+export IMAGE_TAG := $(if $(IMAGE_TAG),$(IMAGE_TAG),latest)
 GO_DEPENDENCIES = github.com/ory/go-acc \
 	github.com/golang/mock/mockgen \
@@ -162,7 +163,7 @@ format: .bin/goimports .bin/ory node_modules
 # Build local docker image
 .PHONY: docker
 docker:
-	DOCKER_BUILDKIT=1 docker build -f .docker/Dockerfile-build --build-arg=COMMIT=$(VCS_REF) --build-arg=BUILD_DATE=$(BUILD_DATE) -t oryd/kratos:latest .
+	DOCKER_BUILDKIT=1 DOCKER_CONTENT_TRUST=1 docker build -f .docker/Dockerfile-build --build-arg=COMMIT=$(VCS_REF) --build-arg=BUILD_DATE=$(BUILD_DATE) -t oryd/kratos:${IMAGE_TAG} .
 # Runs the documentation tests
 .PHONY: test-docs
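Review bot: The new Hadolint step lints only `dockerfile: .docker/Dockerfile-build`, while the repository also carries `.docker/Dockerfile-alpine` (the file the removed build step in the first hunk used to build), so that recipe is now neither built nor linted by this job; either add it or, if the action's recursive option is available in this version, let it pick up every Dockerfile under `.docker/`. The commit tightens the Trivy scanners and lowers the Dockle threshold to `high` but leaves `uses: aquasecurity/trivy-action@master` on a moving branch, the least reproducible reference in the file and the one that runs with `exit-code: "42"` as a gate; pin it to a release tag or, better, a commit SHA like the other actions should be. The `View Hadolint results` step reads `${HADOLINT_RESULTS}`, which is not set anywhere in this workflow and is presumably exported by hadolint-action; a comment on the step such as `# HADOLINT_RESULTS is exported by hadolint-action (json output)` would spare the next reader a trip to the action's README.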
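Review bot: `export IMAGE_TAG := $(if $(IMAGE_TAG),$(IMAGE_TAG),latest)` sits directly under `export QUICKSTART_OPTIONS ?= ""`, which uses the conventional `?=` default; the `$(if ...)` form differs from `?=` only in that an IMAGE_TAG exported as an empty string also falls back to `latest`. If that is the intent a comment makes it deliberate, e.g. `# image tag for `make docker`; CI passes a short SHA, unset or empty falls back to latest`; otherwise `export IMAGE_TAG ?= latest` matches the surrounding style.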
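Review bot: Adding `DOCKER_CONTENT_TRUST=1` to a `DOCKER_BUILDKIT=1 docker build` invocation most likely performs no base-image signature verification: as far as I know content trust is honoured only by the legacy builder and is ignored on the BuildKit path, so the recipe would gain the appearance of verification while behaving exactly as before. The guarantee the flag is meant to buy is obtained directly by pinning the `FROM` images in `.docker/Dockerfile-build` by digest; if the flag is kept, a comment stating what it is expected to verify, plus a one-off check that a build from an unsigned base actually fails under it, would confirm it does anything. Minor: `-t oryd/kratos:${IMAGE_TAG}` uses shell-style braces, which make expands the same way as `$(IMAGE_TAG)`; the parenthesised form would match `$(VCS_REF)` and `$(BUILD_DATE)` on the same line.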