From ca09b012f4fd1de80ba8bc9ddb127699dbf53fc4 Mon Sep 17 00:00:00 2001 From: RyanHolstien Date: Tue, 8 Oct 2024 12:51:39 -0500 Subject: [PATCH 1/2] feat(scan): add scanning to setup images --- .github/workflows/docker-unified.yml | 99 ++++++++++++++++++++++++++++ 1 file changed, 99 insertions(+) diff --git a/.github/workflows/docker-unified.yml b/.github/workflows/docker-unified.yml index ceee59215e431..1f4d0ca730ec7 100644 --- a/.github/workflows/docker-unified.yml +++ b/.github/workflows/docker-unified.yml 
@@ -480,6 +480,39 @@ jobs: context: . file: ./docker/kafka-setup/Dockerfile platforms: linux/amd64,linux/arm64/v8 + kafka_setup_scan: + permissions: + contents: read # for actions/checkout to fetch code + security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status + name: "[Monitoring] Scan GMS images for vulnerabilities" + runs-on: ubuntu-latest + needs: [ setup, kafka_setup_build ] + if: ${{ needs.setup.outputs.kafka_setup_change == 'true' || (needs.setup.outputs.publish == 'true' || needs.setup.outputs.pr-publish == 'true') }} + steps: + - name: Checkout # adding checkout step just to make trivy upload happy + uses: acryldata/sane-checkout-action@v3 + - name: Download image + uses: ishworkh/docker-image-artifact-download@v1 + if: ${{ needs.setup.outputs.publish != 'true' && needs.setup.outputs.pr-publish != 'true' }} + with: + image: ${{ env.DATAHUB_KAFKA_SETUP_IMAGE }}:${{ needs.setup.outputs.unique_tag }} + - name: Run Trivy vulnerability scanner + uses: aquasecurity/trivy-action@0.25.0 + env: + TRIVY_OFFLINE_SCAN: true + with: + image-ref: ${{ env.DATAHUB_KAFKA_SETUP_IMAGE }}:${{ needs.setup.outputs.unique_tag }} + format: "template" + template: "@/contrib/sarif.tpl" + output: "trivy-results.sarif" + severity: "CRITICAL,HIGH" + ignore-unfixed: true + vuln-type: "os,library" + - name: Upload Trivy scan results to GitHub Security tab + uses: github/codeql-action/upload-sarif@v2 + with: + sarif_file: "trivy-results.sarif" mysql_setup_build: name: Build and Push DataHub MySQL Setup Docker Image 
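Review bot: Every `uses:` in the new kafka_setup_scan job (`acryldata/sane-checkout-action@v3`, `ishworkh/docker-image-artifact-download@v1`, `aquasecurity/trivy-action@0.25.0`, `github/codeql-action/upload-sarif@v2`) resolves through a mutable tag, so a force-moved tag or a compromised action repository would run arbitrary code in a job that holds `security-events: write`. Pin each action to a full-length commit SHA and keep the tag as a trailing comment, e.g. `uses: aquasecurity/trivy-action@<full-sha> # 0.25.0`, which is the usual bar for workflows that write to the Security tab. `upload-sarif@v2` is also a major version behind: the `v3` line has been current since early 2024 and `v2` is on a deprecation path, so bumping it while the job is new avoids a later breakage. The step layout looks copied from the existing GMS scan job (the job name still says GMS in this patch), so presumably the same pinning applies there too.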
@@ -501,6 +534,39 @@ jobs: context: . file: ./docker/mysql-setup/Dockerfile platforms: linux/amd64,linux/arm64/v8 + mysql_setup_scan: + permissions: + contents: read # for actions/checkout to fetch code + security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status + name: "[Monitoring] Scan GMS images for vulnerabilities" + runs-on: ubuntu-latest + needs: [ setup, mysql_setup_build ] + if: ${{ needs.setup.outputs.mysql_setup_change == 'true' || (needs.setup.outputs.publish == 'true' || needs.setup.outputs.pr-publish == 'true') }} + steps: + - name: Checkout # adding checkout step just to make trivy upload happy + uses: acryldata/sane-checkout-action@v3 + - name: Download image + uses: ishworkh/docker-image-artifact-download@v1 + if: ${{ needs.setup.outputs.publish != 'true' && needs.setup.outputs.pr-publish != 'true' }} + with: + image: ${{ env.DATAHUB_MYSQL_SETUP_IMAGE }}:${{ needs.setup.outputs.unique_tag }} + - name: Run Trivy vulnerability scanner + uses: aquasecurity/trivy-action@0.25.0 + env: + TRIVY_OFFLINE_SCAN: true + with: + image-ref: ${{ env.DATAHUB_MYSQL_SETUP_IMAGE }}:${{ needs.setup.outputs.unique_tag }} + format: "template" + template: "@/contrib/sarif.tpl" + output: "trivy-results.sarif" + severity: "CRITICAL,HIGH" + ignore-unfixed: true + vuln-type: "os,library" + - name: Upload Trivy scan results to GitHub Security tab + uses: github/codeql-action/upload-sarif@v2 + with: + sarif_file: "trivy-results.sarif" elasticsearch_setup_build: name: Build and Push DataHub Elasticsearch Setup Docker Image 
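Review bot: The upload step in mysql_setup_scan calls `github/codeql-action/upload-sarif@v2` with only `sarif_file`, and the sibling scan jobs in this workflow do the same, so several Trivy SARIF uploads for one commit arrive under the same tool with no `category`; GitHub treats uploads with the same tool and category for a ref as one analysis, so the MySQL findings can overwrite, or be overwritten by, the Kafka or Elasticsearch results in the Security tab. Give each upload a per-image category, e.g. `category: "trivy-mysql-setup"`, unless `contrib/sarif.tpl` already sets `runAutomationDetails.id` (not visible from here). Separately, when `publish` or `pr-publish` is true the download step is skipped and Trivy pulls `DATAHUB_MYSQL_SETUP_IMAGE:unique_tag` straight from the registry, which only works if the build job has already pushed that tag and the runner can read it; presumably true for the public images, but worth confirming for the pr-publish path.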
@@ -522,6 +588,39 @@ jobs: context: . file: ./docker/elasticsearch-setup/Dockerfile platforms: linux/amd64,linux/arm64/v8 + elasticsearch_setup_scan: + permissions: + contents: read # for actions/checkout to fetch code + security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status + name: "[Monitoring] Scan GMS images for vulnerabilities" + runs-on: ubuntu-latest + needs: [ setup, elasticsearch_setup_build ] + if: ${{ needs.setup.outputs.elasticsearch_setup_change == 'true' || (needs.setup.outputs.publish == 'true' || needs.setup.outputs.pr-publish == 'true' ) }} + steps: + - name: Checkout # adding checkout step just to make trivy upload happy + uses: acryldata/sane-checkout-action@v3 + - name: Download image + uses: ishworkh/docker-image-artifact-download@v1 + if: ${{ needs.setup.outputs.publish != 'true' && needs.setup.outputs.pr-publish != 'true' }} + with: + image: ${{ env.DATAHUB_ELASTIC_SETUP_IMAGE }}:${{ needs.setup.outputs.unique_tag }} + - name: Run Trivy vulnerability scanner + uses: aquasecurity/trivy-action@0.25.0 + env: + TRIVY_OFFLINE_SCAN: true + with: + image-ref: ${{ env.DATAHUB_ELASTIC_SETUP_IMAGE }}:${{ needs.setup.outputs.unique_tag }} + format: "template" + template: "@/contrib/sarif.tpl" + output: "trivy-results.sarif" + severity: "CRITICAL,HIGH" + ignore-unfixed: true + vuln-type: "os,library" + - name: Upload Trivy scan results to GitHub Security tab + uses: github/codeql-action/upload-sarif@v2 + with: + sarif_file: "trivy-results.sarif" datahub_ingestion_base_build: name: Build and Push DataHub Ingestion (Base) Docker Image From 3f0bce20f11dcd8d2c2bb41f6b063cc01b7d623c Mon Sep 17 00:00:00 2001 From: RyanHolstien Date: Tue, 8 Oct 2024 12:53:50 -0500 Subject: [PATCH 2/2] fix naming --- .github/workflows/docker-unified.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) 
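Review bot: The scan in elasticsearch_setup_scan is informational only: trivy-action is left at its default `exit-code` of 0, and `ignore-unfixed: true` drops every CRITICAL/HIGH finding without an upstream fix, so nothing in this job can fail a build and unpatched OS CVEs in the base image never reach the Security tab. That is a defensible choice for a job labelled `[Monitoring]`, but state it above the Trivy step, `# Informational only: does not gate the build; CVEs with no fix are suppressed by ignore-unfixed`, so the next reader does not assume vulnerable setup images are blocked. The three new scan jobs differ only in the image variable and the `needs`/`if` inputs, and the copy-paste already produced the wrong `[Monitoring] Scan GMS images` names (corrected in the follow-up patch); a reusable workflow or composite action taking the image ref as input would stop that drift, though I have not checked whether the per-job `needs` gating makes that awkward.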
diff --git a/.github/workflows/docker-unified.yml b/.github/workflows/docker-unified.yml index 1f4d0ca730ec7..d1c16b567158a 100644 --- a/.github/workflows/docker-unified.yml +++ b/.github/workflows/docker-unified.yml @@ -485,7 +485,7 @@ jobs: contents: read # for actions/checkout to fetch code security-events: write # for github/codeql-action/upload-sarif to upload SARIF results actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status - name: "[Monitoring] Scan GMS images for vulnerabilities" + name: "[Monitoring] Scan Kafka Setup images for vulnerabilities" runs-on: ubuntu-latest needs: [ setup, kafka_setup_build ] if: ${{ needs.setup.outputs.kafka_setup_change == 'true' || (needs.setup.outputs.publish == 'true' || needs.setup.outputs.pr-publish == 'true') }} @@ -539,7 +539,7 @@ jobs: contents: read # for actions/checkout to fetch code security-events: write # for github/codeql-action/upload-sarif to upload SARIF results actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status - name: "[Monitoring] Scan GMS images for vulnerabilities" + name: "[Monitoring] Scan MySQL Setup images for vulnerabilities" runs-on: ubuntu-latest needs: [ setup, mysql_setup_build ] if: ${{ needs.setup.outputs.mysql_setup_change == 'true' || (needs.setup.outputs.publish == 'true' || needs.setup.outputs.pr-publish == 'true') }} 
@@ -593,7 +593,7 @@ jobs: contents: read # for actions/checkout to fetch code security-events: write # for github/codeql-action/upload-sarif to upload SARIF results actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status - name: "[Monitoring] Scan GMS images for vulnerabilities" + name: "[Monitoring] Scan ElasticSearch setup images for vulnerabilities" runs-on: ubuntu-latest needs: [ setup, elasticsearch_setup_build ] if: ${{ needs.setup.outputs.elasticsearch_setup_change == 'true' || (needs.setup.outputs.publish == 'true' || needs.setup.outputs.pr-publish == 'true' ) }}