From d138ca0f8a96d372998bd62411e7ce4543da8678 Mon Sep 17 00:00:00 2001
From: CrazyMax <1951866+crazy-max@users.noreply.github.com>
Date: Tue, 30 Jul 2024 12:55:38 +0200
Subject: [PATCH] govulncheck to report known vulnerabilities

Signed-off-by: CrazyMax <1951866+crazy-max@users.noreply.github.com>
---
 .github/workflows/buildkit.yml          | 32 +++++++++++++++++++++++++
 docker-bake.hcl                         | 15 ++++++++++++
 hack/dockerfiles/govulncheck.Dockerfile | 23 ++++++++++++++++++
 3 files changed, 70 insertions(+)
 create mode 100644 hack/dockerfiles/govulncheck.Dockerfile

diff --git a/.github/workflows/buildkit.yml b/.github/workflows/buildkit.yml
index 3717ee85f07b..09ece22f4cda 100644
--- a/.github/workflows/buildkit.yml
+++ b/.github/workflows/buildkit.yml
@@ -143,6 +143,38 @@ jobs:
           skip-integration-tests: 1
           typ: integration
 
+  govulncheck:
+    runs-on: ubuntu-24.04
+    permissions:
+      # required to write sarif report
+      security-events: write
+    steps:
+      -
+        name: Checkout
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+      -
+        name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+        with:
+          version: ${{ env.SETUP_BUILDX_VERSION }}
+          driver-opts: image=${{ env.SETUP_BUILDKIT_IMAGE }}
+          buildkitd-flags: --debug
+      -
+        name: Run
+        uses: docker/bake-action@v5
+        with:
+          targets: govulncheck
+        env:
+          GOVULNCHECK_FORMAT: sarif
+      -
+        name: Upload SARIF report
+        if: ${{ github.ref == 'refs/heads/master' && github.repository == 'moby/buildkit' }}
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: ${{ env.DESTDIR }}/govulncheck.out
+
   image:
     runs-on: ubuntu-24.04
     needs:
diff --git a/docker-bake.hcl b/docker-bake.hcl
index e439d502a1b0..adb689b83a37 100644
--- a/docker-bake.hcl
+++ b/docker-bake.hcl
@@ -281,3 +281,18 @@ target "mod-outdated" {
   no-cache-filter = ["outdated"]
   output = ["type=cacheonly"]
 }
+
+variable "GOVULNCHECK_FORMAT" {
+  default = null
+}
+
+target "govulncheck" {
+  inherits = ["_common"]
+  dockerfile = "./hack/dockerfiles/govulncheck.Dockerfile"
+  target = "output"
+  args = {
+    FORMAT = GOVULNCHECK_FORMAT
+  }
+  no-cache-filter = ["run"]
+  output = ["${DESTDIR}"]
+}
diff --git a/hack/dockerfiles/govulncheck.Dockerfile b/hack/dockerfiles/govulncheck.Dockerfile
new file mode 100644
index 000000000000..c562ffbb55f5
--- /dev/null
+++ b/hack/dockerfiles/govulncheck.Dockerfile
@@ -0,0 +1,23 @@
+# syntax=docker/dockerfile:1
+
+ARG GO_VERSION="1.22"
+ARG GOVULNCHECK_VERSION="v1.1.3"
+ARG FORMAT="text"
+
+FROM golang:${GO_VERSION}-alpine AS base
+WORKDIR /go/src/github.com/moby/buildkit
+ARG GOVULNCHECK_VERSION
+RUN --mount=type=cache,target=/root/.cache \
+    --mount=type=cache,target=/go/pkg/mod \
+    go install golang.org/x/vuln/cmd/govulncheck@$GOVULNCHECK_VERSION
+
+FROM base AS run
+ARG FORMAT
+RUN --mount=type=bind,target=. <<EOT
+  set -ex
+  mkdir /out
+  govulncheck -format ${FORMAT} ./... | tee /out/govulncheck.out
+EOT
+
+FROM scratch AS output
+COPY --from=run /out /