From f016d30b0888bd2d9d3d3506a944dcf9712d2aea Mon Sep 17 00:00:00 2001 From: Derek Nola Date: Thu, 12 Sep 2024 09:45:17 -0700 Subject: [PATCH 1/2] Add trivy scanning to PR reports (#6806) * Add trivy GHA workflow for scanning rke2-runtime image Signed-off-by: Derek Nola * Use customer runners Signed-off-by: Derek Nola --------- Signed-off-by: Derek Nola --- .github/workflows/trivy.yaml | 72 ++++++++++++++++++++++++++++++++++++ scripts/build-image-runtime | 2 +- 2 files changed, 73 insertions(+), 1 deletion(-) create mode 100644 .github/workflows/trivy.yaml diff --git a/.github/workflows/trivy.yaml b/.github/workflows/trivy.yaml new file mode 100644 index 0000000000..7a9d37e460 --- /dev/null +++ b/.github/workflows/trivy.yaml @@ -0,0 +1,72 @@ +name: PR Comment Triggered Trivy Scan + +on: + issue_comment: + types: [created] + +jobs: + trivy_scan: + if: github.event.issue.pull_request && github.event.comment.body == '/trivy' && github.event.issue.state == 'open' + runs-on: runs-on,runner=8cpu-linux-x64,run-id=${{ github.run_id }} + permissions: + pull-requests: write + env: + GH_TOKEN: ${{ github.token }} + steps: + - name: Checkout PR code + uses: actions/checkout@v4 + with: + ref: refs/pull/${{ github.event.issue.number }}/head + + - name: Comment Status on PR + run: | + gh repo set-default ${{ github.repository }} + gh pr comment ${{ github.event.issue.number }} -b ":construction: Running Trivy scan on PR :construction: " + + # We don't care about the go version, as we only use it to capture ENV vars + - name: Install Go + uses: ./.github/actions/setup-go + + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@v3 + + - name: Build RKE2 Image + id: build-image + run: | + SKIP_WINDOWS=true make build-image-runtime + TAG=$(docker images --format "{{.Repository}}:{{.Tag}} {{.CreatedAt}}" | grep "rancher/rke2-runtime" | sort -k2 -r | head -n1 | awk '{print $1}') + echo "TAG=${TAG}" >> "$GITHUB_OUTPUT" + + - name: Run Trivy on image + uses: aquasecurity/trivy-action@0.24.0 + with: + image-ref: '${{ steps.build-image.outputs.TAG }}' + format: 'table' + severity: "HIGH,CRITICAL" + output: "trivy-image-report.txt" + + - name: Run Trivy on filesystem + uses: aquasecurity/trivy-action@0.24.0 + with: + scan-type: 'fs' + scan-ref: '.' + severity: "HIGH,CRITICAL" + output: "trivy-fs-report.txt" + + - name: Add Trivy Report to PR + run: | + sudo chown runner:runner trivy-image-report.txt trivy-fs-report.txt + cat trivy-image-report.txt trivy-fs-report.txt > trivy-report.txt + if [ -s trivy-report.txt ] && [ -n "$(grep -v '^\s*$' trivy-report.txt)" ]; then + echo '```' | cat - trivy-report.txt > temp && mv temp trivy-report.txt + echo '```' >> trivy-report.txt + gh issue comment ${{ github.event.issue.number }} --edit-last -F trivy-report.txt + else + echo ':star2: No High or Critical CVEs Found :star2:' > trivy-report.txt + gh issue comment ${{ github.event.issue.number }} --edit-last -F trivy-report.txt + fi + + - name: Report Failure + if: ${{ failure() }} + run: | + gh issue comment ${{ github.event.issue.number }} --edit-last -b ":x: Trivy scan action failed, check logs :x:" \ No newline at end of file diff --git a/scripts/build-image-runtime b/scripts/build-image-runtime index c11896735e..ed8f143d0e 100755 --- a/scripts/build-image-runtime +++ b/scripts/build-image-runtime @@ -18,7 +18,7 @@ DOCKER_BUILDKIT=${DOCKER_BUILDKIT:-1} docker image build \ --file Dockerfile \ . -if [ "${GOARCH}" != "s390x" ] && [ "${GOARCH}" != "arm64" ]; then +if [ "${GOARCH}" != "s390x" ] && [ "${GOARCH}" != "arm64" ] && [ -z "$SKIP_WINDOWS" ]; then DOCKER_BUILDKIT=${DOCKER_BUILDKIT:-1} docker image build \ --build-arg TAG=${VERSION} \ --build-arg KUBERNETES_VERSION=${KUBERNETES_VERSION} \ From 9455892fa19b5b5df95ed865fa573c767720abed Mon Sep 17 00:00:00 2001 From: Derek Nola Date: Tue, 24 Sep 2024 10:19:05 -0700 Subject: [PATCH 2/2] Breakup trivy scan into isolated jobs Signed-off-by: Derek Nola --- .github/workflows/trivy.yaml | 96 ++++++++++++++++++++++++++---------- 1 file changed, 70 insertions(+), 26 deletions(-) diff --git a/.github/workflows/trivy.yaml b/.github/workflows/trivy.yaml index 7a9d37e460..d4cdc44fa3 100644 --- a/.github/workflows/trivy.yaml +++ b/.github/workflows/trivy.yaml @@ -9,20 +9,32 @@ jobs: if: github.event.issue.pull_request && github.event.comment.body == '/trivy' && github.event.issue.state == 'open' runs-on: runs-on,runner=8cpu-linux-x64,run-id=${{ github.run_id }} permissions: - pull-requests: write - env: - GH_TOKEN: ${{ github.token }} + pull-requests: read steps: + - name: Check if comment author is a public member of rancher organization + uses: actions/github-script@v7 + with: + # Catch 404 errors if user is not a member of the organization + # 302 is expected as the GHA is not a member of the organization + # Users must be set their membership to public for this to work + # https://github.com/orgs/rancher/people + script: | + const org = context.repo.owner; + const username = context.payload.comment.user.login; + try { + const result = await github.rest.orgs.checkMembershipForUser({ + org, + username, + }); + } catch (error) { + core.setFailed(`User ${username} is not an public member of the ${org} organization`); + } + - name: Checkout PR code uses: actions/checkout@v4 with: ref: refs/pull/${{ github.event.issue.number }}/head - - - name: Comment Status on PR - run: | - gh repo set-default ${{ github.repository }} - gh pr comment ${{ github.event.issue.number }} -b ":construction: Running Trivy scan on PR :construction: " - + # We don't care about the go version, as we only use it to capture ENV vars - name: Install Go uses: ./.github/actions/setup-go @@ -53,20 +65,52 @@ jobs: severity: "HIGH,CRITICAL" output: "trivy-fs-report.txt" - - name: Add Trivy Report to PR - run: | - sudo chown runner:runner trivy-image-report.txt trivy-fs-report.txt - cat trivy-image-report.txt trivy-fs-report.txt > trivy-report.txt - if [ -s trivy-report.txt ] && [ -n "$(grep -v '^\s*$' trivy-report.txt)" ]; then - echo '```' | cat - trivy-report.txt > temp && mv temp trivy-report.txt - echo '```' >> trivy-report.txt - gh issue comment ${{ github.event.issue.number }} --edit-last -F trivy-report.txt - else - echo ':star2: No High or Critical CVEs Found :star2:' > trivy-report.txt - gh issue comment ${{ github.event.issue.number }} --edit-last -F trivy-report.txt - fi - - - name: Report Failure - if: ${{ failure() }} - run: | - gh issue comment ${{ github.event.issue.number }} --edit-last -b ":x: Trivy scan action failed, check logs :x:" \ No newline at end of file + - name: Upload Trivy Reports + uses: actions/upload-artifact@v4 + with: + name: trivy-report + path: | + trivy-image-report.txt + trivy-fs-report.txt + retention-days: 2 + if-no-files-found: error + + trivy_report: + needs: trivy_scan + runs-on: runs-on,runner=8cpu-linux-x64,run-id=${{ github.run_id }} + permissions: + pull-requests: write + env: + GH_TOKEN: ${{ github.token }} + GH_REPO: ${{ github.repository }} + steps: + - name: Download Trivy Report + uses: actions/download-artifact@v4 + with: + name: trivy-report + + - name: Add Trivy Report to PR + run: | + cat trivy-image-report.txt trivy-fs-report.txt > trivy-report.txt + if [ -s trivy-report.txt ] && [ -n "$(grep -v '^\s*$' trivy-report.txt)" ]; then + echo '```' | cat - trivy-report.txt > temp && mv temp trivy-report.txt + echo '```' >> trivy-report.txt + gh issue comment ${{ github.event.issue.number }} -F trivy-report.txt + else + echo ':star2: No High or Critical CVEs Found :star2:' > trivy-report.txt + gh issue comment ${{ github.event.issue.number }} -F trivy-report.txt + fi + + trivy_failure: + needs: trivy_scan + runs-on: runs-on,runner=8cpu-linux-x64,run-id=${{ github.run_id }} + if: always() && needs.trivy_scan.result == 'failure' + permissions: + pull-requests: write + env: + GH_TOKEN: ${{ github.token }} + GH_REPO: ${{ github.repository }} + steps: + - name: Report Failure + run: | + gh issue comment ${{ github.event.issue.number }} -b ":x: Trivy scan action failed, check logs :x:" \ No newline at end of file