From 0061ca5cb7c089d98b53996a7a3167fd533673ae Mon Sep 17 00:00:00 2001
From: Pedro Guimaraes
Date: Thu, 25 Jan 2024 11:41:14 +0100
Subject: [PATCH] Add first changes for trivy
---
 .github/workflows/build.yaml | 56 ++++++++++++++++++++++++++++++++++++
 .github/workflows/ci.yaml | 54 +---------------------------------
 .github/workflows/trivy.yaml | 50 ++++++++++++++++++++++++++++++++
 rockcraft.yaml | 2 +-
 4 files changed, 108 insertions(+), 54 deletions(-)
 create mode 100644 .github/workflows/build.yaml
 create mode 100644 .github/workflows/trivy.yaml
diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
new file mode 100644
index 0000000..80837f6
--- /dev/null
+++ b/.github/workflows/build.yaml
@@ -0,0 +1,56 @@
+name: Build ROCK
+concurrency:
+ group: ${{ github.workflow }}-${{ github.ref }}
+ cancel-in-progress: true
+on:
+ pull_request:
+ workflow_call:
+ outputs:
+ rock:
+ description: "The rock output of build process."
+ value: ${{ jobs.build.outputs.rock }}
+
+jobs:
+ build:
+ name: Build Rock
+ runs-on: ubuntu-latest
+ timeout-minutes: 30
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v3
+
+ - name: Setup LXD
+ uses: canonical/setup-lxd@main
+
+ - name: Install dependencies
+ run: |
+ # docker
+ sudo snap install docker
+ sudo addgroup --system docker; sudo adduser $USER docker
+ newgrp docker
+ sudo snap disable docker; sudo snap enable docker
+
+ # skopeo
+ sudo snap install --devmode --channel edge skopeo
+
+ # rockcraft
+ sudo snap install rockcraft --classic --edge
+
+ # jq and yq
+ sudo snap install jq yq
+
+ - name: Build ROCK
+ id: build
+ run: |
+ rockcraft pack --verbose
+ VERSION=$(yq '.version' rockcraft.yaml)
+ echo "rock=charmed-opensearch_${VERSION}_amd64.rock" >> $GITHUB_OUTPUT
+
+ - name: Upload locally built ROCK artifact
+ uses: actions/upload-artifact@v3
+ with:
+ name: charmed-opensearch
+ path: ${{ steps.build.outputs.rock }}
+
+ outputs:
+ rock: ${{ steps.build.outputs.rock }}
\ No newline at end of file
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index 0d7bbf2..adb1320 100644
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
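Review bot: The `Build ROCK` step derives the output filename from `yq '.version' rockcraft.yaml` rather than from the file rockcraft actually wrote, and on the `pull_request` trigger that value is chosen by the PR author, so an unexpected version string yields either a dangling `rock` output or, if it contains a newline, extra `$GITHUB_OUTPUT` entries; a guard before the echo such as `ROCK="charmed-opensearch_${VERSION}_amd64.rock"; test -f "$ROCK" || exit 1` fails the build here instead of in whichever job consumes the output. The job also uses `canonical/setup-lxd@main` and installs `rockcraft --classic --edge` and `skopeo --devmode --channel edge`, so two runs of the same commit can build with different toolchains; pinning the action to a commit SHA and the snaps to a stable channel keeps the artifact, and therefore the Trivy baseline built from it, reproducible. No `permissions:` block is declared, so the job runs with the repository's default token scope although it only needs `permissions:` / `contents: read`. `actions/checkout@v3` and `actions/upload-artifact@v3` are mutable tags as well; the usual practice is a SHA pin with the version in a trailing comment.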
@@ -11,59 +11,7 @@ on:
 jobs:
 build:
- name: Build Rock
- runs-on: ubuntu-latest
- timeout-minutes: 30
- outputs:
- rock-file: ${{ steps.build-snap.outputs.rock }}
- steps:
- - name: Checkout repo
- uses: actions/checkout@v3
- with:
- fetch-depth: 0
-
- - name: Setup LXD
- uses: canonical/setup-lxd@main
-
- - name: Install required dependencies
- run: |
- # docker
- sudo snap install docker
- sudo addgroup --system docker; sudo adduser $USER docker
- newgrp docker
- sudo snap disable docker; sudo snap enable docker
-
- # skopeo
- sudo snap install --devmode --channel edge skopeo
-
- # rockcraft
- sudo snap install rockcraft --classic --edge
-
- # jq and yq
- sudo snap install jq yq
-
- - name: Upgrade linux deps with security updates
- run: |
- sudo apt-get update
-
- # install security updates
- sudo apt-get -s dist-upgrade \
- | grep "^Inst" \
- | grep -i securi \
- | awk -F " " {'print $2'} \
- | xargs sudo apt-get install -y
-
- sudo apt-get autoremove -y
-
- - name: Build rock
- run: |
- rockcraft pack --verbose
-
- - name: Upload built rock job artifact
- uses: actions/upload-artifact@v3
- with:
- name: charmed_opensearch_rock_amd64
- path: "charmed-opensearch_*.rock"
+ uses: ./.github/workflows/build.yaml
 test:
 name: Test Rock
diff --git a/.github/workflows/trivy.yaml b/.github/workflows/trivy.yaml
new file mode 100644
index 0000000..f881e5a
--- /dev/null
+++ b/.github/workflows/trivy.yaml
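Review bot: Any consumer of the `build` job's `rock-file` output or of the `charmed_opensearch_rock_amd64` artifact silently breaks at the new `uses:` line, because the reusable workflow it calls publishes an output named `rock` and an artifact named `charmed-opensearch` instead; the `test` job begins after this hunk, so I cannot confirm whether it reads either. The reusable build also checks out at the default shallow depth where the removed job used `fetch-depth: 0`, and the `Upgrade linux deps with security updates` step disappears without an equivalent in build.yaml, which may be intended but is not stated. If both drops are deliberate, a comment on the `build:` job such as `# built by build.yaml: artifact 'charmed-opensearch', output 'rock'` spares the next reader the archaeology. The removed `rock-file` output pointed at a step id (`build-snap`) that does not exist in the old job, which suggests it was never consumed, but that is inference from this hunk alone.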
@@ -0,0 +1,50 @@
+name: Trivy Security Scanner
+on:
+ push:
+ branches:
+ - main
+ schedule:
+ - cron: '53 0 * * *' # Daily at 00:53 UTC
+ pull_request:
+
+jobs:
+ build:
+ uses: ./.github/workflows/build.yaml
+
+ scan:
+ name: Trivy scan
+ needs:
+ - build
+ runs-on: ubuntu-22.04
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v3
+
+ - name: Install skopeo
+ run: |
+ sudo snap install --devmode --channel edge skopeo
+ sudo snap install yq
+
+ - uses: actions/download-artifact@v3
+ with:
+ name: charmed-opensearch
+
+ - name: Import locally
+ run: |
+ sudo skopeo --insecure-policy copy \
+ oci-archive:${{ needs.build.outputs.rock }} \
+ docker-daemon:trivy/charmed-opensearch:test
+
+ - name: Run Trivy vulnerability scanner
+ uses: aquasecurity/trivy-action@master
+ with:
+ image-ref: 'trivy/charmed-opensearch:test'
+ format: 'sarif'
+ output: 'trivy-results.sarif'
+ severity: 'MEDIUM,HIGH,CRITICAL'
+
+ - name: Upload Trivy scan results to GitHub Security tab
+ uses: github/codeql-action/upload-sarif@v2
+ if: always()
+ with:
+ sarif_file: 'trivy-results.sarif'
\ No newline at end of file
diff --git a/rockcraft.yaml b/rockcraft.yaml
index 6ee64e6..55fd14e 100644
--- a/rockcraft.yaml
+++ b/rockcraft.yaml
@@ -1,7 +1,7 @@
 # Copyright 2023 Canonical Ltd.
 # See LICENSE file for licensing details.
 name: charmed-opensearch # the name of your ROCK
-base: ubuntu:22.04 # the base environment for this ROCK
+base: ubuntu@22.04 # the base environment for this ROCK
 license: Apache-2.0
 version: '2.10.0' # just for humans. Semantic versioning is recommended
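Review bot: The `Import locally` step substitutes `${{ needs.build.outputs.rock }}` straight into a `run:` script; that output is assembled in build.yaml from `yq '.version' rockcraft.yaml`, which a `pull_request` author controls, so the expression is expanded into the shell text before it executes, the classic script-injection shape, even though the read-only fork token limits what a payload could reach. Routing the value through `env:` and quoting it in the script removes the substitution, as in the excerpt below. `aquasecurity/trivy-action@master` and `github/codeql-action/upload-sarif@v2` are mutable refs, which for the scanner producing the Security-tab baseline deserves a SHA pin. `upload-sarif` needs `security-events: write`, but no `permissions:` block is declared, so whether the upload works depends on the repository default, and on fork PRs the token is read-only anyway; an explicit block with `contents: read` and `security-events: write` makes that expectation visible instead of surfacing as a failed `if: always()` step. `--insecure-policy` on skopeo is reasonable for an archive the previous job just built, but a comment saying so (`# local artifact from the build job; no signature policy to enforce`) stops the line being copied for remote pulls.
```yaml
name: Trivy Security Scanner
# … unchanged: on: triggers …
permissions:
  contents: read
  security-events: write

jobs:
  # … unchanged: build job …
  scan:
    # … unchanged: name, needs, runs-on, checkout, skopeo install, download-artifact …
    steps:
      - name: Import locally
        env:
          ROCK: ${{ needs.build.outputs.rock }}
        run: |
          # local artifact from the build job; no signature policy to enforce
          sudo skopeo --insecure-policy copy \
            "oci-archive:${ROCK}" \
            docker-daemon:trivy/charmed-opensearch:test
      # … unchanged: trivy scan and SARIF upload steps …
```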