[CI] Add images check with Trivy (#34)

duckhawk · web-flow · commit 9d86ef28d6c2 · 2024-09-02T18:56:11.000+03:00
Signed-off-by: v.oleynikov &lt;vasily.oleynikov@flant.com&gt;
diff --git a/.github/workflows/trivy_check.yaml b/.github/workflows/trivy_check.yaml
@@ -15,6 +15,34 @@ jobs:
       - name: Checkout repository
         uses: actions/checkout@v2
 
+      - name: Check and Install Latest Trivy
+        run: |
+          mkdir -p $HOME/bin
+
+          LATEST_VERSION=$(curl -sL https://api.github.com/repos/aquasecurity/trivy/releases/latest | jq -r ".tag_name")
+          CLEAN_VERSION=${LATEST_VERSION#v}
+
+          INSTALL_TRIVY=true
+
+          if [[ -f "$HOME/bin/trivy" ]]; then
+            INSTALLED_VERSION=$("$HOME/bin/trivy" --version | grep -oE 'Version: [0-9]+\.[0-9]+\.[0-9]+' | grep -oE '[0-9]+\.[0-9]+\.[0-9]+')
+            if [ "$INSTALLED_VERSION" == "$CLEAN_VERSION" ]; then
+              echo "Trivy is already up-to-date (version $INSTALLED_VERSION)."
+              INSTALL_TRIVY=false
+            else
+              echo "Updating Trivy from version $INSTALLED_VERSION to $CLEAN_VERSION."
+            fi
+          else
+            echo "Trivy is not installed. Installing version $CLEAN_VERSION."
+          fi
+
+          if [ "$INSTALL_TRIVY" = true ]; then
+            wget https://github.com/aquasecurity/trivy/releases/download/$LATEST_VERSION/trivy_${CLEAN_VERSION}_Linux-64bit.tar.gz -O trivy.tar.gz
+            tar zxvf trivy.tar.gz -C $HOME/bin
+          fi
+
+          echo "$HOME/bin" >> $GITHUB_PATH
+
       - name: Prepare sub repo
         run: |
           version=v`grep "version :=" images/csi-nfs/werf.inc.yaml | awk -F'"' '{ print $2}'`
@@ -25,8 +53,5 @@ jobs:
           cd ..
 
       - name: Run Trivy vulnerability scanner in fs mode
-        uses: aquasecurity/trivy-action@master
-        with:
-          scan-type: 'fs'
-          scan-ref: '.'
-          trivy-config: trivy.yaml
+        run: |
+          trivy fs . --quiet --config trivy.yaml
diff --git a/.github/workflows/trivy_image_check.yaml b/.github/workflows/trivy_image_check.yaml
@@ -0,0 +1,79 @@
+name: Trivy images check
+
+env:
+  MODULES_MODULE_NAME: ${{ vars.MODULE_NAME }}
+  MODULES_MODULE_SOURCE: ${{ vars.DEV_MODULE_SOURCE }}
+  PR_NUMBER: ${{ github.event.pull_request.number }}
+  MODULES_REGISTRY: ${{ vars.DEV_REGISTRY }}
+  MODULES_REGISTRY_LOGIN: ${{ vars.DEV_MODULES_REGISTRY_LOGIN }}
+  MODULES_REGISTRY_PASSWORD: ${{ secrets.DEV_MODULES_REGISTRY_PASSWORD }}
+
+on:
+  pull_request:
+
+jobs:
+  test:
+    name: Trivy images check
+    runs-on: [self-hosted, regular]
+
+    steps:
+      - uses: actions/checkout@v4
+      - uses: deckhouse/modules-actions/setup@v1
+
+      - name: Check and Install Latest Trivy
+        run: |
+          mkdir -p $HOME/bin
+
+          LATEST_VERSION=$(curl -sL https://api.github.com/repos/aquasecurity/trivy/releases/latest | jq -r ".tag_name")
+          CLEAN_VERSION=${LATEST_VERSION#v}
+
+          INSTALL_TRIVY=true
+
+          if [[ -f "$HOME/bin/trivy" ]]; then
+            INSTALLED_VERSION=$("$HOME/bin/trivy" --version | grep -oE 'Version: [0-9]+\.[0-9]+\.[0-9]+' | grep -oE '[0-9]+\.[0-9]+\.[0-9]+')
+            if [ "$INSTALLED_VERSION" == "$CLEAN_VERSION" ]; then
+              echo "Trivy is already up-to-date (version $INSTALLED_VERSION)."
+              INSTALL_TRIVY=false
+            else
+              echo "Updating Trivy from version $INSTALLED_VERSION to $CLEAN_VERSION."
+            fi
+          else
+            echo "Trivy is not installed. Installing version $CLEAN_VERSION."
+          fi
+
+          if [ "$INSTALL_TRIVY" = true ]; then
+            wget https://github.com/aquasecurity/trivy/releases/download/$LATEST_VERSION/trivy_${CLEAN_VERSION}_Linux-64bit.tar.gz -O trivy.tar.gz
+            tar zxvf trivy.tar.gz -C $HOME/bin
+          fi
+
+          echo "$HOME/bin" >> $GITHUB_PATH
+
+      - name: Run Trivy vulnerability scanner in image mode
+        run: |
+          exit_code=0
+          image_name=$MODULES_MODULE_SOURCE/$MODULES_MODULE_NAME
+          image_name_with_tag=$MODULES_MODULE_SOURCE/$MODULES_MODULE_NAME:pr$PR_NUMBER
+          
+          crane_output=$(crane export $image_name_with_tag | tar -xOf - images_digests.json | jq -c 'to_entries[]')
+          
+          while read -r item; do
+            key=$(echo "$item" | jq -r '.key')
+            value=$(echo "$item" | jq -r '.value')
+
+            echo 'Checking image '$key' '$value
+
+            trivy image --quiet --config trivy-silent.yaml --format table $image_name@$value
+
+            result=$(trivy image --quiet --config trivy-silent.yaml --format json $image_name@$value)
+
+            vulnerabilities=$(echo "$result" | jq '[.Results[]? | select(has("Vulnerabilities")) | .Vulnerabilities | length] | add // 0')
+
+            if [ "$vulnerabilities" -gt 0 ]; then
+              echo "There are vulnerabilities in image"
+              exit_code=1
+            else
+              echo "There are no vulnerabilities in image"
+            fi
+          done <<< "$crane_output"
+
+          exit $exit_code
diff --git a/.golangci.yaml b/.golangci.yaml
@@ -24,7 +24,7 @@ linters:
   - gci
   - gocritic
   - gofmt
-  - goimports
+#  - goimports
   - gosimple
   - govet
   - ineffassign
diff --git a/.werf/images-digests.yaml b/.werf/images-digests.yaml
@@ -5,7 +5,7 @@
 
 {{- range $ImageManifest := regexSplit "\n?---[ \t]*\n" $Images -1 }}
   {{- $ImageManifest := $ImageManifest | fromYaml }}
-  {{- if $ImageManifest.image }}
+  {{- if and $ImageManifest.image (ne ($ImageManifest.final | toJson) "false") }}
     {{- $ImagesIDList = append $ImagesIDList $ImageManifest.image }}
   {{- end }}
 {{- end }}
diff --git a/images/controller/werf.inc.yaml b/images/controller/werf.inc.yaml
@@ -1,9 +1,9 @@
-{{- $_ := set . "BASE_GOLANG_22_ALPINE" "registry.deckhouse.io/base_images/golang:1.22.3-alpine@sha256:dbf216b880b802c22e3f4f2ef0a78396b4a9a6983cb9b767c5efc351ebf946b0" }}
+{{- $_ := set . "BASE_GOLANG" "registry.deckhouse.io/base_images/golang:1.22.6-bullseye@sha256:260918a3795372a6d33225d361fe5349723be9667de865a23411b50fbcc76c5a" }}
 {{- $_ := set . "BASE_SCRATCH"    "registry.deckhouse.io/base_images/scratch@sha256:b054705fcc9f2205777d80a558d920c0b4209efdc3163c22b5bfcb5dda1db5fc" }}
 
 ---
 image: {{ $.ImageName }}-golang-artifact
-from: {{ $.BASE_GOLANG_22_ALPINE }}
+from: {{ $.BASE_GOLANG }}
 final: false
 
 git:
diff --git a/images/csi-nfs/werf.inc.yaml b/images/csi-nfs/werf.inc.yaml
@@ -1,13 +1,13 @@
 {{- $version := "4.7.0" }}
 
-{{- $_ := set . "BASE_GOLANG_22_ALPINE" "registry.deckhouse.io/base_images/golang:1.22.3-alpine@sha256:dbf216b880b802c22e3f4f2ef0a78396b4a9a6983cb9b767c5efc351ebf946b0" }}
+{{- $_ := set . "BASE_GOLANG" "registry.deckhouse.io/base_images/golang:1.22.6-bullseye@sha256:260918a3795372a6d33225d361fe5349723be9667de865a23411b50fbcc76c5a" }}
 {{- $_ := set . "BASE_SCRATCH"    "registry.deckhouse.io/base_images/scratch@sha256:b054705fcc9f2205777d80a558d920c0b4209efdc3163c22b5bfcb5dda1db5fc" }}
 {{- $_ := set . "BASE_ALPINE_DEV" "registry.deckhouse.io/base_images/dev-alpine:3.16.3@sha256:c706fa83cc129079e430480369a3f062b8178cac9ec89266ebab753a574aca8e" }}
 {{- $_ := set . "BASE_ALT_DEV"    "registry.deckhouse.io/base_images/dev-alt:p10@sha256:76e6e163fa982f03468166203488b569e6d9fc10855d6a259c662706436cdcad" }}
 
 ---
 image: {{ $.ImageName }}-golang-artifact
-from: {{ $.BASE_GOLANG_22_ALPINE }}
+from: {{ $.BASE_GOLANG }}
 final: false
 
 git:
@@ -23,15 +23,14 @@ mount:
   - fromPath: ~/go-pkg-cache
     to: /go/pkg
 shell:
-  beforeInstall:
-    - apk add --no-cache ca-certificates make git
   install:
     - export GO_VERSION={{ env "GOLANG_VERSION" }}
     - export GOPROXY={{ env "GOPROXY" }}
     - git clone --depth 1 --branch v{{ $version }} {{ env "SOURCE_REPO" }}/kubernetes-csi/csi-driver-nfs.git /csi-driver-nfs
     - cd /csi-driver-nfs
     - for patchfile in /patches/*.patch ; do echo -n "Apply ${patchfile} ... "; git apply ${patchfile}; done
     - cd /csi-driver-nfs/cmd/nfsplugin
+    - go mod vendor
     - GOOS=linux GOARCH=amd64 CGO_ENABLED=0 go build -ldflags="-s -w" -o /nfsplugin
     - chmod +x /nfsplugin
 
diff --git a/images/webhooks/werf.inc.yaml b/images/webhooks/werf.inc.yaml
@@ -1,9 +1,9 @@
-{{- $_ := set . "BASE_GOLANG_22_ALPINE" "registry.deckhouse.io/base_images/golang:1.22.3-alpine@sha256:dbf216b880b802c22e3f4f2ef0a78396b4a9a6983cb9b767c5efc351ebf946b0" }}
+{{- $_ := set . "BASE_GOLANG" "registry.deckhouse.io/base_images/golang:1.22.6-bullseye@sha256:260918a3795372a6d33225d361fe5349723be9667de865a23411b50fbcc76c5a" }}
 {{- $_ := set . "BASE_SCRATCH"    "registry.deckhouse.io/base_images/scratch@sha256:b054705fcc9f2205777d80a558d920c0b4209efdc3163c22b5bfcb5dda1db5fc" }}
 
 ---
 image: {{ $.ImageName }}-golang-artifact
-from: {{ $.BASE_GOLANG_22_ALPINE }}
+from: {{ $.BASE_GOLANG }}
 final: false
 
 git:
diff --git a/trivy-silent.yaml b/trivy-silent.yaml
@@ -0,0 +1 @@
+exit-code: 0
