Skip to content

Scan Docker images #614

Scan Docker images

Scan Docker images #614

Workflow file for this run

# Snyk scanning steps are marked continue-on-error because there are often
# vulnerabilities that may have no possible remediation (e.g. glibc
# vulnerabilities in the Debian base). We want to be *informed* about the
# vulns, but we cannot have them be blockers to releasing images.
name: Scan Docker images
on:
workflow_dispatch: {}
schedule:
- cron: "0 0 * * *"
env:
DOCKER_ORG: pulumi
DOCKER_USERNAME: pulumibot
DISPATCH_REF: ${{ github.event.client_payload.ref }}
jobs:
kitchen-sink:
name: All SDKs images
runs-on: ubuntu-latest
strategy:
# Try to complete the scan for all images, even if one fails.
fail-fast: false
matrix:
suffix: ["", "-nonroot"]
arch: ["amd64", "arm64"]
steps:
- uses: actions/checkout@master
- name: Free Disk Space (Ubuntu)
uses: jlumbroso/free-disk-space@main
with:
tool-cache: false
- name: Login to Docker Hub
uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3
with:
username: ${{ env.DOCKER_USERNAME }}
password: ${{ secrets.DOCKER_HUB_TOKEN }}
- name: Set version
run: |
[ -z "${{ env.DISPATCH_REF }}" ] && echo "PULUMI_VERSION=$(curl https://www.pulumi.com/latest-version)" >> $GITHUB_ENV || echo "PULUMI_VERSION=${{ env.DISPATCH_REF }}" >> $GITHUB_ENV
- name: Snyk scan
continue-on-error: true
uses: snyk/actions/docker@master
env:
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
with:
image: ${{ env.DOCKER_ORG }}/pulumi:${{ env.PULUMI_VERSION }}${{ matrix.suffix }}-${{ matrix.arch }}
args: --severity-threshold=high --file=docker/pulumi/Dockerfile
- name: Filter Sarif File
run: python ./.github/scripts/filter-sarif.py
- name: Upload result to GitHub Code Scanning
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: out.sarif
provider-build-environment:
name: Provider Build Environment
runs-on: ubuntu-latest
strategy:
# Try to complete the scan for all images, even if one fails.
fail-fast: false
matrix:
arch: ["amd64", "arm64"]
steps:
- uses: actions/checkout@master
- name: Free Disk Space (Ubuntu)
uses: jlumbroso/free-disk-space@main
with:
tool-cache: false
- name: Login to Docker Hub
uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3
with:
username: ${{ env.DOCKER_USERNAME }}
password: ${{ secrets.DOCKER_HUB_TOKEN }}
- name: Set version
run: |
[ -z "${{ env.DISPATCH_REF }}" ] && echo "PULUMI_VERSION=$(curl https://www.pulumi.com/latest-version)" >> $GITHUB_ENV || echo "PULUMI_VERSION=${{ env.DISPATCH_REF }}" >> $GITHUB_ENV
- name: Snyk scan
continue-on-error: true
uses: snyk/actions/docker@master
env:
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
with:
image: ${{ env.DOCKER_ORG }}/pulumi-provider-build-environment:${{ env.PULUMI_VERSION }}-${{ matrix.arch }}
args: --severity-threshold=high --file=docker/pulumi/Dockerfile
- name: Filter Sarif File
run: python ./.github/scripts/filter-sarif.py
- name: Upload result to GitHub Code Scanning
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: out.sarif
base:
name: Base image
runs-on: ubuntu-latest
strategy:
# Try to complete the scan for all images, even if one fails.
fail-fast: false
matrix:
os: ["debian", "ubi"]
arch: ["arm64", "amd64"]
steps:
- uses: actions/checkout@master
- name: Login to Docker Hub
uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3
with:
username: ${{ env.DOCKER_USERNAME }}
password: ${{ secrets.DOCKER_HUB_TOKEN }}
- name: Set version
run: |
[ -z "${{ env.DISPATCH_REF }}" ] && echo "PULUMI_VERSION=$(curl https://www.pulumi.com/latest-version)" >> $GITHUB_ENV || echo "PULUMI_VERSION=${{ env.DISPATCH_REF }}" >> $GITHUB_ENV
- name: Snyk scan
continue-on-error: true
uses: snyk/actions/docker@master
env:
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
with:
image: ${{ env.DOCKER_ORG }}/pulumi-base:${{ env.PULUMI_VERSION }}-${{ matrix.os }}-${{ matrix.arch }}
args: --severity-threshold=high --file=docker/base/Dockerfile.${{ matrix.os }} --platform=linux/${{ matrix.arch }}
- name: Filter Sarif File
run: python ./.github/scripts/filter-sarif.py
- name: Upload result to GitHub Code Scanning
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: out.sarif
define-debian-matrix:
runs-on: ubuntu-latest
outputs:
matrix: ${{ steps.define-matrix.outputs.matrix }}
steps:
- uses: actions/checkout@master
- name: Define Matrix
id: define-matrix
run: |
echo matrix=$(python ./.github/scripts/matrix/gen-matrix.py) >> "$GITHUB_OUTPUT"
debian-sdk:
name: Debian SDK images
runs-on: ubuntu-latest
needs: define-debian-matrix
strategy:
# Try to complete the scan for all images, even if one fails.
fail-fast: false
matrix: ${{ fromJSON(needs.define-debian-matrix.outputs.matrix) }}
steps:
- uses: actions/checkout@master
- name: Login to Docker Hub
uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3
with:
username: ${{ env.DOCKER_USERNAME }}
password: ${{ secrets.DOCKER_HUB_TOKEN }}
- name: Set version
run: |
[ -z "${{ env.DISPATCH_REF }}" ] && echo "PULUMI_VERSION=$(curl https://www.pulumi.com/latest-version)" >> $GITHUB_ENV || echo "PULUMI_VERSION=${{ env.DISPATCH_REF }}" >> $GITHUB_ENV
- name: Set image name
run: |
echo "IMAGE_NAME=${{ env.DOCKER_ORG }}/pulumi-${{ matrix.sdk }}${{ matrix.suffix }}:${{ env.PULUMI_VERSION }}-debian-${{ matrix.arch }}" >> $GITHUB_ENV
- name: Snyk scan
continue-on-error: true
uses: snyk/actions/docker@master
env:
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
with:
image: ${{ env.IMAGE_NAME }}
args: --severity-threshold=high --file=docker/${{ matrix.sdk }}/Dockerfile.debian --platform=linux/${{ matrix.arch }}
- name: Filter Sarif File
run: python ./.github/scripts/filter-sarif.py
- name: Upload result to GitHub Code Scanning
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: out.sarif
ubi-sdk:
name: UBI SDK images
runs-on: ubuntu-latest
strategy:
# Try to complete the scan for all images, even if one fails.
fail-fast: false
matrix:
sdk: ["nodejs", "python", "dotnet", "go"]
steps:
- uses: actions/checkout@master
- name: Login to Docker Hub
uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3
with:
username: ${{ env.DOCKER_USERNAME }}
password: ${{ secrets.DOCKER_HUB_TOKEN }}
- name: Set version
run: |
[ -z "${{ env.DISPATCH_REF }}" ] && echo "PULUMI_VERSION=$(curl https://www.pulumi.com/latest-version)" >> $GITHUB_ENV || echo "PULUMI_VERSION=${{ env.DISPATCH_REF }}" >> $GITHUB_ENV
- name: Snyk scan
continue-on-error: true
uses: snyk/actions/docker@master
env:
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
with:
image: ${{ env.DOCKER_ORG }}/pulumi-${{ matrix.sdk }}:${{ env.PULUMI_VERSION }}-ubi
args: --severity-threshold=high --file=docker/${{ matrix.sdk }}/Dockerfile.ubi --platform=linux/amd64
- name: Filter Sarif File
run: python ./.github/scripts/filter-sarif.py
- name: Upload result to GitHub Code Scanning
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: out.sarif