Scan Docker images #614
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# Snyk scanning steps are marked continue-on-error because there are often | |
# vulnerabilities that may have no possible remediation (e.g. glibc | |
# vulnerabilities in the Debian base). We want to be *informed* about the | |
# vulns, but we cannot have them be blockers to releasing images. | |
name: Scan Docker images | |
on: | |
workflow_dispatch: {} | |
schedule: | |
- cron: "0 0 * * *" | |
env: | |
DOCKER_ORG: pulumi | |
DOCKER_USERNAME: pulumibot | |
DISPATCH_REF: ${{ github.event.client_payload.ref }} | |
jobs: | |
kitchen-sink: | |
name: All SDKs images | |
runs-on: ubuntu-latest | |
strategy: | |
# Try to complete the scan for all images, even if one fails. | |
fail-fast: false | |
matrix: | |
suffix: ["", "-nonroot"] | |
arch: ["amd64", "arm64"] | |
steps: | |
- uses: actions/checkout@master | |
- name: Free Disk Space (Ubuntu) | |
uses: jlumbroso/free-disk-space@main | |
with: | |
tool-cache: false | |
- name: Login to Docker Hub | |
uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3 | |
with: | |
username: ${{ env.DOCKER_USERNAME }} | |
password: ${{ secrets.DOCKER_HUB_TOKEN }} | |
- name: Set version | |
run: | | |
[ -z "${{ env.DISPATCH_REF }}" ] && echo "PULUMI_VERSION=$(curl https://www.pulumi.com/latest-version)" >> $GITHUB_ENV || echo "PULUMI_VERSION=${{ env.DISPATCH_REF }}" >> $GITHUB_ENV | |
- name: Snyk scan | |
continue-on-error: true | |
uses: snyk/actions/docker@master | |
env: | |
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} | |
with: | |
image: ${{ env.DOCKER_ORG }}/pulumi:${{ env.PULUMI_VERSION }}${{ matrix.suffix }}-${{ matrix.arch }} | |
args: --severity-threshold=high --file=docker/pulumi/Dockerfile | |
- name: Filter Sarif File | |
run: python ./.github/scripts/filter-sarif.py | |
- name: Upload result to GitHub Code Scanning | |
uses: github/codeql-action/upload-sarif@v3 | |
with: | |
sarif_file: out.sarif | |
provider-build-environment: | |
name: Provider Build Environment | |
runs-on: ubuntu-latest | |
strategy: | |
# Try to complete the scan for all images, even if one fails. | |
fail-fast: false | |
matrix: | |
arch: ["amd64", "arm64"] | |
steps: | |
- uses: actions/checkout@master | |
- name: Free Disk Space (Ubuntu) | |
uses: jlumbroso/free-disk-space@main | |
with: | |
tool-cache: false | |
- name: Login to Docker Hub | |
uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3 | |
with: | |
username: ${{ env.DOCKER_USERNAME }} | |
password: ${{ secrets.DOCKER_HUB_TOKEN }} | |
- name: Set version | |
run: | | |
[ -z "${{ env.DISPATCH_REF }}" ] && echo "PULUMI_VERSION=$(curl https://www.pulumi.com/latest-version)" >> $GITHUB_ENV || echo "PULUMI_VERSION=${{ env.DISPATCH_REF }}" >> $GITHUB_ENV | |
- name: Snyk scan | |
continue-on-error: true | |
uses: snyk/actions/docker@master | |
env: | |
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} | |
with: | |
image: ${{ env.DOCKER_ORG }}/pulumi-provider-build-environment:${{ env.PULUMI_VERSION }}-${{ matrix.arch }} | |
args: --severity-threshold=high --file=docker/pulumi/Dockerfile | |
- name: Filter Sarif File | |
run: python ./.github/scripts/filter-sarif.py | |
- name: Upload result to GitHub Code Scanning | |
uses: github/codeql-action/upload-sarif@v3 | |
with: | |
sarif_file: out.sarif | |
base: | |
name: Base image | |
runs-on: ubuntu-latest | |
strategy: | |
# Try to complete the scan for all images, even if one fails. | |
fail-fast: false | |
matrix: | |
os: ["debian", "ubi"] | |
arch: ["arm64", "amd64"] | |
steps: | |
- uses: actions/checkout@master | |
- name: Login to Docker Hub | |
uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3 | |
with: | |
username: ${{ env.DOCKER_USERNAME }} | |
password: ${{ secrets.DOCKER_HUB_TOKEN }} | |
- name: Set version | |
run: | | |
[ -z "${{ env.DISPATCH_REF }}" ] && echo "PULUMI_VERSION=$(curl https://www.pulumi.com/latest-version)" >> $GITHUB_ENV || echo "PULUMI_VERSION=${{ env.DISPATCH_REF }}" >> $GITHUB_ENV | |
- name: Snyk scan | |
continue-on-error: true | |
uses: snyk/actions/docker@master | |
env: | |
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} | |
with: | |
image: ${{ env.DOCKER_ORG }}/pulumi-base:${{ env.PULUMI_VERSION }}-${{ matrix.os }}-${{ matrix.arch }} | |
args: --severity-threshold=high --file=docker/base/Dockerfile.${{ matrix.os }} --platform=linux/${{ matrix.arch }} | |
- name: Filter Sarif File | |
run: python ./.github/scripts/filter-sarif.py | |
- name: Upload result to GitHub Code Scanning | |
uses: github/codeql-action/upload-sarif@v3 | |
with: | |
sarif_file: out.sarif | |
define-debian-matrix: | |
runs-on: ubuntu-latest | |
outputs: | |
matrix: ${{ steps.define-matrix.outputs.matrix }} | |
steps: | |
- uses: actions/checkout@master | |
- name: Define Matrix | |
id: define-matrix | |
run: | | |
echo matrix=$(python ./.github/scripts/matrix/gen-matrix.py) >> "$GITHUB_OUTPUT" | |
debian-sdk: | |
name: Debian SDK images | |
runs-on: ubuntu-latest | |
needs: define-debian-matrix | |
strategy: | |
# Try to complete the scan for all images, even if one fails. | |
fail-fast: false | |
matrix: ${{ fromJSON(needs.define-debian-matrix.outputs.matrix) }} | |
steps: | |
- uses: actions/checkout@master | |
- name: Login to Docker Hub | |
uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3 | |
with: | |
username: ${{ env.DOCKER_USERNAME }} | |
password: ${{ secrets.DOCKER_HUB_TOKEN }} | |
- name: Set version | |
run: | | |
[ -z "${{ env.DISPATCH_REF }}" ] && echo "PULUMI_VERSION=$(curl https://www.pulumi.com/latest-version)" >> $GITHUB_ENV || echo "PULUMI_VERSION=${{ env.DISPATCH_REF }}" >> $GITHUB_ENV | |
- name: Set image name | |
run: | | |
echo "IMAGE_NAME=${{ env.DOCKER_ORG }}/pulumi-${{ matrix.sdk }}${{ matrix.suffix }}:${{ env.PULUMI_VERSION }}-debian-${{ matrix.arch }}" >> $GITHUB_ENV | |
- name: Snyk scan | |
continue-on-error: true | |
uses: snyk/actions/docker@master | |
env: | |
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} | |
with: | |
image: ${{ env.IMAGE_NAME }} | |
args: --severity-threshold=high --file=docker/${{ matrix.sdk }}/Dockerfile.debian --platform=linux/${{ matrix.arch }} | |
- name: Filter Sarif File | |
run: python ./.github/scripts/filter-sarif.py | |
- name: Upload result to GitHub Code Scanning | |
uses: github/codeql-action/upload-sarif@v3 | |
with: | |
sarif_file: out.sarif | |
ubi-sdk: | |
name: UBI SDK images | |
runs-on: ubuntu-latest | |
strategy: | |
# Try to complete the scan for all images, even if one fails. | |
fail-fast: false | |
matrix: | |
sdk: ["nodejs", "python", "dotnet", "go"] | |
steps: | |
- uses: actions/checkout@master | |
- name: Login to Docker Hub | |
uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3 | |
with: | |
username: ${{ env.DOCKER_USERNAME }} | |
password: ${{ secrets.DOCKER_HUB_TOKEN }} | |
- name: Set version | |
run: | | |
[ -z "${{ env.DISPATCH_REF }}" ] && echo "PULUMI_VERSION=$(curl https://www.pulumi.com/latest-version)" >> $GITHUB_ENV || echo "PULUMI_VERSION=${{ env.DISPATCH_REF }}" >> $GITHUB_ENV | |
- name: Snyk scan | |
continue-on-error: true | |
uses: snyk/actions/docker@master | |
env: | |
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} | |
with: | |
image: ${{ env.DOCKER_ORG }}/pulumi-${{ matrix.sdk }}:${{ env.PULUMI_VERSION }}-ubi | |
args: --severity-threshold=high --file=docker/${{ matrix.sdk }}/Dockerfile.ubi --platform=linux/amd64 | |
- name: Filter Sarif File | |
run: python ./.github/scripts/filter-sarif.py | |
- name: Upload result to GitHub Code Scanning | |
uses: github/codeql-action/upload-sarif@v3 | |
with: | |
sarif_file: out.sarif |