From 9213bc82739f1a850c2439660304d7490b118dde Mon Sep 17 00:00:00 2001
From: Julien
Date: Thu, 19 Dec 2024 11:26:00 +0100
Subject: [PATCH] Fix Snyk scanning and upload results (#343)

Fix scanning for all images by correctly setting the platform. Scan results are upload to GitHub code scanning.
---
 .github/scripts/filter-sarif.py | 20 +++++++++
 .github/workflows/snyk-scan.yml | 77 +++++++++++++++++++++++++++++----
 2 files changed, 88 insertions(+), 9 deletions(-)
 create mode 100644 .github/scripts/filter-sarif.py

diff --git a/.github/scripts/filter-sarif.py b/.github/scripts/filter-sarif.py
new file mode 100644
index 00000000..efaee1e7
--- /dev/null
+++ b/.github/scripts/filter-sarif.py
@@ -0,0 +1,20 @@
+#!/usr/bin/python
+# GitHub Code Scanning does not allow more than 20 runs per file. We filter out
+# empty runs to avoid this limit. Note that the file needs to include at least
+# one run.
+
+import json
+
+with open("snyk.sarif") as f:
+    sarif = json.load(f)
+
+    # Remove runs with no results
+    runs = [run for run in sarif["runs"] if len(run["results"]) > 0]
+
+    # Keep at least one run
+    runs = runs if len(runs) > 0 else [sarif["runs"][0]]
+
+    sarif["runs"] = runs
+
+    with open("out.sarif", "w") as out:
+        json.dump(sarif, out, indent=2)
diff --git a/.github/workflows/snyk-scan.yml b/.github/workflows/snyk-scan.yml
index b69423c7..c1d9f70e 100644
--- a/.github/workflows/snyk-scan.yml
+++ b/.github/workflows/snyk-scan.yml
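Review bot: `[run for run in sarif["runs"] if len(run["results"]) > 0]` raises KeyError for any run that omits `results` (the property is optional in the SARIF schema), and the fallback `[sarif["runs"][0]]` raises IndexError when `runs` is an empty list, so an unexpected or empty Snyk SARIF fails the filter step with a traceback instead of a clear message. Read both defensively: `runs = [run for run in sarif.get("runs", []) if run.get("results")]` followed by `runs = runs or sarif.get("runs", [])[:1]`, which keeps the first run when one exists and otherwise leaves the list empty for the upload step to reject. The shebang `#!/usr/bin/python` points at an interpreter that exists on Debian/Ubuntu only when `python-is-python3` is installed; `#!/usr/bin/env python3` is safer, even though the workflow invokes the script through `python` explicitly. A one-line module docstring stating the input/output file names (`snyk.sarif` in, `out.sarif` out) would also help, since the workflow steps depend on those exact paths.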
@@ -17,14 +17,16 @@ jobs: name: All SDKs images runs-on: ubuntu-latest strategy: + # Try to complete the scan for all images, even if one fails. + fail-fast: false matrix: - image: ["pulumi", "pulumi-provider-build-environment"] - include: - # For the pulumi image add a the nonroot variant - - suffix: -nonroot - image: pulumi + suffix: ["", "-nonroot"] steps: - uses: actions/checkout@master + - name: Free Disk Space (Ubuntu) + uses: jlumbroso/free-disk-space@main + with: + tool-cache: false - name: Set version run: | [ -z "${{ env.DISPATCH_REF }}" ] && echo "PULUMI_VERSION=$(curl https://www.pulumi.com/latest-version)" >> $GITHUB_ENV || echo "PULUMI_VERSION=${{ env.DISPATCH_REF }}" >> $GITHUB_ENV 
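Review bot: The new step `uses: jlumbroso/free-disk-space@main` pulls a third-party action from a mutable branch into a job that later exposes `SNYK_TOKEN` in its environment, so a compromise of that repository's `main` branch would run arbitrary code with access to the secret. Pin it to a full commit SHA with the version as a trailing comment, e.g. `uses: jlumbroso/free-disk-space@<40-char-commit-sha> # vX.Y.Z`, and consider the same treatment for the pre-existing `actions/checkout@master` on the line above it. The switch to a `suffix: ["", "-nonroot"]` matrix with `fail-fast: false` is fine since the two variants are independent, but a short comment above `suffix:` saying that this job now covers only the `pulumi` image (the provider build environment has its own job) would spare the next reader a search.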
@@ -34,13 +36,47 @@ jobs: env: SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} with: - image: ${{ env.DOCKER_ORG }}/${{ matrix.image }}:${{ env.PULUMI_VERSION }}${{ matrix.suffix }} + image: ${{ env.DOCKER_ORG }}/pulumi:${{ env.PULUMI_VERSION }}${{ matrix.suffix }}-amd64 args: --severity-threshold=high --file=docker/pulumi/Dockerfile + - name: Filter Sarif File + run: python ./.github/scripts/filter-sarif.py + - name: Upload result to GitHub Code Scanning + uses: github/codeql-action/upload-sarif@v3 + with: + sarif_file: out.sarif + + provider-build-environment: + name: Provider Build Environment + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@master + - name: Free Disk Space (Ubuntu) + uses: jlumbroso/free-disk-space@main + with: + tool-cache: false + - name: Set version + run: | + [ -z "${{ env.DISPATCH_REF }}" ] && echo "PULUMI_VERSION=$(curl https://www.pulumi.com/latest-version)" >> $GITHUB_ENV || echo "PULUMI_VERSION=${{ env.DISPATCH_REF }}" >> $GITHUB_ENV + - name: Snyk scan + continue-on-error: true + uses: snyk/actions/docker@master + env: + SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} + with: + image: ${{ env.DOCKER_ORG }}/pulumi-provider-build-environment:${{ env.PULUMI_VERSION }}-amd64 + args: --severity-threshold=high --file=docker/pulumi/Dockerfile + - name: Filter Sarif File + run: python ./.github/scripts/filter-sarif.py + - name: Upload result to GitHub Code Scanning + uses: github/codeql-action/upload-sarif@v3 + with: + sarif_file: out.sarif base: name: Base image runs-on: ubuntu-latest strategy: + # Try to complete the scan for all images, even if one fails. fail-fast: false matrix: os: ["debian", "ubi"] 
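Review bot: The new `provider-build-environment` job scans `pulumi-provider-build-environment:...-amd64` but passes `--file=docker/pulumi/Dockerfile`, which is the Dockerfile of a different image; Snyk uses `--file` to map findings to Dockerfile instructions and to propose base-image upgrades, so the remediation advice for this image will be attributed to the wrong file. Point it at the provider build environment's own Dockerfile (presumably under `docker/pulumi-provider-build-environment/`; confirm the path in the repo). The copied `Set version` step expands `${{ env.DISPATCH_REF }}` straight into the shell script; if that value originates from a dispatch payload or workflow input, this is the classic script-injection pattern, and since `env` values are already exported to the shell it can simply be referenced as `"$DISPATCH_REF"` with no expression at all. Finally, `curl https://www.pulumi.com/latest-version` without `-fsS` will write an HTML error body or nothing into `PULUMI_VERSION` on an HTTP failure, surfacing later as a confusing image-not-found error.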
@@ -57,7 +93,14 @@ jobs: SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} with: image: ${{ env.DOCKER_ORG }}/pulumi-base:${{ env.PULUMI_VERSION }}-${{ matrix.os }}-${{ matrix.arch }} - args: --severity-threshold=high --file=docker/base/Dockerfile.${{ matrix.os }} + args: --severity-threshold=high --file=docker/base/Dockerfile.${{ matrix.os }} --platform=linux/${{ matrix.arch }} + - name: Filter Sarif File + run: python ./.github/scripts/filter-sarif.py + - name: Upload result to GitHub Code Scanning + uses: github/codeql-action/upload-sarif@v3 + with: + sarif_file: out.sarif + define-debian-matrix: runs-on: ubuntu-latest outputs: @@ -68,11 +111,13 @@ jobs: id: define-matrix run: | echo matrix=$(python ./.github/scripts/matrix/gen-matrix.py) >> "$GITHUB_OUTPUT" + debian-sdk: name: Debian SDK images runs-on: ubuntu-latest needs: define-debian-matrix strategy: + # Try to complete the scan for all images, even if one fails. fail-fast: false matrix: ${{ fromJSON(needs.define-debian-matrix.outputs.matrix) }} steps: @@ -90,11 +135,19 @@ jobs: SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} with: image: ${{ env.IMAGE_NAME }} - args: --severity-threshold=high --file=docker/${{ matrix.sdk }}/Dockerfile.debian + args: --severity-threshold=high --file=docker/${{ matrix.sdk }}/Dockerfile.debian --platform=linux/${{ matrix.arch }} + - name: Filter Sarif File + run: python ./.github/scripts/filter-sarif.py + - name: Upload result to GitHub Code Scanning + uses: github/codeql-action/upload-sarif@v3 + with: + sarif_file: out.sarif + ubi-sdk: name: UBI SDK images runs-on: ubuntu-latest strategy: + # Try to complete the scan for all images, even if one fails. fail-fast: false matrix: sdk: ["nodejs", "python", "dotnet", "go"] 
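Review bot: Every leg of the `base` matrix (and of `debian-sdk` in the later hunk) runs `github/codeql-action/upload-sarif@v3` without a `category:` input, so all legs upload into the same analysis slot for the commit; per the code-scanning documentation, uploads for the same tool, commit and category replace one another, which means only one image's findings may remain visible. Give each upload a distinct category, e.g. `category: snyk-base-${{ matrix.os }}-${{ matrix.arch }}` under `with:`, and the equivalent per-image value in the SDK jobs. Adding `--platform=linux/${{ matrix.arch }}` is the right fix for multi-arch tags, but the `pulumi` and `pulumi-provider-build-environment` jobs rely on an `-amd64` tag suffix instead of `--platform`; a comment explaining why the two approaches differ would help whoever next touches this file.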
@@ -110,4 +163,10 @@ jobs: SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} with: image: ${{ env.DOCKER_ORG }}/pulumi-${{ matrix.sdk }}:${{ env.PULUMI_VERSION }}-ubi - args: --severity-threshold=high --file=docker/${{ matrix.sdk }}/Dockerfile.ubi + args: --severity-threshold=high --file=docker/${{ matrix.sdk }}/Dockerfile.ubi --platform=linux/amd64 + - name: Filter Sarif File + run: python ./.github/scripts/filter-sarif.py + - name: Upload result to GitHub Code Scanning + uses: github/codeql-action/upload-sarif@v3 + with: + sarif_file: out.sarif
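Review bot: `github/codeql-action/upload-sarif@v3` requires `security-events: write` on the job's `GITHUB_TOKEN` (plus `actions: read` on private repositories), and none of the jobs touched by this patch declare a `permissions:` block, so unless the workflow grants it at the top level outside these hunks the upload will fail with a resource-not-accessible error. Rather than widening the default token, add a least-privilege block to each scanning job, `permissions: { contents: read, security-events: write }`. Note also that `continue-on-error: true` on the Snyk step is needed because Snyk exits non-zero on findings, but it equally masks authentication and image-pull failures; in that case the run only fails later when `filter-sarif.py` cannot open `snyk.sarif`, so a comment on the Snyk step such as `# non-zero exit also means "vulnerabilities found"; the SARIF upload below is the real signal` would document the trade-off.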