From 5025c4357b4994c9dea2d83132637371a2177a6e Mon Sep 17 00:00:00 2001 From: arnfinn Date: Mon, 7 Oct 2024 11:27:30 +0200 Subject: [PATCH 01/12] Snyk-scan: dytt image til github registry MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Snyk må ha et image å hente ned for å scanne det. Ellers henter Snyk bare gammelt image fra docker-hub. Fikses ved å først dytte image til github sitt docker registry, og så hente ned igjen for scanning. --- .github/workflows/snyk.yml | 32 +++++++++++++++++++++++++------- 1 file changed, 25 insertions(+), 7 deletions(-) diff --git a/.github/workflows/snyk.yml b/.github/workflows/snyk.yml index 915a587..bfc720f 100644 --- a/.github/workflows/snyk.yml +++ b/.github/workflows/snyk.yml @@ -19,6 +19,8 @@ jobs: security-events: write # for github/codeql-action/upload-sarif to upload SARIF results actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status runs-on: ubuntu-latest + env: + GITHUB_REGISTRY: ghcr.io strategy: fail-fast: false matrix: 
@@ -28,15 +30,31 @@ jobs: name: ${{ matrix.config.name }} steps: - uses: actions/checkout@v4 - - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3.6.1 + - name: Log in to the Container registry 📦 + uses: docker/login-action@v3.3.0 + with: + registry: ${{ env.GITHUB_REGISTRY }} + username: ${{ github.actor }} + password: ${{ secrets.GITHUB_TOKEN }} + - name: Prepare tags + id: docker_meta + uses: docker/metadata-action@v5.5.1 + with: + images: rapporteket/${{ matrix.config.name }} + tags: | + type=ref,event=branch + type=ref,event=pr + type=schedule,pattern=weekly + type=semver,pattern={{version}} + - name: Build docker image uses: docker/build-push-action@v6.9.0 with: context: ./${{ matrix.config.name }}/. file: ./${{ matrix.config.name }}/Dockerfile - push: false - tags: rapporteket/${{ matrix.config.name }} + push: true + tags: ${{ steps.docker_meta.outputs.tags }} + labels: ${{ steps.docker_meta.outputs.labels }} cache-from: type=gha cache-to: type=gha,mode=max - name: Run Snyk to check Docker image for vulnerabilities @@ -47,7 +65,7 @@ jobs: env: SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} with: - image: rapporteket/${{ matrix.config.name }} + image: ${{ env.GITHUB_REGISTRY }}/${{ steps.docker_meta.outputs.tags }} args: --file=${{ matrix.config.name }}/Dockerfile --severity-threshold=critical - name: Upload result to GitHub Code Scanning uses: github/codeql-action/upload-sarif@v3 @@ -60,7 +78,7 @@ jobs: SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} with: command: monitor - image: rapporteket/${{ matrix.config.name }} + image: ${{ env.GITHUB_REGISTRY }}/${{ steps.docker_meta.outputs.tags }} args: --file=${{ matrix.config.name }}/Dockerfile --severity-threshold=critical --org=b034af62-43be-40c7-95e8-fdc56d6f3092 - name: Accept only vulnerability levels below critical continue-on-error: false 
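Review bot: `push: true` in the build step publishes the image to the registry before the Snyk step has evaluated it, and with the `type=ref,event=pr` tag this happens for every pull request that triggers the workflow, so the registry holds unscanned images that anyone resolving that tag can pull. The reason Snyk was pulling the old Docker Hub image is that buildx does not load its result into the runner's local Docker daemon unless asked, so a registry round trip is not needed to fix it: `push: false`, `load: true`, `tags: rapporteket/${{ matrix.config.name }}` keeps the freshly built image local where `snyk/actions/docker` can scan it by name. That also avoids the login step entirely and the write scope it requires, which pull requests from forks do not get in `GITHUB_TOKEN` in any case. If pushing is still wanted, it belongs after the scan has passed, not before it.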
@@ -68,5 +86,5 @@ jobs: env: SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} with: - image: rapporteket/${{ matrix.config.name }} + image: ${{ env.GITHUB_REGISTRY }}/${{ steps.docker_meta.outputs.tags }} args: --file=${{ matrix.config.name }}/Dockerfile --severity-threshold=critical From 23347ac9cd91bb788add854143b7aa5290ea36ed Mon Sep 17 00:00:00 2001 From: arnfinn Date: Mon, 7 Oct 2024 11:31:48 +0200 Subject: [PATCH 02/12] =?UTF-8?q?buildx=20n=C3=B8dvendig=3F?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .github/workflows/snyk.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.github/workflows/snyk.yml b/.github/workflows/snyk.yml index bfc720f..befd106 100644 --- a/.github/workflows/snyk.yml +++ b/.github/workflows/snyk.yml @@ -46,7 +46,8 @@ jobs: type=ref,event=pr type=schedule,pattern=weekly type=semver,pattern={{version}} - + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@v3.6.1 - name: Build docker image uses: docker/build-push-action@v6.9.0 with: From e20c3a4ac17caeeb7157d5a0466058504895088c Mon Sep 17 00:00:00 2001 From: arnfinn Date: Mon, 7 Oct 2024 14:19:28 +0200 Subject: [PATCH 03/12] dytt til riktig register --- .github/workflows/snyk.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/snyk.yml b/.github/workflows/snyk.yml index befd106..9d383e4 100644 --- a/.github/workflows/snyk.yml +++ b/.github/workflows/snyk.yml @@ -54,7 +54,7 @@ jobs: context: ./${{ matrix.config.name }}/. file: ./${{ matrix.config.name }}/Dockerfile push: true - tags: ${{ steps.docker_meta.outputs.tags }} + tags: ${{ env.GITHUB_REGISTRY }}/${{ steps.docker_meta.outputs.tags }} labels: ${{ steps.docker_meta.outputs.labels }} cache-from: type=gha cache-to: type=gha,mode=max From dfde02edc4af72d0ba3f889c86ae20cfab1cdfe5 Mon Sep 17 00:00:00 2001 
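Review bot: In patch 03, `tags: ${{ env.GITHUB_REGISTRY }}/${{ steps.docker_meta.outputs.tags }}` prefixes only the first line of `outputs.tags`, which `docker/metadata-action` emits as a newline-separated list; whenever more than one of the four tag rules matches, the remaining tags keep the bare `rapporteket/...` name and are pushed to Docker Hub, where this job is not logged in. The registry belongs in the `images:` input instead, `images: ${{ env.GITHUB_REGISTRY }}/rapporteket/${{ matrix.config.name }}`, with `tags: ${{ steps.docker_meta.outputs.tags }}` left unprefixed so every generated tag carries it. The same multi-line output is also passed to the Snyk `image:` input in patch 01 (the hunks ending at L2 and here), which presumably expects a single image reference; a dedicated single-tag output or a fixed scan tag would be safer there.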
From: arnfinn Date: Mon, 7 Oct 2024 14:25:15 +0200 Subject: [PATCH 04/12] dropp labels --- .github/workflows/snyk.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/.github/workflows/snyk.yml b/.github/workflows/snyk.yml index 9d383e4..5421787 100644 --- a/.github/workflows/snyk.yml +++ b/.github/workflows/snyk.yml @@ -55,7 +55,6 @@ jobs: file: ./${{ matrix.config.name }}/Dockerfile push: true tags: ${{ env.GITHUB_REGISTRY }}/${{ steps.docker_meta.outputs.tags }} - labels: ${{ steps.docker_meta.outputs.labels }} cache-from: type=gha cache-to: type=gha,mode=max - name: Run Snyk to check Docker image for vulnerabilities From d75ea791e7436a69c0baf28be249c427fdd5984f Mon Sep 17 00:00:00 2001 From: arnfinn Date: Mon, 7 Oct 2024 14:28:26 +0200 Subject: [PATCH 05/12] skrivetilgang --- .github/workflows/snyk.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/snyk.yml b/.github/workflows/snyk.yml index 5421787..c460ebe 100644 --- a/.github/workflows/snyk.yml +++ b/.github/workflows/snyk.yml @@ -11,6 +11,7 @@ on: permissions: contents: read + packages: write jobs: snyk: From b2f8e9dac70e765ac62d0e9f261b08dfb2122f84 Mon Sep 17 00:00:00 2001 From: arnfinn Date: Mon, 7 Oct 2024 14:29:53 +0200 Subject: [PATCH 06/12] =?UTF-8?q?pr=C3=B8v=20med=20github.token?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .github/workflows/snyk.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/snyk.yml b/.github/workflows/snyk.yml index c460ebe..c25b9a5 100644 --- a/.github/workflows/snyk.yml +++ b/.github/workflows/snyk.yml @@ -36,7 +36,7 @@ jobs: with: registry: ${{ env.GITHUB_REGISTRY }} username: ${{ github.actor }} - password: ${{ secrets.GITHUB_TOKEN }} + password: ${{ github.token }} - name: Prepare tags id: docker_meta uses: docker/metadata-action@v5.5.1 From e013a4eb86b604e95829bc0d6193dff73d727e02 Mon Sep 17 00:00:00 2001 
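Review bot: Patch 05 adds `packages: write` to the workflow-level `permissions`, but the `snyk` job declares its own `permissions` block (visible as context in patch 01: `security-events: write`, `actions: read`), and a job-level block replaces the workflow-level one rather than merging with it, so the job token still has no write access to packages and the ghcr login/push keeps failing. The follow-up in patch 06, `password: ${{ github.token }}`, cannot change that either: `github.token` and `secrets.GITHUB_TOKEN` are the same credential. The line belongs inside the job's block, `packages: write` next to `security-events: write`, and the workflow-level `permissions` can stay at `contents: read`.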
From: arnfinn Date: Mon, 7 Oct 2024 14:31:24 +0200 Subject: [PATCH 07/12] logout: false --- .github/workflows/snyk.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/snyk.yml b/.github/workflows/snyk.yml index c25b9a5..f3abfde 100644 --- a/.github/workflows/snyk.yml +++ b/.github/workflows/snyk.yml @@ -37,6 +37,7 @@ jobs: registry: ${{ env.GITHUB_REGISTRY }} username: ${{ github.actor }} password: ${{ github.token }} + logout: false - name: Prepare tags id: docker_meta uses: docker/metadata-action@v5.5.1 From 17fd84206d34c77dbb195e4ac90c84db0c08dba0 Mon Sep 17 00:00:00 2001 From: arnfinn Date: Mon, 7 Oct 2024 15:07:46 +0200 Subject: [PATCH 08/12] =?UTF-8?q?Pr=C3=B8v=20med=20ny=20token?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .github/workflows/snyk.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/snyk.yml b/.github/workflows/snyk.yml index f3abfde..16c503c 100644 --- a/.github/workflows/snyk.yml +++ b/.github/workflows/snyk.yml @@ -36,7 +36,7 @@ jobs: with: registry: ${{ env.GITHUB_REGISTRY }} username: ${{ github.actor }} - password: ${{ github.token }} + password: ${{ secrets.GHCR_TOKEN }} logout: false - name: Prepare tags id: docker_meta From 55cac9d31383062b295451766c1dc8387ddbe96b Mon Sep 17 00:00:00 2001 From: arnfinn Date: Tue, 8 Oct 2024 09:18:56 +0200 Subject: [PATCH 09/12] Log out --- .github/workflows/snyk.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/workflows/snyk.yml b/.github/workflows/snyk.yml index 16c503c..4d52ea8 100644 --- a/.github/workflows/snyk.yml +++ b/.github/workflows/snyk.yml 
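Review bot: `logout: false` in patch 07 leaves the registry credential in the runner's Docker config for every later step of the job, and patch 08 then makes that credential a long-lived `secrets.GHCR_TOKEN` instead of the job-scoped token that expires with the run; the third-party `snyk/actions/docker@master` steps that follow therefore execute with a durable write credential readable on disk. Neither change addresses the actual cause of the push failure, which is the missing `packages: write` in the job-level `permissions` block (see the note on patch 05). Keep the action's default logout (or the explicit `docker logout` that patch 09 later adds directly after the push) and, once the job permission is in place, return to `password: ${{ secrets.GITHUB_TOKEN }}` so no long-lived secret is needed for this job.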
@@ -59,6 +59,8 @@ jobs: tags: ${{ env.GITHUB_REGISTRY }}/${{ steps.docker_meta.outputs.tags }} cache-from: type=gha cache-to: type=gha,mode=max + - name: Log out of the Container registry + run: docker logout ${{ env.GITHUB_REGISTRY }} - name: Run Snyk to check Docker image for vulnerabilities # Snyk can be used to break the build when it detects vulnerabilities. # In this case we want to upload the issues to GitHub Code Scanning From 7c4a291bb75bc0752153aacf2ff787df28f50a87 Mon Sep 17 00:00:00 2001 From: arnfinn Date: Tue, 8 Oct 2024 09:22:56 +0200 Subject: [PATCH 10/12] hardkodet url til image --- .github/workflows/snyk.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/snyk.yml b/.github/workflows/snyk.yml index 4d52ea8..7cff653 100644 --- a/.github/workflows/snyk.yml +++ b/.github/workflows/snyk.yml @@ -69,7 +69,7 @@ jobs: env: SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} with: - image: ${{ env.GITHUB_REGISTRY }}/${{ steps.docker_meta.outputs.tags }} + image: ghcr.io/rapporteket/base-r-alpine:pr-98 args: --file=${{ matrix.config.name }}/Dockerfile --severity-threshold=critical - name: Upload result to GitHub Code Scanning uses: github/codeql-action/upload-sarif@v3 From 1e5925f06edf64a2d54cc73a35d8c2b7d61c63d5 Mon Sep 17 00:00:00 2001 From: arnfinn Date: Tue, 8 Oct 2024 09:34:19 +0200 Subject: [PATCH 11/12] Dropp dytting til registry. Kun bygge lokalt --- .github/workflows/snyk.yml | 38 +++++--------------------------------- 1 file changed, 5 insertions(+), 33 deletions(-) diff --git a/.github/workflows/snyk.yml b/.github/workflows/snyk.yml index 7cff653..99f85ce 100644 --- a/.github/workflows/snyk.yml +++ b/.github/workflows/snyk.yml 
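Review bot: In patch 10, `image: ghcr.io/rapporteket/base-r-alpine:pr-98` ignores `matrix.config.name`, so both matrix entries scan the alpine image while `args: --file=${{ matrix.config.name }}/Dockerfile` still points at each entry's own Dockerfile, and the `base-r` job reports findings for an image it did not build. The `pr-98` tag also exists only for that one pull request, so scheduled and push runs will fail to pull it. The two later Snyk steps (`monitor` and the final gate) keep using the metadata output, so the three scans no longer refer to the same image; if this is a debugging step it should not be merged, otherwise it should at least read `image: ${{ env.GITHUB_REGISTRY }}/rapporteket/${{ matrix.config.name }}:pr-${{ github.event.number }}` or equivalent.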
@@ -31,45 +31,17 @@ jobs: name: ${{ matrix.config.name }} steps: - uses: actions/checkout@v4 - - name: Log in to the Container registry 📦 - uses: docker/login-action@v3.3.0 - with: - registry: ${{ env.GITHUB_REGISTRY }} - username: ${{ github.actor }} - password: ${{ secrets.GHCR_TOKEN }} - logout: false - - name: Prepare tags - id: docker_meta - uses: docker/metadata-action@v5.5.1 - with: - images: rapporteket/${{ matrix.config.name }} - tags: | - type=ref,event=branch - type=ref,event=pr - type=schedule,pattern=weekly - type=semver,pattern={{version}} - - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3.6.1 - name: Build docker image - uses: docker/build-push-action@v6.9.0 - with: - context: ./${{ matrix.config.name }}/. - file: ./${{ matrix.config.name }}/Dockerfile - push: true - tags: ${{ env.GITHUB_REGISTRY }}/${{ steps.docker_meta.outputs.tags }} - cache-from: type=gha - cache-to: type=gha,mode=max - - name: Log out of the Container registry - run: docker logout ${{ env.GITHUB_REGISTRY }} + run: docker build -t your/image-to-test -f ./${{ matrix.config.name }}/Dockerfile ./${{ matrix.config.name }} - name: Run Snyk to check Docker image for vulnerabilities # Snyk can be used to break the build when it detects vulnerabilities. # In this case we want to upload the issues to GitHub Code Scanning - continue-on-error: true + continue-on-error: false uses: snyk/actions/docker@master env: SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} with: - image: ghcr.io/rapporteket/base-r-alpine:pr-98 + image: your/image-to-test args: --file=${{ matrix.config.name }}/Dockerfile --severity-threshold=critical - name: Upload result to GitHub Code Scanning uses: github/codeql-action/upload-sarif@v3 
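Review bot: Flipping the first Snyk step to `continue-on-error: false` contradicts the comment two lines above it ("we want to upload the issues to GitHub Code Scanning"): a critical finding now fails that step and the job before `github/codeql-action/upload-sarif@v3` runs, so the SARIF never reaches Code Scanning, and the final "Accept only vulnerability levels below critical" step that is meant to be the gate becomes unreachable in exactly the case it exists for. Keep `continue-on-error: true` on this step and let the last step fail the build. `your/image-to-test` is the placeholder name from the Snyk action's README; the same placeholder is repeated in the two hunks ending at L8, and a per-matrix name such as `${{ matrix.config.name }}` makes the logs and SARIF attributable to the right image.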
@@ -82,7 +54,7 @@ jobs: SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} with: command: monitor - image: ${{ env.GITHUB_REGISTRY }}/${{ steps.docker_meta.outputs.tags }} + image: your/image-to-test args: --file=${{ matrix.config.name }}/Dockerfile --severity-threshold=critical --org=b034af62-43be-40c7-95e8-fdc56d6f3092 - name: Accept only vulnerability levels below critical continue-on-error: false @@ -90,5 +62,5 @@ jobs: env: SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} with: - image: ${{ env.GITHUB_REGISTRY }}/${{ steps.docker_meta.outputs.tags }} + image: your/image-to-test args: --file=${{ matrix.config.name }}/Dockerfile --severity-threshold=critical From 58b2df5f6a34a01d5b4dd24f11ca6948eeb72eed Mon Sep 17 00:00:00 2001 From: arnfinn Date: Tue, 8 Oct 2024 09:51:57 +0200 Subject: [PATCH 12/12] opprydning --- .github/workflows/snyk.yml | 30 +++++++++--------------------- 1 file changed, 9 insertions(+), 21 deletions(-) diff --git a/.github/workflows/snyk.yml b/.github/workflows/snyk.yml index 99f85ce..3aa0df6 100644 --- a/.github/workflows/snyk.yml +++ b/.github/workflows/snyk.yml 
@@ -4,45 +4,33 @@ on: push: branches: [ "main" ] pull_request: - # The branches below must be a subset of the branches above branches: [ "main" ] schedule: - cron: '30 22 * * 5' -permissions: - contents: read - packages: write - jobs: snyk: - permissions: - contents: read # for actions/checkout to fetch code - security-events: write # for github/codeql-action/upload-sarif to upload SARIF results - actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status runs-on: ubuntu-latest - env: - GITHUB_REGISTRY: ghcr.io strategy: fail-fast: false matrix: config: - {name: base-r} - - {name: base-r-alpine} name: ${{ matrix.config.name }} steps: - uses: actions/checkout@v4 - name: Build docker image - run: docker build -t your/image-to-test -f ./${{ matrix.config.name }}/Dockerfile ./${{ matrix.config.name }} + run: docker build -t ${{ matrix.config.name }} -f ./${{ matrix.config.name }}/Dockerfile ./${{ matrix.config.name }} - name: Run Snyk to check Docker image for vulnerabilities # Snyk can be used to break the build when it detects vulnerabilities. # In this case we want to upload the issues to GitHub Code Scanning - continue-on-error: false + continue-on-error: true uses: snyk/actions/docker@master env: SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} with: - image: your/image-to-test - args: --file=${{ matrix.config.name }}/Dockerfile --severity-threshold=critical + image: ${{ matrix.config.name }} + args: --file=${{ matrix.config.name }}/Dockerfile --severity-threshold=high - name: Upload result to GitHub Code Scanning uses: github/codeql-action/upload-sarif@v3 with: 
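Review bot: Removing the job-level `permissions` block drops `security-events: write`, which the deleted comment on that very line says `github/codeql-action/upload-sarif` needs, together with `contents: read`; the job now inherits whatever the repository's default `GITHUB_TOKEN` permissions are, so with a restricted default the SARIF upload step fails and with a permissive default the job holds write scopes it does not use. Keep a job-level block with `contents: read` and `security-events: write` (plus `actions: read` if the repository is private), and the workflow-level `contents: read` can stay as the floor. `uses: snyk/actions/docker@master`, a context line in this hunk, tracks a mutable branch while every other action in the file is pinned (`actions/checkout@v4`, `upload-sarif@v3`); pin it to a tag or commit SHA so a change on that branch cannot silently alter what runs with `SNYK_TOKEN`. The matrix also loses `base-r-alpine`, which the "opprydning" message does not explain; presumably that image is no longer built, but it should be confirmed rather than quietly dropped from scanning.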
@@ -54,13 +42,13 @@ jobs: SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} with: command: monitor - image: your/image-to-test - args: --file=${{ matrix.config.name }}/Dockerfile --severity-threshold=critical --org=b034af62-43be-40c7-95e8-fdc56d6f3092 - - name: Accept only vulnerability levels below critical + image: ${{ matrix.config.name }} + args: --file=${{ matrix.config.name }}/Dockerfile --severity-threshold=high --org=b034af62-43be-40c7-95e8-fdc56d6f3092 + - name: Accept only vulnerability levels below high continue-on-error: false uses: snyk/actions/docker@master env: SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} with: - image: your/image-to-test - args: --file=${{ matrix.config.name }}/Dockerfile --severity-threshold=critical + image: ${{ matrix.config.name }} + args: --file=${{ matrix.config.name }}/Dockerfile --severity-threshold=high