ci(security): Automatically scan container images (#2242)

* ci(security): Automatically scan container images Signed-off-by: Tom Kerkhove <kerkhove.tom@gmail.com> * Fix bad image Signed-off-by: Tom Kerkhove <kerkhove.tom@gmail.com> * Add resource discovery Signed-off-by: Tom Kerkhove <kerkhove.tom@gmail.com> * build-args -> build-arg Signed-off-by: Tom Kerkhove <kerkhove.tom@gmail.com> * Bump to fix vulernabilities Signed-off-by: Tom Kerkhove <kerkhove.tom@gmail.com> * Try template Signed-off-by: Tom Kerkhove <kerkhove.tom@gmail.com> * Folders are not supported Signed-off-by: Tom Kerkhove <kerkhove.tom@gmail.com> * Fix wrong parameter name Signed-off-by: Tom Kerkhove <kerkhove.tom@gmail.com> * Remove duplication Signed-off-by: Tom Kerkhove <kerkhove.tom@gmail.com> --------- Signed-off-by: Tom Kerkhove <kerkhove.tom@gmail.com>
tomkerkhove · Feb 26, 2023 · 7aa1818 · 7aa1818
1 parent e0bb9f3
commit 7aa1818
Show file tree

Hide file tree

Showing 5 changed files with 62 additions and 0 deletions.
diff --git a/.github/workflows/ci-container.yml b/.github/workflows/ci-container.yml
@@ -0,0 +1,22 @@
+name: CI - Container
+
+on:
+  workflow_dispatch:
+  pull_request:
+    paths:
+    - .github/workflows/ci-container.yml
+    - src/**
+
+jobs:
+  scan_scaper:
+    name: Scan Scraper Agent
+    uses: ./.github/workflows/templates-scan-image.yml
+    with:
+      image_name: local/scraper:${{ github.sha }}
+      project_name: Promitor.Agents.Scraper
+  scan_resource_discovery:
+    name: Scan Resource Discovery Agent
+    uses: ./.github/workflows/templates-scan-image.yml
+    with:
+      image_name: local/resource-discovery:${{ github.sha }}
+      project_name: Promitor.Agents.ResourceDiscovery
diff --git a/.github/workflows/templates-scan-image.yml b/.github/workflows/templates-scan-image.yml
@@ -0,0 +1,34 @@
+on:
+  workflow_call:
+    inputs:
+      image_name:
+        required: true
+        type: string
+      project_name:
+        required: true
+        type: string
+
+jobs:
+  scan:
+    name: Scan Image
+    runs-on: ubuntu-latest
+    steps:
+        # Checkout code
+      - name: Checkout Code
+        uses: actions/checkout@v3
+
+      - name: Build an image from Dockerfile
+        run: |
+          docker build ./src/ --file ./src/${{ inputs.project_name }}/Dockerfile.linux --build-arg VERSION="1.2.3" -t ${{ inputs.image_name }}
+
+      - name: Run Trivy vulnerability scanner
+        uses: aquasecurity/trivy-action@master
+        with:
+          image-ref: '${{ inputs.image_name }}'
+          format: 'sarif'
+          output: 'trivy-results.sarif'
+
+      - name: Upload Trivy scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@v2
+        with:
+          sarif_file: 'trivy-results.sarif'
diff --git a/changelog/content/experimental/unreleased.md b/changelog/content/experimental/unreleased.md
@@ -11,10 +11,12 @@ version:
 - {{% tag added %}} Provide Azure Log Analytics scraper ([docs](https://docs.promitor.io/v2.9/scraping/providers/log-analytics/)
 | [#2132](https://github.com/tomkerkhove/promitor/pull/2132))
 - {{% tag changed %}} Migrate to .NET 7
+- {{% tag added %}} Provide container vulnerability scanning in CI
 - {{% tag fixed %}} Fixed a bug where startup throws scheduling exception due to metric misconfiguration
 - {{% tag fixed %}} Fixed a bug where resource discovery for Azure Container Instances was not working
 - {{% tag fixed %}} Fixed a bug where Promitor was reported as `unknown_service:dotnet` job in OpenTelemetry Collector
 
 #### Resource Discovery
 
 - {{% tag added %}} Provide path to read app secret key from file
+- {{% tag added %}} Provide container vulnerability scanning in CI
diff --git a/src/Promitor.Agents.ResourceDiscovery/Promitor.Agents.ResourceDiscovery.csproj b/src/Promitor.Agents.ResourceDiscovery/Promitor.Agents.ResourceDiscovery.csproj
@@ -39,6 +39,8 @@
     <PackageReference Include="Microsoft.VisualStudio.Azure.Containers.Tools.Targets" Version="1.17.0" />
     <PackageReference Include="NetEscapades.Configuration.Yaml" Version="2.2.0" />
     <PackageReference Include="Polly" Version="7.2.3" />
+    <PackageReference Include="System.Security.Cryptography.Xml" Version="7.0.1" />
+    <PackageReference Include="System.Text.RegularExpressions" Version="4.3.1" />
   </ItemGroup>
 
   <ItemGroup>

diff --git a/src/Promitor.Agents.Scraper/Promitor.Agents.Scraper.csproj b/src/Promitor.Agents.Scraper/Promitor.Agents.Scraper.csproj
@@ -40,6 +40,8 @@
     <PackageReference Include="CronExpressionDescriptor" Version="2.19.0" />
     <PackageReference Include="Microsoft.Azure.Kusto.Language" Version="11.2.2" />
     <PackageReference Include="System.Net.Http" Version="4.3.4" />
+    <PackageReference Include="System.Security.Cryptography.Xml" Version="7.0.1" />
+    <PackageReference Include="System.Text.RegularExpressions" Version="4.3.1" />
     <PackageReference Include="YamlDotNet" Version="13.0.1" />
   </ItemGroup>