From 429325c82ce3dddfd703435c608b9156fbf437d9 Mon Sep 17 00:00:00 2001 From: LewisKSaint Date: Fri, 2 Feb 2024 20:39:41 +0100 Subject: [PATCH] Automated vulnerability scan with Prisma --- .../workflows/internal-release-candidate.yml | 19 +-- .github/workflows/vulncheck_periodic.yml | 121 ++++++++++++++++++ 2 files changed, 131 insertions(+), 9 deletions(-) create mode 100644 .github/workflows/vulncheck_periodic.yml diff --git a/.github/workflows/internal-release-candidate.yml b/.github/workflows/internal-release-candidate.yml index d9e56f7..ea54884 100644 --- a/.github/workflows/internal-release-candidate.yml +++ b/.github/workflows/internal-release-candidate.yml @@ -13,6 +13,7 @@ jobs: contents: 'write' id-token: 'write' env: + IMAGE_NAME: pubsubplus-prometheus-exporter VAULT_ADDR: https://vault.maas-vault-prod.solace.cloud:8200 GCLOUD_PROJECT_ID_DEV: stellar-arcadia-205014 GCLOUD_PROJECT_ID_STAGING: gcp-maas-staging @@ -32,8 +33,8 @@ jobs: with: wssURL: https://saas.whitesourcesoftware.com/agent apiKey: ${{ secrets.WSS_API_KEY }} - productName: 'pubsubplus-prometheus-exporter' - projectName: 'pubsubplus-prometheus-exporter' + productName: '${{ env.IMAGE_NAME }}' + projectName: '${{ env.IMAGE_NAME }}' configFile: 'ci/whitesource/whitesource-agent.config' - name: Generate Third Party License @@ -55,7 +56,7 @@ jobs: with: context: ./ tags: | - ghcr.io/solacedev/pubsubplus-prometheus-exporter:${{ github.event.inputs.release_tag }} + ghcr.io/solacedev/${{ env.IMAGE_NAME }}:${{ github.event.inputs.release_tag }} push: true 
@@ -99,13 +100,13 @@ jobs: with: context: ./ tags: | - gcr.io/${{ env.GCLOUD_PROJECT_ID_DEV }}/pubsubplus-prometheus-exporter:${{ github.event.inputs.release_tag }} + gcr.io/${{ env.GCLOUD_PROJECT_ID_DEV }}/${{ env.IMAGE_NAME }}:${{ github.event.inputs.release_tag }} push: true - name: Run Trivy vulnerability scanner uses: aquasecurity/trivy-action@master with: - image-ref: ghcr.io/solacedev/pubsubplus-prometheus-exporter:${{ github.event.inputs.release_tag }} + image-ref: ghcr.io/solacedev/${{ env.IMAGE_NAME }}:${{ github.event.inputs.release_tag }} format: 'sarif' severity: 'CRITICAL,HIGH' output: 'trivy-results.sarif' @@ -120,10 +121,10 @@ jobs: - name: Run Prisma Vulnerability Checker Action uses: ./maas-build-actions/.github/actions/prisma-vulnerability-checker with: - docker_image_to_check: gcr.io/solacedev/pubsubplus-prometheus-exporter:${{ github.event.inputs.release_tag }} - prisma_repository_name: "${{ env.GCLOUD_PROJECT_ID_DEV }}/pubsubplus-prometheus-exporter" + docker_image_to_check: gcr.io/${{ env.GCLOUD_PROJECT_ID_DEV }}/${{ env.IMAGE_NAME }}:${{ github.event.inputs.release_tag }} + prisma_repository_name: "${{ env.GCLOUD_PROJECT_ID_DEV }}/${{ env.IMAGE_NAME }}" project_squad: "mission-control" - prisma_jira_check: "True" + prisma_jira_check: "False" - name: Test image run: | @@ -132,7 +133,7 @@ jobs: chmod +x preflight-linux-amd64 popd export VERSION='${{ github.event.inputs.release_tag }}' - export CONTAINER_TO_TEST="ghcr.io/solacedev/pubsubplus-prometheus-exporter:$VERSION" + export CONTAINER_TO_TEST="ghcr.io/solacedev/${{ env.IMAGE_NAME }}:$VERSION" echo "Testing $CONTAINER_TO_TEST" /tmp/preflight-linux-amd64 check container $CONTAINER_TO_TEST --docker-config ~/.docker/config.json | grep "Preflight result: PASSED" || echo diff --git a/.github/workflows/vulncheck_periodic.yml b/.github/workflows/vulncheck_periodic.yml new file mode 100644 index 0000000..5e3f291 --- /dev/null +++ b/.github/workflows/vulncheck_periodic.yml 
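Review bot: The flip of `prisma_jira_check` from `"True"` to `"False"` in the Prisma step of hunk `@@ -120,10 +121,10 @@` is not explained by the commit message, which only describes adding the periodic scan. If that input controls whether findings open Jira tickets (the action lives in maas-build-actions and is not visible here), release-candidate scans silently lose that tracking path while the image-reference fix on the line above keeps the scan itself working. A one-line comment above the input, e.g. `# Jira ticket creation disabled for RC scans; findings are tracked by the periodic vulncheck workflow`, would make the intent reviewable — or restore `"True"` if the change was incidental.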
@@ -0,0 +1,121 @@
+name: Vuln check
+on:
+ schedule:
+ - cron: '0 */6 * * *'
+
+permissions:
+ contents: read
+ security-events: write
+
+jobs:
+ vuln-check:
+ runs-on: ubuntu-latest
+ permissions:
+ contents: 'write'
+ id-token: 'write'
+ env:
+ IMAGE_NAME: pubsubplus-prometheus-exporter
+ VERSION: v1.0.2-dev
+ VAULT_ADDR: https://vault.maas-vault-prod.solace.cloud:8200
+ GCLOUD_PROJECT_ID_DEV: stellar-arcadia-205014
+ GCLOUD_PROJECT_ID_STAGING: gcp-maas-staging
+ GCLOUD_PROJECT_ID_PROD: gcp-maas-prod
+
+ steps:
+ - name: Set up Go
+ uses: actions/setup-go@v3
+ with:
+ go-version: "1.20"
+
+ - name: Check out code
+ uses: actions/checkout@v2
+
+ - name: Run Whitesource Action
+ uses: SolaceDev/Mend-Scan-GHA@v1.0.0
+ with:
+ wssURL: https://saas.whitesourcesoftware.com/agent
+ apiKey: ${{ secrets.WSS_API_KEY }}
+ productName: '${{ env.IMAGE_NAME }}'
+ projectName: '${{ env.IMAGE_NAME }}'
+ configFile: 'ci/whitesource/whitesource-agent.config'
+
+ - name: Set up Docker Buildx
+ id: buildx
+ uses: docker/setup-buildx-action@v2
+
+ - name: Checkout SolaceDev/maas-build-actions
+ uses: actions/checkout@v2
+ with:
+ repository: SolaceDev/maas-build-actions
+ ref: refs/heads/master
+ token: ${{ secrets.RELEASE_GITHUB_TOKEN }}
+ persist-credentials: false
+ path: maas-build-actions
+
+ - name: Retrieve google container registry secrets
+ id: docker_registry_secrets
+ uses: hashicorp/vault-action@v2.5.0
+ with:
+ url: "${{ env.VAULT_ADDR }}"
+ role: github-docker-secrets-read-role
+ method: jwt
+ path: jwt-github
+ jwtGithubAudience: https://github.com/SolaceDev
+ exportToken: true
+ secrets: |
+ secret/data/development/gcp-gcr GCP_SERVICE_ACCOUNT | GCP_DEV_SERVICE_ACCOUNT;
+ secret/data/staging/gcp-gcr GCP_SERVICE_ACCOUNT | GCP_STAGE_SERVICE_ACCOUNT;
+ secret/data/production/gcp-gcr GCP_SERVICE_ACCOUNT | GCP_PROD_SERVICE_ACCOUNT
+
+ - name: Log in to gcr development docker registry
+ uses: docker/login-action@f054a8b539a109f9f41c372932f1ae047eff08c9
+ with:
+ registry: gcr.io
+ username: _json_key
+ password: ${{ steps.docker_registry_secrets.outputs.GCP_DEV_SERVICE_ACCOUNT }}
+
+ - name: Build image and push Google Container Registry
+ uses: docker/build-push-action@v2
+ with:
+ context: ./
+ tags: |
+ gcr.io/${{ env.GCLOUD_PROJECT_ID_DEV }}/${{ env.IMAGE_NAME }}:${{ github.event.inputs.release_tag }}
+ push: true
+
+ - name: Run Prisma Vulnerability Checker Action
+ uses: ./maas-build-actions/.github/actions/prisma-vulnerability-checker
+ with:
+ docker_image_to_check: gcr.io/${{ env.GCLOUD_PROJECT_ID_DEV }}/${{ env.IMAGE_NAME }}:${{ env.VERSION }}
+ prisma_repository_name: "${{ env.GCLOUD_PROJECT_ID_DEV }}/${{ env.IMAGE_NAME }}"
+ project_squad: "mission-control"
+ prisma_jira_check: "False"
+
+ - name: Run Trivy vulnerability scanner
+ uses: aquasecurity/trivy-action@master
+ with:
+ image-ref: ghcr.io/solacedev/${{ env.IMAGE_NAME }}:${{ github.event.inputs.release_tag }}
+ format: 'sarif'
+ severity: 'CRITICAL,HIGH'
+ output: 'trivy-results.sarif'
+
+ - name: Uploads Trivy Scan Reports
+ if: ${{ !startsWith(github.ref_name, '1.') }}
+ uses: actions/upload-artifact@v2
+ with:
+ path: |
+ trivy-results.sarif
+
+ - name: Login to Github Packages
+ uses: docker/login-action@v2
+ with:
+ registry: ghcr.io
+ username: ${{ github.actor }}
+ password: ${{ secrets.RELEASE_GITHUB_TOKEN }}
+
+ - name: Build image and push GitHub Container Registry
+ uses: docker/build-push-action@v2
+ with:
+ context: ./
+ tags: |
+ ghcr.io/solacedev/${{ env.IMAGE_NAME }}:${{ github.event.inputs.release_tag }}
+ push: true
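Review bot: On a `schedule` trigger `github.event.inputs.release_tag` is always empty, so the gcr build tag, the Trivy `image-ref` and the ghcr build tag in this new file all expand to a reference ending in a bare `:`, while the Prisma step scans `${{ env.VERSION }}` — the build and the two scanners never agree on one image. The job-level `permissions` block also replaces the workflow-level one, so the `security-events: write` declared at the top is not in effect for the job, and `contents: 'write'` is broader than the visible steps need (the ghcr push authenticates with `RELEASE_GITHUB_TOKEN`, not `GITHUB_TOKEN`, and the first checkout keeps that write-capable token on disk by default). Trivy is further run against the ghcr image before the ghcr login and push later in the same job, so it scans whatever that tag previously pointed at, if anything. Lastly, `aquasecurity/trivy-action@master` is a mutable ref where the gcr login step pins a SHA; pinning it the same way, and scanning the already-published digest instead of rebuilding and re-pushing every six hours, would keep the periodic check from rewriting release tags with whatever the default branch holds. Below, the tag references are unified on `env.VERSION` and the job permissions narrowed; the step reorder is left to the author.

```yaml
  vuln-check:
    runs-on: ubuntu-latest
    permissions:
      contents: read          # checkout only; nothing here pushes with GITHUB_TOKEN
      id-token: write         # Vault JWT auth
      security-events: write  # as declared at workflow level; job-level block replaces it
    # … unchanged: env, Go setup, checkout, Whitesource, Buildx, maas-build-actions checkout, Vault, gcr login …
          tags: |
            gcr.io/${{ env.GCLOUD_PROJECT_ID_DEV }}/${{ env.IMAGE_NAME }}:${{ env.VERSION }}
    # … unchanged: Prisma step …
        uses: aquasecurity/trivy-action@<PINNED_COMMIT_SHA>   # placeholder: pin like the gcr login step
        with:
          image-ref: ghcr.io/solacedev/${{ env.IMAGE_NAME }}:${{ env.VERSION }}
    # … unchanged: format/severity/output, artifact upload, ghcr login …
          tags: |
            ghcr.io/solacedev/${{ env.IMAGE_NAME }}:${{ env.VERSION }}
```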