ci: scan images with docker scout #5184
Conversation
.github/workflows/buildkit.yml
Outdated
| @@ -189,6 +190,35 @@ jobs: | |||
| CACHE_TO: type=gha,scope=image${{ matrix.target-stage }} | |||
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |||
|
|
|||
| scout: | |||
| runs-on: ubuntu-24.04 | |||
| if: ${{ github.ref == 'refs/heads/master' }} | |||
There was a problem hiding this comment.
we only want to scan when merged on default branch
There was a problem hiding this comment.
Do we need to cover maintenance branches as well (e.g., v0.16)
There was a problem hiding this comment.
Yes as follow-up if possible. I need to check how GitHub code scanning handles multiple refs within Security tab.
There was a problem hiding this comment.
Ok seems like when uploading the SARIF report, it generates a fingerprint based on checkout path: https://github.com/github/codeql-action/blob/f8e94f97750f67eb20315a4c8d9e085db128b221/src/upload-lib.ts#L569 but looks to be a dumb hash of directory: https://github.com/github/codeql-action/blob/f8e94f97750f67eb20315a4c8d9e085db128b221/src/fingerprints.ts#L176-L177
There was a problem hiding this comment.
@thompson-shaun Seems affected branches are correctly reported in security tab:
So I guess we could scan for release branches as follow-up.
| - | ||
| name: Login to DockerHub | ||
| uses: docker/login-action@v3 | ||
| with: | ||
| username: ${{ secrets.DOCKERHUB_USERNAME }} | ||
| password: ${{ secrets.DOCKERHUB_TOKEN }} | ||
| - | ||
| name: Scout |
There was a problem hiding this comment.
I would have liked to run scout on PR but docker login is required by the tool.
.github/workflows/buildkit.yml
Outdated
| - | ||
| name: Scout | ||
| id: scout | ||
| uses: crazy-max/.github/.github/actions/docker-scout@7ea918c968b43fbee013e94ef2dde3e76af5f5a1 |
There was a problem hiding this comment.
We are not using the official https://github.com/docker/scout-action for now as it takes at least one minute to fetch it because of the repo size: 5.7GB! https://api.github.com/repos/docker/scout-action (size: 5790458)
Binaries for each supported arch are in the working tree: https://github.com/docker/scout-action/tree/main/dist. Around 64MB each so ~384MB to be fetched for each run.
So for now I've created a composite action that downloads scout from https://hub.docker.com/r/docker/scout-cli for current platform. More info: https://github.com/crazy-max/.github/blob/main/.github/actions/docker-scout/action.yml
Signed-off-by: CrazyMax <1951866+crazy-max@users.noreply.github.com>
Adds an extra job for buildkit and frontend workflows to scan images with Docker Scout to report vulnerabilities.
Runs
scout cvescommand and output a SARIF report that will be uploaded to GitHub Code scanning so we have these issues reported in the Security tab.Example can be seen here for
moby/buildkit:master: https://github.com/crazy-max/.github/security/code-scanning