ci: scan images with docker scout #5184
.github/workflows/buildkit.yml
Outdated
@@ -189,6 +190,35 @@ jobs: | |||
CACHE_TO: type=gha,scope=image${{ matrix.target-stage }} | |||
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |||
|
|||
scout: | |||
runs-on: ubuntu-24.04 | |||
if: ${{ github.ref == 'refs/heads/master' }} |
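Review bot: the `if: ${{ github.ref == 'refs/heads/master' }}` on the `scout` job limits scanning to the default branch, so the maintenance branches raised in the discussion (e.g. v0.16) will never be scanned by this job; if those are meant to be covered, the condition needs to become something like `github.ref == 'refs/heads/master' || startsWith(github.ref, 'refs/heads/v')`. The `${{ }}` wrapper around an `if` expression is also unnecessary; the expression is evaluated either way. Separately, a job that uploads SARIF to code scanning needs `security-events: write` in its `permissions`; no permissions block is visible in this part of the hunk, so please confirm the job declares it rather than relying on a broad workflow-level grant.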
We only want to scan when merged on the default branch.
Do we need to cover maintenance branches as well (e.g., v0.16)?
Yes as follow-up if possible. I need to check how GitHub code scanning handles multiple refs within Security tab.
OK, seems like when uploading the SARIF report, it generates a fingerprint based on the checkout path: https://github.com/github/codeql-action/blob/f8e94f97750f67eb20315a4c8d9e085db128b221/src/upload-lib.ts#L569 but it looks to be a dumb hash of the directory: https://github.com/github/codeql-action/blob/f8e94f97750f67eb20315a4c8d9e085db128b221/src/fingerprints.ts#L176-L177
@thompson-shaun Seems affected branches are correctly reported in the Security tab:
So I guess we could scan for release branches as follow-up.
- | ||
name: Login to DockerHub | ||
uses: docker/login-action@v3 | ||
with: | ||
username: ${{ secrets.DOCKERHUB_USERNAME }} | ||
password: ${{ secrets.DOCKERHUB_TOKEN }} | ||
- | ||
name: Scout |
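Review bot: the DockerHub login step hands `secrets.DOCKERHUB_TOKEN` to a job whose only purpose is to pull an image and talk to the Scout backend, so the secret used here should be a read-only access token dedicated to this job rather than a token that can also push, otherwise a compromised scanner step or composite action could tamper with published images. Note too that `docker/login-action@v3` is referenced by a mutable tag while the Scout step below is pinned to a commit SHA; pin both the same way so the job has a consistent supply-chain policy. The job-level `if` above does keep this login off fork PRs, which matches the comment that scout cannot run on PRs without a login.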
I would have liked to run scout on PR but docker login is required by the tool.
.github/workflows/buildkit.yml
Outdated
- | ||
name: Scout | ||
id: scout | ||
uses: crazy-max/.github/.github/actions/docker-scout@7ea918c968b43fbee013e94ef2dde3e76af5f5a1 |
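Review bot: pinning the Scout step to a full commit SHA is the right choice for a third-party action, but the pin points at a personal repository (crazy-max/.github) and carries no trailing version comment, so it is unreadable in review and the scanner's supply chain rests on one maintainer's account; add a `# <tag or date>` comment after the SHA and consider moving the composite action under the moby or docker org (or vendoring it into this repo under .github/actions/) before release branches depend on it. Since the composite action downloads the scout-cli binary from the docker/scout-cli image at run time, that image should be pinned by digest rather than by tag so the scanner itself is reproducible from one run to the next.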
We are not using the official https://github.com/docker/scout-action for now as it takes at least one minute to fetch it because of the repo size: 5.7GB! https://api.github.com/repos/docker/scout-action (size: 5790458)
Binaries for each supported arch are in the working tree: https://github.com/docker/scout-action/tree/main/dist. Around 64MB each so ~384MB to be fetched for each run.
So for now I've created a composite action that downloads scout from https://hub.docker.com/r/docker/scout-cli for the current platform. More info: https://github.com/crazy-max/.github/blob/main/.github/actions/docker-scout/action.yml
Signed-off-by: CrazyMax <1951866+crazy-max@users.noreply.github.com>
Adds an extra job for buildkit and frontend workflows to scan images with Docker Scout to report vulnerabilities.
Runs the scout cves command and outputs a SARIF report that will be uploaded to GitHub code scanning so we have these issues reported in the Security tab. An example can be seen here for moby/buildkit:master: https://github.com/crazy-max/.github/security/code-scanning
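The PR description only sends the scout cves SARIF output to the Security tab. As an added example that is not part of this PR, of Docker Scout or of the buildkit workflows, the script below reads a SARIF 2.1.0 report of that shape and turns it into a pass/fail decision a CI step could use as a gate. It joins each result with its rule to recover the score that code scanning reads from the `security-severity` rule property, falls back to the result level when a rule has no score, and fails the build only for findings at or above a threshold that have a known fix. The embedded report is constructed; its CVE identifiers are placeholders, and the `security-severity` and `fixed_version` property names are assumptions about what the tool emits.

```python
"""Gate a CI job on a SARIF report in the shape `docker scout cves --format sarif` writes.

Added example, not part of the buildkit PR or of Docker Scout. The sample report below is
constructed and its CVE ids are placeholders, not real findings.
"""
import json
import sys

# Constructed sample in the layout of a SARIF 2.1.0 report (trimmed). The rule property
# names `security-severity` and `fixed_version` are assumptions about what the tool
# emits; adjust them to match a real report.
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "docker scout", "rules": [
            {"id": "CVE-0000-0001", "shortDescription": {"text": "placeholder critical"},
             "properties": {"security-severity": "9.8", "fixed_version": "1.2.4"}},
            {"id": "CVE-0000-0002", "shortDescription": {"text": "placeholder high, no fix"},
             "properties": {"security-severity": "7.5"}},
            {"id": "CVE-0000-0003", "shortDescription": {"text": "placeholder medium"},
             "properties": {"security-severity": "5.3", "fixed_version": "2.0.1"}},
            {"id": "CVE-0000-0004", "shortDescription": {"text": "no score, level only"},
             "properties": {}},
        ]}},
        "results": [
            {"ruleId": "CVE-0000-0001", "level": "error",
             "message": {"text": "pkg:golang/example.org/libfoo@1.2.3 is vulnerable"},
             "locations": [{"physicalLocation": {"artifactLocation": {
                 "uri": "pkg:golang/example.org/libfoo@1.2.3"}}}]},
            {"ruleId": "CVE-0000-0002", "level": "error",
             "message": {"text": "pkg:deb/debian/libbar@0.9 is vulnerable"},
             "locations": [{"physicalLocation": {"artifactLocation": {
                 "uri": "pkg:deb/debian/libbar@0.9"}}}]},
            {"ruleId": "CVE-0000-0003", "level": "warning",
             "message": {"text": "pkg:golang/example.org/libbaz@2.0.0 is vulnerable"},
             "locations": [{"physicalLocation": {"artifactLocation": {
                 "uri": "pkg:golang/example.org/libbaz@2.0.0"}}}]},
            {"ruleId": "CVE-0000-0004", "level": "warning",
             "message": {"text": "pkg:deb/debian/libqux@3.1 is vulnerable"},
             "locations": []},
        ],
    }],
})

# Fallback used when a rule carries no security-severity. These numbers are our own
# choice, placed in the critical/high/medium bands code scanning uses for the property.
LEVEL_FALLBACK = {"error": 7.0, "warning": 4.0, "note": 1.0, "none": 0.0}


def load_findings(sarif_text):
    """Flatten a SARIF document into one dict per result, joined with its rule."""
    doc = json.loads(sarif_text)
    findings = []
    for run in doc.get("runs", []):
        rules = {r["id"]: r for r in run.get("tool", {}).get("driver", {}).get("rules", [])}
        for res in run.get("results", []):
            rule = rules.get(res.get("ruleId"), {})
            props = rule.get("properties", {})
            raw = props.get("security-severity")
            score = (float(raw) if raw is not None
                     else LEVEL_FALLBACK.get(res.get("level", "warning"), 4.0))
            locs = res.get("locations") or []
            package = (locs[0].get("physicalLocation", {}).get("artifactLocation", {}).get("uri")
                       if locs else None)
            findings.append({
                "id": res.get("ruleId"),
                "score": score,
                "level": res.get("level"),
                "package": package,
                "fixed_version": props.get("fixed_version"),
                "text": res.get("message", {}).get("text", ""),
            })
    return findings


def gate(findings, threshold=7.0, fixable_only=True):
    """Return the findings that should fail the build, highest score first."""
    blocking = [f for f in findings
                if f["score"] >= threshold and (f["fixed_version"] or not fixable_only)]
    return sorted(blocking, key=lambda f: f["score"], reverse=True)


def main(argv):
    """Read the SARIF path given as argv[1] (or the sample) and return a CI exit code."""
    text = open(argv[1]).read() if len(argv) > 1 else SAMPLE_SARIF
    findings = load_findings(text)
    blocking = gate(findings)
    for f in blocking:
        print(f"{f['id']} score={f['score']} package={f['package']} fix={f['fixed_version']}")
    print(f"{len(findings)} findings, {len(blocking)} blocking")
    return 1 if blocking else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python gate.py scout.sarif.json` after the scan step and before the SARIF upload; the upload still happens on failure if the upload step uses `if: always()`, so the Security tab keeps the full picture while the job itself only fails on fixable findings at or above the threshold. Gating on fixable findings only is a deliberate choice: an unfixable high-severity CVE in a base image would otherwise block every merge without giving the author anything to act on.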