From 022bfdf5f57901a01a59101d8723f013cf1b43be Mon Sep 17 00:00:00 2001
From: CrazyMax <1951866+crazy-max@users.noreply.github.com>
Date: Tue, 23 Jul 2024 15:16:40 +0200
Subject: [PATCH] ci: scan images with docker scout

Signed-off-by: CrazyMax <1951866+crazy-max@users.noreply.github.com>
---
 .github/workflows/buildkit.yml | 33 +++++++++++++++++++++++++++++++++
 .github/workflows/frontend.yml | 33 +++++++++++++++++++++++++++++++++
 2 files changed, 66 insertions(+)

diff --git a/.github/workflows/buildkit.yml b/.github/workflows/buildkit.yml
index 3717ee85f07b..b7966f5e438d 100644
--- a/.github/workflows/buildkit.yml
+++ b/.github/workflows/buildkit.yml
@@ -24,6 +24,7 @@ env:
 GO_VERSION: "1.22"
 SETUP_BUILDX_VERSION: "latest"
 SETUP_BUILDKIT_IMAGE: "moby/buildkit:latest"
+ SCOUT_VERSION: "1.11.0"
 IMAGE_NAME: "moby/buildkit"
 PLATFORMS: "linux/amd64,linux/arm/v7,linux/arm64,linux/s390x,linux/ppc64le,linux/riscv64"
 DESTDIR: "./bin"
@@ -189,6 +190,38 @@ jobs:
 CACHE_TO: type=gha,scope=image${{ matrix.target-stage }}
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

+ scout:
+ runs-on: ubuntu-24.04
+ if: ${{ github.ref == 'refs/heads/master' && github.repository == 'moby/buildkit' }}
+ permissions:
+ # required to write sarif report
+ security-events: write
+ needs:
+ - image
+ steps:
+ -
+ name: Checkout
+ uses: actions/checkout@v4
+ -
+ name: Login to DockerHub
+ uses: docker/login-action@v3
+ with:
+ username: ${{ secrets.DOCKERHUB_USERNAME }}
+ password: ${{ secrets.DOCKERHUB_TOKEN }}
+ -
+ name: Scout
+ id: scout
+ uses: crazy-max/.github/.github/actions/docker-scout@ccae1c98f1237b5c19e4ef77ace44fa68b3bc7e4
+ with:
+ version: ${{ env.SCOUT_VERSION }}
+ format: sarif
+ image: registry://${{ env.IMAGE_NAME }}:master
+ -
+ name: Upload SARIF report
+ uses: github/codeql-action/upload-sarif@v3
+ with:
+ sarif_file: ${{ steps.scout.outputs.result-file }}
+
 release:
 runs-on: ubuntu-24.04
 needs:
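Review bot: The job-level `permissions` block of the new scout job grants only `security-events: write`, which sets every unspecified scope, including `contents`, to none, yet the first step is `actions/checkout@v4` and nothing later in the job reads the working tree — the scan targets `registry://${{ env.IMAGE_NAME }}:master`. Either drop the checkout step, which also keeps the repository source out of reach of the third-party action, or keep it with an explicit `contents: read` plus a comment naming which step needs the source. The Scout step runs an action from a personal namespace in a job where the preceding login step has placed the Docker Hub credentials on the runner and the token can write code-scanning results; the full-SHA pin is the right choice, but it should carry the tag or date it resolves to, e.g. `uses: crazy-max/.github/.github/actions/docker-scout@ccae1c98f1237b5c19e4ef77ace44fa68b3bc7e4 # <resolved tag — placeholder>`, so the pin is reviewable and bump tooling can track it. The identical scout job added to .github/workflows/frontend.yml has the same two points.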
diff --git a/.github/workflows/frontend.yml b/.github/workflows/frontend.yml
index cbe7d48036dd..25c98e8c90e8 100644
--- a/.github/workflows/frontend.yml
+++ b/.github/workflows/frontend.yml
@@ -22,6 +22,7 @@ env:
 GO_VERSION: "1.22"
 SETUP_BUILDX_VERSION: "latest"
 SETUP_BUILDKIT_TAG: "moby/buildkit:latest"
+ SCOUT_VERSION: "1.11.0"
 IMAGE_NAME: "docker/dockerfile-upstream"
 PLATFORMS: "linux/386,linux/amd64,linux/arm/v7,linux/arm64,linux/mips,linux/mipsle,linux/mips64,linux/mips64le,linux/s390x,linux/ppc64le,linux/riscv64"

@@ -125,6 +126,38 @@ jobs:
 CACHE_TO: type=gha,scope=${{ env.CACHE_SCOPE }}
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

+ scout:
+ runs-on: ubuntu-24.04
+ if: ${{ github.ref == 'refs/heads/master' && github.repository == 'moby/buildkit' }}
+ permissions:
+ # required to write sarif report
+ security-events: write
+ needs:
+ - image
+ steps:
+ -
+ name: Checkout
+ uses: actions/checkout@v4
+ -
+ name: Login to DockerHub
+ uses: docker/login-action@v3
+ with:
+ username: ${{ secrets.DOCKERHUB_USERNAME }}
+ password: ${{ secrets.DOCKERHUB_TOKEN }}
+ -
+ name: Scout
+ id: scout
+ uses: crazy-max/.github/.github/actions/docker-scout@ccae1c98f1237b5c19e4ef77ace44fa68b3bc7e4
+ with:
+ version: ${{ env.SCOUT_VERSION }}
+ format: sarif
+ image: registry://${{ env.IMAGE_NAME }}:master
+ -
+ name: Upload SARIF report
+ uses: github/codeql-action/upload-sarif@v3
+ with:
+ sarif_file: ${{ steps.scout.outputs.result-file }}
+
 release:
 runs-on: ubuntu-24.04
 if: startsWith(github.ref, 'refs/tags/dockerfile')