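# Snyk scanning steps are marked continue-on-error because there are often
# vulnerabilities that may have no possible remediation (e.g. glibc
# vulnerabilities in the Debian base). We want to be *informed* about the
# vulns, but we cannot have them be blockers to releasing images.
#
# Every job follows the same shape: resolve the Pulumi version to scan, run
# the Snyk container scan against a published image, drop empty SARIF runs
# (Code Scanning rejects files with more than 20 runs), then upload the
# filtered SARIF (out.sarif — not the raw snyk.sarif, which would discard the
# filter step).
name: Scan Docker images

on:
  workflow_dispatch: {}
  schedule:
    - cron: "0 0 * * *"

# Least privilege for GITHUB_TOKEN: upload-sarif needs security-events: write;
# nothing else in this workflow writes to the repository.
permissions:
  contents: read
  security-events: write

env:
  DOCKER_ORG: pulumi
  # NOTE(review): client_payload is only populated by repository_dispatch,
  # which is not one of the triggers above, so this is expected to be empty
  # on scheduled and manual runs — confirm whether that trigger was intended.
  DISPATCH_REF: ${{ github.event.client_payload.ref }}

jobs:
  kitchen-sink:
    name: All SDKs images
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false
      matrix:
        suffix: ["", "-nonroot"]
    steps:
      - uses: actions/checkout@v4
      - name: Free Disk Space (Ubuntu)
        # TODO(review): pin to a release tag or commit SHA; a branch ref can
        # change under us between runs.
        uses: jlumbroso/free-disk-space@main
        with:
          tool-cache: false
      - name: Set version
        # DISPATCH_REF is already exported via the top-level env, so read it
        # from the shell instead of interpolating ${{ }} into the script body:
        # an expression expanded into `run:` is executed as code. `curl -f`
        # makes an HTTP error fail the step rather than export an empty
        # version that would silently scan a nonexistent tag.
        run: |
          set -euo pipefail
          if [ -z "${DISPATCH_REF:-}" ]; then
            PULUMI_VERSION="$(curl -fsSL https://www.pulumi.com/latest-version)"
          else
            PULUMI_VERSION="$DISPATCH_REF"
          fi
          echo "PULUMI_VERSION=${PULUMI_VERSION}" >> "$GITHUB_ENV"
      - name: Snyk scan
        continue-on-error: true
        # TODO(review): pin to a commit SHA; a branch ref can change under us
        # between runs.
        uses: snyk/actions/docker@master
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
        with:
          image: ${{ env.DOCKER_ORG }}/pulumi:${{ env.PULUMI_VERSION }}${{ matrix.suffix }}-amd64
          args: --severity-threshold=high --file=docker/pulumi/Dockerfile
      - name: Filter Sarif File
        # GitHub Code Scanning does not allow more than 20 runs per file. We
        # filter out empty runs to avoid this limit. The upload step below
        # must read out.sarif, otherwise this filtering is lost.
        run: |
          python - <<'PY'
          import json
          with open("snyk.sarif") as f:
              sarif = json.load(f)
          sarif["runs"] = [run for run in sarif["runs"] if len(run["results"]) > 0]
          with open("out.sarif", "w") as f:
              json.dump(sarif, f, indent=2)
          PY
      - name: Upload result to GitHub Code Scanning
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: out.sarif

  provider-build-environment:
    name: Provider Build Environment
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Free Disk Space (Ubuntu)
        # TODO(review): pin to a release tag or commit SHA; a branch ref can
        # change under us between runs.
        uses: jlumbroso/free-disk-space@main
        with:
          tool-cache: false
      - name: Set version
        # See kitchen-sink: read DISPATCH_REF from the shell environment, and
        # fail on an HTTP error instead of exporting an empty version.
        run: |
          set -euo pipefail
          if [ -z "${DISPATCH_REF:-}" ]; then
            PULUMI_VERSION="$(curl -fsSL https://www.pulumi.com/latest-version)"
          else
            PULUMI_VERSION="$DISPATCH_REF"
          fi
          echo "PULUMI_VERSION=${PULUMI_VERSION}" >> "$GITHUB_ENV"
      - name: Snyk scan
        continue-on-error: true
        # TODO(review): pin to a commit SHA; a branch ref can change under us
        # between runs.
        uses: snyk/actions/docker@master
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
        with:
          image: ${{ env.DOCKER_ORG }}/pulumi-provider-build-environment:${{ env.PULUMI_VERSION }}-amd64
          # NOTE(review): --file points at docker/pulumi/Dockerfile while the
          # image scanned is pulumi-provider-build-environment — confirm this
          # is the Dockerfile that builds it.
          args: --severity-threshold=high --file=docker/pulumi/Dockerfile
      - name: Filter Sarif File
        # GitHub Code Scanning does not allow more than 20 runs per file. We
        # filter out empty runs to avoid this limit. The upload step below
        # must read out.sarif, otherwise this filtering is lost.
        run: |
          python - <<'PY'
          import json
          with open("snyk.sarif") as f:
              sarif = json.load(f)
          sarif["runs"] = [run for run in sarif["runs"] if len(run["results"]) > 0]
          with open("out.sarif", "w") as f:
              json.dump(sarif, f, indent=2)
          PY
      - name: Upload result to GitHub Code Scanning
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: out.sarif

  base:
    name: Base image
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false
      matrix:
        os: ["debian", "ubi"]
        arch: ["arm64", "amd64"]
    steps:
      - uses: actions/checkout@v4
      - name: Set version
        # See kitchen-sink: read DISPATCH_REF from the shell environment, and
        # fail on an HTTP error instead of exporting an empty version.
        run: |
          set -euo pipefail
          if [ -z "${DISPATCH_REF:-}" ]; then
            PULUMI_VERSION="$(curl -fsSL https://www.pulumi.com/latest-version)"
          else
            PULUMI_VERSION="$DISPATCH_REF"
          fi
          echo "PULUMI_VERSION=${PULUMI_VERSION}" >> "$GITHUB_ENV"
      - name: Snyk scan
        continue-on-error: true
        # TODO(review): pin to a commit SHA; a branch ref can change under us
        # between runs.
        uses: snyk/actions/docker@master
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
        with:
          image: ${{ env.DOCKER_ORG }}/pulumi-base:${{ env.PULUMI_VERSION }}-${{ matrix.os }}-${{ matrix.arch }}
          args: --severity-threshold=high --file=docker/base/Dockerfile.${{ matrix.os }} --platform=linux/${{ matrix.arch }}
      - name: Filter Sarif File
        # GitHub Code Scanning does not allow more than 20 runs per file. We
        # filter out empty runs to avoid this limit. The upload step below
        # must read out.sarif, otherwise this filtering is lost (it previously
        # uploaded the unfiltered snyk.sarif).
        run: |
          python - <<'PY'
          import json
          with open("snyk.sarif") as f:
              sarif = json.load(f)
          sarif["runs"] = [run for run in sarif["runs"] if len(run["results"]) > 0]
          with open("out.sarif", "w") as f:
              json.dump(sarif, f, indent=2)
          PY
      - name: Upload result to GitHub Code Scanning
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: out.sarif

  define-debian-matrix:
    runs-on: ubuntu-latest
    outputs:
      matrix: ${{ steps.define-matrix.outputs.matrix }}
    steps:
      - uses: actions/checkout@v4
      - name: Define Matrix
        id: define-matrix
        # Assign the generator output first so that, under `set -e`, a failing
        # generator fails this job instead of publishing an empty matrix that
        # only breaks later in debian-sdk's fromJSON. The echo is left
        # unquoted on purpose so any newlines in the JSON collapse to spaces
        # and the output stays a single-line value.
        run: |
          set -euo pipefail
          matrix=$(python ./.github/scripts/matrix/gen-matrix.py)
          echo matrix=$matrix >> "$GITHUB_OUTPUT"

  debian-sdk:
    name: Debian SDK images
    runs-on: ubuntu-latest
    needs: define-debian-matrix
    strategy:
      fail-fast: false
      matrix: ${{ fromJSON(needs.define-debian-matrix.outputs.matrix) }}
    steps:
      - uses: actions/checkout@v4
      - name: Set version
        # See kitchen-sink: read DISPATCH_REF from the shell environment, and
        # fail on an HTTP error instead of exporting an empty version.
        run: |
          set -euo pipefail
          if [ -z "${DISPATCH_REF:-}" ]; then
            PULUMI_VERSION="$(curl -fsSL https://www.pulumi.com/latest-version)"
          else
            PULUMI_VERSION="$DISPATCH_REF"
          fi
          echo "PULUMI_VERSION=${PULUMI_VERSION}" >> "$GITHUB_ENV"
      - name: Set image name
        # DOCKER_ORG and PULUMI_VERSION are already in the shell environment;
        # only the matrix values need expression interpolation.
        run: |
          set -euo pipefail
          echo "IMAGE_NAME=${DOCKER_ORG}/pulumi-${{ matrix.sdk }}${{ matrix.suffix }}:${PULUMI_VERSION}-debian-${{ matrix.arch }}" >> "$GITHUB_ENV"
      - name: Snyk scan
        continue-on-error: true
        # TODO(review): pin to a commit SHA; a branch ref can change under us
        # between runs.
        uses: snyk/actions/docker@master
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
        with:
          image: ${{ env.IMAGE_NAME }}
          args: --severity-threshold=high --file=docker/${{ matrix.sdk }}/Dockerfile.debian --platform=linux/${{ matrix.arch }}
      - name: Filter Sarif File
        # GitHub Code Scanning does not allow more than 20 runs per file. We
        # filter out empty runs to avoid this limit. The upload step below
        # must read out.sarif, otherwise this filtering is lost (it previously
        # uploaded the unfiltered snyk.sarif).
        run: |
          python - <<'PY'
          import json
          with open("snyk.sarif") as f:
              sarif = json.load(f)
          sarif["runs"] = [run for run in sarif["runs"] if len(run["results"]) > 0]
          with open("out.sarif", "w") as f:
              json.dump(sarif, f, indent=2)
          PY
      - name: Upload result to GitHub Code Scanning
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: out.sarif

  ubi-sdk:
    name: UBI SDK images
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false
      matrix:
        sdk: ["nodejs", "python", "dotnet", "go"]
    steps:
      - uses: actions/checkout@v4
      - name: Set version
        # See kitchen-sink: read DISPATCH_REF from the shell environment, and
        # fail on an HTTP error instead of exporting an empty version.
        run: |
          set -euo pipefail
          if [ -z "${DISPATCH_REF:-}" ]; then
            PULUMI_VERSION="$(curl -fsSL https://www.pulumi.com/latest-version)"
          else
            PULUMI_VERSION="$DISPATCH_REF"
          fi
          echo "PULUMI_VERSION=${PULUMI_VERSION}" >> "$GITHUB_ENV"
      - name: Snyk scan
        continue-on-error: true
        # TODO(review): pin to a commit SHA; a branch ref can change under us
        # between runs.
        uses: snyk/actions/docker@master
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
        with:
          image: ${{ env.DOCKER_ORG }}/pulumi-${{ matrix.sdk }}:${{ env.PULUMI_VERSION }}-ubi
          args: --severity-threshold=high --file=docker/${{ matrix.sdk }}/Dockerfile.ubi --platform=linux/amd64
      - name: Filter Sarif File
        # GitHub Code Scanning does not allow more than 20 runs per file. We
        # filter out empty runs to avoid this limit. The upload step below
        # must read out.sarif, otherwise this filtering is lost (it previously
        # uploaded the unfiltered snyk.sarif).
        run: |
          python - <<'PY'
          import json
          with open("snyk.sarif") as f:
              sarif = json.load(f)
          sarif["runs"] = [run for run in sarif["runs"] if len(run["results"]) > 0]
          with open("out.sarif", "w") as f:
              json.dump(sarif, f, indent=2)
          PY
      - name: Upload result to GitHub Code Scanning
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: out.sarif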