diff --git a/.github/workflows/main.yaml b/.github/workflows/main.yaml new file mode 100644 index 0000000..f14e28e --- /dev/null +++ b/.github/workflows/main.yaml @@ -0,0 +1,121 @@ +--- +name: main + +on: + push: + pull_request: + workflow_dispatch: + +defaults: + run: + shell: bash + +env: + HADOLINT_IMAGE: "ghcr.io/hadolint/hadolint:latest" + TRIVY_IMAGE: "ghcr.io/aquasecurity/trivy:latest" + +jobs: + build: + runs-on: ubuntu-22.04 + permissions: + security-events: write + # only required for workflows in private repositories + # actions: read + # contents: read + steps: + - name: Checkout repo + uses: actions/checkout@v4 + - name: Pull images + run: | + docker pull "${HADOLINT_IMAGE}" + docker pull "${TRIVY_IMAGE}" + - name: Run Trivy - Dockerfile check + run: | + config="trivy-configs/dockerfile.yaml" + if [ ! -f "./${config}" ]; then + echo "Error: Missing ./configs/${config}" + exit 1 + fi + docker run \ + --rm \ + -v $HOME/.cache/trivy:/root/.cache \ + -v "$(pwd)":/repo \ + "${TRIVY_IMAGE}" \ + config \ + --config "/repo/${config}" \ + /repo/Dockerfile + - name: Run hadolint + run: | + docker run \ + --rm \ + -i \ + -v "$(pwd)":/repo \ + "${HADOLINT_IMAGE}" \ + hadolint \ + --config /repo/hadolint.yaml \ + - < Dockerfile + - name: Build Docker image + run: | + img="ghcr.io/${{ github.repository }}" + version="$(grep _VERSION= Dockerfile | cut -d'"' -f2)" + image_revision="$(grep _IMAGE_REVISION= Dockerfile | cut -d'"' -f2)" + tag="${version}-${image_revision}" + build_ctx=$(mktemp -d) + cp -t "${build_ctx}" script.py + docker build -f Dockerfile --tag "${img}:${tag}" --tag "${img}:latest" "${build_ctx}" + echo "img=${img}" >> "${GITHUB_ENV}" + echo "tag=${tag}" >> "${GITHUB_ENV}" + - name: Run Trivy - image scan + run: | + reports_dir=$(mktemp -d) + docker inspect --format="{{index .Id}}" "${img}:${tag}" > "${reports_dir}/image-id.txt" + + config="trivy-configs/image-scan.yaml" + if [ ! -f "./${config}" ]; then + echo "Error: Missing ./configs/${config}" + exit 1 + fi + + # Generate SARIF report for GitHub Security + docker run \ + --rm \ + -v /var/run/docker.sock:/var/run/docker.sock \ + -v $HOME/.cache/trivy:/root/.cache \ + -v "${reports_dir}":/reports \ + -v "$(pwd)":/repo \ + "${TRIVY_IMAGE}" \ + image \ + --config "/repo/${config}" \ + --format sarif \ + --output /reports/image-scan.sarif \ + "${img}:${tag}" + + # Generate SBOM + docker run \ + --rm \ + -v /var/run/docker.sock:/var/run/docker.sock \ + -v $HOME/.cache/trivy:/root/.cache \ + -v "${reports_dir}":/reports \ + -v $(pwd):/repo \ + "${TRIVY_IMAGE}" \ + image \ + --config "/repo/${config}" \ + --format cyclonedx \ + --output /reports/trivy-sbom.json \ + "${img}:${tag}" + echo "reports_dir=${reports_dir}" >> "$GITHUB_ENV" + - name: Upload artifacts to GHA + uses: actions/upload-artifact@v4 + with: + name: 'trivy-reports' + path: '${{ env.reports_dir }}/' + # - name: Upload SARIF report + # uses: github/codeql-action/upload-sarif@v3 + # with: + # sarif_file: '${{ env.reports_dir }}/image-scan.sarif' + # token: "${{ secrets.GITHUB_TOKEN }}" + # - name: push image + # run: | + # echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u $ --password-stdin + # docker push "$img:$tag" + # docker push "$img:latest" diff --git a/Dockerfile b/Dockerfile new file mode 100644 index 0000000..1d380f1 --- /dev/null +++ b/Dockerfile @@ -0,0 +1,26 @@ +FROM debian:12-slim@sha256:67f3931ad8cb1967beec602d8c0506af1e37e8d73c2a0b38b181ec5d8560d395 + +ARG PACKAGE_VERSION="1.2.3" +ARG PACKAGE_IMAGE_REVISION="1" + +RUN : \ + && apt-get update -qq \ + && DEBIAN_FRONTEND=noninteractive apt-get upgrade -qq -y --no-install-recommends \ + && DEBIAN_FRONTEND=noninteractive apt-get install \ + -qq -y --no-install-recommends \ + ca-certificates \ + curl \ + python3 \ + && apt-get clean \ + && rm -rf /var/lib/apt/lists/* \ + && : + +RUN mkdir /safe_data /safe_outputs /scratch + +WORKDIR /src +COPY script.py script.py + +RUN groupadd --system nonroot && useradd --no-log-init --system --gid nonroot nonroot +USER nonroot + +ENTRYPOINT ["python3", "script.py"] diff --git a/hadolint.yaml b/hadolint.yaml new file mode 100644 index 0000000..a6d3f21 --- /dev/null +++ b/hadolint.yaml @@ -0,0 +1,3 @@ +ignored: + # Ignore "Pin versions in apt get install" + - DL3008 diff --git a/script.py b/script.py new file mode 100644 index 0000000..ed09bce --- /dev/null +++ b/script.py @@ -0,0 +1,6 @@ +def main() -> int: + print("Hello, world!") + return 0 + +if __name__ == "__main__": + raise SystemExit(main()) diff --git a/trivy-configs/dockerfile.yaml b/trivy-configs/dockerfile.yaml new file mode 100644 index 0000000..d693d5c --- /dev/null +++ b/trivy-configs/dockerfile.yaml @@ -0,0 +1,10 @@ +--- +misconfiguration: + check-bundle-repository: ghcr.io/aquasecurity/trivy-checks:0 + scanners: + - dockerfile +severity: + - MEDIUM + - HIGH + - CRITICAL +exit-code: 1 diff --git a/trivy-configs/image-scan.yaml b/trivy-configs/image-scan.yaml new file mode 100644 index 0000000..5596438 --- /dev/null +++ b/trivy-configs/image-scan.yaml @@ -0,0 +1,13 @@ +--- +scan: + scanners: + - vuln + - secret +severity: + - UNKNOWN + - LOW + - MEDIUM + - HIGH + - CRITICAL +include-non-failures: true +timeout: 30m