feat: copa-action initial

.github/workflows/build.yaml

@@ -0,0 +1,50 @@
+name: "build"
+on: [push, pull_request]
+env:
+  TRIVY_VERSION: 0.44.0
+  COPA_VERSION: 0.3.0
+permissions: read-all
+jobs:
+  build:
+    name: build
+    runs-on: ubuntu-latest
+    steps:
+      - name: Setup BATS
+        uses: mig4/setup-bats@v1
+        with:
+          bats-version: 1.7.0
+
+      - name: Check out code
+        uses: actions/[email protected]
+
+      - name: Install Trivy
+        run: |
+            curl -fsSL -o trivy.tar.gz https://github.com/aquasecurity/trivy/releases/download/v${{ env.TRIVY_VERSION }}/trivy_${{ env.TRIVY_VERSION }}_Linux-64bit.tar.gz
+            tar -zxvf trivy.tar.gz
+            cp trivy /usr/local/bin/
+
+      - name: Set up Docker
+        uses: docker/setup-buildx-action@ecf95283f03858871ff00b787d79c419715afc34
+
+      - name: Pull docker.io/library/nginx:1.21.6
+        run: docker pull docker.io/library/nginx:1.21.6
+
+      - name: Install Copa
+        run: |
+            curl --retry 5 -fsSL -o copa.tar.gz https://github.com/project-copacetic/copacetic/releases/download/v${{ env.COPA_VERSION }}/copa_${{ env.COPA_VERSION }}_linux_amd64.tar.gz
+            tar -zxvf copa.tar.gz 
+            cp copa /usr/local/bin/
+
+      - name: Bats Test
+        run: |
+          docker run --net=host --detach --rm --privileged -p 127.0.0.1:8888:8888 --name buildkitd --entrypoint buildkitd moby/buildkit:v0.12.0 --addr tcp://0.0.0.0:8888
+          docker build --build-arg copa_version=${{ env.COPA_VERSION }} -t copa-action .
+          cd ${{ github.workspace }}/test
+          docker run --net=host \
+            --mount=type=bind,source=$(pwd)/data,target=/data \
+            --mount=type=bind,source=/var/run/docker.sock,target=/var/run/docker.sock \
+            --mount=type=bind,source=$GITHUB_OUTPUT,target=$GITHUB_OUTPUT -e GITHUB_OUTPUT \
+            --name=copa-action \
+            copa-action 'docker.io/library/nginx:1.21.6' 'nginx.1.21.6.json' '-patched'
+          docker images
+          bats --print-output-on-failure ./test.bats

Dockerfile

@@ -0,0 +1,31 @@
+FROM debian:12-slim
+
+SHELL ["/bin/bash", "-o", "pipefail", "-c"]
+
+# Get copa_version arg
+ARG copa_version
+
+# Copies your code file from your action repository to the filesystem path `/` of the container
+COPY entrypoint.sh /entrypoint.sh 
+
+# Install required packages
+RUN apt-get update && \
+    apt-get install -y tar ca-certificates gnupg curl jq --no-install-recommends && \
+    # Import Docker GPG key
+    install -m 0755 -d /etc/apt/keyrings && \
+    curl --retry 5 -fsSL https://download.docker.com/linux/debian/gpg | gpg --dearmor -o /etc/apt/keyrings/docker.gpg && \
+    chmod a+r /etc/apt/keyrings/docker.gpg && \
+    # Add the Docker repository with the correct key ID
+    echo "deb [arch=amd64 signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/debian $(. /etc/os-release && echo "$VERSION_CODENAME") stable" | \
+    tee /etc/apt/sources.list.d/docker.list > /dev/null && \
+    # Install Docker
+    apt-get update && \
+    apt-get install -y docker-ce docker-ce-cli containerd.io --no-install-recommends
+
+# Install Copa
+RUN curl --retry 5 -fsSL -o copa.tar.gz https://github.com/project-copacetic/copacetic/releases/download/v${copa_version}/copa_${copa_version}_linux_amd64.tar.gz && \
+    tar -zxvf copa.tar.gz && \
+    cp copa /usr/local/bin/
+
+# Code file to execute when the docker container starts up (`entrypoint.sh`)
+ENTRYPOINT ["/entrypoint.sh"]

README.md

@@ -1 +1,96 @@
-# copa-action
+# Copa Action
+
+This action patches vulnerable containers using [Copa](https://github.com/project-copacetic/copacetic).
+
+## Inputs
+
+## `image`
+
+**Required** The image reference to patch.
+
+## `image-report`
+
+**Required** The trivy json vulnerability report of the image to patch.
+
+## `patched-tag`
+
+**Required** The patched image tag to append to the original tag.
+
+## `copa-version`
+
+**Optional** The Copa version used in the action, default is latest.
+
+## Output
+
+## `patched-image`
+
+Image reference of the resulting patched image.
+
+## Example usage
+
+```
+on: [push]
+
+jobs:
+    test:
+        runs-on: ubuntu-latest
+
+        strategy:
+          fail-fast: false
+          matrix:
+            # provide relevant list of images to scan on each run
+            images: ['docker.io/library/nginx:1.21.6', 'docker.io/openpolicyagent/opa:0.46.0', 'docker.io/library/hello-world:latest']
+
+        steps:
+        - name: Checkout repository
+          uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v0.1.0
+          with:
+            repository: project-copacetic/copa-action
+            ref: main
+
+        - name: Set up Docker Buildx
+          uses: docker/setup-buildx-action@ecf95283f03858871ff00b787d79c419715afc34
+
+        - name: Generate Trivy Report
+          uses: aquasecurity/trivy-action@465a07811f14bebb1938fbed4728c6a1ff8901fc
+          with:
+            scan-type: 'image'
+            format: 'json'
+            output: 'report.json'
+            ignore-unfixed: true
+            vuln-type: 'os'
+            image-ref: ${{ matrix.images }}
+
+        - name: Check Vuln Count
+          id: vuln_cout
+          run: |
+            report_file="report.json"
+            vuln_count=$(jq '.Results | length' "$report_file")
+            echo "vuln_count=$vuln_count" >> $GITHUB_OUTPUT
+
+        - name: Copa Action
+          if: steps.vuln_cout.outputs.vuln_count != '0'
+          id: copa
+          uses: project-copacetic/[email protected]
+          with:
+            image: ${{ matrix.images }}
+            image-report: 'report.json'
+            patched-tag: '-patched'
+            buildkit-version: 'v0.11.6'
+            # optional, default is latest
+            copa-version: '0.2.0'
+
+        - name: Login to Docker Hub
+          if: steps.copa.conclusion == 'success'
+          id: login
+          uses: docker/login-action@465a07811f14bebb1938fbed4728c6a1ff8901fc
+          with:
+            username: 'user'
+            password: ${{ secrets.DOCKERHUB_TOKEN }}
+
+        - name: Docker Push Patched Image
+          if: steps.login.conclusion == 'success'
+          run: |
+            docker push ${{ steps.copa.outputs.patched-image }}
+
+```

action.yaml

@@ -0,0 +1,42 @@
+name: 'Copa Action'
+description: 'Patch Vulnerable Images'
+inputs:
+  image:
+    description: 'The image reference to patch'
+    required: true
+  image-report:
+    description: 'The trivy json report of the image to patch'
+    required: true
+  patched-tag:
+    description: 'The patched image tag to append to the original tag'
+    required: true
+  buildkit-version:
+    description: "Buildkit version to use with Copa"
+  copa-version:
+    description: "Copa version to use"
+outputs:
+  patched-image:
+    description: 'Image reference of patched image'
+    value: ${{ steps.copa-action.outputs.patched-image }}
+runs:
+  using: "composite"
+  steps: 
+    - name: docker build copa-action
+      shell: bash
+      run: |
+        if [ -z "${{ inputs.copa-version }}" ]; then
+          latest_tag=$(curl -s "https://api.github.com/repos/project-copacetic/copacetic/releases/latest" | jq -r '.tag_name')
+          latest_version="${latest:1}"
+        else
+          latest_version=${{ inputs.copa-version }}
+        fi
+        docker build --build-arg copa_version=${latest_version} -t copa-action .
+    - name: docker run buildkitd
+      shell: bash
+      run: |
+        docker run --net=host --detach --rm --privileged -p 127.0.0.1:8888:8888 --name buildkitd --entrypoint buildkitd moby/buildkit:${{ inputs.buildkit-version }} --addr tcp://0.0.0.0:8888
+    - name: docker run copa-action
+      id: copa-action
+      shell: bash
+      run : |
+        docker run --net=host --mount=type=bind,source=$(pwd),target=/data --mount=type=bind,source=/var/run/docker.sock,target=/var/run/docker.sock --mount=type=bind,source=$GITHUB_OUTPUT,target=$GITHUB_OUTPUT -e GITHUB_OUTPUT --name=copa-action copa-action ${{ inputs.image }} ${{ inputs.image-report }} ${{ inputs.patched-tag }}

entrypoint.sh

@@ -0,0 +1,22 @@
+#!/bin/sh
+
+image=$1
+report=$2
+patched_tag=$3
+
+# parse image into image name and image tag
+image_no_tag=$(echo "$image" | cut -d':' -f1)
+old_tag=$(echo "$image" | cut -d':' -f2)
+
+# new patched image tag
+new_tag="$old_tag$patched_tag"
+
+# run copa to patch image
+if copa patch -i "$image" -r ./data/"$report" -t "$new_tag" --addr tcp://0.0.0.0:8888;
+then
+    patched_image="$image_no_tag:$new_tag"
+    echo "patched-image=$patched_image" >> "$GITHUB_OUTPUT"
+else
+    echo "Error patching image $image with copa"
+    exit 1
+fi