feat: copa-action initial #1

Merged
Changes from 14 commits
57 commits
ec9a579
feat: copa-action initial
ashnamehrotra Jun 13, 2023
62c6c21
action.yaml initial
ashnamehrotra Jun 13, 2023
6363d4d
sonatype-lift changes
ashnamehrotra Jun 13, 2023
3db5135
change action versions to digests, use real docker test images, renam…
ashnamehrotra Jun 13, 2023
8da4d28
add buildkit version as param
ashnamehrotra Jun 13, 2023
9aecb5b
Dockerfile changes
ashnamehrotra Jun 13, 2023
033045a
change Docker install approach
ashnamehrotra Jun 14, 2023
6649a37
remove set output from readme
ashnamehrotra Jun 14, 2023
aa80612
docker login action digest
ashnamehrotra Jun 14, 2023
184ec31
use
ashnamehrotra Jun 22, 2023
efc888a
change checkout repository to copa-action in reference workflow
ashnamehrotra Jun 22, 2023
8a9f3b6
resolve sonatype-lift comments
ashnamehrotra Jun 22, 2023
dce247d
update version in readme
ashnamehrotra Jun 23, 2023
e28f627
create one layer with packages before copa in Dockerfile
ashnamehrotra Jun 27, 2023
0c8a9e8
resolve sonatype comments - remove wget and sudo
ashnamehrotra Jun 27, 2023
e938931
cleanup
ashnamehrotra Jul 10, 2023
aa072f7
add retry to curl commands
ashnamehrotra Jul 10, 2023
d0171ab
copa version as param
ashnamehrotra Jul 27, 2023
bce0766
0.3.0 as default copa version
ashnamehrotra Jul 27, 2023
f7f95a6
specify ./data..
ashnamehrotra Jul 27, 2023
f618232
add test
ashnamehrotra Jul 28, 2023
dda6c9c
change action to always use latest copa version
ashnamehrotra Jul 28, 2023
95e9bda
optional copa version
ashnamehrotra Jul 31, 2023
606dc88
use docker library nginx image in test
ashnamehrotra Jul 31, 2023
5b43215
remove test dependencies, only use assert_equal
ashnamehrotra Jul 31, 2023
c92afc1
ci for bats test
ashnamehrotra Jul 31, 2023
d1770cf
run bats in test dir
ashnamehrotra Jul 31, 2023
19401a3
chmod +x entrypoint.sh
ashnamehrotra Jul 31, 2023
052b7d7
fix paths in bats
ashnamehrotra Jul 31, 2023
e141358
change order actual vs expected
ashnamehrotra Jul 31, 2023
403b3b6
debug bats in build ci
ashnamehrotra Jul 31, 2023
63b002b
load image, run docker images
ashnamehrotra Jul 31, 2023
2a7ac85
pull nginx image in workflow
ashnamehrotra Jul 31, 2023
acbcffd
debug output
ashnamehrotra Jul 31, 2023
c992d2c
run entrypoint in separate test
ashnamehrotra Aug 1, 2023
4e483be
change data files to use whole image name
ashnamehrotra Aug 1, 2023
08b644f
change output vars
ashnamehrotra Aug 1, 2023
a710e45
check for file
ashnamehrotra Aug 1, 2023
87751c5
use ubuntu-latest
ashnamehrotra Aug 1, 2023
a88c974
delete .gitmodules
ashnamehrotra Aug 1, 2023
fd8ce84
actions/checkout v3.5.3
ashnamehrotra Aug 1, 2023
71ba4a1
change permission to read-all
ashnamehrotra Aug 1, 2023
42e2ccc
install trivy binary
ashnamehrotra Aug 1, 2023
d0e0b3a
test with assert_success
ashnamehrotra Aug 1, 2023
9ba67f5
run buildkitd with host network
ashnamehrotra Aug 1, 2023
896a2b6
cleanup and test
ashnamehrotra Aug 3, 2023
3d97522
debugging
ashnamehrotra Aug 3, 2023
b9cf670
debugging - move setup code to ci
ashnamehrotra Aug 3, 2023
d339ff3
check for patched image
ashnamehrotra Aug 3, 2023
f2fc1e2
fix patched tag
ashnamehrotra Aug 3, 2023
7ba72ab
modify to check patched image exists and run trivy
ashnamehrotra Aug 3, 2023
51f48bf
change to check for vulns
ashnamehrotra Aug 4, 2023
1297a8a
check image exists in bats
ashnamehrotra Aug 4, 2023
ea9ba0d
buildkit version env var
ashnamehrotra Aug 4, 2023
236dd9b
new tag instead of appending
ashnamehrotra Aug 4, 2023
b349144
remove debugging
ashnamehrotra Aug 4, 2023
de6bcb8
update documentation
ashnamehrotra Aug 4, 2023
@@ -0,0 +1,34 @@
FROM debian:12-slim

SHELL ["/bin/bash", "-o", "pipefail", "-c"]

# Copies your code file from your action repository to the filesystem path `/` of the container
COPY entrypoint.sh /entrypoint.sh

# Copy all trivy report data
COPY *.json /data/

# Mount data volume
VOLUME /data

# Install required packages
RUN apt-get update && \
apt-get install -y wget tar sudo ca-certificates gnupg curl --no-install-recommends && \
# Import Docker GPG key
sudo install -m 0755 -d /etc/apt/keyrings && \
curl -fsSL https://download.docker.com/linux/debian/gpg | sudo gpg --dearmor -o /etc/apt/keyrings/docker.gpg && \
sudo chmod a+r /etc/apt/keyrings/docker.gpg && \
# Add the Docker repository with the correct key ID
echo "deb [arch=amd64 signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/debian $(. /etc/os-release && echo "$VERSION_CODENAME") stable" | \
sudo tee /etc/apt/sources.list.d/docker.list > /dev/null && \
# Install Docker
apt-get update && \
apt-get install -y docker-ce docker-ce-cli containerd.io --no-install-recommends

# Install Copa
RUN wget -q https://github.com/project-copacetic/copacetic/releases/download/v0.2.0/copa_0.2.0_linux_amd64.tar.gz && \
tar -zxvf copa_0.2.0_linux_amd64.tar.gz && \
cp copa /usr/local/bin/

# Code file to execute when the docker container starts up (`entrypoint.sh`)
ENTRYPOINT ["/entrypoint.sh"]
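Review bot: the Copa install at `RUN wget -q https://github.com/project-copacetic/copacetic/releases/download/v0.2.0/copa_0.2.0_linux_amd64.tar.gz` extracts and copies the binary into `/usr/local/bin/` without any integrity check, so a tampered or truncated download is accepted silently; if the release publishes a checksum file, fetch it too and run `sha256sum -c` before `tar -zxvf`, otherwise pin the expected tarball digest in the Dockerfile and compare against it. Also, `RUN` steps in this image already execute as root, so the `sudo install`, `sudo gpg`, `sudo chmod` and `sudo tee` prefixes add nothing except the `sudo` package itself; dropping them (and `wget`, since `curl` is installed anyway) shortens the `apt-get install -y wget tar sudo ca-certificates gnupg curl` line and the image's attack surface.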
91 changes: 90 additions & 1 deletion README.md
@@ -1 +1,90 @@
# copa-action
# Copa Action

This action patches vulnerable containers using [Copa](https://github.com/project-copacetic/copacetic).

## Inputs

## `image`

**Required** The image reference to patch.

## `image-report`

**Required** The trivy json vulnerability report of the image to patch.

## `patched-tag`

**Required** The patched image tag to append to the original tag.

## Output

## `patched-image`

Image reference of the resulting patched image.

## Example usage

```
on: [push]

jobs:
test:
runs-on: ubuntu-latest

strategy:
fail-fast: false
matrix:
# provide relevant list of images to scan on each run
images: ['docker.io/library/nginx:1.21.6', 'docker.io/openpolicyagent/opa:0.46.0', 'docker.io/library/hello-world:latest']

steps:
- name: Checkout repository
uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v0.1.0
with:
repository: project-copacetic/copa-action
ref: main

- name: Set up Docker Buildx
uses: docker/setup-buildx-action@ecf95283f03858871ff00b787d79c419715afc34

- name: Generate Trivy Report
uses: aquasecurity/trivy-action@465a07811f14bebb1938fbed4728c6a1ff8901fc
with:
scan-type: 'image'
format: 'json'
output: 'report.json'
ignore-unfixed: true
vuln-type: 'os'
image-ref: ${{ matrix.images }}

- name: Check Vuln Count
id: vuln_cout
run: |
report_file="report.json"
vuln_count=$(jq '.Results | length' "$report_file")
echo "vuln_count=$vuln_count" >> $GITHUB_OUTPUT

- name: Copa Action
if: steps.vuln_cout.outputs.vuln_count != '0'
id: copa
uses: project-copacetic/[email protected]
with:
image: ${{ matrix.images }}
image-report: 'report.json'
patched-tag: '-patched'
buildkit-version: 'v0.11.6'

- name: Login to Docker Hub
if: steps.copa.conclusion == 'success'
id: login
uses: docker/login-action@465a07811f14bebb1938fbed4728c6a1ff8901fc
with:
username: 'user'
password: ${{ secrets.DOCKERHUB_TOKEN }}

- name: Docker Push Patched Image
if: steps.login.conclusion == 'success'
run: |
docker push ${{ steps.copa.outputs.patched-image }}

```
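Review bot: `docker/login-action@465a07811f14bebb1938fbed4728c6a1ff8901fc` reuses the exact digest pinned for `aquasecurity/trivy-action` a few steps earlier; a commit SHA belongs to one repository, so at least one of the two pins cannot resolve and the workflow will fail at that step. Check each against its upstream release and annotate each with the matching version (the `# v0.1.0` comment beside `actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9` does not describe a checkout release either). Separately, the `Check Vuln Count` step's `jq '.Results | length'` counts result entries (one per scanned target), not vulnerabilities, so a clean image still produces a non-zero count and the Copa step runs anyway; summing `.Results[].Vulnerabilities` lengths (treating a missing array as empty) gives the real count. Minor: the fence has no language tag; tagging it as yaml gives readers highlighting.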
34 changes: 34 additions & 0 deletions action.yaml
@@ -0,0 +1,34 @@
name: 'Copa Action'
description: 'Patch Vulnerable Images'
inputs:
image:
description: 'The image reference to patch'
required: true
image-report:
description: 'The trivy json report of the image to patch'
required: true
patched-tag:
description: 'The patched image tag to append to the original tag'
required: true
buildkit-version:
description: "Buildkit version to use with Copa"
outputs:
patched-image:
description: 'Image reference of patched image'
value: ${{ steps.copa-action.outputs.patched-image }}
runs:
using: "composite"
steps:
- name: docker build copa-action
shell: bash
run: |
docker build -t copa-action .
- name: docker run buildkitd
shell: bash
run: |
docker run --net=host --detach --rm --privileged -p 127.0.0.1:8888:8888 --name buildkitd --entrypoint buildkitd moby/buildkit:${{ inputs.buildkit-version }} --addr tcp://0.0.0.0:8888
- name: docker run copa-action
id: copa-action
shell: bash
run : |
docker run --net=host --mount=type=bind,source=/var/run/docker.sock,target=/var/run/docker.sock --mount=type=bind,source=$GITHUB_OUTPUT,target=$GITHUB_OUTPUT -e GITHUB_OUTPUT --name=copa-action copa-action ${{ inputs.image }} ${{ inputs.image-report }} ${{ inputs.patched-tag }} tcp://0.0.0.0:8888
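Review bot: in the `docker run buildkitd` step, `--net=host` makes `-p 127.0.0.1:8888:8888` a no-op (published ports are discarded in host network mode), so `--addr tcp://0.0.0.0:8888` leaves a `--privileged` buildkitd listening on every interface of the runner; bind it to loopback with `--addr tcp://127.0.0.1:8888` and pass that same address to the copa-action step, which currently hands Copa `tcp://0.0.0.0:8888`. Also, `buildkit-version` has no `default:` and the README does not list it as an input, so when a caller omits it the step expands to `moby/buildkit:` and the pull fails; add a default (the README example uses `v0.11.6`) or mark it `required: true`. Minor: `run :` on the last step has a stray space before the colon.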
23 changes: 23 additions & 0 deletions entrypoint.sh
@@ -0,0 +1,23 @@
#!/bin/sh

image=$1
report=$2
patched_tag=$3

# parse image into image name and image tag
image_no_tag=$(echo "$image" | cut -d':' -f1)
old_tag=$(echo "$image" | cut -d':' -f2)

# new patched image tag
new_tag="$old_tag$patched_tag"
Member: what do you think about just specifying a new tag instead of appending? This way the user can specify anything.


# run copa to patch image
if copa patch -i "$image" -r /data/"$report" -t "$new_tag" --addr tcp://0.0.0.0:8888;
then
patched_image="$image_no_tag:$new_tag"
# echo "::set-output name=patched-image::$patched_image"
echo "patched-image=$patched_image" >> "$GITHUB_OUTPUT"
else
echo "Error patching image $image with copa"
exit 1
fi
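Review bot: the tag parsing with `cut -d':' -f1` and `cut -d':' -f2` breaks for references that contain a colon other than the tag separator, or none at all: `localhost:5000/nginx:1.21` yields `image_no_tag=localhost` and `old_tag=5000/nginx`, and an untagged `nginx` yields `old_tag=nginx`, so in both cases `patched_image="$image_no_tag:$new_tag"` is a reference that does not match what Copa produced. Split on the last colon after the final slash instead (for example take `name=${image##*/}`, set `old_tag=${name##*:}` only when `$name` contains a colon and default to `latest` otherwise, and derive `image_no_tag` from `${image%:*}` only in the tagged case); a digest reference (`@sha256:...`) is a third shape that should be rejected explicitly rather than mangled.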