Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/moviemaker93/demo-avellino-linux-day-2024
https://github.com/moviemaker93/demo-avellino-linux-day-2024
Last synced: 4 days ago
JSON representation
- Host: GitHub
- URL: https://github.com/moviemaker93/demo-avellino-linux-day-2024
- Owner: MovieMaker93
- License: apache-2.0
- Created: 2024-10-15T10:40:44.000Z (about 1 month ago)
- Default Branch: main
- Last Pushed: 2024-10-23T22:13:46.000Z (23 days ago)
- Last Synced: 2024-10-24T10:32:51.028Z (23 days ago)
- Size: 130 KB
- Stars: 0
- Watchers: 1
- Forks: 0
- Open Issues: 0
-
Metadata Files:
- Readme: README.md
- License: LICENSE
Awesome Lists containing this project
README
Secure your Image with Trivy and Copacetic
Secure your Image
Ensuring that your base image is secure is crucial for minimizing the attack surface and addressing both existing and future OS vulnerabilities (CVEs). Instead of waiting for an upstream base image to be updated, you can take control by patching the image yourself with a new "Patched Layer."
Why should you patch the image yourself?
- Empowers DevSecOps Engineers to fix vulnerabilities in container images
- Reduces storage and transmission costs
- Avoids delays caused by waiting for upstream updates
- Simplifies the process, reducing complexity over full image rebuilds
## Table of Contents
- [Pipeline Architecture](#architecture)
- [Pipeline Steps](#steps)
Pipeline Architecture
The steps are:
- Run the github action (manually or by pushing on the repo)
- Pull OCI Images from registries
- Run the Trivy Scan for generating vulnerability report
- Patch the image with Copacetic
- Push the patched image to Github Registry
Pipeline Steps
## Trivy db cache
To speed up the pipeline and avoid rate limitations when using Trivy for scanning, a good practice is to cache the vulnerability database instead of downloading it every time. This can significantly improve performance and reliability during the scanning process.
```yaml
- id: trivy-db
name: Check trivy db sha
env:
GH_TOKEN: ${{ github.token }}
run: |
endpoint='/orgs/aquasecurity/packages/container/trivy-db/versions'
headers='Accept: application/vnd.github+json'
jqFilter='.[] | select(.metadata.container.tags[] | contains("latest")) | .name | sub("sha256:";"")'
sha=$(gh api -H "${headers}" "${endpoint}" | jq --raw-output "${jqFilter}")
echo "Trivy DB sha256:${sha}"
echo "sha=${sha}" >> $GITHUB_OUTPUT
```
It checks whether the current `sha` is the same of the remote one.
## Trivy scan for OS vulnerabilities
The second step is the Trivy scan for fixed vulnerabilites OS:
```yaml
- name: Generate Trivy Report
uses: aquasecurity/[email protected]
with:
scan-type: "image"
format: "json"
output: "report.json"
ignore-unfixed: true
vuln-type: "os"
image-ref: ${{ matrix.images }}
cache-dir: .trivy
```
The output from the Trivy scan is stored in a report.json file, which is used in subsequent steps to tally the actual number of vulnerabilities. This allows for easy tracking of potential security risks and helps in assessing the overall security posture of the scanned environment.
## Count and Display of vulnerabilites pre patched
```yaml
- name: Check vulnerability count
id: vuln_count
run: |
report_file="report.json"
vuln_count=$(jq 'if .Results then [.Results[] | select(.Class=="os-pkgs" and .Vulnerabilities!=null) | .Vulnerabilities[]] | length else 0 end' "$report_file")
echo "vuln_count=$vuln_count" >> $GITHUB_OUTPUT
- name: Display vulnerability count
run: |
echo "Vulnerability Count: ${{ steps.vuln_count.outputs.vuln_count }}"
```
## Copa action
This step is designed to address and fix the vulnerabilities identified during the Trivy scan:
```yaml
- name: Run Copa action
if: steps.vuln_count.outputs.vuln_count != '0'
id: copa
uses: project-copacetic/[email protected]
with:
image: ${{ matrix.images }}
image-report: "report.json"
patched-tag: ${{ env.PATCHED_TAG }}
output: openvex.json
```
It leverages the report.json as base for patching the vulns.
## Push the image to Github Registry
```yaml
- name: Login to GHCR
if: steps.copa.conclusion == 'success'
id: login
uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Push patched image
if: steps.login.conclusion == 'success'
run: |
# retag if needed
docker tag ${{ steps.copa.outputs.patched-image }} ghcr.io/moviemaker93/demo-avellino-linux-day-2024/${{ env.IMAGE_NAME }}:${{ env.PATCHED_TAG }}
docker push ghcr.io/moviemaker93/demo-avellino-linux-day-2024/${{ env.IMAGE_NAME }}:${{env.PATCHED_TAG}}
```
## Scan the patched image
Final check to ensure that the vulns are corrected patched trough the copa action:
```yaml
- name: Pull patched image
if: steps.login.conclusion == 'success'
run: |
# retag if needed
docker pull ghcr.io/moviemaker93/demo-avellino-linux-day-2024/${{ env.IMAGE_NAME }}:${{env.PATCHED_TAG}}
- name: Generate Trivy Report for Patched
uses: aquasecurity/[email protected]
with:
scan-type: "image"
format: "json"
output: "report-patched.json"
ignore-unfixed: true
vuln-type: "os"
image-ref: "ghcr.io/moviemaker93/demo-avellino-linux-day-2024/${{ env.IMAGE_NAME }}:${{env.PATCHED_TAG}}"
- name: Check vulnerability count Patched
id: vuln_count_patched
run: |
report_file="report-patched.json"
vuln_count=$(jq 'if .Results then [.Results[] | select(.Class=="os-pkgs" and .Vulnerabilities!=null) | .Vulnerabilities[]] | length else 0 end' "$report_file")
echo "vuln_count_patched=$vuln_count" >> $GITHUB_OUTPUT
- name: Display vulnerability count Patched
run: |
echo "Vulnerability Count: ${{ steps.vuln_count_patched.outputs.vuln_count_patched }}"
```