From 01f55e2b773be9613fd17dea3fe0af128c5a84dc Mon Sep 17 00:00:00 2001
From: David Rochow
Date: Tue, 13 Aug 2024 13:40:57 +0200
Subject: [PATCH] build(images) : building and publishing of images (#136)

* build(images): added automatic building and publishing of images on ghcr.io
* Automatic application of license header
* build(images): temporary activate for pushes to helm-chart to verify functioning
* build(images): removed trigger on helm-charts branch push
* build(images): bump golang version

---------

Co-authored-by: License Bot
---
 .github/workflows/build_images.yaml | 172 ++++++++++++++++++++++++++++
 Dockerfile.scanner-k8s-assets | 14 +++
 Dockerfile.scanner-keppel | 16 +++
 Dockerfile.scanner-nvd | 15 +++
 Makefile | 11 ++
 go.mod | 2 +-
 scanner/k8s-assets/go.mod | 3 +
 scanner/k8s-assets/main.go | 12 ++
 scanner/keppel/go.mod | 3 +
 scanner/keppel/main.go | 12 ++
 scanner/nvd/go.mod | 3 +
 scanner/nvd/main.go | 12 ++
 12 files changed, 274 insertions(+), 1 deletion(-)
 create mode 100644 .github/workflows/build_images.yaml
 create mode 100644 Dockerfile.scanner-k8s-assets
 create mode 100644 Dockerfile.scanner-keppel
 create mode 100644 Dockerfile.scanner-nvd
 create mode 100644 scanner/k8s-assets/go.mod
 create mode 100644 scanner/k8s-assets/main.go
 create mode 100644 scanner/keppel/go.mod
 create mode 100644 scanner/keppel/main.go
 create mode 100644 scanner/nvd/go.mod
 create mode 100644 scanner/nvd/main.go

diff --git a/.github/workflows/build_images.yaml b/.github/workflows/build_images.yaml
new file mode 100644
index 00000000..f3772901
--- /dev/null
+++ b/.github/workflows/build_images.yaml
@@ -0,0 +1,172 @@
+name: Build Docker images and push to registry
+
+on:
+  workflow_dispatch: {}
+  push:
+    branches:
+      - main
+    paths:
+      - cmd/**
+      - scanner/**
+      - internal/**
+      - pkg/**
+      - Dockerfile
+      - Dockerfile.*
+      - go.mod
+      - go.sum
+    tags:
+      - v*.*.*
+
+env:
+  REGISTRY: ghcr.io
+
+jobs:
+  build:
+    name: Build
+    runs-on: [ default ]
+    continue-on-error: true
+    strategy:
+      fail-fast: false
+      max-parallel: 6
+      matrix:
+        include:
+          - Dockerfiles: Dockerfile
+            Imagename: heureka
+          - Dockerfiles: Dockerfile.scanner-nvd
+            Imagename: heureka-scanner-nvd
+          - Dockerfiles: Dockerfile.scanner-k8s-assets
+            Imagename: heureka-scanner-k8s-assets
+          - Dockerfiles: Dockerfile.scanner-keppel
+            Imagename: heureka-scanner-keppel
+    permissions:
+      contents: read
+      packages: write
+      # This is used to complete the identity challenge
+      # with sigstore/fulcio when running outside of PRs.
+      id-token: write
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      # Install the cosign tool except on PR
+      # https://github.com/sigstore/cosign-installer
+      - name: Install cosign
+        if: github.event_name != 'pull_request'
+        uses: sigstore/cosign-installer@v3.5.0
+        with:
+          cosign-release: 'v2.2.3'
+
+      # Set up QEMU for cross-platform builds
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v3
+
+      # Set up BuildKit Docker container builder to be able to build
+      # multi-platform images and export cache
+      # https://github.com/docker/setup-buildx-action
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3 # v3.0.0
+        with:
+          driver-opts: |
+            image=moby/buildkit:latest
+
+      # Login against a Docker registry except on PR
+      # https://github.com/docker/login-action
+      - name: Log into registry ${{ env.REGISTRY }}
+        if: github.event_name != 'pull_request'
+        uses: docker/login-action@v3
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      # Extract metadata (tags, labels) for Docker
+      # https://github.com/docker/metadata-action
+      - name: Extract Docker metadata
+        id: meta
+        uses: docker/metadata-action@v5 # v5.0.0
+        with:
+          images: ${{ env.REGISTRY }}/${{ github.repository_owner }}/${{ matrix.Imagename }}
+          tags: |
+            type=semver,pattern={{version}},prefix=v
+            type=semver,pattern={{major}}.{{minor}},prefix=v
+            type=semver,pattern={{major}},enable=${{ !startsWith(github.ref, 'refs/tags/v0.') }},prefix=v
+            type=ref,event=branch
+            type=ref,event=tag
+            type=ref,event=pr
+            type=schedule
+            type=raw,value=${{ github.sha }}
+            type=sha,enable=true,format=short,prefix=
+            type=edge,branch=master
+
+      # Build and push Docker image with Buildx (don't push on PR)
+      # https://github.com/docker/build-push-action
+      - name: Build and push Docker image
+        id: build-and-push
+        uses: docker/build-push-action@v6
+        with:
+          context: .
+          file: ${{ matrix.Dockerfiles }}
+          push: ${{ github.event_name != 'pull_request' }}
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+          # cache-from: type=gha
+          # cache-to: type=gha,mode=max
+          platforms: |
+            linux/amd64
+            # linux/arm64
+
+      # Sign the resulting Docker image digest except on PRs.
+      # This will only write to the public Rekor transparency log when the Docker
+      # repository is public to avoid leaking data. If you would like to publish
+      # transparency data even for private images, pass --force to cosign below.
+      # https://github.com/sigstore/cosign
+      - name: Sign the published Docker image
+        if: ${{ github.event_name != 'pull_request' }}
+        env:
+          # https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-an-intermediate-environment-variable
+          TAGS: ${{ steps.meta.outputs.tags }}
+          DIGEST: ${{ steps.build-and-push.outputs.digest }}
+        # This step uses the identity token to provision an ephemeral certificate
+        # against the sigstore community Fulcio instance.
+        run: echo "${TAGS}" | xargs -I {} cosign sign --yes {}@${DIGEST}
+
+  vulnerability-scan:
+    permissions:
+      contents: read
+      packages: read
+      security-events: write
+    strategy:
+      fail-fast: false
+      max-parallel: 6
+      matrix:
+        include:
+          - Dockerfiles: Dockerfile
+            Imagename: heureka
+          - Dockerfiles: Dockerfile.scanner-nvd
+            Imagename: heureka-scanner-nvd
+          - Dockerfiles: Dockerfile.scanner-k8s-assets
+            Imagename: heureka-scanner-k8s-assets
+          - Dockerfiles: Dockerfile.scanner-keppel
+            Imagename: heureka-scanner-keppel
+
+    name: Vulnerability Scan
+    needs: build
+    runs-on: [ default ]
+    steps:
+      - name: Run Trivy vulnerability scanner
+        uses: aquasecurity/trivy-action@master
+        if: success()
+        with:
+          image-ref: ${{ env.REGISTRY }}/${{ github.repository_owner }}/${{ matrix.Imagename }}:${{ github.sha }}
+          ignore-unfixed: true
+          exit-code: '1'
+          format: 'sarif'
+          output: 'trivy-results.sarif'
+          severity: 'CRITICAL,HIGH'
+
+      - name: Upload Trivy scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@v3
+        if: always()
+        with:
+          sarif_file: trivy-results.sarif
\ No newline at end of file
diff --git a/Dockerfile.scanner-k8s-assets b/Dockerfile.scanner-k8s-assets
new file mode 100644
index 00000000..841393c9
--- /dev/null
+++ b/Dockerfile.scanner-k8s-assets
@@ -0,0 +1,14 @@
+FROM golang:1.22.6 AS builder
+
+WORKDIR /go/src/github.com/cloudoperators/heureka
+ADD . .
+RUN CGO_ENABLED=0 go build -o /go/bin/heureka-scanner-k8s-assets scanner/k8s-assets/main.go
+
+FROM gcr.io/distroless/static-debian12:nonroot
+
+LABEL source_repository="https://github.com/cloudoperators/heureka"
+LABEL source_folder="scanner/k8s-assets"
+USER nonroot:nonroot
+
+COPY --from=builder /go/bin/heureka-scanner-k8s-assets /
+ENTRYPOINT ["/heureka-scanner-k8s-assets"]
diff --git a/Dockerfile.scanner-keppel b/Dockerfile.scanner-keppel
new file mode 100644
index 00000000..65b5842b
--- /dev/null
+++ b/Dockerfile.scanner-keppel
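Review bot: The Trivy step in `vulnerability-scan` scans `${{ matrix.Imagename }}:${{ github.sha }}` only after `build` has already pushed and cosign-signed every tag, so its `exit-code: '1'` can turn the run red but never gates publication — a CRITICAL/HIGH image is public and signed by the time it is found. `continue-on-error: true` on `build` also keeps the run green when the push or the `cosign sign` step fails, and the `needs: build` scan job may then run against an image that was never pushed; dropping that line, or scanning a locally loaded build (`load: true`, `push: false`) in a step placed before the push, would close both gaps. `uses: aquasecurity/trivy-action@master` and `image=moby/buildkit:latest` are mutable references in a workflow that holds `packages: write` and `id-token: write`; pin them to a release tag or commit SHA like the other actions. `type=edge,branch=master` never matches because the only branch trigger is `main`, and for the same reason the `pull_request` conditions on the cosign, login, push and sign steps are dead.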
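Review bot: `ADD . .` ships the entire build context — including `.git` and whatever the CI checkout leaves in the workspace — into the builder stage, and `ADD` additionally carries URL-fetch and archive auto-extract semantics; `COPY . .`, ideally narrowed by a `.dockerignore`, is the intended instruction for local context. The `RUN` line compiles `scanner/k8s-assets/main.go` from the root module directory even though `scanner/k8s-assets` gets its own `go.mod` in this patch, whereas `Dockerfile.scanner-keppel` builds from inside the scanner directory; it is worth confirming which layout is wanted and using it for all three scanners. The base images are pinned by tag only (`golang:1.22.6`, `gcr.io/distroless/static-debian12:nonroot`); pinning by digest would make the published, cosign-signed images reproducible.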
@@ -0,0 +1,16 @@
+FROM golang:1.22.6 AS builder
+
+WORKDIR /go/src/github.com/cloudoperators/heureka/scanner/keppel
+
+# Uncomment when scanner is available
+ADD scanner/keppel .
+RUN CGO_ENABLED=0 go build -o /go/bin/heureka-scanner-keppel main.go
+
+FROM gcr.io/distroless/static-debian12:nonroot
+
+LABEL source_repository="https://github.com/cloudoperators/heureka"
+USER nonroot:nonroot
+
+# Uncomment when scanner is available
+COPY --from=builder /go/bin/heureka-scanner-keppel /heureka-scanner-keppel
+ENTRYPOINT ["/heureka-scanner-keppel"]
diff --git a/Dockerfile.scanner-nvd b/Dockerfile.scanner-nvd
new file mode 100644
index 00000000..3c05768a
--- /dev/null
+++ b/Dockerfile.scanner-nvd
@@ -0,0 +1,15 @@
+FROM golang:1.22.6 AS builder
+
+WORKDIR /go/src/github.com/cloudoperators/heureka
+
+ADD . .
+RUN CGO_ENABLED=0 go build -o /go/bin/heureka-scanner-nvd scanner/nvd/main.go
+
+FROM gcr.io/distroless/static-debian12:nonroot
+
+LABEL source_repository="https://github.com/cloudoperators/heureka"
+LABEL source_folder="scanner/nvd"
+USER nonroot:nonroot
+
+COPY --from=builder /go/bin/heureka-scanner-nvd /
+ENTRYPOINT ["/heureka-scanner-nvd"]
diff --git a/Makefile b/Makefile
index 6092166d..3d957f40 100644
--- a/Makefile
+++ b/Makefile
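Review bot: The two `# Uncomment when scanner is available` comments are stale — the `ADD scanner/keppel .` and `COPY --from=builder ...` lines beneath them are already active — and should be deleted so a reader does not assume the build is still disabled. As with the sibling Dockerfiles, `ADD scanner/keppel .` should be `COPY scanner/keppel .` since nothing here needs `ADD`'s URL or auto-extract behaviour. This file also omits the `LABEL source_folder="scanner/keppel"` that the k8s-assets and nvd Dockerfiles carry.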
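Review bot: `ADD . .` copies the whole checkout (including `.git`) into the builder stage and brings `ADD`'s URL-fetch and archive auto-extract semantics with it; `COPY . .` is the right instruction for local context. The build line compiles `scanner/nvd/main.go` from the root module directory while `scanner/nvd` gets its own `go.mod` in this patch, and `Dockerfile.scanner-keppel` builds from inside the scanner directory instead, so one layout should be chosen for all three scanners. Pinning `golang:1.22.6` and `gcr.io/distroless/static-debian12:nonroot` by digest would make the signed images reproducible.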
@@ -41,6 +41,17 @@ echo:
 build-image:
 	docker buildx build -t $(SERVER_IMAGE):$(VERSION) -t $(SERVER_IMAGE):latest . --load
 
+build-scanner-images: build-scanner-k8s-assets-image build-scanner-keppel build-scanner-nvd
+
+build-scanner-k8s-assets-image:
+	docker buildx build -t $(SERVER_IMAGE)-scanner-k8s-assets:$(VERSION) -t $(SERVER_IMAGE)-scanner-k8s-assets:latest -f Dockerfile.scanner-k8s-assets . --load
+
+build-scanner-keppel:
+	docker buildx build -t $(SERVER_IMAGE)-scanner-keppel:$(VERSION) -t $(SERVER_IMAGE)-scanner-keppel:latest -f Dockerfile.scanner-keppel . --load
+
+build-scanner-nvd:
+	docker buildx build -t $(SERVER_IMAGE)-scanner-nvd:$(VERSION) -t $(SERVER_IMAGE)-scanner-nvd:latest -f Dockerfile.scanner-nvd . --load
+
 push:
 	docker push $(SERVER_IMAGE):$(VERSION)
 	docker push $(SERVER_IMAGE):latest
diff --git a/go.mod b/go.mod
index 5da28789..6bf8ebe1 100644
--- a/go.mod
+++ b/go.mod
@@ -1,6 +1,6 @@
 module github.wdf.sap.corp/cc/heureka
 
-go 1.22.4
+go 1.22.6
 
 require (
 	github.com/brianvoe/gofakeit/v7 v7.0.4
diff --git a/scanner/k8s-assets/go.mod b/scanner/k8s-assets/go.mod
new file mode 100644
index 00000000..f50dba0c
--- /dev/null
+++ b/scanner/k8s-assets/go.mod
@@ -0,0 +1,3 @@
+module github.com/cloudoperators/heureka/scanners/k8s-assets
+
+go 1.22.6
\ No newline at end of file
diff --git a/scanner/k8s-assets/main.go b/scanner/k8s-assets/main.go
new file mode 100644
index 00000000..929e04b1
--- /dev/null
+++ b/scanner/k8s-assets/main.go
@@ -0,0 +1,12 @@
+// SPDX-FileCopyrightText: 2024 SAP SE or an SAP affiliate company and Greenhouse contributors
+// SPDX-License-Identifier: Apache-2.0
+
+package main
+
+import (
+	"fmt"
+)
+
+func main() {
+	fmt.Println("This is the k8s asset scanner")
+}
diff --git a/scanner/keppel/go.mod b/scanner/keppel/go.mod
new file mode 100644
index 00000000..9b8b884c
--- /dev/null
+++ b/scanner/keppel/go.mod
@@ -0,0 +1,3 @@
+module github.com/cloudoperators/heureka/scanners/keppel
+
+go 1.22.6
\ No newline at end of file
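Review bot: The new target names mix two conventions — `build-scanner-k8s-assets-image` carries an `-image` suffix while `build-scanner-keppel` and `build-scanner-nvd` do not — so the `build-scanner-images` aggregate reads inconsistently next to the existing `build-image`; renaming the latter two to `build-scanner-keppel-image` and `build-scanner-nvd-image` would line them up. The existing `push` target, visible as context below the hunk, still pushes only `$(SERVER_IMAGE)`, so the three scanner images built here have no corresponding push target; a `push-scanner-images` target (or extending `push`) would keep the local workflow in step with what `build_images.yaml` publishes.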
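Review bot: The module path `github.com/cloudoperators/heureka/scanners/k8s-assets` spells the directory as `scanners/` while the file lives under `scanner/k8s-assets`, and the root `go.mod` in this same patch still declares `github.wdf.sap.corp/cc/heureka`; that is harmless for a dependency-free `main` package today but will surface as soon as a scanner imports root packages or is imported by path. `module github.com/cloudoperators/heureka/scanner/k8s-assets` would match the on-disk layout (the keppel and nvd `go.mod` files in this patch have the same `scanners/` spelling). No `go.sum` is added, which is only fine while these modules have no requirements.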
diff --git a/scanner/keppel/main.go b/scanner/keppel/main.go
new file mode 100644
index 00000000..fc9c09cc
--- /dev/null
+++ b/scanner/keppel/main.go
@@ -0,0 +1,12 @@
+// SPDX-FileCopyrightText: 2024 SAP SE or an SAP affiliate company and Greenhouse contributors
+// SPDX-License-Identifier: Apache-2.0
+
+package main
+
+import (
+	"fmt"
+)
+
+func main() {
+	fmt.Println("This is the Keppel scanner")
+}
diff --git a/scanner/nvd/go.mod b/scanner/nvd/go.mod
new file mode 100644
index 00000000..30b42c19
--- /dev/null
+++ b/scanner/nvd/go.mod
@@ -0,0 +1,3 @@
+module github.com/cloudoperators/heureka/scanners/nvd
+
+go 1.22.6
\ No newline at end of file
diff --git a/scanner/nvd/main.go b/scanner/nvd/main.go
new file mode 100644
index 00000000..8761bd9b
--- /dev/null
+++ b/scanner/nvd/main.go
@@ -0,0 +1,12 @@
+// SPDX-FileCopyrightText: 2024 SAP SE or an SAP affiliate company and Greenhouse contributors
+// SPDX-License-Identifier: Apache-2.0
+
+package main
+
+import (
+	"fmt"
+)
+
+func main() {
+	fmt.Println("This is the nvd scanner")
+}