Add examples for scanning when using docker/setup-buildx-action
I am struggling to integrate copa-action with my current Workflow.
The workflow fails because I am trying to get Copa to scan a local image, while it attempts to pull the image from a private registry to which the workflow does not have access:

```text
#1 resolve image config for docker-image://xxxx.azurecr.io/testteam1/testapp1:05-06-2024.744
Error: failed to resolve source metadata for xxxx.azurecr.io/testteam1/testapp1:05-06-2024.744: failed to authorize: failed to fetch anonymous token: unexpected status from GET request to https://xxxx.azurecr.io/oauth2/token?scope=repository%3Atestteam1%2Ftestapp1%3Apull&service=xxxx.azurecr.io: 403 Forbidden
```

I would appreciate ideas on how to fix this workflow while still using docker/setup-buildx-action with the docker-container driver.
I set it up with the following:

```yaml
- name: Set up Docker Buildx
  uses: docker/setup-buildx-action@v3
  id: buildx
  with:
    driver: docker-container # required for writing to github actions cache
    # probably not the correct way to attempt to configure this..
    buildkitd-config-inline: |
      debug = true
      [features]
      containerd-snapshotter = true
- name: Build docker image using cache
  uses: docker/build-push-action@v5
  with:
    cache-from: type=gha
    cache-to: type=gha,mode=max # requires docker-container driver
    outputs: type=docker,dest=./image.tar
# (...)
```
and scan it with Trivy this way:

```yaml
- name: Load container image to docker daemon
  run: docker load -i ./image.tar
- name: Run Trivy vulnerability scanner for OS vulnerabilities
  if: "${{ inputs.run-image-scan == 'true' && steps.build.outputs.cache-hit != 'true' }}"
  uses: aquasecurity/[email protected]
  with:
    #input: ./image.tar
    image-ref: "${{ steps.env.outputs.full-image-name-tagless }}:${{ steps.env.outputs.tag }}"
    format: "json"
    output: "report.json"
    severity: ${{ inputs.image-scan-severity }}
    ignore-unfixed: true
    scanners: "vuln"
    vuln-type: "os"
# check whether there are any OS package vulnerabilities
- name: Check vulnerability count
  if: "${{ inputs.run-image-scan == 'true' && steps.build.outputs.cache-hit != 'true' }}"
  id: vuln_count
  run: |
    report_file="report.json"
    vuln_count=$(jq 'if .Results then [.Results[] | select(.Class=="os-pkgs" and .Vulnerabilities!=null) | .Vulnerabilities[]] | length else 0 end' "$report_file")
    echo "vuln_count=$vuln_count" >> $GITHUB_OUTPUT
    echo "Vulnerability count: $vuln_count"
- name: Get socket path
  if: steps.vuln_count.outputs.vuln_count != '0'
  id: socket_path
  run: |
    url=$(docker context inspect | jq -r .[0].Endpoints.docker.Host)
    socket_path=$(echo "$url" | awk -F// '{print $2}')
    echo "$socket_path"
    echo "SOCKET=$socket_path" >> $GITHUB_ENV
- name: Run Copa action
  if: steps.vuln_count.outputs.vuln_count != '0'
  id: copa
  uses: project-copacetic/copa-action@v1
  with:
    image: "${{ steps.env.outputs.full-image-name-tagless }}:${{ steps.env.outputs.tag }}"
    image-report: "report.json"
    patched-tag: "patched"
    timeout: "5m" # optional, default is 5m
    # the socket step exports SOCKET through GITHUB_ENV, not as a step output
    custom-socket: "${{ env.SOCKET }}"
```
@audunsolemdal https://github.com/project-copacetic/copa-action?tab=readme-ov-file#option-2-connect-using-defaults-through-a-custom-socket has the details on how to set up the containerd image store. If you are trying to patch a local image that's not pushed to a registry, you cannot do that with the docker-container driver; it must be the docker driver with the containerd image store enabled.

Another example is here: https://github.com/sozercan/copa-test/blob/main/.github/workflows/patch-action-containerd.yaml
So I've noticed the images in the examples are all pre-built. I am trying to first build my own image before running trivy-action followed by copa-action.

Essentially something like this works, but this causes copa-action to fail due to containerd-snapshotter not being enabled:
https://github.com/aquasecurity/trivy-action/issues/278#issuecomment-1854855384

```yaml
- name: Build image
  id: build
  uses: docker/build-push-action@v5
  with:
    file: Dockerfile
    load: true
    platforms: linux/amd64
    push: false
- name: Run Trivy vulnerability scanner
  uses: aquasecurity/trivy-action@master
  with:
    image-ref: ${{ steps.build.outputs.imageid }} # or full image name with tag
    format: table
    exit-code: 1
    ignore-unfixed: true
    vuln-type: os,library
    severity: CRITICAL,HIGH
```

But if you add this step at the top of the workflow, I get the container build working, and `docker image ls` shows the image with tags, but I can't get trivy-action to work.

```yaml
- name: Set up docker
  uses: crazy-max/ghaction-setup-docker@v3
  with:
    version: latest
    daemon-config: |
      {
        "experimental": true,
        "features": {
          "containerd-snapshotter": true
        }
      }
```

I tried a lot of variants but have failed.

If trying to input docker-host to trivy-action:

```text
* docker error: unable to inspect the image (xxxx.azurecr.io/testteam1/testapp1:06-06-2024.788): Cannot connect to the Docker daemon at unix:///home/runner/setup-docker-action-e59d331d/docker.sock. Is the docker daemon running?
```

Without docker-host specified I end up with `Error: No such image:`
@audunsolemdal @sozercan
This is an issue related to the Trivy GitHub action. When using the containerd image store, we create a custom socket and need to be able to supply that to Trivy. We can do this with the --docker-host flag when installing Trivy locally.
For example:

```yaml
- name: Install Trivy
  run: |
    echo "Downloading Latest Trivy Version"
    curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b . latest
    ./trivy image --ignore-unfixed --vuln-type os -f json -o report.json --docker-host unix:///${SOCKET} nginx:local
```

${SOCKET} is the custom socket as we got in the example.
This will allow you to scan the local images before you patch with Copa Action.
It looks like the Trivy action also recently released support for a docker-host argument to the action, but I have not been able to get that to work so far. I will let you know if I can figure out why it works when using Trivy locally but not through the action.
I created an issue (#46) so this can be better documented along with a workflow that uses a locally built image.
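Putting the pieces from this thread together, here is an added end-to-end workflow (an editor's example, not code from the copa-action repository or from any participant) that builds an image locally on a daemon with the containerd image store, scans it with the Trivy CLI through `--docker-host` as described in the comment above, and patches it with copa-action over the same socket. The image tag `testapp:ci`, the `Dockerfile` in the repository root and the `push` trigger are assumptions; the actions, inputs and flags are the ones used earlier in the thread. Because the image is never pushed, nothing in the job needs registry credentials, which is the failure the original buildx/docker-container setup ran into.

```yaml
name: build-scan-patch  # hypothetical workflow name
on: [push]              # assumed trigger

jobs:
  build-scan-patch:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      # Daemon with the containerd image store, so a locally built
      # (never pushed) image is visible to Trivy and Copa via the socket.
      - name: Set up docker with containerd image store
        uses: crazy-max/ghaction-setup-docker@v3
        with:
          daemon-config: |
            {
              "experimental": true,
              "features": {
                "containerd-snapshotter": true
              }
            }

      # Default (docker) driver: the build lands in the local image store.
      # load: true keeps it local, push: false keeps it out of any registry.
      - name: Build image locally
        id: build
        uses: docker/build-push-action@v5
        with:
          context: .
          file: Dockerfile        # assumed to exist in the repo root
          platforms: linux/amd64
          load: true
          push: false
          tags: testapp:ci        # hypothetical local tag

      # setup-docker uses its own socket; read it from the active context.
      # Trivy takes the unix:// URL, copa-action takes the bare path.
      - name: Get socket path
        id: socket
        run: |
          url=$(docker context inspect | jq -r '.[0].Endpoints.docker.Host')
          echo "docker_host=$url" >> "$GITHUB_OUTPUT"
          echo "socket_path=${url#unix://}" >> "$GITHUB_OUTPUT"

      # Trivy CLI rather than trivy-action, so --docker-host can be passed.
      - name: Install Trivy and scan the local image
        env:
          DOCKER_HOST_URL: ${{ steps.socket.outputs.docker_host }}
        run: |
          curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b . latest
          ./trivy image --ignore-unfixed --vuln-type os -f json -o report.json \
            --docker-host "$DOCKER_HOST_URL" testapp:ci

      # Only fixable OS package findings are relevant to Copa.
      - name: Count fixable OS package vulnerabilities
        id: vuln_count
        run: |
          vuln_count=$(jq '[.Results[]? | select(.Class=="os-pkgs" and .Vulnerabilities!=null) | .Vulnerabilities[]] | length' report.json)
          echo "vuln_count=$vuln_count" >> "$GITHUB_OUTPUT"

      - name: Patch with Copa
        if: steps.vuln_count.outputs.vuln_count != '0'
        uses: project-copacetic/copa-action@v1
        with:
          image: testapp:ci
          image-report: report.json
          patched-tag: patched
          custom-socket: ${{ steps.socket.outputs.custom-socket-placeholder || steps.socket.outputs.socket_path }}
```

Two notes on the choices here. The socket URL and the trimmed path are written as step outputs rather than `GITHUB_ENV`, and are passed to `run:` scripts through `env:` instead of inline `${{ }}` interpolation, which keeps the shell script free of expression substitution. The `curl | sh` installer with `latest` is kept from the comment above for fidelity; in a pipeline you own, pin a specific Trivy release (the install script accepts a version in place of `latest`) and verify the download before running it.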
Will this now be possible since https://github.com/project-copacetic/copacetic/pull/1221 is merged?