Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fix CVE 2023 2975 #145

Merged
merged 7 commits into from
Aug 2, 2023
Merged

Fix CVE 2023 2975 #145

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
7 commits
Select commit Hold shift + click to select a range
0575de8
feat: add govulncheck to sec analysis
wakeward Jul 31, 2023
827c2c1
fix: making scratch primary container
wakeward Jul 31, 2023
6bd2e15
fix: removing trivy from sec analysis
wakeward Jul 31, 2023
cd6ccb0
refactor: bump go.mod to 1.20
wakeward Jul 31, 2023
e0c3585
wip: test gh action for govulncheck
wakeward Jul 31, 2023
edb2cd0
feat: replaced trivy with govulncheck
wakeward Jul 31, 2023
a53c0bf
refactor: changed default release to scratch
wakeward Jul 31, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
6 changes: 3 additions & 3 deletions .github/workflows/release_containers.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -16,9 +16,9 @@ jobs:
- name: badrobot
file: ./Dockerfile
suffix: ""
- name: badrobot scratch
file: ./Dockerfile.scratch
suffix: -scratch
- name: badrobot alpine
file: ./Dockerfile.alpine
suffix: -alpine

steps:
- name: Cache container layers
Expand Down
25 changes: 7 additions & 18 deletions .github/workflows/security_analysis.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -25,26 +25,15 @@ jobs:
- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@v2

trivy:
name: Trivy
govulncheck:
name: govulncheck
runs-on: ubuntu-latest
steps:
- name: Checkout code
- name: Checkout repository
uses: actions/checkout@v3

- name: Build an image from Dockerfile
run: |
docker build . -t badrobot:${{ github.sha }}

- name: Run Trivy
uses: aquasecurity/trivy-action@master
with:
image-ref: badrobot:${{ github.sha }}
format: template
template: "@/contrib/sarif.tpl"
output: trivy-results.sarif

- name: Upload Trivy results to the Security tab
uses: github/codeql-action/upload-sarif@v2
- name: Vulnerability Scan Go Code
uses: Templum/[email protected]
with:
sarif_file: trivy-results.sarif
go-version: 1.20.6
vulncheck-version: v1.0.0
18 changes: 6 additions & 12 deletions Dockerfile
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,27 +1,21 @@
FROM golang:1.20.6-alpine AS builder
ARG VERSION=unknown
ARG COMMIT=unknown

RUN echo "badrobot:x:25000:25000:badrobot:/home/badrobot:/sbin/nologin" > /passwd && \
echo "badrobot:x:25000:" > /group
WORKDIR /badrobot

RUN apk add --no-cache ca-certificates
COPY . .

RUN CGO_ENABLED=0 GOOS=linux go build \
-ldflags="-s -w -X github.com/controlplaneio/badrobot/cmd.version=$VERSION -X github.com/controlplaneio/badrobot/cmd.commit=$COMMIT" \
-o badrobot .

# ===

FROM alpine:3.18.2

RUN addgroup -S badrobot \
&& adduser -S -g badrobot badrobot \
&& apk --no-cache add ca-certificates

FROM scratch
WORKDIR /home/badrobot

COPY --from=builder /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/
COPY --from=builder /passwd /group /etc/
hennersz marked this conversation as resolved.
Show resolved Hide resolved
COPY --from=builder /badrobot/badrobot /bin/badrobot

USER badrobot

ENTRYPOINT ["/bin/badrobot"]
18 changes: 12 additions & 6 deletions Dockerfile.scratch → Dockerfile.alpine
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,21 +1,27 @@
FROM golang:1.20.6-alpine AS builder
ARG VERSION=unknown
ARG COMMIT=unknown

RUN echo "badrobot:x:25000:25000:badrobot:/home/badrobot:/sbin/nologin" > /passwd && \
echo "badrobot:x:25000:" > /group
WORKDIR /badrobot
RUN apk add --no-cache ca-certificates

COPY . .

RUN CGO_ENABLED=0 GOOS=linux go build \
-ldflags="-s -w -X github.com/controlplaneio/badrobot/cmd.version=$VERSION -X github.com/controlplaneio/badrobot/cmd.commit=$COMMIT" \
-o badrobot .

# ===

FROM scratch
FROM alpine:3.18.2

RUN addgroup -S badrobot \
&& adduser -S -g badrobot badrobot \
&& apk --no-cache add ca-certificates

WORKDIR /home/badrobot
COPY --from=builder /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/
COPY --from=builder /passwd /group /etc/

COPY --from=builder /badrobot/badrobot /bin/badrobot

USER badrobot

ENTRYPOINT ["/bin/badrobot"]
4 changes: 2 additions & 2 deletions go.mod
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
module github.com/controlplaneio/badrobot

go 1.19
go 1.20

require (
github.com/ghodss/yaml v1.0.0
Expand All @@ -27,7 +27,7 @@ require (
gopkg.in/yaml.v2 v2.4.0 // indirect
k8s.io/apimachinery v0.27.4 // indirect
k8s.io/klog/v2 v2.100.1 // indirect
k8s.io/utils v0.0.0-20230209194617-a36077c30491 // indirect
k8s.io/utils v0.0.0-20230726121419-3b25d923346b // indirect
sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd // indirect
sigs.k8s.io/structured-merge-diff/v4 v4.3.0 // indirect
)
2 changes: 2 additions & 0 deletions go.sum
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -97,6 +97,8 @@ k8s.io/klog/v2 v2.100.1 h1:7WCHKK6K8fNhTqfBhISHQ97KrnJNFZMcQvKp7gP/tmg=
k8s.io/klog/v2 v2.100.1/go.mod h1:y1WjHnz7Dj687irZUWR/WLkLc5N1YHtjLdmgWjndZn0=
k8s.io/utils v0.0.0-20230209194617-a36077c30491 h1:r0BAOLElQnnFhE/ApUsg3iHdVYYPBjNSSOMowRZxxsY=
k8s.io/utils v0.0.0-20230209194617-a36077c30491/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0=
k8s.io/utils v0.0.0-20230726121419-3b25d923346b h1:sgn3ZU783SCgtaSJjpcVVlRqd6GSnlTLKgpAAttJvpI=
k8s.io/utils v0.0.0-20230726121419-3b25d923346b/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0=
sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd h1:EDPBXCAspyGV4jQlpZSudPeMmr1bNJefnuqLsRAsHZo=
sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd/go.mod h1:B8JuhiUyNFVKdsE8h686QcCxMaH6HrOAZj4vswFpcB0=
sigs.k8s.io/structured-merge-diff/v4 v4.3.0 h1:UZbZAZfX0wV2zr7YZorDz6GXROfDFj6LvqCRm4VUVKk=
Expand Down