From 386d599309e7b18f71a0328757fd08ea3359ed34 Mon Sep 17 00:00:00 2001 From: CrazyMax <1951866+crazy-max@users.noreply.github.com> Date: Wed, 24 Jul 2024 14:01:50 +0200 Subject: [PATCH] govulncheck to report known vulnerabilities Signed-off-by: CrazyMax <1951866+crazy-max@users.noreply.github.com> --- .github/workflows/build.yml | 30 +++++++++++++++++++++++++ docker-bake.hcl | 15 +++++++++++++ hack/dockerfiles/govulncheck.Dockerfile | 23 +++++++++++++++++++ 3 files changed, 68 insertions(+) create mode 100644 hack/dockerfiles/govulncheck.Dockerfile diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 715d22d4..6b34dbb2 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -215,6 +215,36 @@ jobs: name: test-reports-${{ env.TESTREPORTS_NAME }} path: ${{ env.TESTREPORTS_BASEDIR }} + govulncheck: + runs-on: ubuntu-24.04 + permissions: + # required to write sarif report + security-events: write + steps: + - + name: Checkout + uses: actions/checkout@v4 + - + name: Set up Docker Buildx + uses: docker/setup-buildx-action@v3 + with: + version: ${{ env.BUILDX_VERSION }} + driver-opts: image=${{ env.BUILDKIT_IMAGE }} + buildkitd-flags: --debug + - + name: Run + uses: docker/bake-action@v5 + with: + targets: govulncheck + env: + GOVULNCHECK_FORMAT: sarif + - + name: Upload SARIF report + if: ${{ github.ref == 'refs/heads/master' && github.repository == 'docker/buildx' }} + uses: github/codeql-action/upload-sarif@v3 + with: + sarif_file: ${{ env.DESTDIR }}/govulncheck.out + prepare-binaries: runs-on: ubuntu-24.04 outputs: diff --git a/docker-bake.hcl b/docker-bake.hcl index b13663d1..fe6a78a5 100644 --- a/docker-bake.hcl +++ b/docker-bake.hcl @@ -217,3 +217,18 @@ target "integration-test" { inherits = ["integration-test-base"] target = "integration-test" } + +variable "GOVULNCHECK_FORMAT" { + default = null +} + +target "govulncheck" { + inherits = ["_common"] + dockerfile = "./hack/dockerfiles/govulncheck.Dockerfile" + target = "output" + args = { + FORMAT = GOVULNCHECK_FORMAT + } + no-cache-filter = ["run"] + output = ["${DESTDIR}"] +} diff --git a/hack/dockerfiles/govulncheck.Dockerfile b/hack/dockerfiles/govulncheck.Dockerfile new file mode 100644 index 00000000..2d334c7a --- /dev/null +++ b/hack/dockerfiles/govulncheck.Dockerfile @@ -0,0 +1,23 @@ +# syntax=docker/dockerfile:1 + +ARG GO_VERSION="1.22" +ARG GOVULNCHECK_VERSION="v1.1.3" +ARG FORMAT="text" + +FROM golang:${GO_VERSION}-alpine AS base +WORKDIR /go/src/github.com/docker/buildx +ARG GOVULNCHECK_VERSION +RUN --mount=type=cache,target=/root/.cache \ + --mount=type=cache,target=/go/pkg/mod \ + go install golang.org/x/vuln/cmd/govulncheck@$GOVULNCHECK_VERSION + +FROM base AS run +ARG FORMAT +RUN --mount=type=bind,target=. <