docker
/
buildx
mirror of https://github.com/docker/buildx.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #2631 from crazy-max/govulncheck 

govulncheck to report known vulnerabilities
This commit is contained in:
CrazyMax 2024-07-30 12:37:43 +02:00 committed by GitHub
parent d130f8ef0a 386d599309
commit f4da6b8f69
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
3 changed files with 68 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

30
.github/workflows/build.yml vendored
View File

@ -215,6 +215,36 @@ jobs:
name: test-reports-${{ env.TESTREPORTS_NAME }} name: test-reports-${{ env.TESTREPORTS_NAME }}
path: ${{ env.TESTREPORTS_BASEDIR }} path: ${{ env.TESTREPORTS_BASEDIR }}
govulncheck:
runs-on: ubuntu-24.04
permissions:
# required to write sarif report
security-events: write
steps:
-
name: Checkout
uses: actions/checkout@v4
-
name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
with:
version: ${{ env.BUILDX_VERSION }}
driver-opts: image=${{ env.BUILDKIT_IMAGE }}
buildkitd-flags: --debug
-
name: Run
uses: docker/bake-action@v5
with:
targets: govulncheck
env:
GOVULNCHECK_FORMAT: sarif
-
name: Upload SARIF report
if: ${{ github.ref == 'refs/heads/master' && github.repository == 'docker/buildx' }}
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: ${{ env.DESTDIR }}/govulncheck.out
prepare-binaries: prepare-binaries:
runs-on: ubuntu-24.04 runs-on: ubuntu-24.04
outputs: outputs:

15
docker-bake.hcl
View File

@ -217,3 +217,18 @@ target "integration-test" {
inherits = ["integration-test-base"] inherits = ["integration-test-base"]
target = "integration-test" target = "integration-test"
} }
variable "GOVULNCHECK_FORMAT" {
default = null
}
target "govulncheck" {
inherits = ["_common"]
dockerfile = "./hack/dockerfiles/govulncheck.Dockerfile"
target = "output"
args = {
FORMAT = GOVULNCHECK_FORMAT
}
no-cache-filter = ["run"]
output = ["${DESTDIR}"]
}

23
hack/dockerfiles/govulncheck.Dockerfile Normal file
View File

@ -0,0 +1,23 @@
# syntax=docker/dockerfile:1
ARG GO_VERSION="1.22"
ARG GOVULNCHECK_VERSION="v1.1.3"
ARG FORMAT="text"
FROM golang:${GO_VERSION}-alpine AS base
WORKDIR /go/src/github.com/docker/buildx
ARG GOVULNCHECK_VERSION
RUN --mount=type=cache,target=/root/.cache \
--mount=type=cache,target=/go/pkg/mod \
go install golang.org/x/vuln/cmd/govulncheck@$GOVULNCHECK_VERSION
FROM base AS run
ARG FORMAT
RUN --mount=type=bind,target=. <<EOT
set -ex
mkdir /out
govulncheck -format ${FORMAT} ./... | tee /out/govulncheck.out
EOT
FROM scratch AS output
COPY --from=run /out /