feat(cve-scan-patch): improve logging and bugfixing #66
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: "Vulnerability detection and patching" | |
| permissions: | |
| contents: write | |
| on: | |
| push: | |
| paths: | |
| - .github/workflows/cve-scan-and-patching.yml | |
| - CVEs/** | |
| #branches: | |
| # - "main" | |
| #schedule: | |
| # - cron: "0 2 * * *" | |
| jobs: | |
| fetch_kfd_versions: | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@master | |
| - name: Set output | |
| id: set_output | |
| run: | | |
| KFD_VERSIONS=$(find CVEs -name "v*" -type d -maxdepth 1 -mindepth 1 | cut -d/ -f2 | sort) | |
| echo "KFD_VERSIONS_JSON=[\"${KFD_VERSIONS//[$'\r\n']/\",\"}\"]" >> "$GITHUB_OUTPUT" | |
| echo "KFD_VERSIONS_LIST=${KFD_VERSIONS//[$'\r\n']/ }" >> "$GITHUB_OUTPUT" | |
| echo "TODAY_DATE=$(date +'%Y-%m-%d')" >> "$GITHUB_OUTPUT" | |
| outputs: | |
| kfd_versions_json: ${{ steps.set_output.outputs.KFD_VERSIONS_JSON }} | |
| kfd_versions_list: ${{ steps.set_output.outputs.KFD_VERSIONS_JSON }} | |
| today_date: ${{ steps.set_output.outputs.TODAY_DATE }} | |
| scan_pre_patch: | |
| runs-on: ubuntu-latest | |
| needs: fetch_kfd_versions | |
| continue-on-error: true | |
| strategy: | |
| # max-parallel: 3 | |
| fail-fast: false | |
| matrix: | |
| kfd_version: ${{ fromJson(needs.fetch_kfd_versions.outputs.kfd_versions_json) }} | |
| steps: | |
| - uses: actions/checkout@master | |
| - name: Login to SIGHUP Registry | |
| uses: docker/login-action@v3 | |
| with: | |
| registry: registry.sighup.io | |
| username: ${{ secrets.SIGHUP_REGISTRY_USERNAME }} | |
| password: ${{ secrets.SIGHUP_REGISTRY_PASSWORD }} | |
| - name: Install furyctl, trivy | |
| run: | | |
| sudo apt-get install wget apt-transport-https gnupg | |
| wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key | gpg --dearmor | sudo tee /usr/share/keyrings/trivy.gpg > /dev/null | |
| echo "deb [signed-by=/usr/share/keyrings/trivy.gpg] https://aquasecurity.github.io/trivy-repo/deb generic main" | sudo tee -a /etc/apt/sources.list.d/trivy.list | |
| sudo apt-get update | |
| sudo apt-get install trivy | |
| trivy --version | |
| wget https://github.com/sighupio/furyctl/releases/download/v0.29.8/furyctl-linux-amd64.tar.gz | |
| tar -xzvf furyctl-linux-amd64.tar.gz -C /usr/local/bin/ | |
| furyctl version | |
| - name: Execute CVEs scan for KFD ${{ matrix.kfd_version }} | |
| id: scan_pre_patch | |
| run: | | |
| cd CVEs | |
| make trivy-download-db | |
| make scan-pre-patch KFD_VERSIONS="${{ matrix.kfd_version }}" | |
| - name: publish CVE scan pre patch output files for KFD ${{ matrix.kfd_version }} | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: ${{ matrix.kfd_version }} | |
| path: | | |
| CVEs/${{ matrix.kfd_version }}/images.txt | |
| CVEs/${{ matrix.kfd_version }}/FURY-CVEs.md | |
| fetch_kfd_images_to_patch: | |
| runs-on: ubuntu-latest | |
| needs: scan_pre_patch | |
| steps: | |
| - uses: actions/checkout@master | |
| - name: download CVE scan pre patch output files | |
| uses: actions/download-artifact@v4 | |
| with: | |
| path: CVEs | |
| - name: Set output | |
| id: set_output | |
| run: | | |
| cd CVEs | |
| make concat-multiple-kfd-images-list | |
| IMAGES_TO_PATCH=$(cat all_kfd_images.txt) | |
| echo "IMAGES_TO_PATCH_JSON=[\"${IMAGES_TO_PATCH//[$'\r\n']/\",\"}\"]" >> "$GITHUB_OUTPUT" | |
| outputs: | |
| images_to_patch_json: ${{ steps.set_output.outputs.IMAGES_TO_PATCH_JSON }} | |
| patch: | |
| runs-on: ubuntu-latest | |
| needs: | |
| - fetch_kfd_images_to_patch | |
| continue-on-error: true | |
| strategy: | |
| # max-parallel: 2 | |
| fail-fast: false | |
| matrix: | |
| image_to_patch: ${{ fromJson(needs.fetch_kfd_images_to_patch.outputs.images_to_patch_json) }} | |
| steps: | |
| - uses: actions/checkout@master | |
| - name: Login to Docker Hub | |
| uses: docker/login-action@v3 | |
| with: | |
| username: ${{ secrets.DOCKERHUB_USERNAME }} | |
| password: ${{ secrets.DOCKERHUB_PASSWORD }} | |
| - name: Login to SIGHUP new Registry | |
| uses: docker/login-action@v3 | |
| with: | |
| registry: registry.sighup.io | |
| username: ${{ secrets.SIGHUP_REGISTRY_USERNAME }} | |
| password: ${{ secrets.SIGHUP_REGISTRY_PASSWORD }} | |
| - name: Install buildkit, trivy and copa | |
| run: | | |
| sudo apt-get install wget apt-transport-https gnupg | |
| wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key | gpg --dearmor | sudo tee /usr/share/keyrings/trivy.gpg > /dev/null | |
| echo "deb [signed-by=/usr/share/keyrings/trivy.gpg] https://aquasecurity.github.io/trivy-repo/deb generic main" | sudo tee -a /etc/apt/sources.list.d/trivy.list | |
| sudo apt-get update | |
| sudo apt-get install trivy | |
| trivy --version | |
| wget https://github.com/moby/buildkit/releases/download/v0.16.0/buildkit-v0.16.0.linux-amd64.tar.gz | |
| tar -xzvf buildkit-v0.16.0.linux-amd64.tar.gz -C /usr/local/bin/ --strip-components=1 | |
| buildctl --version | |
| wget https://github.com/project-copacetic/copacetic/releases/download/v0.8.0/copa_0.8.0_linux_amd64.tar.gz | |
| tar -xzvf copa_0.8.0_linux_amd64.tar.gz | |
| chmod +x copa | |
| sudo mv copa /usr/local/bin/ | |
| copa --version | |
| - name: Execute CVEs patching | |
| id: patching | |
| run: | | |
| IMAGE_TO_PATCH=${{ matrix.image_to_patch }} | |
| IMAGE_TO_PATCH_NORMALIZED=${IMAGE_TO_PATCH//[:\/]/_} | |
| cd CVEs | |
| mkdir -p reports | |
| make trivy-download-db | |
| DOCKER_CONFIG="${DOCKER_CONFIG}" make patch IMAGE_TO_PATCH="${IMAGE_TO_PATCH}" PATCH_REPORT_OUTPUT_FILE="reports/${IMAGE_TO_PATCH_NORMALIZED}.patched.md" | |
| echo "IMAGE_TO_PATCH_NORMALIZED=${IMAGE_TO_PATCH_NORMALIZED}" >> "$GITHUB_OUTPUT" | |
| - name: publish CVE patching report for ${{ matrix.image_to_patch }} | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: patch-report-${{ steps.patching.outputs.IMAGE_TO_PATCH_NORMALIZED }}.md | |
| if-no-files-found: ignore | |
| path: | | |
| CVEs/reports/*.patched.md | |
| scan_post_patch: | |
| runs-on: ubuntu-latest | |
| needs: | |
| - fetch_kfd_versions | |
| - patch | |
| continue-on-error: true | |
| strategy: | |
| # max-parallel: 3 | |
| matrix: | |
| kfd_version: ${{ fromJson(needs.fetch_kfd_versions.outputs.kfd_versions_json) }} | |
| steps: | |
| - uses: actions/checkout@master | |
| - name: Login to SIGHUP Registry | |
| uses: docker/login-action@v3 | |
| with: | |
| registry: registry.sighup.io | |
| username: ${{ secrets.SIGHUP_REGISTRY_USERNAME }} | |
| password: ${{ secrets.SIGHUP_REGISTRY_PASSWORD }} | |
| - name: Install trivy | |
| run: | | |
| sudo apt-get install wget apt-transport-https gnupg | |
| wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key | gpg --dearmor | sudo tee /usr/share/keyrings/trivy.gpg > /dev/null | |
| echo "deb [signed-by=/usr/share/keyrings/trivy.gpg] https://aquasecurity.github.io/trivy-repo/deb generic main" | sudo tee -a /etc/apt/sources.list.d/trivy.list | |
| sudo apt-get update | |
| sudo apt-get install trivy | |
| trivy --version | |
| - name: download CVE scan pre patch output files | |
| uses: actions/download-artifact@v4 | |
| with: | |
| path: CVEs | |
| - name: Execute CVEs scan post patch for KFD ${{ matrix.kfd_version }} | |
| id: scan_post_patch | |
| run: | | |
| cd CVEs | |
| find . | |
| make trivy-download-db | |
| make scan-post-patch KFD_VERSIONS="${{ matrix.kfd_version }}" | |
| - name: publish CVE scan post patch output files for KFD ${{ matrix.kfd_version }} | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: cve-reports-${{ matrix.kfd_version }} | |
| path: | | |
| CVEs/${{ matrix.kfd_version }}/images.txt | |
| CVEs/${{ matrix.kfd_version }}/images-patched.txt | |
| CVEs/${{ matrix.kfd_version }}/FURY-CVEs.md | |
| CVEs/${{ matrix.kfd_version }}/FURY-SECURED-CVEs.md | |
| report: | |
| runs-on: ubuntu-latest | |
| needs: | |
| - scan_post_patch | |
| steps: | |
| - name: download CVE patching output files | |
| uses: actions/download-artifact@v4 | |
| with: | |
| path: reports | |
| pattern: patch-report-*.md | |
| merge-multiple: true | |
| - name: publish CVE patching reports | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: cve-patch-reports-by-image | |
| path: | | |
| reports/*.patched.md | |
| - uses: geekyeggo/delete-artifact@v5 | |
| with: | |
| name: | | |
| patch-report-*.md | |
| v* | |
| failOnError: false |