
ci/patch images #209

Closed
wants to merge 40 commits into from
Conversation


@R3DRUN3 R3DRUN3 commented Mar 7, 2024

Reason for the Pull Request

Implementing a pipeline for automatic hardening, signing, and attestation of Fury images.

What it adds

A straightforward Python utility to compile a JSON file with the list of images requiring patching, and a GitHub Action for patching.

Additional Notes

To function properly, the pipeline requires the following secrets to be configured within the repository:

  • COSIGN_PASSWORD
  • COSIGN_PRIVATE_KEY
  • SIGHUP_REGISTRY_USERNAME
  • SIGHUP_REGISTRY_PASSWORD

R3DRUN3 and others added 4 commits March 8, 2024 14:33
@R3DRUN3 R3DRUN3 left a comment

LGTM 😊

@R3DRUN3 R3DRUN3 requested a review from ralgozino March 8, 2024 15:36
ralgozino previously approved these changes Mar 14, 2024
@ralgozino ralgozino left a comment

The PR code-wise looks good to me.

I don't have enough context to say if this is the right way to solve the problem, though. I'd leave the final approval to @nutellinoit.

@nutellinoit nutellinoit left a comment

We are also syncing multi-arch images, for example https://github.com/sighupio/fury-distribution-container-image-sync/blob/main/modules/monitoring/images.yml#L256

How did you achieve that?

BTW, we need to fix a call to discuss this change


R3DRUN3 commented Mar 15, 2024

@nutellinoit

How did you achieve that?

Unfortunately, at the moment, Copa does not support out-of-the-box and seamless patching of multi-architecture images.
Please note that this patching mechanism is best effort; therefore, we cannot guarantee that all images will be patched. Some may not have known vulnerabilities, others may have a peculiar combination of OS and libraries, causing the Copa process to fail, etc.

BTW, we need to fix a call to discuss this change.

Yes, we definitely need to schedule a call as there are a few matters we need to discuss.
I have also noticed that, for some images, you are using the latest tag and not opting for lightweight images (e.g., those based on Alpine). We need to address this point as well.


R3DRUN3 commented Jun 6, 2024

Warning

Given the recent amendments made to SSC, this PR might be deprecated.
I recommend aligning it with the SSC pipeline (excluding product-specific changes like the self-hosted runner steps, harbor path, email report, unit tests etc.).

@R3DRUN3 R3DRUN3 closed this Jul 18, 2024