From 3f1d829fdf3753bb5950bdc8b6d95f2babee6058 Mon Sep 17 00:00:00 2001
From: Timo Reichl
Date: Mon, 10 Apr 2023 17:08:31 +0200
Subject: [PATCH] Remove CVE checks (see readme)
Signed-off-by: Timo Reichl
---
 ...d-scan-push-tag.yml => build-push-tag.yml} | 53 +------------------
 .github/workflows/cve-scan.yml | 32 -----------
 .github/workflows/docker-build.yml | 2 +-
 .github/workflows/docker-latest.yml | 2 +-
 .github/workflows/docker-tag.yml | 2 +-
 README.md | 2 +-
 scan-local.sh | 17 ------
 7 files changed, 5 insertions(+), 105 deletions(-)
 rename .github/workflows/{build-scan-push-tag.yml => build-push-tag.yml} (63%)
 delete mode 100644 .github/workflows/cve-scan.yml
 delete mode 100755 scan-local.sh
diff --git a/.github/workflows/build-scan-push-tag.yml b/.github/workflows/build-push-tag.yml
similarity index 63%
rename from .github/workflows/build-scan-push-tag.yml
rename to .github/workflows/build-push-tag.yml
index 6b81108..1558f4b 100644
--- a/.github/workflows/build-scan-push-tag.yml
+++ b/.github/workflows/build-push-tag.yml
@@ -1,4 +1,4 @@
-name: Reusable workflow for building and scanning images
+name: Reusable workflow for building and pushing images
 on:
 workflow_call:
@@ -35,57 +35,6 @@ jobs:
 docker-compose build ${docker_base_image_type}
 done
- - name: Trivy CVE scan - base
- if: ${{ inputs.push }}
- uses: aquasecurity/trivy-action@0.8.0
- with:
- image-ref: "${{ env.REGISTRY_IMAGE }}:base"
- format: 'table'
- exit-code: '1'
- severity: 'CRITICAL,HIGH,MEDIUM,LOW'
- - name: Dockle scan - base
- if: ${{ inputs.push }}
- uses: erzz/dockle-action@v1.3.1
- with:
- image: "${{ env.REGISTRY_IMAGE }}:base"
- exit-code: '1'
- dockle-version: '0.4.5'
- - name: Trivy CVE scan - hlds
- if: ${{ inputs.push }}
- uses: aquasecurity/trivy-action@0.8.0
- with:
- image-ref: "${{ env.REGISTRY_IMAGE }}:hlds"
- format: 'table'
- exit-code: '1'
- severity: 'CRITICAL,HIGH,MEDIUM,LOW'
- - name: Dockle scan - hlds
- if: ${{ inputs.push }}
- uses: erzz/dockle-action@v1.3.1
- with:
- image: "${{ env.REGISTRY_IMAGE }}:hlds"
- exit-code: '1'
- dockle-version: '0.4.5'
- - name: Trivy CVE scan - srcds
- if: ${{ inputs.push }}
- uses: aquasecurity/trivy-action@0.8.0
- with:
- image-ref: "${{ env.REGISTRY_IMAGE }}:srcds"
- format: 'table'
- exit-code: '1'
- severity: 'CRITICAL,HIGH,MEDIUM,LOW'
- - name: Dockle scan - srcds
- if: ${{ inputs.push }}
- uses: erzz/dockle-action@v1.3.1
- with:
- image: "${{ env.REGISTRY_IMAGE }}:srcds"
- exit-code: '1'
- dockle-version: '0.4.5'
-
 - name: Log in to GHCR
 if: ${{ inputs.push || inputs.tag }}
 uses: docker/login-action@v2
diff --git a/.github/workflows/cve-scan.yml b/.github/workflows/cve-scan.yml
deleted file mode 100644
index 036b24b..0000000
--- a/.github/workflows/cve-scan.yml
+++ /dev/null
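Review bot: With the Trivy and Dockle steps gone, the `Log in to GHCR` / push path in this hunk now publishes `base`, `hlds` and `srcds` with no vulnerability signal at all, and nothing else in the patch replaces it — the base-image provenance argument in the README covers the inherited layers, but presumably not whatever these three images add on top of the Steam Runtime, nor CVEs published after an image is built (the deleted nightly `cve-scan.yml` was the only thing covering that case). The likely trigger for dropping the gate is the old `severity: 'CRITICAL,HIGH,MEDIUM,LOW'` with `exit-code: '1'` failing on unfixable distro CVEs, which a report-only or unfixed-ignoring configuration avoids without blocking pushes. I'd restore one Trivy step per image before the login step with `exit-code: '0'`, `ignore-unfixed: true` and `severity: 'CRITICAL,HIGH'` (inputs supported by trivy-action as far as I can tell; confirm against the 0.8.0 action.yml), and apply the same to the nightly workflow rather than deleting it. Separately, `docker/login-action@v2` is a floating major tag; pinning third-party actions to a commit SHA is the usual supply-chain hardening here. The enclosing job starts before this hunk.
```yaml
      # … unchanged: docker-compose build loop …
      - name: Trivy CVE scan - base (report only)
        if: ${{ inputs.push }}
        uses: aquasecurity/trivy-action@0.8.0
        with:
          image-ref: "${{ env.REGISTRY_IMAGE }}:base"
          format: 'table'
          exit-code: '0'
          ignore-unfixed: true
          severity: 'CRITICAL,HIGH'
      # … same step repeated for hlds and srcds …
      - name: Log in to GHCR
```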
@@ -1,32 +0,0 @@
-name: Check for CVEs on latest tagged image every night
-
-on:
- schedule:
- - cron: "0 0 * * *"
-
-env:
- IMAGE_REPOSITORY: "ghcr.io/${{ github.repository_owner }}/${{ github.event.repository.name }}"
- CRANE_IMAGE: "gcr.io/go-containerregistry/crane:v0.11.0"
-
-jobs:
- cve-check:
- runs-on: ubuntu-22.04
- steps:
- - uses: actions/checkout@v3
-
- - id: latest_image
- name: Get latest image
- run: |
- # Get latest tag for base image
- latest_tag=$(docker run --rm ${CRANE_IMAGE} ls ${IMAGE_REPOSITORY} | grep base | tail -1)
-
- # Set output to latest image
- echo "url=${IMAGE_REPOSITORY}:${latest_tag}" >> $GITHUB_OUTPUT
- - name: Scan for CVEs
- uses: aquasecurity/trivy-action@0.8.0
- with:
- image-ref: "${{ steps.latest_image.outputs.url }}"
- format: 'table'
- exit-code: '1'
- severity: 'CRITICAL,HIGH,MEDIUM,LOW'
diff --git a/.github/workflows/docker-build.yml b/.github/workflows/docker-build.yml
index 37808b9..844d064 100644
--- a/.github/workflows/docker-build.yml
+++ b/.github/workflows/docker-build.yml
@@ -7,7 +7,7 @@ on:
 jobs:
 build-scan:
- uses: thetredev/steamcmd/.github/workflows/build-scan-push-tag.yml@main
+ uses: thetredev/steamcmd/.github/workflows/build-push-tag.yml@main
 with:
 push: false
 tag: false
diff --git a/.github/workflows/docker-latest.yml b/.github/workflows/docker-latest.yml
index d51cb6a..cc42e5d 100644
--- a/.github/workflows/docker-latest.yml
+++ b/.github/workflows/docker-latest.yml
@@ -7,7 +7,7 @@ on:
 jobs:
 push:
- uses: thetredev/steamcmd/.github/workflows/build-scan-push-tag.yml@main
+ uses: thetredev/steamcmd/.github/workflows/build-push-tag.yml@main
 with:
 push: true
 tag: false
diff --git a/.github/workflows/docker-tag.yml b/.github/workflows/docker-tag.yml
index f4d82bf..3effade 100644
--- a/.github/workflows/docker-tag.yml
+++ b/.github/workflows/docker-tag.yml
@@ -7,7 +7,7 @@ on:
 jobs:
 tag:
- uses: thetredev/steamcmd/.github/workflows/build-scan-push-tag.yml@main
+ uses: thetredev/steamcmd/.github/workflows/build-push-tag.yml@main
 with:
 push: false
 tag: true
diff --git a/README.md b/README.md
index 2f361ad..8c09b47 100644
--- a/README.md
+++ b/README.md
@@ -105,7 +105,7 @@ The GitHub Actions workflows are setup in the following way:
 - Pushes to the `main` branch lead to the image tags `ghcr.io/thetredev/steamcmd:-latest`, where `` is one of the following: `base`, `hlds` or `srcds` (see *the supported game server images* above)
 - Pushes of tags lead to retagging the `ghcr.io/thetredev/steamcmd:-latest` images to `ghcr.io/thetredev/steamcmd:-`
-All image builds are scanned for CVEs and only pushed as `latest` or the given tag if no CVEs are found. The scans can be viewed publicly [from within the Actions tab](https://github.com/thetredev/steamcmd/actions) at job **build**.
+All image builds used to be scanned for CVEs and only pushed as `latest` or the given tag if no CVEs are found. These scans have been removed and/or disabled since we're relying on official Steam Runtime images now (commit [a64d5003ac8d84eccc6326bc8270eef1105745e0](https://github.com/thetredev/steamcmd/tree/a64d5003ac8d84eccc6326bc8270eef1105745e0)) and we simply trust Valve to make the base images as secure as possible.
 ## Known bugs
 See the [project issues](https://github.com/thetredev/steamcmd/issues).
diff --git a/scan-local.sh b/scan-local.sh
deleted file mode 100755
index 619ccc5..0000000
--- a/scan-local.sh
+++ /dev/null
@@ -1,17 +0,0 @@
-#!/bin/bash
-
-source ./local-vars.sh
-
-git_root=$(git rev-parse --show-toplevel)
-docker_image="${REGISTRY_IMAGE}:${1:-srcds}"
-
-docker run --rm \
- -v ${git_root}/.trivyignore:/.trivyignore:ro \
- -v ~/.trivy-cache:/root/.cache \
- -v /var/run/docker.sock:/var/run/docker.sock:ro \
- aquasec/trivy:0.34.0-amd64 image --severity ${2:-CRITICAL,HIGH,MEDIUM,LOW} ${docker_image}
-
-docker run --rm \
- -v ${git_root}/.dockleignore:/.dockleignore:ro \
- -v /var/run/docker.sock:/var/run/docker.sock:ro \
- goodwithtech/dockle:v0.4.9-amd64 ${docker_image}