[ODS-6126] Use GitHub Action from Docker Scout to analyze docker imag…

…es (#888)
Ed-Fi-Alliance-OSS · Jan 19, 2024 · 662174f · 662174f
1 parent 5578c30
commit 662174f
Show file tree

Hide file tree

Showing 4 changed files with 149 additions and 47 deletions.
diff --git a/.github/workflows/Analyze docker images.yml b/.github/workflows/Analyze docker images.yml
@@ -0,0 +1,85 @@
+# SPDX-License-Identifier: Apache-2.0
+# Licensed to the Ed-Fi Alliance under one or more agreements.
+# The Ed-Fi Alliance licenses this file to you under the Apache License, Version 2.0.
+# See the LICENSE and NOTICES files in the project root for more information.
+
+name: Analyze Docker Images
+
+on:
+  pull_request:
+    branches: [main, 'ODS-*']
+  workflow_dispatch:
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+  cancel-in-progress: true
+
+env:
+  CURRENT_STANDARD_VERSION: "5.0.0"
+  PACKAGE_VERSION: "7.2"
+  DOCKER_HUB_TOKEN: ${{ secrets.DOCKER_HUB_TOKEN }}
+  DOCKER_USERNAME: ${{ vars.DOCKER_USERNAME }}  
+
+jobs:
+  FindStandardAndExtensionVersions:
+    uses: Ed-Fi-Alliance-OSS/Ed-Fi-ODS/.github/workflows/Find Standard and Extension Versions.yml@874b608a0f3a14243e0035dd1222169fafcbe8d3
+    with:
+      calling_branch: ${{ github.head_ref || github.ref_name }}
+
+  analyze-docker:
+    needs: FindStandardAndExtensionVersions
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        StandardVersion: ${{ fromJson(needs.FindStandardAndExtensionVersions.outputs.StandardVersions) }}
+        ExtensionVersion: ${{ fromJson(needs.FindStandardAndExtensionVersions.outputs.ExtensionVersions) }}    
+        dockerfile:
+          [
+            { name: "ods-api-db-admin", path: "alpine/pgsql" },
+            { name: "ods-api-db-ods-minimal", path: "alpine/pgsql" },
+            { name: "ods-api-db-ods-sandbox", path: "alpine/pgsql" },
+            { name: "ods-api-swaggerui", path: "alpine" },
+            { name: "ods-api-web-api", path: "alpine/pgsql" },
+            { name: "ods-api-web-api", path: "alpine/mssql" },            
+            { name: "ods-api-web-sandbox-admin", path: "alpine/pgsql" },
+            { name: "ods-api-web-sandbox-admin", path: "alpine/mssql" }            
+          ]
+    name: ${{ matrix.dockerfile.name }}/${{ matrix.dockerfile.path }} Image for (Standard ${{ matrix.StandardVersion }} Extension ${{ matrix.ExtensionVersion }}) 
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4
+
+      - name: Log in to Docker Hub
+        uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
+        with:
+          username: ${{ env.DOCKER_USERNAME }}
+          password: ${{ env.DOCKER_HUB_TOKEN }}
+
+      - name: Build  ${{ matrix.dockerfile.name }} image in path ${{ matrix.dockerfile.path }}
+        run: |
+          ./get-versions.ps1 -PackageVersion ${{ env.PACKAGE_VERSION }} -StandardVersion ${{ matrix.StandardVersion }} -ExtensionVersion ${{ matrix.ExtensionVersion }} -PreRelease
+          ./Invoke-Build.ps1 -PackageVersion ${{ env.PACKAGE_VERSION }} -PreRelease -ImageName ${{ matrix.dockerfile.name }} -Path ${{ matrix.dockerfile.path }}
+          $image ="edfialliance/${{ matrix.dockerfile.name }}:${{ env.PACKAGE_VERSION }}.0-${{ matrix.StandardVersion }}"
+
+          if ("${{ matrix.dockerfile.path }}" -eq "alpine/mssql") {
+              $image += "-mssql"
+          }          
+          echo "IMAGENAME=$image">> $env:GITHUB_ENV
+        working-directory: Docker
+        shell: pwsh
+
+      - name: Analyze
+        uses: docker/scout-action@7c61653c2736d21969dd4593fde76c670d4a86cb # v1.2.0
+        with:
+          command: cves
+          image: ${{ env.IMAGENAME }}
+          sarif-file: sarif-${{ matrix.dockerfile.name }}.${{ env.PACKAGE_VERSION }}.0-${{ matrix.StandardVersion }}.output.json
+          summary: true
+          only-severities: "critical,high"
+      - name: Upload SARIF result
+        id: upload-sarif
+        if: ${{ github.event_name != 'pull_request_target' }}
+        uses: github/codeql-action/upload-sarif@df32e399139a3050671466d7d9b3cbacc1cfd034 #codeql-bundle-v2.15.2
+        with:
+          sarif_file: sarif-${{ matrix.dockerfile.name }}.${{ env.PACKAGE_VERSION }}.0-${{ matrix.StandardVersion }}.output.json          
+
diff --git a/.github/workflows/Docker Test.yml b/.github/workflows/Docker Test.yml
@@ -63,17 +63,28 @@ jobs:
       matrix:
         StandardVersion: ${{ fromJson(needs.FindStandardAndExtensionVersions.outputs.StandardVersions) }}
         ExtensionVersion: ${{ fromJson(needs.FindStandardAndExtensionVersions.outputs.ExtensionVersions) }}
-    name: Docker Build (Standard ${{ matrix.StandardVersion }} Extension ${{ matrix.ExtensionVersion }})
+        dockerfile:
+          [
+            { name: "ods-api-db-admin", path: "alpine/pgsql" },
+            { name: "ods-api-db-ods-minimal", path: "alpine/pgsql" },
+            { name: "ods-api-db-ods-sandbox", path: "alpine/pgsql" },
+            { name: "ods-api-swaggerui", path: "alpine" },
+            { name: "ods-api-web-api", path: "alpine/pgsql" },
+            { name: "ods-api-web-api", path: "alpine/mssql" },            
+            { name: "ods-api-web-sandbox-admin", path: "alpine/pgsql" },
+            { name: "ods-api-web-sandbox-admin", path: "alpine/mssql" }            
+          ]        
+    name: ${{ matrix.dockerfile.name }}/${{ matrix.dockerfile.path }} Image for (Standard ${{ matrix.StandardVersion }} Extension ${{ matrix.ExtensionVersion }})
 
     steps:
       - name: Checkout code
         uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4
 
-      - name: Build all of the images
+      - name: Build  ${{ matrix.dockerfile.name }} image in path ${{ matrix.dockerfile.path }}
         # To confirm no errors occur. The "local" one will be built by the e2e
         # testing process.
         run: |
           ./get-versions.ps1 -PackageVersion ${{ env.PACKAGE_VERSION }} -StandardVersion ${{ matrix.StandardVersion }} -ExtensionVersion ${{ matrix.ExtensionVersion }} -PreRelease
-          ./build-images.ps1 -PackageVersion ${{ env.PACKAGE_VERSION }} -PreRelease
+          ./Invoke-Build.ps1 -PackageVersion ${{ env.PACKAGE_VERSION }} -PreRelease -ImageName ${{ matrix.dockerfile.name }} -Path ${{ matrix.dockerfile.path }}
         working-directory: Docker
         shell: pwsh
diff --git a/.github/workflows/Publish to Docker Hub.yml b/.github/workflows/Publish to Docker Hub.yml
@@ -47,7 +47,18 @@ jobs:
       matrix:
         StandardVersion: ${{ fromJson(needs.FindStandardAndExtensionVersions.outputs.StandardVersions) }}
         ExtensionVersion: ${{ fromJson(needs.FindStandardAndExtensionVersions.outputs.ExtensionVersions) }}
-    name: Publish to Docker Hub (Standard ${{ matrix.StandardVersion }} Extension ${{ matrix.ExtensionVersion }})
+        dockerfile:
+          [
+            { name: "ods-api-db-admin", path: "alpine/pgsql" },
+            { name: "ods-api-db-ods-minimal", path: "alpine/pgsql" },
+            { name: "ods-api-db-ods-sandbox", path: "alpine/pgsql" },
+            { name: "ods-api-swaggerui", path: "alpine" },
+            { name: "ods-api-web-api", path: "alpine/pgsql" },
+            { name: "ods-api-web-api", path: "alpine/mssql" },            
+            { name: "ods-api-web-sandbox-admin", path: "alpine/pgsql" },
+            { name: "ods-api-web-sandbox-admin", path: "alpine/mssql" }            
+          ]        
+    name: ${{ matrix.dockerfile.name }}/${{ matrix.dockerfile.path }} Image for (Standard ${{ matrix.StandardVersion }} Extension ${{ matrix.ExtensionVersion }})     
     steps:
       - name: Check for Docker Hub Token
         if: ${{ env.REPOSITORY_OWNER == 'Ed-Fi-Alliance-OSS' && env.DOCKER_HUB_TOKEN == '' }}
@@ -72,7 +83,7 @@ jobs:
           username: ${{ env.DOCKER_USERNAME }}
           password: ${{ env.DOCKER_HUB_TOKEN }}
 
-      - name: Build and Push
+      - name: Build  ${{ matrix.dockerfile.name }} image in path ${{ matrix.dockerfile.path }} and Push
         if: ${{ env.DOCKER_HUB_TOKEN != '' }}
         run: |
           # Note: all images will receive the same version number for this Docker release
@@ -84,13 +95,13 @@ jobs:
             }
 
             ./get-versions.ps1 -PackageVersion $package_version -StandardVersion ${{ matrix.StandardVersion }} -ExtensionVersion ${{ matrix.ExtensionVersion }}
-            ./build-images.ps1 -Push -PackageVersion $package_version -Patch ${{ github.run_number }}
+            ./Invoke-Build.ps1 -Push -PackageVersion $package_version -Patch ${{ github.run_number }}  -ImageName ${{ matrix.dockerfile.name }} -Path ${{ matrix.dockerfile.path }}
             Write-Host "This step is triggered manually or by a published release."
           }
           else
           {
             ./get-versions.ps1 -PackageVersion ${{ env.PACKAGE_VERSION }} -StandardVersion ${{ matrix.StandardVersion }} -ExtensionVersion ${{ matrix.ExtensionVersion }} -PreRelease
-            ./build-images.ps1 -Push -PackageVersion ${{ env.PACKAGE_VERSION }} -Patch ${{ github.run_number }} -PreRelease
+            ./Invoke-Build.ps1 -Push -PackageVersion ${{ env.PACKAGE_VERSION }} -Patch ${{ github.run_number }} -PreRelease  -ImageName ${{ matrix.dockerfile.name }} -Path ${{ matrix.dockerfile.path }}
           }
         working-directory: Docker
         shell: pwsh
diff --git a/Docker/build-images.ps1 → Docker/Invoke-Build.ps1 b/Docker/build-images.ps1 → Docker/Invoke-Build.ps1
@@ -22,7 +22,7 @@
     SandboxAdmin: https://dev.azure.com/ed-fi-alliance/Ed-Fi-Alliance-OSS/_artifacts/feed/EdFi/NuGet/EdFi.Suite3.Ods.SandboxAdmin/overview/
 .EXAMPLE
     # Override to apply a custom image repository base name as an alternative to "edfialliance"
-    ./build-images.ps1 -TagBase MyName
+    ./Invoke-Build.ps1 -TagBase MyName
 
     # Result: creates images with tags like "MyName/ods-api-web-api:7.1.15"
 #>
@@ -104,7 +104,15 @@ param (
 
     [Parameter()]
     [string]
-    $ExtensionVersion = $env:EXTENSION_VERSION
+    $ExtensionVersion = $env:EXTENSION_VERSION,
+
+    [Parameter(Mandatory=$true)]
+    [string]
+    $ImageName,
+
+    [Parameter(Mandatory=$true)]
+    [string]
+    $Path  
 )
 
 $ErrorActionPreference = "Stop"
@@ -113,6 +121,29 @@ $ErrorActionPreference = "Stop"
 $semVer = "$PackageVersion.$Patch"
 $major = $($PackageVersion -split "\.")[0]
 
+$BuildArgs = ""
+
+if ($ImageName -eq "ods-api-db-admin") {
+    $BuildArgs = "--build-arg ADMIN_VERSION=$AdminVersion --build-arg SECURITY_VERSION=$SecurityVersion --build-arg STANDARD_VERSION=$StandardVersion"
+}
+elseif ($ImageName -eq "ods-api-db-ods-minimal") {
+    $BuildArgs = "--build-arg ODS_VERSION=$MinimalVersion --build-arg TPDM_VERSION=$TpdmMinimalVersion --build-arg STANDARD_VERSION=$StandardVersion --build-arg EXTENSION_VERSION=$ExtensionVersion"
+}
+elseif ($ImageName -eq "ods-api-db-ods-sandbox") {
+    $BuildArgs = "--build-arg ODS_MINIMAL_VERSION=$MinimalVersion --build-arg ODS_POPULATED_VERSION=$PopulatedVersion --build-arg TPDM_MINIMAL_VERSION=$TpdmMinimalVersion --build-arg TPDM_POPULATED_VERSION=$TpdmPopulatedVersion --build-arg STANDARD_VERSION=$StandardVersion --build-arg EXTENSION_VERSION=$ExtensionVersion"
+}
+elseif ($ImageName -eq "ods-api-web-api") {
+    # Add more conditions as needed
+    $BuildArgs = "--build-arg API_VERSION=$ApiVersion --build-arg STANDARD_VERSION=$StandardVersion"
+}
+elseif ($ImageName -eq "ods-api-swaggerui") {
+    $BuildArgs = "--build-arg SWAGGER_VERSION=$SwaggerVersion"
+}
+elseif ($ImageName -eq "ods-api-web-sandbox-admin") {
+    $BuildArgs = "--build-arg SANDBOX_VERSION=$SandboxVersion"
+}
+
+
 function Write-Message {
     param(
         [Parameter(Mandatory=$true)]
@@ -125,20 +156,8 @@ function Write-Message {
     $host.UI.RawUI.ForegroundColor = $default
 }
 
-function Invoke-Build {
-    param(
-        [Parameter(Mandatory=$true)]
-        [string]
-        $ImageName,
-
-        [Parameter(Mandatory=$true)]
-        [string]
-        $Path,
-
-        [string]
-        $BuildArgs
-    )
 
+function Invoke-Build {
     $mssql = ""
     if ($Path.EndsWith("mssql")) {
         $mssql = "-mssql"
@@ -177,28 +196,4 @@ function Invoke-Build {
     Pop-Location
 }
 
-# Note: "gateway" is for local testing only and therefore should not be included in this script.
-
-Invoke-Build -ImageName ods-api-db-admin -Path alpine/pgsql `
-    -BuildArgs "--build-arg ADMIN_VERSION=$AdminVersion --build-arg SECURITY_VERSION=$SecurityVersion --build-arg STANDARD_VERSION=$StandardVersion"
-
-Invoke-Build -ImageName ods-api-db-ods-minimal -Path alpine/pgsql `
-    -BuildArgs "--build-arg ODS_VERSION=$MinimalVersion --build-arg TPDM_VERSION=$TpdmMinimalVersion --build-arg STANDARD_VERSION=$StandardVersion --build-arg EXTENSION_VERSION=$ExtensionVersion"
-
-Invoke-Build -ImageName ods-api-db-ods-sandbox -Path alpine/pgsql `
-    -BuildArgs "--build-arg ODS_MINIMAL_VERSION=$MinimalVersion --build-arg ODS_POPULATED_VERSION=$PopulatedVersion --build-arg TPDM_MINIMAL_VERSION=$TpdmMinimalVersion --build-arg TPDM_POPULATED_VERSION=$TpdmPopulatedVersion --build-arg STANDARD_VERSION=$StandardVersion --build-arg EXTENSION_VERSION=$ExtensionVersion"
-
-Invoke-Build -ImageName ods-api-web-api -Path alpine/pgsql `
-    -BuildArgs "--build-arg API_VERSION=$ApiVersion --build-arg STANDARD_VERSION=$StandardVersion"
-
-Invoke-Build -ImageName ods-api-web-api -Path alpine/mssql `
-    -BuildArgs "--build-arg API_VERSION=$ApiVersion --build-arg STANDARD_VERSION=$StandardVersion"
-
-Invoke-Build -ImageName ods-api-swaggerui -Path alpine `
-    -BuildArgs "--build-arg SWAGGER_VERSION=$SwaggerVersion"
-
-Invoke-Build -ImageName ods-api-web-sandbox-admin -Path alpine/mssql `
-    -BuildArgs "--build-arg SANDBOX_VERSION=$SandboxVersion"
-
-Invoke-Build -ImageName ods-api-web-sandbox-admin -Path alpine/pgsql `
-    -BuildArgs "--build-arg SANDBOX_VERSION=$SandboxVersion"
+Invoke-Build