Skip to content
Open
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
116 changes: 94 additions & 22 deletions .github/workflows/docker-scan.yml
Original file line number Diff line number Diff line change
Expand Up @@ -135,12 +135,12 @@ jobs:
tags: ${{ matrix.tag }}

# ---------------------------------------------------------------
# Build image and generate SBOM
# FedRAMP compliance validation
# ---------------------------------------------------------------
scan:
fedramp-compliance:
needs: [hadolint]
if: github.event_name == 'merge_group' || github.event_name == 'workflow_dispatch'
name: Security Scan
name: FedRAMP Compliance
runs-on: ubuntu-latest
timeout-minutes: 30

Expand All @@ -153,18 +153,6 @@ jobs:
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3

- name: Build image locally
uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6
with:
context: .
file: Containerfile.lite
platforms: linux/amd64
push: false
load: true
tags: ${{ env.IMAGE_NAME }}:scan
cache-from: type=gha,scope=containerfile-lite-amd64
cache-to: type=gha,mode=max,scope=containerfile-lite-amd64

- name: Build image locally (FIPS enabled)
uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6
with:
Expand Down Expand Up @@ -195,22 +183,105 @@ jobs:
${{ env.IMAGE_NAME }}:fedramp-validate \
-c "$(cat scripts/fedramp-validate.sh)"

- name: Generate SBOM (Syft)
- name: Generate SBOM
uses: anchore/sbom-action@e22c389904149dbc22b58101806040fa8d37a610 # 0.24.0
with:
image: ${{ env.IMAGE_NAME }}:fedramp-validate
output-file: sbom-fedramp.spdx.json

- name: Scan SBOM for vulnerabilities (Grype)
id: scan-fedramp
uses: anchore/scan-action@e1165082ffb1fe366ebaf02d8526e7c4989ea9d2 # 7.4.0
with:
sbom: sbom-fedramp.spdx.json
only-fixed: true
fail-build: true
severity-cutoff: high
cache-db: true
output-format: ${{ github.event_name == 'merge_group' && 'sarif' || 'table' }}

- name: Display SARIF file (merge_group only)
if: always() && github.event_name == 'merge_group'
run: |
docker run --rm \
-v /var/run/docker.sock:/var/run/docker.sock \
-v "${PWD}:/work" \
anchore/syft:v1.42.3 \
"docker:${IMAGE_NAME}:scan" -o spdx-json=/work/sbom.spdx.json
echo "::group::SARIF file contents (FedRAMP)"
cat "${{ steps.scan-fedramp.outputs.sarif }}"
echo "::endgroup::"

- name: Upload SARIF to CodeQL
if: always() && github.event_name == 'merge_group'
uses: github/codeql-action/upload-sarif@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4.36.2
with:
sarif_file: "${{ steps.scan-fedramp.outputs.sarif }}"
category: fedramp-fips

- name: Upload SBOM
uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
with:
name: sbom-fedramp
path: sbom-fedramp.spdx.json
retention-days: 30

# ---------------------------------------------------------------
# Build image and generate SBOM
# ---------------------------------------------------------------
scan:
needs: [hadolint]
if: github.event_name == 'merge_group' || github.event_name == 'workflow_dispatch'
name: Security Scan
runs-on: ubuntu-latest
timeout-minutes: 30

steps:
- name: Checkout code
uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
with:
persist-credentials: false

- name: Set up Docker Buildx
uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3

- name: Build image locally
uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6
with:
context: .
file: Containerfile.lite
platforms: linux/amd64
push: false
load: true
tags: ${{ env.IMAGE_NAME }}:scan
cache-from: type=gha,scope=containerfile-lite-amd64
cache-to: type=gha,mode=max,scope=containerfile-lite-amd64

- name: Generate SBOM
uses: anchore/sbom-action@e22c389904149dbc22b58101806040fa8d37a610 # 0.24.0
with:
image: ${{ env.IMAGE_NAME }}:scan
output-file: sbom.spdx.json

- name: Scan SBOM for vulnerabilities (Grype)
uses: anchore/scan-action@e1165082ffb1fe366ebaf02d8526e7c4989ea9d2 # v7.4.0
id: scan
with:
sbom: sbom.spdx.json
only-fixed: true
fail-build: true
severity-cutoff: high
cache-db: true
output-format: ${{ github.event_name == 'merge_group' && 'sarif' || 'table' }}

- name: Display SARIF file (merge_group only)
if: always() && github.event_name == 'merge_group'
run: |
echo "::group::SARIF file contents"
cat "${{ steps.scan.outputs.sarif }}"
echo "::endgroup::"

- name: Upload SARIF to CodeQL
if: always() && github.event_name == 'merge_group'
uses: github/codeql-action/upload-sarif@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4.36.2
with:
sarif_file: "${{ steps.scan.outputs.sarif }}"
category: standard

- name: Upload SBOM
uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
Expand All @@ -232,7 +303,7 @@ jobs:
# ---------------------------------------------------------------
docker-scan-complete:
name: Docker Scan Complete
needs: [hadolint, container-smoke, scan]
needs: [hadolint, container-smoke, fedramp-compliance, scan]
runs-on: ubuntu-slim
if: always()
steps:
Expand All @@ -241,6 +312,7 @@ jobs:
results=(
"${{ needs.hadolint.result }}"
"${{ needs.container-smoke.result }}"
"${{ needs.fedramp-compliance.result }}"
"${{ needs.scan.result }}"
)
failed=0
Expand Down
8 changes: 5 additions & 3 deletions Containerfile.lite
Original file line number Diff line number Diff line change
Expand Up @@ -47,9 +47,9 @@ ARG ENABLE_PROFILING=false
# --build-arg NODEJS_IMAGE=<internal-registry>/ubi9/nodejs-20:latest \
# --build-arg UBI_MINIMAL=<internal-registry>/ubi9/ubi-minimal:latest \
# .
ARG UBI_BASE=registry.access.redhat.com/ubi10:1781510254
ARG NODEJS_IMAGE=registry.access.redhat.com/ubi10/nodejs-24:1781700998
ARG UBI_MINIMAL=registry.access.redhat.com/ubi10/ubi-minimal:1781509581
ARG UBI_BASE=registry.access.redhat.com/ubi10/ubi:1782798870
ARG NODEJS_IMAGE=registry.access.redhat.com/ubi10/nodejs-24:1782869136
ARG UBI_MINIMAL=registry.access.redhat.com/ubi10/ubi-minimal:1782799082
# Wheel closure stage — used only for s390x and ppc64le where PyPI manylinux
# binary wheels are unavailable (tiktoken/psycopg/cryptography require native
# compilation, and psycopg-binary has no s390x wheel at all).
Expand Down Expand Up @@ -530,3 +530,5 @@ HEALTHCHECK --interval=30s --timeout=10s --start-period=60s --retries=3 \
# docker run -e HTTP_SERVER=granian mcpgateway # Alternative
ENV HTTP_SERVER=gunicorn
CMD ["./docker-entrypoint.sh"]

# vim: ft=dockerfile
Loading