Scan images using Trivy (#685)

* Scan images using Trivy

* use python 3.12 base image

python 3.12.4 did not work, which is why the version was pinned to 3.12.3.
However, the most recent python 3.12 version should work again.

* continue to build and scan images after one build / scan fails

e.g. when python 3.10 is vulnerable and fails, we still want to scan 3.11 and 3.12.


* add trivy config and ignore file

Author: P4sca1

.github/workflows/ci.yml

@@ -95,8 +95,9 @@ jobs:
 
   containerbuild:
     strategy:
+      fail-fast: false
       matrix:
-        python-version: ["3.10", "3.11", "3.12.3"]
+        python-version: ["3.10", "3.11", "3.12"]
 
     runs-on: ubuntu-latest
     steps:
@@ -111,7 +112,7 @@ jobs:
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
 
-      - name: Build and export to Docker
+      - name: Build image and export to Docker
         uses: docker/build-push-action@v6
         with:
           context: .
@@ -122,17 +123,46 @@ jobs:
           tags: |
             ghcr.io/fkie-cad/logprep:py${{ matrix.python-version }}-${{ github.head_ref }}
 
-      - name: Test
+      - name: Ensure logprep is available in image
         run: |
           docker run --rm ghcr.io/fkie-cad/logprep:py${{ matrix.python-version }}-${{ github.head_ref }} --version
-
-      - name: Build images
+  
+      # This step will build the image again, but every layer will already be cached, so it is nearly instantaneous.
+      - name: Push image
         uses: docker/build-push-action@v5
         with:
           context: .
-          push: true # Will only build if this is not here
+          push: true
           build-args: |
             LOGPREP_VERSION=dev
             PYTHON_VERSION=${{ matrix.python-version }}
           tags: |
             ghcr.io/fkie-cad/logprep:py${{ matrix.python-version }}-${{ github.head_ref }}
+  
+      # To avoid the trivy-db becoming outdated, we save the cache for one day
+      - name: Get date
+        id: date
+        run: echo "date=$(date +%Y-%m-%d)" >> $GITHUB_OUTPUT
+
+      - name: Restore trivy cache
+        uses: actions/cache@v4
+        with:
+          path: cache/db
+          key: trivy-cache-${{ steps.date.outputs.date }}
+          restore-keys:
+            trivy-cache-
+      
+      - name: Scan image using Trivy
+        uses: aquasecurity/[email protected]
+        env:
+          TRIVY_CACHE_DIR: ./cache
+        with:
+          scan-type: image
+          image-ref: ghcr.io/fkie-cad/logprep:py${{ matrix.python-version }}-${{ github.head_ref }}
+          trivy-config: trivy.yaml
+
+      # Trivy-db uses `0600` permissions.
+      # But `action/cache` use `runner` user by default
+      # So we need to change the permissions before caching the database.
+      - name: Change permissions for trivy.db
+        run: sudo chmod 0644 ./cache/db/trivy.db

.github/workflows/publish-latest-dev-release-to-pypi.yml

@@ -49,7 +49,7 @@ jobs:
   containerbuild:
     strategy:
       matrix:
-        python-version: ["3.10", "3.11", "3.12.3"]
+        python-version: ["3.10", "3.11", "3.12"]
 
     runs-on: ubuntu-latest
     steps:

.github/workflows/publish-release-to-pypi.yml

@@ -62,7 +62,7 @@ jobs:
   containerbuild:
     strategy:
       matrix:
-        python-version: ["3.10", "3.11", "3.12.3"]
+        python-version: ["3.10", "3.11", "3.12"]
 
     runs-on: ubuntu-latest
     needs: publish-latest-release-to-pypi

.github/workflows/testing.yml

@@ -14,7 +14,7 @@ jobs:
     runs-on: ubuntu-22.04
     strategy:
       matrix:
-        python-version: ["3.10", "3.11", "3.12.3"]
+        python-version: ["3.10", "3.11", "3.12"]
         test-type: ["unit", "acceptance"]
     steps:
       - uses: actions/checkout@v4

.trivyignore

@@ -0,0 +1,2 @@
+# Ignore Python 3.10 CVE that is only fixed in Python 3.11 as long as we still support Python 3.10.
+CVE-2023-36632

trivy.yaml

@@ -0,0 +1,15 @@
+# https://aquasecurity.github.io/trivy/v0.56/docs/references/configuration/config-file/
+format: table
+report: all
+ignorefile: .trivyignore
+exit-code: 1
+severity:
+  - HIGH
+  - CRITICAL
+timeout: 10m
+scan:
+  scanners:
+    - vuln
+    - secret
+vulnerability:
+  ignore-unfixed: true