IT-3421: Add vulnerability scanning to repo

.github/workflows/docker_build_push.yml

@@ -1,4 +1,9 @@
 ---
+#
+# This workflow builds a Docker image and passes it to Trivy for
+# vulnerability scanning, only publishing it to ghrc.io if
+# the scan passes.
+#
 name: Build and publish a Docker image
 
 on:
@@ -9,39 +14,87 @@ on:
         type: string
 
 env:
-  REGISTRY: ghcr.io
   IMAGE_PATH: ghcr.io/${{ github.repository }}-${{ inputs.NOTEBOOK_TYPE }}
+  TARFILE_NAME: ${{ inputs.NOTEBOOK_TYPE }}-image.tar
 
 jobs:
-  build-and-push-image:
+  build:
     runs-on: ubuntu-latest
     permissions:
       contents: read
-      packages: write
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v2
-
-      - name: Log in to the Container registry
-        uses: docker/[email protected]
-        with:
-          registry: ${{ env.REGISTRY }}
-          username: ${{ github.actor }}
-          password: ${{ secrets.GITHUB_TOKEN }}
+        uses: actions/checkout@v4
 
       - name: Extract metadata (tags, labels) for Docker
         id: meta
         uses: docker/[email protected]
         with:
           images: ${{ env.IMAGE_PATH }}
+          tags: |
+            type=ref,event=branch
+            type=ref,event=pr
+            type=semver,pattern={{version}} # major.minor.patch
+            type=semver,pattern={{major}}.{{minor}}
 
-      - name: Build and push Docker image
-        uses: docker/build-push-action@v3.2.0
+      - name: Build Docker image for scanning, but don't push to ghcr.io yet
+        uses: docker/build-push-action@v6.4.0
         with:
           context: .
           build-args: notebook_type=${{ inputs.NOTEBOOK_TYPE }}
-          push: true
+          push: false
+          outputs: type=tar,dest=${{ env.TARFILE_NAME }}
           tags: ${{ steps.meta.outputs.tags }}
           labels: ${{ steps.meta.outputs.labels }}
+
+      - name: Upload tarball for use by Trivy job
+        uses: actions/upload-artifact@v4
+        with:
+          name: ${{ env.TARFILE_NAME }}
+          path: ${{ env.TARFILE_NAME }}
+
+    outputs:
+      tags: ${{ steps.meta.outputs.tags }}
+      tarfile_artifact: ${{ env.TARFILE_NAME }}
+
+  trivy-scan:
+    needs: build
+    uses: "./.github/workflows/trivy.yml"
+    with:
+      NOTEBOOK_TYPE: ${{ inputs.NOTEBOOK_TYPE }}
+      SOURCE_TYPE: tar
+      IMAGE_NAME: ${{ needs.build.outputs.tags }}
+      TARFILE_NAME: ${{ needs.build.outputs.tarfile_artifact }}
+      EXIT_CODE: 1
+
+  push-image:
+    needs: [build, trivy-scan]
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
+
+    steps:
+      - name: Download tar file
+        id: tar-download
+        uses: actions/download-artifact@v4
+        with:
+          name: ${{ env.TARFILE_NAME }}
+          path: /tmp
+
+      - name: Load Docker image from tar
+        run: cat
+          ${{ steps.tar-download.outputs.download-path}}/${{ env.TARFILE_NAME}}
+          | docker import - ${{ needs.build.outputs.tags }}
+
+      - name: Login to GitHub Container Registry
+        uses: docker/login-action@v2
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Push Docker image
+        run: docker push ${{ needs.build.outputs.tags }}
 ...

.github/workflows/main.yml

@@ -22,10 +22,11 @@ jobs:
         uses: pre-commit/[email protected]
 
       - name: Build Docker Image
-        uses: docker/build-push-action@v3.2.0
+        uses: docker/build-push-action@v6.4.0
         with:
           context: .
           build-args: notebook_type=jupyter
+          push: false
 
       - name: Install dependencies
         run: pip install -r requirements.txt -r requirements-dev.txt

.github/workflows/trivy.yml

@@ -0,0 +1,87 @@
+---
+#
+# This workflow runs Trivy on a Docker image
+# It can pull the image from a container registry
+# or download a tar file.  The latter is used
+# to check a container image prior to publishing
+# to the registry.
+
+name: Run Trivy on a Docker image and push results to GitHub
+
+on:
+  workflow_call:
+    inputs:
+      NOTEBOOK_TYPE:
+        required: true
+        type: string
+      SOURCE_TYPE: # 'tar' or 'image'
+        required: true
+        type: string
+      TARFILE_NAME: # only used if SOURCE_TYPE=='tar'
+        required: false
+        type: string
+      IMAGE_NAME:
+        required: true
+        type: string
+      EXIT_CODE:
+        required: false
+        type: number
+
+env:
+  sarif_file_name: trivy-results-${{ inputs.NOTEBOOK_TYPE  }}.sarif
+
+jobs:
+  trivy:
+    name: Trivy-${{ inputs.NOTEBOOK_TYPE  }}
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      security-events: write
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Download tar file
+        id: tar-download
+        uses: actions/download-artifact@v4
+        if: ${{ inputs.SOURCE_TYPE == 'tar' }}
+        with:
+          name: ${{ inputs.TARFILE_NAME }}
+          path: /tmp
+
+      - name: load docker image from tar file
+        if: ${{ inputs.SOURCE_TYPE == 'tar' }}
+        run: cat ${{ steps.tar-download.outputs.download-path
+          }}/${{ inputs.TARFILE_NAME
+          }} | docker import - ${{ inputs.IMAGE_NAME }}
+
+      - name: Run Trivy vulnerability scanner for any major issues
+        uses: aquasecurity/[email protected]
+        id: trivy
+        with:
+          image-ref: ${{ inputs.IMAGE_NAME }}
+          ignore-unfixed: true # skip vul'ns for which there is no fix
+          # list files to skip, each with a justification
+          skip-files: |
+            /etc/ssl/private/ssl-cert-snakeoil.key
+          # ssl-cert-snakeoil.key is req'd by the ssl package.
+          severity: 'CRITICAL,HIGH'
+          format: 'sarif'
+          # only output findings for configured severities
+          limit-severities-for-sarif: true
+          output: ${{ env.sarif_file_name  }}
+          exit-code: ${{ inputs.EXIT_CODE }}
+
+      - name: Upload Trivy scan results to GitHub Security tab
+        uses: github/codeql-action/[email protected]
+        # This is the recommended way to upload scan results
+        # after Trivy exits with HIGH/CRITICAL findings
+        # See https://github.com/aquasecurity/trivy-action?\
+        # tab=readme-ov-file#using-trivy-with-github-code-scanning
+        if: ${{ success() || steps.trivy.conclusion=='failure' }}
+        with:
+          sarif_file: ${{ env.sarif_file_name  }}
+          category: ${{ inputs.NOTEBOOK_TYPE }}
+          wait-for-processing: true
+...

.github/workflows/trivy_periodic_image_scan.yml

@@ -0,0 +1,29 @@
+---
+#
+# This workflow scans the published container images
+# for new vulnerabilities daily, publishing findings.
+# Findings will be associated with the 'main' branch
+# of the repo' in the GitHub Security tab.
+#
+name: Trivy Periodic Image Scan
+
+on:
+  schedule:
+    # run daily
+    - cron: "0 0 * * *"
+
+jobs:
+  trivy-matrix:
+    name: ${{ matrix.notebook_type }}
+    strategy:
+      matrix:
+        notebook_type:
+          - jupyter
+          - rstudio
+    uses: "./.github/workflows/trivy.yml"
+    with:
+      NOTEBOOK_TYPE: ${{ matrix.notebook_type }}
+      SOURCE_TYPE: image
+      IMAGE_NAME: ghcr.io/${{ github.repository
+        }}-${{ matrix.notebook_type }}:main
+...

.trivyignore

@@ -0,0 +1,12 @@
+#
+# List vulnerabilities flagged by Trivy but for which
+# the affected code is not used or the risk is acceptable.
+# Enter the ID of the vulnerability along with the
+# justification as comment, for example:
+#
+# # Accept the risk
+# CVE-2018-14618
+#
+# More here:
+# https://aquasecurity.github.io/trivy/v0.22.0/vulnerability/examples/filter/
+#

README.md

@@ -103,3 +103,20 @@ docker run -d --name ${NOTEBOOK_CONTAINER_NAME} \
 ${DOCKER_IMAGE}
 
 ```
+
+
+## Security
+
+Trivy is run on each built container and they will not be published
+to `ghcr.io` if any CRITICAL or HIGH
+vulnerabilites are found.  Trivy is also run daily to check for new
+vulnerabilities in existing images.  So periodic review of new findings
+is needed:  Go to the Security tab in GitHub, select Code Scanning at left,
+and then select Branch > Main to check for new findings.  To suppress
+false positives, either:
+
+- Enter the CVE in `.trivyignore`, or
+
+- Enter the file to skip while scanning in the `trivy.yml` workflow.
+
+In either case, add a comment justifying why the finding is suppressd.