feat: cache and vulnerabilityscanning setup for container image workf…

…lows (#1276)

* fix cache setup for terraform azdev image workflows

* add cache and vuln scanner to other image pipelines

* update reames and ghrunner base image

* ignore vulns from upstream image

* add trivyignores

---------

Co-authored-by: tjololo <1145298+tjololo@users.noreply.github.com>

.github/workflows/azdevops-agent-pr.yml

@@ -35,7 +35,20 @@ jobs:
         with:
           context: ./infrastructure/images/azure-devops-agent
           push: false
+          load: true
           platforms: linux/amd64
-          tags: ${{ github.repository }}/azure-devops-agent:test
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
+          tags: azure-devops-agent:test
         env:
           SOURCE_DATE_EPOCH: ${{ env.TIMESTAMP }}
+      - name: Scan with trivy
+        uses: aquasecurity/trivy-action@0.29.0
+        with:
+          image-ref: azure-devops-agent:test
+          format: table
+          exit-code: 1
+          ignore-unfixed: true
+          trivyignores: ./infrastructure/images/azure-devops-agent/.trivyignore
+          vuln-type: os,library
+          severity: HIGH,CRITICAL

.github/workflows/azdevops-agent-release.yml

@@ -35,10 +35,35 @@ jobs:
       - name: Build and push
         id: docker_build
         uses: docker/build-push-action@v6
+        with:
+          context: ./infrastructure/images/azure-devops-agent
+          push: false
+          load: true
+          platforms: linux/amd64
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
+          tags: ghcr.io/${{ steps.vars.outputs.reponame }}/azure-devops-agent:v${{ steps.vars.outputs.version }}
+        env:
+          SOURCE_DATE_EPOCH: ${{ env.TIMESTAMP }}
+      - name: Run Trivy vulnerability scanner
+        uses: aquasecurity/trivy-action@0.29.0
+        with:
+          image-ref: ghcr.io/${{ steps.vars.outputs.reponame }}/azure-devops-agent:v${{ steps.vars.outputs.version }}
+          format: 'table'
+          exit-code: '1'
+          ignore-unfixed: true
+          trivyignores: ./infrastructure/images/azure-devops-agent/.trivyignore
+          vuln-type: 'os,library'
+          severity: 'CRITICAL,HIGH'
+      - name: Push
+        id: docker_push
+        uses: docker/build-push-action@v6
         with:
           context: ./infrastructure/images/azure-devops-agent
           push: true
           platforms: linux/amd64
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
           tags: ghcr.io/${{ steps.vars.outputs.reponame }}/azure-devops-agent:v${{ steps.vars.outputs.version }}
         env:
           SOURCE_DATE_EPOCH: ${{ env.TIMESTAMP }}

.github/workflows/gh-runner-pr.yml

@@ -41,7 +41,20 @@ jobs:
         with:
           context: ./infrastructure/images/gh-runner
           push: false
-          platforms: linux/amd64,linux/arm64
-          tags: ${{ github.repository }}/gh-runner:test
+          load: true
+          platforms: linux/amd64
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
+          tags: gh-runner:test
         env:
           SOURCE_DATE_EPOCH: ${{ env.TIMESTAMP }}
+      - name: Scan with trivy
+        uses: aquasecurity/trivy-action@0.29.0
+        with:
+          image-ref: gh-runner:test
+          format: table
+          exit-code: 1
+          ignore-unfixed: true
+          trivyignores: ./infrastructure/images/gh-runner/.trivyignore
+          vuln-type: os,library
+          severity: HIGH,CRITICAL

.github/workflows/gh-runner-release.yml

@@ -35,10 +35,35 @@ jobs:
       - name: Build and push
         id: docker_build
         uses: docker/build-push-action@v6
+        with:
+          context: ./infrastructure/images/gh-runner
+          push: false
+          load: true
+          platforms: linux/amd64
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
+          tags: ghcr.io/${{ steps.vars.outputs.reponame }}/gh-runner:v${{ steps.vars.outputs.version }}
+        env:
+          SOURCE_DATE_EPOCH: ${{ env.TIMESTAMP }}
+      - name: Run Trivy vulnerability scanner
+        uses: aquasecurity/trivy-action@0.29.0
+        with:
+          image-ref: ghcr.io/${{ steps.vars.outputs.reponame }}/gh-runner:v${{ steps.vars.outputs.version }}
+          format: 'table'
+          exit-code: '1'
+          ignore-unfixed: true
+          trivyignores: ./infrastructure/images/gh-runner/.trivyignore
+          vuln-type: 'os,library'
+          severity: 'CRITICAL,HIGH'
+      - name: Push
+        id: docker_push
+        uses: docker/build-push-action@v6
         with:
           context: ./infrastructure/images/gh-runner
           push: true
           platforms: linux/amd64,linux/arm64
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
           tags: ghcr.io/${{ steps.vars.outputs.reponame }}/gh-runner:v${{ steps.vars.outputs.version }}
         env:
           SOURCE_DATE_EPOCH: ${{ env.TIMESTAMP }}

.github/workflows/terraform-azdev-agent-pr.yml

@@ -33,6 +33,8 @@ jobs:
           load: true
           platforms: linux/amd64
           tags: terraform-azure-devops-agent:test
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
         env:
           SOURCE_DATE_EPOCH: ${{ env.TIMESTAMP }}
       - name: Scan with trivy

.github/workflows/terraform-azdev-agent-release.yml

@@ -40,8 +40,8 @@ jobs:
           push: false
           load: true
           platforms: linux/amd64
-          cache-from: gha
-          cache-to: gha
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
           tags: ghcr.io/${{ steps.vars.outputs.reponame }}/terraform-azure-devops-agent:v${{ steps.vars.outputs.version }}
         env:
           SOURCE_DATE_EPOCH: ${{ env.TIMESTAMP }}
@@ -62,8 +62,8 @@ jobs:
           context: ./infrastructure/images/terraform-azure-devops-agent
           push: true
           platforms: linux/amd64
-          cache-from: gha
-          cache-to: gha
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
           tags: ghcr.io/${{ steps.vars.outputs.reponame }}/terraform-azure-devops-agent:v${{ steps.vars.outputs.version }}
         env:
           SOURCE_DATE_EPOCH: ${{ env.TIMESTAMP }}

infrastructure/images/azure-devops-agent/README.md

@@ -7,6 +7,8 @@ The image is maintained by the platform team.
 
 The image is meant to be as small and lightweight as possible so we keep the dependencies at a minimum to reduce the maintenance cost.
 
+## Extending
+
 If any team needs a custom image they are free to roll their own or extend this, but they will be responsible for maintaining this image.
 
 Example Dockerfile for an image that in addition to what is available in the base image installs netcat:
@@ -24,3 +26,20 @@ Example Dockerfile for an image that in addition to what is available in the bas
 
 +# Switch back to the runner user for security
  USER runner
+
+```
+
+## Maintenance
+Renovate is enabled on this repository and will automatically create a PR when there is a new version of the base image.
+
+### New trivy alerts
+This image is set up with Trivy to scan for vulnerabilities. If any vulnerabilities are found, the workflow will fail.
+
+#### Managing Vulnerabilities
+1. **False Positives**: If an alert is a false positive, add the CVE ID to `.trivyignore`
+2. **Accepted Risks**: For known risks that have been assessed and accepted:
+   - Add the CVE ID to `.trivyignore`
+   - Add a comment above the CVE explaining:
+     - Why the risk is acceptable
+     - Any mitigating controls in place
+     - When the decision should be reviewed

infrastructure/images/gh-runner/.trivyignore

@@ -0,0 +1,6 @@
+# Backages provided by Github through their runner image. Should be handled upstream.
+CVE-2024-21538
+CVE-2024-45337
+CVE-2024-45338
+CVE-2024-45337
+CVE-2024-45338

infrastructure/images/gh-runner/Dockerfile

@@ -1,4 +1,4 @@
-FROM ghcr.io/actions/actions-runner:2.321.0
+FROM ghcr.io/actions/actions-runner:2.322.0
 # for latest release, see https://github.com/actions/runner/releases
 
 USER root

infrastructure/images/gh-runner/README.md

@@ -3,6 +3,8 @@ Default image used for Altinns self-hosted github runners.
 
 This image is maintained by the platform team.
 
+## Extending
+
 This image is ment to be as small and leightweight as possible so we keep the dependencies at a minum, to reduce the maintenance cost.
 
 If any team needs a custom image they are free to roll their own or extend this, but they will be responsible for maintaining this image.
@@ -21,3 +23,17 @@ RUN apt-get update && apt-get install -y curl jq && \
 USER runner
 ```
 
+## Maintenance
+Renovate is enabled on this repository and will automatically create a PR when there is a new version of the base image.
+
+### New trivy alerts
+This image is set up with Trivy to scan for vulnerabilities. If any vulnerabilities are found, the workflow will fail.
+
+#### Managing Vulnerabilities
+1. **False Positives**: If an alert is a false positive, add the CVE ID to `.trivyignore`
+2. **Accepted Risks**: For known risks that have been assessed and accepted:
+   - Add the CVE ID to `.trivyignore`
+   - Add a comment above the CVE explaining:
+     - Why the risk is acceptable
+     - Any mitigating controls in place
+     - When the decision should be reviewed