diff --git a/.github/workflows/azdevops-agent-pr.yml b/.github/workflows/azdevops-agent-pr.yml
index b0e2f7c5..cd67d00e 100644
--- a/.github/workflows/azdevops-agent-pr.yml
+++ b/.github/workflows/azdevops-agent-pr.yml
@@ -35,7 +35,20 @@ jobs:
with:
context: ./infrastructure/images/azure-devops-agent
push: false
+ load: true
platforms: linux/amd64
- tags: ${{ github.repository }}/azure-devops-agent:test
+ cache-from: type=gha
+ cache-to: type=gha,mode=max
+ tags: azure-devops-agent:test
env:
SOURCE_DATE_EPOCH: ${{ env.TIMESTAMP }}
+ - name: Scan with trivy
+ uses: aquasecurity/trivy-action@0.29.0
+ with:
+ image-ref: azure-devops-agent:test
+ format: table
+ exit-code: 1
+ ignore-unfixed: true
+ trivyignores: ./infrastructure/images/azure-devops-agent/.trivyignore
+ vuln-type: os,library
+ severity: HIGH,CRITICAL
\ No newline at end of file
diff --git a/.github/workflows/azdevops-agent-release.yml b/.github/workflows/azdevops-agent-release.yml
index 6f427683..d63b5353 100644
--- a/.github/workflows/azdevops-agent-release.yml
+++ b/.github/workflows/azdevops-agent-release.yml
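Review bot: `uses: aquasecurity/trivy-action@0.29.0` pins a mutable tag rather than a commit, so the scanner that gates this PR workflow can change without any diff here; the same applies to every trivy-action step in this commit (azdevops-agent-release, gh-runner-pr, gh-runner-release). GitHub's hardening guidance is to pin third-party actions to a full-length commit SHA and keep the version in a trailing comment, e.g. `uses: aquasecurity/trivy-action@<full commit SHA of the 0.29.0 release>  # v0.29.0`. Separately, `ignore-unfixed: true` together with `exit-code: 1` means HIGH/CRITICAL findings that have no upstream fix yet are dropped from the table entirely, not merely made non-blocking; that is a defensible choice for a gate but deserves a comment on the step, e.g. `# ignore-unfixed: only findings with an available fix fail the build`. Style: `format: table` and `exit-code: 1` are plain scalars here while the release workflows quote them (`'table'`, `'1'`); pick one form across the four workflows.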
@@ -35,10 +35,35 @@ jobs: - name: Build and push
id: docker_build
uses: docker/build-push-action@v6
+ with:
+ context: ./infrastructure/images/azure-devops-agent
+ push: false
+ load: true
+ platforms: linux/amd64
+ cache-from: type=gha
+ cache-to: type=gha,mode=max
+ tags: ghcr.io/${{ steps.vars.outputs.reponame }}/azure-devops-agent:v${{ steps.vars.outputs.version }}
+ env:
+ SOURCE_DATE_EPOCH: ${{ env.TIMESTAMP }}
+ - name: Run Trivy vulnerability scanner
+ uses: aquasecurity/trivy-action@0.29.0
+ with:
+ image-ref: ghcr.io/${{ steps.vars.outputs.reponame }}/azure-devops-agent:v${{ steps.vars.outputs.version }}
+ format: 'table'
+ exit-code: '1'
+ ignore-unfixed: true
+ trivyignores: ./infrastructure/images/azure-devops-agent/.trivyignore
+ vuln-type: 'os,library'
+ severity: 'CRITICAL,HIGH'
+ - name: Push
+ id: docker_push
+ uses: docker/build-push-action@v6
with:
context: ./infrastructure/images/azure-devops-agent
push: true
platforms: linux/amd64
+ cache-from: type=gha
+ cache-to: type=gha,mode=max
tags: ghcr.io/${{ steps.vars.outputs.reponame }}/azure-devops-agent:v${{ steps.vars.outputs.version }}
env:
SOURCE_DATE_EPOCH: ${{ env.TIMESTAMP }}
diff --git a/.github/workflows/gh-runner-pr.yml b/.github/workflows/gh-runner-pr.yml
index 54854940..5327d564 100644
--- a/.github/workflows/gh-runner-pr.yml
+++ b/.github/workflows/gh-runner-pr.yml
@@ -41,7 +41,20 @@ jobs:
with:
context: ./infrastructure/images/gh-runner
push: false
- platforms: linux/amd64,linux/arm64
- tags: ${{ github.repository }}/gh-runner:test
+ load: true
+ platforms: linux/amd64
+ cache-from: type=gha
+ cache-to: type=gha,mode=max
+ tags: gh-runner:test
env:
SOURCE_DATE_EPOCH: ${{ env.TIMESTAMP }}
+ - name: Scan with trivy
+ uses: aquasecurity/trivy-action@0.29.0
+ with:
+ image-ref: gh-runner:test
+ format: table
+ exit-code: 1
+ ignore-unfixed: true
+ trivyignores: ./infrastructure/images/gh-runner/.trivyignore
+ vuln-type: os,library
+ severity: HIGH,CRITICAL
\ No newline at end of file
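Review bot: The `Push` step re-runs docker/build-push-action instead of pushing the image the Trivy step just scanned, so what lands on ghcr.io is only the scanned artefact if the second build is a full cache hit via `cache-from: type=gha`; a cache eviction or a base tag that moved between the two steps would publish an image that never passed the gate. Pushing the already-loaded tag in a `run:` step (`docker push ghcr.io/${{ steps.vars.outputs.reponame }}/azure-devops-agent:v${{ steps.vars.outputs.version }}`), or failing the job when the `digest` outputs of `docker_build` and `docker_push` differ (if that output is populated for a loaded image), would close the gap. Note also that `id: docker_build` now sits on the non-pushing step, so anything later in the job that reads `steps.docker_build.outputs.digest` gets the local image's digest; I can't see the rest of the job to confirm whether anything does. The same build/scan/rebuild structure is introduced in gh-runner-release.yml.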
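Review bot: `platforms: linux/amd64` drops `linux/arm64` from the PR build, so pull requests no longer verify that the Dockerfile builds for the arm64 variant the release workflow still pushes (`linux/amd64,linux/arm64` in gh-runner-release.yml); a change that only breaks on arm64 is now first noticed at release time. The single platform looks forced by `load: true`, since the docker exporter cannot load a multi-platform result, so a comment explaining the narrowing would help the next reader, e.g. `# load: true needs a single platform; arm64 is built only at release`. If arm64 build coverage on PRs matters, a second build step for `linux/arm64` with `push: false` and no `load` would restore it at the cost of emulation time.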
diff --git a/.github/workflows/gh-runner-release.yml b/.github/workflows/gh-runner-release.yml
index 907096ec..f31d0814 100644
--- a/.github/workflows/gh-runner-release.yml
+++ b/.github/workflows/gh-runner-release.yml
@@ -35,10 +35,35 @@ jobs: - name: Build and push
id: docker_build
uses: docker/build-push-action@v6
+ with:
+ context: ./infrastructure/images/gh-runner
+ push: false
+ load: true
+ platforms: linux/amd64
+ cache-from: type=gha
+ cache-to: type=gha,mode=max
+ tags: ghcr.io/${{ steps.vars.outputs.reponame }}/gh-runner:v${{ steps.vars.outputs.version }}
+ env:
+ SOURCE_DATE_EPOCH: ${{ env.TIMESTAMP }}
+ - name: Run Trivy vulnerability scanner
+ uses: aquasecurity/trivy-action@0.29.0
+ with:
+ image-ref: ghcr.io/${{ steps.vars.outputs.reponame }}/gh-runner:v${{ steps.vars.outputs.version }}
+ format: 'table'
+ exit-code: '1'
+ ignore-unfixed: true
+ trivyignores: ./infrastructure/images/gh-runner/.trivyignore
+ vuln-type: 'os,library'
+ severity: 'CRITICAL,HIGH'
+ - name: Push
+ id: docker_push
+ uses: docker/build-push-action@v6
with:
context: ./infrastructure/images/gh-runner
push: true
platforms: linux/amd64,linux/arm64
+ cache-from: type=gha
+ cache-to: type=gha,mode=max
tags: ghcr.io/${{ steps.vars.outputs.reponame }}/gh-runner:v${{ steps.vars.outputs.version }}
env:
SOURCE_DATE_EPOCH: ${{ env.TIMESTAMP }}
diff --git a/.github/workflows/terraform-azdev-agent-pr.yml b/.github/workflows/terraform-azdev-agent-pr.yml
index 2f420fee..e0ddceb2 100644
--- a/.github/workflows/terraform-azdev-agent-pr.yml
+++ b/.github/workflows/terraform-azdev-agent-pr.yml
@@ -33,6 +33,8 @@ jobs:
load: true
platforms: linux/amd64
tags: terraform-azure-devops-agent:test
+ cache-from: type=gha
+ cache-to: type=gha,mode=max
env:
SOURCE_DATE_EPOCH: ${{ env.TIMESTAMP }} - name: Scan with trivy
diff --git a/.github/workflows/terraform-azdev-agent-release.yml b/.github/workflows/terraform-azdev-agent-release.yml
index 7085d7f3..1f94cefc 100644
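Review bot: Only the `linux/amd64` image is loaded and scanned, but the `Push` step publishes `linux/amd64,linux/arm64`, so the arm64 variant reaches ghcr.io without ever passing the Trivy gate; the OS package set is usually the same across both, but arch-specific layers or downloaded binaries can differ. Either scan the arm64 image too (build and load it in a separate step, or scan the pushed manifest per platform) or record the gap next to the step, e.g. `# Trivy covers the amd64 image only; the arm64 variant is pushed unscanned`. The rebuild-instead-of-push concern raised on azdevops-agent-release.yml applies to the `Push` step here as well.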
--- a/.github/workflows/terraform-azdev-agent-release.yml
+++ b/.github/workflows/terraform-azdev-agent-release.yml
@@ -40,8 +40,8 @@ jobs:
push: false
load: true
platforms: linux/amd64
- cache-from: gha
- cache-to: gha
+ cache-from: type=gha
+ cache-to: type=gha,mode=max
tags: ghcr.io/${{ steps.vars.outputs.reponame }}/terraform-azure-devops-agent:v${{ steps.vars.outputs.version }}
env:
SOURCE_DATE_EPOCH: ${{ env.TIMESTAMP }}
@@ -62,8 +62,8 @@ jobs:
context: ./infrastructure/images/terraform-azure-devops-agent
push: true
platforms: linux/amd64
- cache-from: gha
- cache-to: gha
+ cache-from: type=gha
+ cache-to: type=gha,mode=max
tags: ghcr.io/${{ steps.vars.outputs.reponame }}/terraform-azure-devops-agent:v${{ steps.vars.outputs.version }}
env:
SOURCE_DATE_EPOCH: ${{ env.TIMESTAMP }}
\ No newline at end of file
diff --git a/infrastructure/images/azure-devops-agent/.trivyignore b/infrastructure/images/azure-devops-agent/.trivyignore
new file mode 100644
index 00000000..e69de29b
diff --git a/infrastructure/images/azure-devops-agent/README.md b/infrastructure/images/azure-devops-agent/README.md
index 988cb5ec..d0665b11 100644
--- a/infrastructure/images/azure-devops-agent/README.md
+++ b/infrastructure/images/azure-devops-agent/README.md
@@ -7,6 +7,8 @@ The image is maintained by the platform team. The image is meant to be as small and lightweight as possible so we keep the dependencies at a minimum to reduce the maintenance cost.
+## Extending + If any team needs a custom image they are free to roll their own or extend this, but they will be responsible for maintaining this image. Example Dockerfile for an image that in addition to what is available in the base image installs netcat:
@@ -24,3 +26,20 @@ Example Dockerfile for an image that in addition to what is available in the bas
+# Switch back to the runner user for security USER runner + + ``` + + ## Maintenance
+Renovate is enabled on this repository and will automatically create a PR when there is a new version of the base image.
+
+### New trivy alerts
+This image is set up with Trivy to scan for vulnerabilities. If any vulnerabilities are found, the workflow will fail.
+
+#### Managing Vulnerabilities
+1. **False Positives**: If an alert is a false positive, add the CVE ID to `.trivyignore`
+2. **Accepted Risks**: For known risks that have been assessed and accepted:
+ - Add the CVE ID to `.trivyignore`
+ - Add a comment above the CVE explaining:
+ - Why the risk is acceptable
+ - Any mitigating controls in place
+ - When the decision should be reviewed
\ No newline at end of file
diff --git a/infrastructure/images/gh-runner/.trivyignore b/infrastructure/images/gh-runner/.trivyignore
new file mode 100644
index 00000000..38d5b4e7
--- /dev/null
+++ b/infrastructure/images/gh-runner/.trivyignore
@@ -0,0 +1,6 @@
+# Backages provided by Github through their runner image. Should be handled upstream.
+CVE-2024-21538
+CVE-2024-45337
+CVE-2024-45338
+CVE-2024-45337
+CVE-2024-45338
diff --git a/infrastructure/images/gh-runner/Dockerfile b/infrastructure/images/gh-runner/Dockerfile
index bdab3187..28805e95 100644
--- a/infrastructure/images/gh-runner/Dockerfile
+++ b/infrastructure/images/gh-runner/Dockerfile
@@ -1,4 +1,4 @@
-FROM ghcr.io/actions/actions-runner:2.321.0
+FROM ghcr.io/actions/actions-runner:2.322.0
# for latest release, see https://github.com/actions/runner/releases
USER root
diff --git a/infrastructure/images/gh-runner/README.md b/infrastructure/images/gh-runner/README.md
index be8dae39..8d0012fa 100644
--- a/infrastructure/images/gh-runner/README.md
+++ b/infrastructure/images/gh-runner/README.md
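Review bot: `CVE-2024-45337` and `CVE-2024-45338` are each listed twice in the new gh-runner `.trivyignore`; the duplicates are harmless to Trivy but look like a copy-paste that should be cleaned up. More importantly the file does not follow the policy the same commit adds to the gh-runner README (a comment per CVE giving the reason, the mitigating controls and a review date): the single header line covers the reason, but nothing says when to revisit, so the entries will silently outlive the upstream fix. Trivy's ignore file accepts an expiry per entry (`CVE-2024-21538 exp:YYYY-MM-DD`, date to be chosen by the team), which makes the review date enforceable rather than aspirational; pairing that with a short per-entry comment would satisfy the README. Typo in the header comment: `Backages` → `Packages`.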
@@ -3,6 +3,8 @@ Default image used for Altinns self-hosted github runners. This image is maintained by the platform team.
+## Extending + This image is ment to be as small and leightweight as possible so we keep the dependencies at a minum, to reduce the maintenance cost. If any team needs a custom image they are free to roll their own or extend this, but they will be responsible for maintaining this image.
@@ -21,3 +23,17 @@ RUN apt-get update && apt-get install -y curl jq && \ USER runner ```
+## Maintenance
+Renovate is enabled on this repository and will automatically create a PR when there is a new version of the base image.
+
+### New trivy alerts
+This image is set up with Trivy to scan for vulnerabilities. If any vulnerabilities are found, the workflow will fail.
+
+#### Managing Vulnerabilities
+1. **False Positives**: If an alert is a false positive, add the CVE ID to `.trivyignore`
+2. **Accepted Risks**: For known risks that have been assessed and accepted:
+ - Add the CVE ID to `.trivyignore`
+ - Add a comment above the CVE explaining:
+ - Why the risk is acceptable
+ - Any mitigating controls in place
+ - When the decision should be reviewed
\ No newline at end of file