vuln import on tag only

mchmarny · mchmarny · commit 60e7c4cc8d61 · 2023-03-10T05:47:59.000-08:00
diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
@@ -1,4 +1,4 @@
-name: build_image
+name: build-image
 
 on:
   workflow_call:
diff --git a/.github/workflows/import.yaml b/.github/workflows/import.yaml
@@ -0,0 +1,65 @@
+name: import-vulnerabilities
+
+on:
+  workflow_call:
+    inputs:
+      image_digest:
+        description: 'Fully-qualified image uri (repo/image@digest)'
+        required: true
+        type: string
+      auth_provider:
+        description: 'OIDC provider ID'
+        required: true
+        type: string
+      auth_user:
+        description: 'OIDC user ID'
+        required: true
+        type: string
+      target_project:
+        description: 'Target project ID where vulnerability scan will be imported'
+        required: true
+        type: string
+      report_path:
+        description: 'Path to vulnerability scan report'
+        type: string
+        default: 'report.json'
+
+permissions:
+  contents: read
+
+jobs:
+  import:
+    runs-on: ubuntu-latest
+    permissions:
+      actions: read
+      id-token: write
+    steps:
+
+    - name: Checkout Code
+      uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c  # v3.3.0
+
+    - id: auth
+      name: Auth GCP
+      uses: google-github-actions/auth@ef5d53e30bbcd8d0836f4288f5e50ff3e086997d  # v1.0.0
+      with:
+        token_format: "access_token"
+        workload_identity_provider: ${{ inputs.auth_provider }}
+        service_account: ${{ inputs.auth_user }}
+
+    - id: scan
+      name: Vulnerability Scan
+      uses: aquasecurity/trivy-action@master
+      with:
+        image-ref: ${{ inputs.image_digest }}
+        scanners: vuln
+        format: json
+        output: ${{ inputs.report_path }}
+        timeout: 5m
+        hide-progress: true
+
+    - uses: mchmarny/vulctl@main
+      with:
+        project: ${{ inputs.target_project }}
+        digest: ${{ inputs.image_digest }}
+        file: ${{ inputs.report_path }}
+        format: trivy
diff --git a/.github/workflows/on-push-import.yaml b/.github/workflows/on-push-import.yaml
diff --git a/.github/workflows/on-tag-img.yaml b/.github/workflows/on-tag-img.yaml
@@ -15,6 +15,7 @@ jobs:
       PROVIDER_ID: projects/689738033528/locations/global/workloadIdentityPools/vulctl-github-pool/providers/github-provider
       REG_URI: us-west1-docker.pkg.dev/cloudy-build/vulctl
       SA_EMAIL: vulctl-github-actions-user@cloudy-build.iam.gserviceaccount.com
+      PROJECT_ID: cloudy-build
 
       # Defaults
       BUILDER_VERSION: v1.4.0
@@ -34,6 +35,7 @@ jobs:
       provider_id: ${{ steps.conf.outputs.provider_id }}
       registry_uri: ${{ steps.conf.outputs.registry_uri }}
       service_account: ${{ steps.conf.outputs.service_account }}
+      project_id: ${{ steps.conf.outputs.project_id }}
     steps:
 
     - name: Export Config
@@ -47,6 +49,7 @@ jobs:
         echo "provider_id=${{ env.PROVIDER_ID }}" >> $GITHUB_OUTPUT
         echo "registry_uri=${{ env.REG_URI }}" >> $GITHUB_OUTPUT
         echo "service_account=${{ env.SA_EMAIL }}" >> $GITHUB_OUTPUT
+        echo "project_id=${{ env.PROJECT_ID }}" >> $GITHUB_OUTPUT
 
   test:
     needs:
@@ -107,3 +110,18 @@ jobs:
       auth_provider: ${{ needs.conf.outputs.provider_id }}
       auth_user: ${{ needs.conf.outputs.service_account }}
       image_digest: ${{ needs.image.outputs.digest }}
+
+  import:
+    needs:
+    - conf
+    - image
+    permissions:
+      contents: read
+      actions: read
+      id-token: write
+    uses: ./.github/workflows/import.yaml
+    with:
+      auth_provider: ${{ needs.conf.outputs.provider_id }}
+      auth_user: ${{ needs.conf.outputs.service_account }}
+      image_digest: ${{ needs.image.outputs.digest }}
+      target_project: ${{ needs.conf.outputs.project_id }}
diff --git a/.github/workflows/sign.yaml b/.github/workflows/sign.yaml
@@ -1,4 +1,4 @@
-name: sign_image
+name: sign-image
 
 on:
   workflow_call:
diff --git a/.github/workflows/slsa.yaml b/.github/workflows/slsa.yaml
@@ -1,4 +1,4 @@
-name: slsa_provenance_create
+name: slsa-provenance-create
 
 on:
   workflow_call:
diff --git a/.version b/.version
@@ -1 +1 @@
-v0.2.9
+v0.2.10
diff --git a/examples/github-actions/README.md b/examples/github-actions/README.md
@@ -15,13 +15,17 @@ none
 
 ## usage
 
+Below example, shows how to import vulnerabilities from previously generated report.
+
+> Make sure to use the latest tag release (e.g. `v0.2.10`)
+
 ```yaml
-uses: actions/vulctl@main
+uses: mchmarny/vulctl@v0.2.10
 with:
-  project: cloudy-demo
-  digest: ${{ env.IMAGE_DIGEST }}
-  file: report.json
-  format: snyk
+  project: ${{ env.PROJECT_ID }}
+  digest: ${{ steps.build.outputs.digest }}
+  file: ${{ steps.scan.outputs.output }}
+  format: ${{ steps.scan.outputs.format }}
 ```
 
-> Fully working example can be found in [.github/workflows/on-push-import.yaml](../../.github/workflows/on-push-import.yaml).
+> Fully working example can be found in [.github/workflows/import.yaml](../../.github/workflows/import.yaml).

Original file line number	Diff line number	Diff line change
`@@ -1,4 +1,4 @@`
`1`		`-name: build_image`
	`1`	`+name: build-image`
`2`	`2`
`3`	`3`	`on:`
`4`	`4`	`workflow_call:`
Original file line number	Diff line number	Diff line change
`@@ -1,4 +1,4 @@`
`1`		`-name: sign_image`
	`1`	`+name: sign-image`
`2`	`2`
`3`	`3`	`on:`
`4`	`4`	`workflow_call:`
Original file line number	Diff line number	Diff line change
`@@ -1,4 +1,4 @@`
`1`		`-name: slsa_provenance_create`
	`1`	`+name: slsa-provenance-create`
`2`	`2`
`3`	`3`	`on:`
`4`	`4`	`workflow_call:`