
Not supporting multi arch build images #101

tnh opened this issue Oct 6, 2024 · 6 comments
Labels: enhancement (New feature or request), Work in progress

Comments


tnh commented Oct 6, 2024

Description

It doesn't appear that you support multi-arch builds within ECR.

Expected Behavior

You should

Actual Behaviour

ECR is returning unauthorised.

Steps to Reproduce

This GitHub Actions pipeline:

name: Build, Push to ECR, and Deploy to ECS

on:
  workflow_call:
    inputs:
      domain-name:
        required: true
        type: string
permissions:
  id-token: write   # This is required for requesting the JWT
  contents: read    # This is required for actions/checkout

env:
  AWS_REGION: ap-southeast-2  # Change this to your AWS region
  ECR_REPOSITORY: my-ecr-repo  # Change this to your ECR repository name
  ECS_CLUSTER: ecs-cluster  # Change this to your ECS cluster name
  ECS_SERVICE: ecs-service  # Change this to your ECS service name
  CONTAINER_NAME: ecs
  CRITICAL_THRESHOLD: 6
  HIGH_THRESHOLD: 8
  MEDIUM_THRESHOLD: 9
  LOW_THRESHOLD: 10
  OTHER_THRESHOLD: 20


jobs:
  deploy:
    runs-on: ubuntu-latest
    timeout-minutes: 60
    steps:
      # checkout the repository containing our Dockerfile
      - name: Checkout this repository
        uses: actions/checkout@v4

      # Setup prerequisites for docker/build-push-action
      - name: Set up docker build prereqs (QEMU)
        uses: docker/setup-qemu-action@v3

      - name: Set up docker build prereqs (Buildx)
        uses: docker/setup-buildx-action@v3
      
      - name: Cache Docker layers
        uses: actions/cache@v4
        with:
          path: /tmp/.buildx-cache
          key: ${{ runner.os }}-buildx-${{ github.sha }}
          restore-keys: |
            ${{ runner.os }}-buildx

      - name: Configure AWS credentials
        uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: ${{ secrets.OICD_ROLE }}
          role-session-name: gh-${{ github.repository_id}}-${{ github.sha }}
          aws-region: ${{ env.AWS_REGION }}

      - name: Rolechain into deployment role
        uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: ${{ secrets.DEPLOY_ROLE }}
          role-session-name: gh-d-${{ github.repository_id}}-${{ github.sha }}
          aws-region: ${{ env.AWS_REGION }}  
          role-chaining: true      

      - name: Login to Amazon ECR
        id: login-ecr
        uses: aws-actions/amazon-ecr-login@v1

      # build the image you wish to scan
      - name: Build Docker image
        uses: docker/build-push-action@v6
        with:
          context: .
          file: ./Dockerfile
          push: true
          build-args: |
            GIT_SHA=${{ github.sha }}
          tags: |
            ${{ steps.login-ecr.outputs.registry }}/${{ env.ECR_REPOSITORY }}:latest
            ${{ steps.login-ecr.outputs.registry }}/${{ env.ECR_REPOSITORY }}:${{ github.sha }}
          platforms: linux/amd64,linux/arm64
          cache-from: type=local,src=/tmp/.buildx-cache
          cache-to: type=local,dest=/tmp/.buildx-cache

      - name: Scan built image with Inspector
        uses: aws-actions/vulnerability-scan-github-action-for-amazon-inspector@v1
        id: inspector
        with:
          artifact_type: 'container'
          artifact_path: '${{ steps.login-ecr.outputs.registry }}/${{ env.ECR_REPOSITORY }}:${{ github.sha }}'
          critical_threshold: ${{ env.CRITICAL_THRESHOLD }}
          high_threshold: ${{ env.HIGH_THRESHOLD }}
          medium_threshold: ${{ env.MEDIUM_THRESHOLD }}
          low_threshold: ${{ env.LOW_THRESHOLD }}
          other_threshold: ${{ env.OTHER_THRESHOLD }}

The build output is:

Run aws-actions/vulnerability-scan-github-action-for-amazon-inspector@v1
/usr/bin/docker run --name ba3aa5675718851b04fbc868d1b775616f669_1ebd3d --label 1ba3aa --workdir /github/workspace --rm -e "AWS_REGION" -e "ECR_REPOSITORY" -e "ECS_CLUSTER" -e "ECS_SERVICE" -e "CONTAINER_NAME" -e "CRITICAL_THRESHOLD" -e "HIGH_THRESHOLD" -e "MEDIUM_THRESHOLD" -e "LOW_THRESHOLD" -e "OTHER_THRESHOLD" -e "AWS_DEFAULT_REGION" -e "AWS_ACCESS_KEY_ID" -e "AWS_SECRET_ACCESS_KEY" -e "AWS_SESSION_TOKEN" -e "INPUT_ARTIFACT_TYPE" -e "INPUT_ARTIFACT_PATH" -e "INPUT_CRITICAL_THRESHOLD" -e "INPUT_HIGH_THRESHOLD" -e "INPUT_MEDIUM_THRESHOLD" -e "INPUT_LOW_THRESHOLD" -e "INPUT_OTHER_THRESHOLD" -e "INPUT_DISPLAY_VULNERABILITY_FINDINGS" -e "INPUT_OUTPUT_SBOM_PATH" -e "INPUT_OUTPUT_INSPECTOR_SCAN_PATH" -e "INPUT_OUTPUT_INSPECTOR_SCAN_PATH_CSV" -e "INPUT_OUTPUT_INSPECTOR_SCAN_PATH_MARKDOWN" -e "INPUT_OUTPUT_INSPECTOR_DOCKERFILE_SCAN_PATH_CSV" -e "INPUT_OUTPUT_INSPECTOR_DOCKERFILE_SCAN_PATH_MARKDOWN" -e "INPUT_SBOMGEN_VERSION" -e "INPUT_SCANNERS" -e "INPUT_SKIP_SCANNERS" -e "INPUT_SKIP_FILES" -e "INPUT_TIMEOUT" -e "HOME" -e "GITHUB_JOB" -e "GITHUB_REF" -e "GITHUB_SHA" -e "GITHUB_REPOSITORY" -e "GITHUB_REPOSITORY_OWNER" -e "GITHUB_REPOSITORY_OWNER_ID" -e "GITHUB_RUN_ID" -e "GITHUB_RUN_NUMBER" -e "GITHUB_RETENTION_DAYS" -e "GITHUB_RUN_ATTEMPT" -e "GITHUB_REPOSITORY_ID" -e "GITHUB_ACTOR_ID" -e "GITHUB_ACTOR" -e "GITHUB_TRIGGERING_ACTOR" -e "GITHUB_WORKFLOW" -e "GITHUB_HEAD_REF" -e "GITHUB_BASE_REF" -e "GITHUB_EVENT_NAME" -e "GITHUB_SERVER_URL" -e "GITHUB_API_URL" -e "GITHUB_GRAPHQL_URL" -e "GITHUB_REF_NAME" -e "GITHUB_REF_PROTECTED" -e "GITHUB_REF_TYPE" -e "GITHUB_WORKFLOW_REF" -e "GITHUB_WORKFLOW_SHA" -e "GITHUB_WORKSPACE" -e "GITHUB_ACTION" -e "GITHUB_EVENT_PATH" -e "GITHUB_ACTION_REPOSITORY" -e "GITHUB_ACTION_REF" -e "GITHUB_PATH" -e "GITHUB_ENV" -e "GITHUB_STEP_SUMMARY" -e "GITHUB_STATE" -e "GITHUB_OUTPUT" -e "RUNNER_OS" -e "RUNNER_ARCH" -e "RUNNER_NAME" -e "RUNNER_ENVIRONMENT" -e "RUNNER_TOOL_CACHE" -e "RUNNER_TEMP" -e "RUNNER_WORKSPACE" -e "ACTIONS_RUNTIME_URL" -e 
"ACTIONS_RUNTIME_TOKEN" -e "ACTIONS_CACHE_URL" -e "ACTIONS_ID_TOKEN_REQUEST_URL" -e "ACTIONS_ID_TOKEN_REQUEST_TOKEN" -e "ACTIONS_RESULTS_URL" -e GITHUB_ACTIONS=true -e CI=true -v "/var/run/docker.sock":"/var/run/docker.sock" -v "/home/runner/work/_temp/_github_home":"/github/home" -v "/home/runner/work/_temp/_github_workflow":"/github/workflow" -v "/home/runner/work/_temp/_runner_file_commands":"/github/file_commands" -v "/home/runner/work/example-ecs-fargate-pipeline/example-ecs-fargate-pipeline":"/github/workspace" 1ba3aa:5675718851b04fbc868d1b775616f669  "--artifact-type=container" "--artifact-path=xxx.dkr.ecr.ap-southeast-2.amazonaws.com/my-ecr-repo:e4ec5a89a346c47eb8f81af9a4109e0d7e436521" "--display-vuln-findings=disabled" "--out-sbom=./sbom_11199528445.json" "--out-scan=inspector_scan_11199528445.json" "--out-scan-csv=inspector_scan_11199528445.csv" "--out-scan-markdown=inspector_scan_11199528445.md" "--out-dockerfile-scan-csv=inspector_dockerfile_scan_11199528445.csv" "--out-dockerfile-scan-md=inspector_dockerfile_scan_11199528445.md" "--sbomgen-version=latest" "--thresholds" "--critical=6" "--high=8" "--medium=9" "--low=10" "--other=20" "--scanners=''" "--skip-scanners=''" "--skip-files=''" "--timeout=600"
time="2024-10-06 06:21:29" level=info msg="downloading and installing inspector-sbomgen version latest" file="orchestrator.py:14"
time="2024-10-06 06:21:30" level=info msg="generating SBOM from artifact" file="orchestrator.py:18"
time="2024-10-06 06:21:30" level=info msg="Amazon Inspector SBOM Generator v1.5.0 - linux amd64 - Copyright 2024 Amazon.com, Inc. or its affiliates. All Rights Reserved" file="cli.go:157:"
time="2024-10-06 06:21:30" level=info msg="[/usr/local/bin/inspector-sbomgen container --image xxx.dkr.ecr.ap-southeast-2.amazonaws.com/my-ecr-repo:e4ec5a89a346c47eb8f81af9a4109e0d7e436521 --outfile ./sbom_11199528445.json --disable-progress-bar --timeout 600]" file="cli.go:158:"
time="2024-10-06 06:21:30" level=info msg="writing log file to: /github/home/.inspector-sbomgen/logs/inspector-sbomgen-log_2024-10-06_06-21-30.txt" file="cli.go:159:"
time="2024-10-06 06:21:30" level=info msg="initializing target artifact" file="coreV1.go:77:"
time="2024-10-06 06:21:30" level=info msg="created temporary staging directory: /github/home/.inspector-sbomgen/artifact-cache1711990737" file="stagingdir.go:62:"
time="2024-10-06 06:21:30" level=info msg="checking if image is a tarball" file="imageInit.go:28:"
time="2024-10-06 06:21:30" level=info msg="checking if image exists in the local Docker daemon" file="imageInit.go:37:"
time="2024-10-06 06:21:30" level=info msg="checking if image can be downloaded from a remote registry" file="imageInit.go:46:"
time="2024-10-06 06:21:30" level=info msg="downloading remote container image: xxxx.dkr.ecr.ap-southeast-2.amazonaws.com/my-ecr-repo:e4ec5a89a346c47eb8f81af9a4109e0d7e436521" file="imageInit.go:191:"
time="2024-10-06 06:21:31" level=info msg="cleaning up any file system artifacts" file="artifactContainer.go:202:"
time="2024-10-06 06:21:31" level=info msg="deleting staging directory; please wait" file="stagingdir.go:113:"
time="2024-10-06 06:21:31" level=info msg="deleted staging directory: /github/home/.inspector-sbomgen/artifact-cache1711990737" file="stagingdir.go:122:"
2024/10/06 06:21:31 [ImageDownloadFailed]: failed to load image from tarball, local, or remote sources: GET https://xxx.dkr.ecr.ap-southeast-2.amazonaws.com/v2/my-ecr-repo/manifests/e4ec5a89a346c47eb8f81af9a4109e0d7e436521: unexpected status code 401 Unauthorized: Not Authorized
time="2024-10-06 06:21:31" level=error msg="unable to generate SBOM with inspector-sbomgen" file="orchestrator.py:442"

Other Information

Please provide any additional information such as logs or screenshots.

I see the e4ec5a89a346c47eb8f81af9a4109e0d7e436521 in my ECR:

[Screenshot 2024-10-06 at 5 31 48 PM]

tnh commented Oct 6, 2024

When just doing this build action:

      # build the image you wish to scan
      - name: Build Docker image
        uses: docker/build-push-action@v6
        with:
          context: .
          file: ./Dockerfile
          push: true
          build-args: |
            GIT_SHA=${{ github.sha }}
          tags: |
            ${{ steps.login-ecr.outputs.registry }}/${{ env.ECR_REPOSITORY }}:latest
            ${{ steps.login-ecr.outputs.registry }}/${{ env.ECR_REPOSITORY }}:${{ github.sha }}

          cache-from: type=local,src=/tmp/.buildx-cache
          cache-to: type=local,dest=/tmp/.buildx-cache

(e.g. without any platform) the scan works. Given I see the image in ECR, it seems to suggest that the problem is not understanding that it is a multi-arch image?


tnh commented Oct 6, 2024

So I think the bug is somewhere within imageInit.go.

bluesentinelsec (Contributor) commented

Hello, thank you for submitting the issue.
I understand you are having difficulty scanning a multi-arch image.
Multi-arch images are unsupported by this action at this time.

I am presently researching this to determine the level of effort involved in supporting the feature.
Additionally, I am exploring possible work-arounds for your consideration.

I will report back with additional guidance after I've validated work-arounds.


tnh commented Oct 8, 2024

I'd imagine the only viable workaround would be to do this via some tagging standard, e.g.
${ECR}:/${Some identifier}-${architecture}

      # build the image you wish to scan
      - name: Build Docker image
        uses: docker/build-push-action@v6
        with:
          context: .
          file: ./Dockerfile
          push: true
          build-args: |
            GIT_SHA=${{ github.sha }}
          tags: |
            ${{ steps.login-ecr.outputs.registry }}/${{ env.ECR_REPOSITORY }}:${{ github.sha }}-arm64
          load: true
          platforms: linux/amd64
          cache-from: type=local,src=/tmp/.buildx-cache
          cache-to: type=local,dest=/tmp/.buildx-cache
          
          ...

bluesentinelsec (Contributor) commented

@tnh Hi there, I wanted to let you know that I was out most of last week with pneumonia - thank you for your continued patience. I'm resuming work on this feature again.

Now, I'm presently working on a PoC for supporting multi-arch images.

That said, I am interested in feedback for this use case if you have any to share.
May I ask, how would you like to scan multi-arch images with this action or in general?
Is it sufficient to add a new field that lets the user specify the image arch to scan?
Something like this:

platform: "linux/amd64"
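As an added example (not code from the Inspector action or from inspector-sbomgen), here is what a `platform` input like the one proposed above has to do once the registry has returned the manifest document for a tag. A tag pushed with `platforms: linux/amd64,linux/arm64` resolves to an image index (manifest list), not a single image manifest, so the scanner has to pick the entry for the requested platform and fetch that manifest by digest; a tag from a single-platform build already names one image and is used as-is, which matches the behaviour described earlier in this thread. The index below is constructed sample data with placeholder digests, and the third entry stands in for the attestation manifest buildx can attach under the `unknown/unknown` platform, which a platform lookup must skip. Pinning the scan target to the platform digest also ties the scan result to an immutable artefact rather than a mutable tag.

```python
"""Pick the manifest a scanner should fetch from a multi-arch image index.

Added example, not code from the Inspector action or inspector-sbomgen.
It assumes the registry's manifest document for the tag has already been
fetched and parsed; the index below is constructed sample data with
placeholder digests.
"""
from __future__ import annotations

import json
import re

OCI_INDEX = "application/vnd.oci.image.index.v1+json"
DOCKER_LIST = "application/vnd.docker.distribution.manifest.list.v2+json"
OCI_MANIFEST = "application/vnd.oci.image.manifest.v1+json"

# A registry digest is always "sha256:" plus 64 lowercase hex characters.
DIGEST_RE = re.compile(r"^sha256:[0-9a-f]{64}$")

# Constructed sample: what a tag pushed with platforms=linux/amd64,linux/arm64
# typically resolves to. The third entry mirrors the attestation manifest buildx
# can attach to the index; its platform is unknown/unknown and must be skipped.
SAMPLE_INDEX = json.dumps({
    "schemaVersion": 2,
    "mediaType": OCI_INDEX,
    "manifests": [
        {"mediaType": OCI_MANIFEST, "size": 1234, "digest": "sha256:" + "a" * 64,
         "platform": {"os": "linux", "architecture": "amd64"}},
        {"mediaType": OCI_MANIFEST, "size": 1234, "digest": "sha256:" + "b" * 64,
         "platform": {"os": "linux", "architecture": "arm64", "variant": "v8"}},
        {"mediaType": OCI_MANIFEST, "size": 567, "digest": "sha256:" + "c" * 64,
         "platform": {"os": "unknown", "architecture": "unknown"},
         "annotations": {"vnd.docker.reference.type": "attestation-manifest"}},
    ],
})


def load_sample_index() -> dict:
    """Parse the constructed sample index above."""
    return json.loads(SAMPLE_INDEX)


def parse_platform(spec: str) -> tuple[str, str, str | None]:
    """Split an "os/arch[/variant]" string, the form docker and buildx use."""
    parts = spec.split("/")
    if len(parts) not in (2, 3) or not all(parts):
        raise ValueError(f"bad platform spec: {spec!r}")
    return parts[0], parts[1], (parts[2] if len(parts) == 3 else None)


def is_image_index(doc: dict) -> bool:
    """True when the tag points at a manifest list rather than one image."""
    return doc.get("mediaType") in (OCI_INDEX, DOCKER_LIST)


def select_manifest_digest(index: dict, platform: str) -> str:
    """Return the digest of the index entry matching platform.

    A variant given in the spec must match exactly; a spec without a
    variant (linux/arm64) accepts any variant, as docker does.
    """
    want_os, want_arch, want_variant = parse_platform(platform)
    seen = []
    for entry in index.get("manifests", []):
        plat = entry.get("platform") or {}
        seen.append("/".join(filter(None, (plat.get("os"), plat.get("architecture"),
                                           plat.get("variant")))))
        if plat.get("os") != want_os or plat.get("architecture") != want_arch:
            continue
        if want_variant is not None and plat.get("variant") != want_variant:
            continue
        digest = entry.get("digest", "")
        if not DIGEST_RE.match(digest):
            raise ValueError(f"malformed digest in index: {digest!r}")
        return digest
    raise LookupError(f"no manifest for {platform}; index has {sorted(set(seen))}")


def strip_tag(reference: str) -> str:
    """Drop a ":tag" suffix without touching a port in the registry host."""
    name, sep, last = reference.rpartition("/")
    return name + sep + last.split(":", 1)[0]


def resolve_scan_target(reference: str, doc: dict, platform: str) -> str:
    """Reference the scanner should fetch for the requested platform.

    A single-image manifest is returned unchanged; for an index the result
    is pinned to the platform-specific digest.
    """
    if not is_image_index(doc):
        return reference
    return f"{strip_tag(reference)}@{select_manifest_digest(doc, platform)}"


if __name__ == "__main__":
    # Registry host and tag taken from the log in this thread; digests are placeholders.
    ref = "xxx.dkr.ecr.ap-southeast-2.amazonaws.com/my-ecr-repo:e4ec5a89a346c47eb8f81af9a4109e0d7e436521"
    for plat in ("linux/amd64", "linux/arm64"):
        print(plat, "->", resolve_scan_target(ref, load_sample_index(), plat))
```

Running the block prints the `repo@sha256:...` reference for each platform; a request for a platform the index does not contain fails with a `LookupError` listing what is available, which is the message a user would want instead of a generic download failure.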

bluesentinelsec (Contributor) commented

Update: we have a pull request in progress that allows users to specify the container image platform they wish to scan:

#102

We are planning on shipping this with our next release, ETA early November.

Feel free to let us know if you have questions or feedback.
