Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Integrate Docker Scout as part of security tests. #11324

Merged
merged 4 commits into from
Jan 3, 2025
Merged

Integrate Docker Scout as part of security tests. #11324

Changes from all commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
0e2899e
add docker scout to security tests
zainasir Jan 3, 2025
5128f9c
check for docker image
zainasir Jan 3, 2025
3aabb4a
install docker scout
zainasir Jan 3, 2025
cd40cf2
Improve logs
zainasir Jan 3, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
59 changes: 58 additions & 1 deletion .circleci/config.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -351,6 +351,57 @@ jobs:
- store_artifacts:
path: /tmp/repos/docker-compose-logs.txt

run_security_tests:
machine:
image: ubuntu-2204:2024.08.1
docker_layer_caching: true
resource_class: medium
environment:
BASE_REPO: cbioportal/cbioportal
DEV_REPO: cbioportal/cbioportal-dev
steps:
- run:
name: Install Docker Scout
command: |
curl -sSfL https://raw.githubusercontent.com/docker/scout-cli/main/install.sh | sh -s -- -b /home/circleci/bin
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do you know if there is a docker scout container with a specific version? Have had a couple times where dependencies changed and broke things so prefer hardcoded version numbers whenever possible

- run:
name: Log in to Docker
command: |
echo "$DOCKER_PASSWORD" | docker login -u "$DOCKER_USERNAME" --password-stdin;
- run:
name: Wait for cbioportal docker images
command: |
URL="https://hub.docker.com/v2/repositories/$DEV_REPO/tags/$CIRCLE_SHA1-web-shenandoah"
while true; do
TAG_FOUND=$(curl -s $URL | jq -r .name)
if [ $TAG_FOUND = "$CIRCLE_SHA1-web-shenandoah" ]; then
echo "Image found!"
exit 0
fi
echo "Image not found yet. Waiting for API Tests to finish building. Retrying in 30 seconds..."
sleep 30
done
- run:
name: Run Docker Scout vulnerability test
command: |
BASE_IMAGE=$BASE_REPO:master-web-shenandoah
PR_IMAGE=$DEV_REPO:$CIRCLE_SHA1-web-shenandoah
OUTPUT_FORMAT='{severity: .cvss.severity, source_id: .source_id, vulnerable_range: .vulnerable_range, fixed_by: .fixed_by, url: .url, description: .description}'
SORT='sort_by(.severity | if . == "CRITICAL" then 0 elif . == "HIGH" then 1 elif . == "MEDIUM" then 2 elif . == "LOW" then 3 else 4 end)'
docker pull $BASE_IMAGE
docker pull $PR_IMAGE
docker-scout cves $BASE_IMAGE --format sbom | jq -r "[.vulnerabilities[].vulnerabilities[] | $OUTPUT_FORMAT] | $SORT" > base_report.sbom
docker-scout cves $PR_IMAGE --format sbom | jq -r "[.vulnerabilities[].vulnerabilities[] | $OUTPUT_FORMAT] | $SORT" > pr_report.sbom
DIFF=$(jq -s 'map(map(.source_id)) | .[0] - .[1]' pr_report.sbom base_report.sbom)
COUNT=$(echo $DIFF | jq 'length')
if [ "$COUNT" -gt 0 ]; then
printf "New vulnerabilities found: $COUNT\n"
jq '.[] | select(.source_id as $a | '"$DIFF"' | index($a))' pr_report.sbom
exit 1
else
echo "No new vulnerabilities found!"
exit 0
fi

workflows:
version: 2
Expand Down Expand Up @@ -384,4 +435,10 @@ workflows:
context:
- api-tests
requires:
- build_push_image
- build_push_image

security_tests:
jobs:
- run_security_tests:
context:
- docker-scout
Loading