-
Notifications
You must be signed in to change notification settings - Fork 363
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
ci(scan-docker-images): migrate to gha (#4546)
Deleting the CircleCI workflow that scans our Docker environment images for vulnerabilities weekly and replacing it with a (mostly) equivalent GHA workflow that uses a public GHA action published by anchore (the same organization that develops the CLI and Docker image we use to scan currently). Aside from generating the same reports with less required code to maintain on our part, this has two further advantages: - the SARIF report is uploaded to our repo, integrating vulnerability notifications into our repo's UI - our CircleCI pipeline now has just a little less content to manage
- Loading branch information
1 parent
495f409
commit 002d950
Showing
2 changed files
with
148 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,50 @@ | ||
| --- | ||
| name: "Scan Docker images" | ||
|
|
||
| on: | ||
| schedule: | ||
| - cron: "15 1 * * 0" | ||
|
|
||
| jobs: | ||
| list-images: | ||
| runs-on: ubuntu-latest | ||
| outputs: | ||
| images: ${{ steps.get-images.outputs.result }} | ||
| steps: | ||
| - uses: actions/checkout@v3 | ||
| - name: Parse image list | ||
| id: get-images | ||
| uses: mikefarah/yq@master | ||
| with: | ||
| cmd: yq -o=json '[with_entries(select(.key | test("_hashed$"))).[].new]' tools/scripts/bumpenvs.yaml | ||
| scan-images: | ||
| needs: list-images | ||
| runs-on: ubuntu-latest | ||
| strategy: | ||
| fail-fast: false | ||
| matrix: | ||
| image: ${{ fromJSON(needs.list-images.outputs.images) }} | ||
| steps: | ||
| - name: Free up some space | ||
| if: contains(matrix.image, 'cuda-11') || contains(matrix.image, 'rocm') | ||
| uses: jlumbroso/free-disk-space@main | ||
| with: | ||
| tool-cache: true | ||
| - name: Scan ${{ matrix.image }} | ||
| id: scan | ||
| continue-on-error: true | ||
| uses: anchore/scan-action@v3 | ||
| with: | ||
| image: ${{ matrix.image }} | ||
| acs-report-enable: true | ||
| fail-build: true | ||
| severity-cutoff: high | ||
| - name: Print SARIF report for ${{ matrix.image }} | ||
| run: cat ${{ steps.scan.outputs.sarif }} | ||
| - name: Upload SARIF report for ${{ matrix.image }} | ||
| uses: github/codeql-action/upload-sarif@v2 | ||
| with: | ||
| sarif_file: ${{ steps.scan.outputs.sarif }} | ||
| - name: Fail job if scan failed | ||
| if: steps.scan.outcome == 'failure' | ||
| run: exit 1 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,98 @@ | ||
| --- | ||
| ignore: | ||
| # These vulnerabilities are disputed or awaiting analysis by the NumPy, Scikit-learn, or Python communities | ||
| - vulnerability: CVE-2020-13092 | ||
| - vulnerability: CVE-2021-41495 | ||
| - vulnerability: CVE-2021-41496 | ||
| - vulnerability: CVE-2015-20107 | ||
|
|
||
| # These vulnerabilities pertain to the Docker engine (or proprietary distributions), but only the Python client is included in the images | ||
| - vulnerability: CVE-2017-7297 | ||
| - vulnerability: CVE-2019-13139 | ||
| - vulnerability: CVE-2019-13509 | ||
| - vulnerability: CVE-2019-16884 | ||
| - vulnerability: CVE-2019-5736 | ||
|
|
||
| # This vulnerability is fixed in JupyterLab 3.2.0, but was still flagged after we moved to that version | ||
| - vulnerability: CVE-2021-32797 | ||
|
|
||
| # These vulnerabilities are fixed in newer versions of TensorFlow, but not in 1.15 which is out of maintenance and no longer our default | ||
| - vulnerability: GHSA-2r8p-fg3c-wcj4 | ||
| - vulnerability: GHSA-4xfp-4pfp-89wg | ||
| - vulnerability: GHSA-5xwc-mrhx-5g3m | ||
| - vulnerability: GHSA-6gv8-p3vj-pxvr | ||
| - vulnerability: GHSA-6p5r-g9mq-ggh2 | ||
| - vulnerability: GHSA-7fvx-3jfc-2cpc | ||
| - vulnerability: GHSA-8pmx-p244-g88h | ||
| - vulnerability: GHSA-9c8h-vvrj-w2p8 | ||
| - vulnerability: GHSA-c5x2-p679-95wc | ||
| - vulnerability: GHSA-c9qf-r67m-p7cg | ||
| - vulnerability: GHSA-cgfm-62j4-v4rf | ||
| - vulnerability: GHSA-cwv3-863g-39vx | ||
| - vulnerability: GHSA-f5cx-5wr3-5qrc | ||
| - vulnerability: GHSA-f8h4-7rgh-q2gm | ||
| - vulnerability: GHSA-fcwc-p4fc-c5cc | ||
| - vulnerability: GHSA-g25h-jr74-qp5j | ||
| - vulnerability: GHSA-g8wg-cjwc-xhhp | ||
| - vulnerability: GHSA-gh6x-4whr-2qv4 | ||
| - vulnerability: GHSA-h4pc-gx2w-f2xv | ||
| - vulnerability: GHSA-hpv4-7p9c-mvfr | ||
| - vulnerability: GHSA-hwr7-8gxx-fj5p | ||
| - vulnerability: GHSA-jf7h-7m85-w2v2 | ||
| - vulnerability: GHSA-m7fm-4jfh-jrg6 | ||
| - vulnerability: GHSA-q3g3-h9r4-prrc | ||
| - vulnerability: GHSA-qr82-2c78-4m8h | ||
| - vulnerability: GHSA-r4c4-5fpq-56wg | ||
| - vulnerability: GHSA-r6jx-9g48-2r5r | ||
| - vulnerability: GHSA-v768-w7m9-2vmm | ||
| - vulnerability: GHSA-v82p-hv3v-p6qp | ||
| - vulnerability: GHSA-w4xf-2pqw-5mq7 | ||
| - vulnerability: GHSA-w74j-v8xh-3w5h | ||
| - vulnerability: GHSA-wp77-4gmm-7cq8 | ||
| - vulnerability: GHSA-374m-jm66-3vj8 | ||
| - vulnerability: GHSA-3rcw-9p9x-582v | ||
| - vulnerability: GHSA-49rx-x2rw-pc6f | ||
| - vulnerability: GHSA-4f99-p9c2-3j8x | ||
| - vulnerability: GHSA-57wx-m983-2f88 | ||
| - vulnerability: GHSA-7pxj-m4jf-r6h2 | ||
| - vulnerability: GHSA-cqv6-3phm-hcwx | ||
| - vulnerability: GHSA-f54p-f6jp-4rhr | ||
| - vulnerability: GHSA-fr77-rrx3-cp7g | ||
| - vulnerability: GHSA-j86v-p27c-73fm | ||
| - vulnerability: GHSA-m342-ff57-4jcc | ||
| - vulnerability: GHSA-pgcq-h79j-2f69 | ||
| - vulnerability: GHSA-rg3m-hqc5-344v | ||
| - vulnerability: GHSA-vwhq-49r4-gj9v | ||
|
|
||
| # These vulnerabilities are fixed in newer versions of TensorFlow, but not in 2.4 which is out of maintenance and no longer our default | ||
| - vulnerability: GHSA-8jj7-5vxc-pg2q | ||
| - vulnerability: GHSA-98p5-x8x4-c9m5 | ||
| - vulnerability: GHSA-9c78-vcq7-7vxq | ||
| - vulnerability: GHSA-9gwq-6cwj-47h3 | ||
| - vulnerability: GHSA-c6fh-56w7-fvjw | ||
| - vulnerability: GHSA-h6gw-r52c-724r | ||
| - vulnerability: GHSA-pfjj-m3jj-9jc9 | ||
| - vulnerability: GHSA-q85f-69q7-55h2 | ||
| - vulnerability: GHSA-qx3f-p745-w4hr | ||
| - vulnerability: GHSA-vjg4-v33c-ggc4 | ||
| - vulnerability: GHSA-wc4g-r73w-x8mm | ||
| - vulnerability: GHSA-23hm-7w47-xw72 | ||
| - vulnerability: GHSA-247x-2f9f-5wp7 | ||
| - vulnerability: GHSA-24x4-6qmh-88qg | ||
| - vulnerability: GHSA-43q8-3fv7-pr5x | ||
| - vulnerability: GHSA-44qp-9wwf-734r | ||
| - vulnerability: GHSA-4hvf-hxvg-f67v | ||
| - vulnerability: GHSA-5qw5-89mw-wcg2 | ||
| - vulnerability: GHSA-6gmv-pjp9-p8w8 | ||
| - vulnerability: GHSA-77gp-3h4r-6428 | ||
|
|
||
| # These vulnerabilities are found in ROCm-specific tools and will not be addressed at this time | ||
| - vulnerability: GHSA-47wv-vhj2-g66m | ||
| - vulnerability: GHSA-8c5j-9r9f-c6w8 | ||
| - vulnerability: GHSA-53qw-q765-4fww | ||
| - vulnerability: GHSA-v6rh-hp5x-86rv | ||
| - vulnerability: GHSA-8vj2-vxx3-667w | ||
| - vulnerability: GHSA-9j59-75qj-795w | ||
| - vulnerability: GHSA-pw3c-h7wp-cvhx | ||
| - vulnerability: GHSA-p5w8-wqhj-9hhf | ||
| - vulnerability: GHSA-p737-p57g-4cpr |