:octocat: GitHub Action for Copacetic: Directly patch container image vulnerabilities
Home Page: https://project-copacetic.github.io/copacetic/website/
License: MIT License
Add trivy ignore list like copa: https://github.com/project-copacetic/copacetic/blob/main/integration/fixtures/trivy_ignore.rego
The action raises an error in the event that Trivy does not find fixable vulnerabilities and Copa does not generate the Openvex output.
Test the patch action with the image docker.io/library/python:3.11.7-slim-bookworm, in this case the Copa Action fails with the following error:
chmod: cannot access './data/docker.io-library-python-3.11.7-slim-bookworm-openvex-report.json': No such file or directory
Error: Process completed with exit code 1.Currently, this action does not allow to generate output in Vex format (See official docs here):
Adding this feature would be highly beneficial for visibility and reporting.
automate building and publishing an action image once copa publishes a new tag
we use https://goreleaser.com/ in copa, can we use a similar way to trigger a new release in action?
Add a test workflow specifically for building and patching local images. Also add documentation clarifying that we will need to install Trivy and pass the --docker-host flag with the custom socket in order to be able to scan in the workflow after containerd image store is enabled.
Add documentation for testing local changes during development.
today, actions runs using buildkit as a container but buildkit container cannot access registry credentials
action needs to
for implementation, we can make the buildkit container optional unless user specified a specific version. otherwise, we can let copa perform it's regular fallback steps and have docs/guidance to either create a buildx builder or enable containerd image store. I think this would be a breaking change unless we can create buildx builder for the user.
Due to Docker running as root, vex output does not have user readable permissions. This is not a good experience, file should be saved with correct permissions.
related #35
release action with workflow_dispatch to:
vX.Y.Z and vX.Y and vXIssue #16 is closed indicating that public/private registries are supported, but project-copacetic/copa-action@main fails to be able to pull from an ECR registry. I've logged into the registry every way in the github action that I could think to do it. As far as I understand, there are no parameters to the buildx container that runs, so I'm not sure how it's supposed to authenticate with the registry.
The documentation at https://github.com/project-copacetic/copa-action?tab=readme-ov-file#ways-to-connect-to-buildkit seems to indicate buildx (Option 1) is the only supported way to connect to private registries.
Selected github action logs:
Example of being able to pull the image locally, can be done as a regular user or as super use, both are successful:
Run sudo docker pull ${REGISTRY}/${REPOSITORY}:${TAG}-0
sudo docker pull ${REGISTRY}/${REPOSITORY}:${TAG}-0
shell: /usr/bin/bash -e {0}
env:
TAG: [2](https://github.com/paradyme-management/copa-keycloak/actions/runs/10099241387/job/27928012790#step:6:2)5.0.1
REGISTRY: ***.dkr.ecr.us-east-1.amazonaws.com
REPOSITORY: ironbank/opensource/keycloak/keycloak
AWS_DEFAULT_REGION: us-east-1
AWS_REGION: us-east-1
AWS_ACCESS_KEY_ID: ***
AWS_SECRET_ACCESS_KEY: ***
25.0.1-0: Pulling from ironbank/opensource/keycloak/keycloak
e[3](https://github.com/paradyme-management/copa-keycloak/actions/runs/10099241387/job/27928012790#step:6:3)94ea8406c7: Pulling fs layer
0a[4](https://github.com/paradyme-management/copa-keycloak/actions/runs/10099241387/job/27928012790#step:6:4)84c292e0f: Pulling fs layer
e2bc109f1f18: Pulling fs layer
f32fd4c317d8: Pulling fs layer
f32fd4c317d8: Waiting
0a484c292e0f: Verifying Checksum
0a484c292e0f: Download complete
e394ea8406c7: Verifying Checksum
e394ea8406c7: Download complete
e394ea8406c7: Pull complete
0a484c292e0f: Pull complete
e2bc109f1f18: Verifying Checksum
e2bc109f1f18: Download complete
f32fd4c317d8: Verifying Checksum
f32fd4c317d8: Download complete
e2bc109f1f18: Pull complete
f32fd4c317d8: Pull complete
Digest: sha2[5](https://github.com/paradyme-management/copa-keycloak/actions/runs/10099241387/job/27928012790#step:6:5)6:a030889378d9a2c981f245ec35974[6](https://github.com/paradyme-management/copa-keycloak/actions/runs/10099241387/job/27928012790#step:6:6)37b431796b84e0afca4693c7008e3f3df6
Status: Downloaded newer image for ***.dkr.ecr.us-east-1.amazonaws.com/ironbank/opensource/keycloak/keycloak:25.0.1-0
***.dkr.ecr.us-east-1.amazonaws.com/ironbank/opensource/keycloak/keycloak:25.0.1-0
Running the copa action fails with 401 unauthorized:
Run project-copacetic/copa-action@main
with:
image: ***.dkr.ecr.us-east-1.amazonaws.com/ironbank/opensource/keycloak/keycloak:[2](https://github.com/paradyme-management/copa-keycloak/actions/runs/10099241387/job/27928012790#step:9:2)5.0.1-0
image-report: report.json
patched-tag: patched
timeout: 5m
output: vex.json
format: openvex
env:
TAG: 25.0.1
REGISTRY: ***.dkr.ecr.us-east-1.amazonaws.com
REPOSITORY: ironbank/opensource/keycloak/keycloak
AWS_DEFAULT_REGION: us-east-1
AWS_REGION: us-east-1
AWS_ACCESS_KEY_ID: ***
AWS_SECRET_ACCESS_KEY: ***
Run # check for copa version input, else use latest
Unable to find image 'ghcr.io/project-copacetic/copa-action:v0.7.0' locally
v0.7.0: Pulling from project-copacetic/copa-action
f11c1adaa26e: Pulling fs layer
c802ad29fa74: Pulling fs layer
fd6e[3](https://github.com/paradyme-management/copa-keycloak/actions/runs/10099241387/job/27928012790#step:9:3)8fed636: Pulling fs layer
d3d5f8ca516f: Pulling fs layer
d3d5f8ca516f: Waiting
c802ad29fa7[4](https://github.com/paradyme-management/copa-keycloak/actions/runs/10099241387/job/27928012790#step:9:4): Verifying Checksum
c802ad29fa74: Download complete
f11c1adaa26e: Verifying Checksum
f11c1adaa26e: Download complete
d3d[5](https://github.com/paradyme-management/copa-keycloak/actions/runs/10099241387/job/27928012790#step:9:5)f8ca516f: Verifying Checksum
d3d5f8ca51[6](https://github.com/paradyme-management/copa-keycloak/actions/runs/10099241387/job/27928012790#step:9:6)f: Download complete
f11c1adaa26e: Pull complete
c802ad29fa[7](https://github.com/paradyme-management/copa-keycloak/actions/runs/10099241387/job/27928012790#step:9:7)4: Pull complete
fd6e3[8](https://github.com/paradyme-management/copa-keycloak/actions/runs/10099241387/job/27928012790#step:9:8)fed636: Verifying Checksum
fd6e38fed636: Download complete
fd6e38fed636: Pull complete
d3d5f8ca516f: Pull complete
Digest: sha256:1242566dfddc06682ce27d14e55d6[9](https://github.com/paradyme-management/copa-keycloak/actions/runs/10099241387/job/27928012790#step:9:9)86846cc3e176d43c72c313e21366bb846a
Status: Downloaded newer image for ghcr.io/project-copacetic/copa-action:v0.7.0
+ image=***.dkr.ecr.us-east-1.amazonaws.com/ironbank/opensource/keycloak/keycloak:25.0.1-0
+ report=report.json
+ patched_tag=patched
+ timeout=5m
+ connection_format=buildx
+ format=openvex
+ output_file=vex.json
+ echo ***.dkr.ecr.us-east-1.amazonaws.com/ironbank/opensource/keycloak/keycloak:25.0.1-0
+ cut -d: -f1
+ image_no_tag=***.dkr.ecr.us-east-1.amazonaws.com/ironbank/opensource/keycloak/keycloak
+ [ -z vex.json ]
+ output=--format openvex --output ./data/vex.json
+ docker buildx create --name=copa-action
copa-action
+ docker buildx use --default copa-action
+ connection=--addr buildx://copa-action
+ copa patch -i ***.dkr.ecr.us-east-1.amazonaws.com/ironbank/opensource/keycloak/keycloak:25.0.1-0 -r ./data/report.json -t patched --addr buildx://copa-action --timeout 5m --format openvex --output ./data/vex.json
#1 resolve image config for docker-image://***.dkr.ecr.us-east-1.amazonaws.com/ironbank/opensource/keycloak/keycloak:25.0.1-0
#1 ERROR: unexpected status from HEAD request to https://***.dkr.ecr.us-east-1.amazonaws.com/v2/ironbank/opensource/keycloak/keycloak/manifests/25.0.1-0: 401 Unauthorized
Error: unexpected status from HEAD request to https://***.dkr.ecr.us-east-1.amazonaws.com/v2/ironbank/opensource/keycloak/keycloak/manifests/25.0.1-0: 401 Unauthorized
+ echo Error patching image ***.dkr.ecr.us-east-1.amazonaws.com/ironbank/opensource/keycloak/keycloak:25.0.1-0 with copa
+ exit 1
Error patching image ***.dkr.ecr.us-east-1.amazonaws.com/ironbank/opensource/keycloak/keycloak:25.0.1-0 with copa
Error: Process completed with exit code 1.
This is a private registry and private git repository, but the full contents of the github workflow is:
name: Docker Image Build
on:
workflow_dispatch:
inputs:
keycloak_tag:
description: "The keycloak tag to patch. Assumes that ECR already has the ironbank tag with `-0` appended in to use as a base image."
required: true
jobs:
build:
name: Build Image
runs-on: ubuntu-latest
steps:
- name: Configure environment
run: |
echo "TAG=${{ github.event.inputs.keycloak_tag }}" >> $GITHUB_ENV
echo "REGISTRY=***REDACTED***.dkr.ecr.us-east-1.amazonaws.com" >> $GITHUB_ENV
echo "REPOSITORY=ironbank/opensource/keycloak/keycloak" >> $GITHUB_ENV
mkdir -p ${HOME}/.aws
echo "[default]" >> ${HOME}/.aws/credentials
AWS_ACCESS_KEY_ID=${{ secrets.AWS_ACCESS_KEY_ID }}
AWS_SECRET_ACCESS_KEY=${{ secrets.AWS_SECRET_ACCESS_KEY }}
echo "aws_access_key_id = ${AWS_ACCESS_KEY_ID}" >> ${HOME}/.aws/credentials
echo "aws_secret_access_key = ${AWS_SECRET_ACCESS_KEY}" >> ${HOME}/.aws/credentials
aws ecr get-login-password --region us-east-1 | sudo docker login --username AWS --password-stdin ***REDACTED***.dkr.ecr.us-east-1.amazonaws.com
- name: Configure AWS credentials us-east-1
uses: aws-actions/configure-aws-credentials@v2
with:
aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
aws-region: us-east-1
- name: Login to Amazon ECR us-east-1
id: us-east-1-ecr
uses: aws-actions/amazon-ecr-login@v1
- name: Get the Docker image
run: |
sudo docker pull ${REGISTRY}/${REPOSITORY}:${TAG}-0
- name: Generate Trivy Report
uses: aquasecurity/trivy-action@d43c1f16c00cfd3978dde6c07f4bbcf9eb6993ca # 0.16.1
with:
scan-type: "image"
format: "json"
output: "report.json"
ignore-unfixed: true
vuln-type: "os"
image-ref: ${{ env.REGISTRY }}/${{ env.REPOSITORY }}:${{ env.TAG }}-0
- name: Check vulnerability count
id: vuln_count
run: |
report_file="report.json"
vuln_count=$(jq 'if .Results then [.Results[] | select(.Class=="os-pkgs" and .Vulnerabilities!=null) | .Vulnerabilities[]] | length else 0 end' "$report_file")
echo "vuln_count=$vuln_count" >> $GITHUB_OUTPUT
echo "vuln_count=$vuln_count"
- name: Run Copa action
if: steps.vuln_count.outputs.vuln_count != '0'
id: copa
# using main for testing purposes
# use a tag (such as v1 or v1.0.1) at a bare minimum
# recommendation is to pin to a digest for security and stability
# and rely on dependabot for digest/version updates
uses: project-copacetic/copa-action@main
with:
image: ${{ env.REGISTRY }}/${{ env.REPOSITORY }}:${{ env.TAG }}-0
image-report: "report.json"
patched-tag: "patched"
timeout: "5m" # optional, default is 5m
output: vex.json # optional
format: "openvex" # optional, default is openvex
- name: Tag Copa image for push
if: steps.vuln_count.outputs.vuln_count != '0'
id: tag_copa_img
run:
docker tag ${REGISTRY}/${REPOSITORY}:${TAG}-0-patched ${REGISTRY}/${REPOSITORY}:${TAG}
- name: Tag and push the Docker image to us-east-1
if: steps.vuln_count.outputs.vuln_count != '0'
env:
ECR_REGISTRY: ${{ steps.us-east-1-ecr.outputs.registry }}
run: |
docker tag ${REPOSITORY}:${TAG} $ECR_REGISTRY/${REPOSITORY}:${TAG}
docker push $ECR_REGISTRY/$REPOSITORY:${TAG}
In my case, I have copied the original keycloak image from ironbank to our ECR with a tag of 25.0.1-0 and I'm attempting to patch the image and update the 25.0.1 tag for keycloak with the output from copa. I don't think ironbank images have anything special about them, we could copy registry.access.redhat.com/ubi9/ubi-minimal:9.4-949 to our private ECR as registry.access.redhat.com/ubi9/ubi-minimal:9.4-949-0 and then attempt to run copa against it and have the same results.
Hi, I'm trying to use the copa-action, for images that I store in GHCR
Copa patch action fails with:
time="2023-09-29T08:41:30Z" level=info msg="trying next host" error="failed to authorize: failed to fetch anonymous token: unexpected status from GET request to https://ghcr.io/token?scope=repository%3Amy-login%2Fmy-app%3Apull&service=ghcr.io: 401 Unauthorized" host=ghcr.io
Error: failed to authorize: failed to fetch anonymous token: unexpected status from GET request to https://ghcr.io/token?scope=repository%3Amy-login%2Fmy-app%3Apull&service=ghcr.io: 401 Unauthorized
Of course, I've added the docker login action at the top of workflow and the image downloads successfully.
- name: Log into registry ${{ env.REGISTRY }}
uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
remove checkout action step, pull copa-action image instead.
"Unable to find image 'ghcr.io/project-copacetic/copa-action:vull' locally"
example - https://github.com/peterbom/aks-periscope/actions/runs/6502665610/job/17662033655
update patch.yaml with the new settings like timeout, output, etc: https://github.com/project-copacetic/copa-action/blob/main/.github/workflows/patch.yaml (#43)
once that's done (we need the git commit), update the link to patch.yaml in the readme https://github.com/project-copacetic/copa-action/blob/main/README.md?plain=1#L77
I am struggling to integrate copa-action with my current Workflow.
The workflow fails as I am trying to get copa to scan a local image, while it attempts to pull the image from a private registry where the workflow does not have access
#1 resolve image config for docker-image://xxxx.azurecr.io/testteam1/testapp1:05-06-2024.744
Error: failed to resolve source metadata for xxxx.azurecr.io/testteam1/testapp1:05-06-2024.744: failed to authorize: failed to fetch anonymous token: unexpected status from GET request to https://xxxx.azurecr.io/oauth2/token?scope=repository%3Atestteam1%2Ftestapp1%3Apull&service=xxxx.azurecr.io: 403 Forbidden
I would appreciate ideas on how to fix this workflow while still using the docker/setup-buildx-action with the docker-container driver.
I set up with the following
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
id: buildx
with:
driver: docker-container # required for writing to github actions cache
# probably not the correct way to attempt to configure this..
buildkitd-config-inline: |
debug = true
[features]
containerd-snapshotter = true
- name: Build docker image using cache
uses: docker/build-push-action@v5
with:
cache-from: type=gha
cache-to: type=gha,mode=max #requires docker-container driver
outputs: type=docker,dest=./image.tar
(...)
Scan it with trivy this way
- name: Load container image to docker daemon
run: docker load -i ./image.tar
- name: Run Trivy vulnerability scanner for OS vulerabilities
if: "${{ inputs.run-image-scan == 'true' && steps.build.outputs.cache-hit != 'true'}}"
uses: aquasecurity/[email protected]
with:
#input: ./image.tar
image-ref: "${{ steps.env.outputs.full-image-name-tagless }}:${{ steps.env.outputs.tag }}"
format: "json"
output: "report.json"
severity: ${{inputs.image-scan-severity}}
ignore-unfixed: true
scanners: "vuln"
vuln-type: "os"
# check whether there are any OS package vulnerabilities
- name: Check vulnerability count
if: "${{ inputs.run-image-scan == 'true' && steps.build.outputs.cache-hit != 'true' }}"
id: vuln_count
run: |
report_file="report.json"
vuln_count=$(jq 'if .Results then [.Results[] | select(.Class=="os-pkgs" and .Vulnerabilities!=null) | .Vulnerabilities[]] | length else 0 end' "$report_file")
echo "vuln_count=$vuln_count" >> $GITHUB_OUTPUT
echo "Vulnerability count: $vuln_count"
- name: Get socket path
if: steps.vuln_count.outputs.vuln_count != '0'
id: socket_path
run: |
url=$(docker context inspect | jq -r .[0].Endpoints.docker.Host)
socket_path=$(echo "$url" | awk -F// '{print $2}')
echo "$socket_path"
echo "SOCKET=$socket_path" >> $GITHUB_ENV
- name: Run Copa action
if: steps.vuln_count.outputs.vuln_count != '0'
id: copa
uses: project-copacetic/copa-action@v1
with:
image: "${{ steps.env.outputs.full-image-name-tagless }}:${{ steps.env.outputs.tag }}"
image-report: "report.json"
patched-tag: "patched"
timeout: "5m" # optional, default is 5m
custom-socket: "${{ steps.socket_path.outputs.socket_path }}"document action in copa docs https://project-copacetic.github.io/copacetic/website/
We are trying to leverge the feature introduced by this PR in order to produce the openvex report.
However, it appears that targeting the main branch of the action (uses: project-copacetic/copa-action@main) does not yield the expected results, as the output openvex file is not produced.
Conversely, when targeting one of the test branches of @sozercan , it functions properly (uses: sozercan/copa-action@out-vex).
This is the implicated section of our patch pipeline:
- name: Copa Action
if: steps.vuln_count.outputs.vuln_count != '0'
id: copa
uses: sozercan/copa-action@out-vex. # does not work with 'uses: project-copacetic/copa-action@main'
with:
image: ${{ matrix.images }}
image-report: 'report.json'
patched-tag: ${{ env.PATCHED_TAG }}
output: ${{ env.PATCHED_TAG_SBOM }}-openvex-report.json
- name: Archive openvex vuln report
uses: actions/upload-artifact@v4
with:
name: ${{ env.PATCHED_TAG_SBOM }}-openvex-report
path: ${{ env.PATCHED_TAG_SBOM }}-openvex-report.json
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
๐ Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
An Open Source Machine Learning Framework for Everyone
Django
The Web framework for perfectionists with deadlines.
Laravel
A PHP framework for web artisans
Bring data to life with SVG, Canvas and HTML. ๐๐๐
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
Some thing interesting about web. New door for the world.
A server is a program made to process requests and deliver data to clients.
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Some thing interesting about visualization, use data art
Some thing interesting about game, make everyone happy.
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
Microsoft
Open source projects and samples from Microsoft.
Google
Google โค๏ธ Open Source for everyone.
Alibaba
Alibaba Open Source for everyone
D3
Data-Driven Documents codes.
Tencent
China tencent open source team.