Add Clair GH action

electrocucaracha · Sep 28, 2024 · 0f42ec0 · 0f42ec0
1 parent 11560ce
commit 0f42ec0
Show file tree

Hide file tree

Showing 2 changed files with 50 additions and 6 deletions.
diff --git a/.github/actions/docker-image/action.yml b/.github/actions/docker-image/action.yml
@@ -0,0 +1,44 @@
+---
+# SPDX-license-identifier: Apache-2.0
+##############################################################################
+# Copyright (c) 2024
+# All rights reserved. This program and the accompanying materials
+# are made available under the terms of the Apache License, Version 2.0
+# which accompanies this distribution, and is available at
+# http://www.apache.org/licenses/LICENSE-2.0
+##############################################################################
+name: Analyzes security and size of a given docker image
+inputs:
+  image:
+    description: Docker image name
+runs:
+  using: "composite"
+  steps:
+    - name: Get Docker Image layer contents
+      uses: MaxymVlasov/dive-action@379af3fc636888ada5899c997e8b52db6ad45023 # refs/tags/v1.0.1
+      with:
+        image: ${{ inputs.image }}
+    - name: Save Docker image
+      shell: bash
+      run: docker save -o ${{ github.sha }} ${{ inputs.image }}
+    - name: Grab cache DB
+      uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # refs/tags/v4.0.2
+      with:
+        path: matcher.db
+        key: matcher.db
+    - name: Check security vulnerabilities
+      uses: quay/clair-action@3d70e770073b9ac97fc7a7e800822fee52f5cb22 # refs/tags/v0.0.9
+      with:
+        image-path: ${{ github.sha }}
+        db-file: matcher.db
+        format: sarif
+        output: clair_results.sarif
+    - name: Upload artifact
+      uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # refs/tags/v4.4.0
+      with:
+        name: sarif
+        path: clair_results.sarif
+    - name: Upload security image report
+      uses: github/codeql-action/upload-sarif@86b04fb0e47484f7282357688f21d5d0e32175fe # refs/tags/v3.26.9
+      with:
+        sarif_file: clair_results.sarif
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -35,16 +35,16 @@ jobs:
         env:
           OS_KOLLA_BUILD_ARGS: 'keystone --registry 127.0.0.1:5000 --push --threads 4 --quiet --retries 5 --cache --push-threads 2 --squash --base ubuntu --tag latest'
         run: ./registry.sh
-      - name: Get Docker Base Image layer contents
-        uses: MaxymVlasov/dive-action@379af3fc636888ada5899c997e8b52db6ad45023 # refs/tags/v1.0.1
+      - name: Analyze Docker Base Image
+        uses: ./.github/actions/docker-image
         with:
           image: '127.0.0.1:5000/kolla/base:latest'
-      - name: Get OpenStack Docker Image layer contents
-        uses: MaxymVlasov/dive-action@379af3fc636888ada5899c997e8b52db6ad45023 # refs/tags/v1.0.1
+      - name: Analyze OpenStack Base Image
+        uses: ./.github/actions/docker-image
         with:
           image: '127.0.0.1:5000/kolla/openstack-base:latest'
-      - name: Get Kestone Docker Image layer contents
-        uses: MaxymVlasov/dive-action@379af3fc636888ada5899c997e8b52db6ad45023 # refs/tags/v1.0.1
+      - name: Analyze Keystone Image
+        uses: ./.github/actions/docker-image
         with:
           image: '127.0.0.1:5000/kolla/keystone:latest'
       - name: Validate images