Add trivy image scanning (#413)

sjpb · bertiethorpe · MaxBed4d · commit 09bcb71044af · 2024-10-15T14:51:50.000Z
* add trivy image scanning * bump fatimage workflow to ubuntu 22.04 * make setup script work in CI TODO: FIXME * fix libguestfs install * run only 1x build per matrix entry, & only builds required * fix packer README * fix image download * Use shorter names for CI clusters (#415) * use run_number as a shorter ID for CI * slurmci group name warning * Revert "slurmci group name warning" - underscores not valid linux hostname and stripped in host, leading to slurmdbd config failure This reverts commit 61dfad6. --------- Co-authored-by: Bertie <bertie@stackhpc.com> * install ood apps in fatimage * add ood jupyter install to fatimage * jupyter_compute ood into fatimage * bump fatimage * allow items in compute mapping to have different keys e.g. only specify image_id for some compute groups (#412) * Support ansible-init for remote collections (#411) * Add ansible-init role to requirements.yml * Add ansible-init to groups and plays * Configure cluster_infra ansible-init metadata * Only run site.yml once ansible-init has completed * Wait for ansible init to finish before running bootstrap * revert to using cluster_infra metadata defaults * update image * revert sausage bastion changes * set ansible_init_wait as common var * use run_number as a shorter ID for CI * install ood apps in fatimage * add ood jupyter install to fatimage * bump image * jupyter_compute ood into fatimage * bump fatimage for jupyter_compute ood * Update stackhpc.yml * duplicate tuned inventory group name * Fix invalid group name for slurmci * Update stackhpc.yml undo groupname changes * slurmci group name warning * rm ood changes * bump fatimage * change azimuth collection in bootstrap * update azimuth image utils version * update requirements * Update bastion.yml * Use azimuth image utils collection for ansible-init * bump fatimage --------- Co-authored-by: bertie <bertie@stackhpc.com> Co-authored-by: bertiethorpe <84867280+bertiethorpe@users.noreply.github.com> * avoid python-openstackclient v7 due to rebuild bug (#420) * Update hpctests to obey UCX_NET_DEVICES when RoCE devices present (#421) * Turn off higher priority MPI net devices * Update pingmatrix.sh.j2 * Update pingmatrix.sh.j2 * Update pingpong.sh.j2 * Replace j2 comments with bash * Update pingpong.sh.j2 --------- Co-authored-by: Steve Brasier <33413598+sjpb@users.noreply.github.com> * delete trivy scanned vulnerabilities * update grafana * bump image * Update environments/.stackhpc/hooks/post.yml Co-authored-by: Steve Brasier <33413598+sjpb@users.noreply.github.com> * Update setup-env.sh --------- Co-authored-by: Bertie <bertie@stackhpc.com> Co-authored-by: bertiethorpe <84867280+bertiethorpe@users.noreply.github.com> Co-authored-by: bertiethorpe <bertie443@gmail.com>
diff --git a/.github/workflows/fatimage.yml b/.github/workflows/fatimage.yml
@@ -2,27 +2,26 @@
 name: Build fat image
 'on':
   workflow_dispatch:
-    inputs:
-      use_RL8:
-        required: true
-        description: Include RL8 image build
-        type: boolean
-        default: false
 concurrency:
-  group: ${{ github.ref }}-{{ matrix.os_version }} # to branch/PR + OS
+  group: ${{ github.ref }}-{{ matrix.os_version }}-{{ matrix.build }} # to branch/PR + OS + build
   cancel-in-progress: true
 jobs:
   openstack:
     name: openstack-imagebuild
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-22.04
     strategy:
       matrix:
-        os_version: [RL8, RL9]
-        rl8_selected:
-          - ${{ inputs.use_RL8 == true }} # only potentially true for workflow_dispatch
+        os_version:
+          - RL8
+          - RL9
+        build:
+          - openstack.openhpc
+          - openstack.openhpc-ofed
         exclude:
           - os_version: RL8
-            rl8_selected: false
+            build: openstack.openhpc-ofed
+          - os_version: RL9
+            build: openstack.openhpc
     env:
       ANSIBLE_FORCE_COLOR: True
       OS_CLOUD: openstack
@@ -63,19 +62,64 @@ jobs:
           . environments/.stackhpc/activate
           cd packer/
           packer init .
-          PACKER_LOG=1 packer build -on-error=${{ vars.PACKER_ON_ERROR }} -except=openstack.openhpc-extra -var-file=$PKR_VAR_environment_root/${{ vars.CI_CLOUD }}.pkrvars.hcl openstack.pkr.hcl
+          PACKER_LOG=1 packer build -on-error=${{ vars.PACKER_ON_ERROR }} -only=${{ matrix.build }} -var-file=$PKR_VAR_environment_root/${{ vars.CI_CLOUD }}.pkrvars.hcl openstack.pkr.hcl
         env:
           PKR_VAR_os_version: ${{ matrix.os_version }}
 
       - name: Get created image names from manifest
         id: manifest
         run: |
           . venv/bin/activate
-          for IMAGE_ID in $(jq --raw-output '.builds[].artifact_id' packer/packer-manifest.json)
-          do
-            while ! openstack image show -f value -c name $IMAGE_ID; do
-              sleep 5
-            done
-            IMAGE_NAME=$(openstack image show -f value -c name $IMAGE_ID)
-            echo $IMAGE_NAME
+          IMAGE_ID=$(jq --raw-output '.builds[-1].artifact_id' packer/packer-manifest.json)
+          while ! openstack image show -f value -c name $IMAGE_ID; do
+            sleep 5
           done
+          IMAGE_NAME=$(openstack image show -f value -c name $IMAGE_ID)
+          echo "image-name=${IMAGE_NAME}" >> "$GITHUB_OUTPUT"
+          echo "image-id=$IMAGE_ID" >> "$GITHUB_OUTPUT"
+
+      - name: Download image
+        run: |
+          . venv/bin/activate
+          openstack image save --file ${{ steps.manifest.outputs.image-name }}.qcow2 ${{ steps.manifest.outputs.image-name }}
+
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v3
+
+      - name: install libguestfs
+        run: |
+          sudo apt -y update
+          sudo apt -y install libguestfs-tools
+
+      - name: mkdir for mount
+        run: sudo mkdir -p './${{ steps.manifest.outputs.image-name }}'
+
+      - name: mount qcow2 file
+        run: sudo guestmount -a ${{ steps.manifest.outputs.image-name }}.qcow2 -i --ro -o allow_other './${{ steps.manifest.outputs.image-name }}'
+
+      - name: Run Trivy vulnerability scanner
+        uses: aquasecurity/trivy-action@0.17.0
+        with:
+          scan-type: fs
+          scan-ref: "./${{ steps.manifest.outputs.image-name }}"
+          scanners: "vuln"
+          format: sarif
+          output: "${{ steps.manifest.outputs.image-name }}.sarif"
+          # turn off secret scanning to speed things up
+
+      - name: Upload Trivy scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: "${{ steps.manifest.outputs.image-name }}.sarif"
+          category: "${{ matrix.os_version }}-${{ matrix.build }}"
+
+      - name: Fail if scan has CRITICAL vulnerabilities
+        uses: aquasecurity/trivy-action@0.16.1
+        with:
+          scan-type: fs
+          scan-ref: "./${{ steps.manifest.outputs.image-name }}"
+          scanners: "vuln"
+          format: table
+          exit-code: '1'
+          severity: 'CRITICAL'
+          ignore-unfixed: true
diff --git a/environments/.stackhpc/hooks/post.yml b/environments/.stackhpc/hooks/post.yml
@@ -0,0 +1,14 @@
+- hosts: openondemand
+  become: yes
+  gather_facts: false
+  tasks:
+    - name: Delete ondemand files causing Trivy scan false-positives
+      # Raised at https://github.com/OSC/ondemand/security/advisories/GHSA-f7j8-ppqm-m5vw
+      # All declared not to be an issue by Open Ondemand as relevant packages not installed
+      ansible.builtin.file:
+        path: "{{ item }}"
+        state: absent
+      with_items:
+        - /opt/ood/ondemand/root/usr/share/gems/3.1/ondemand/3.1.7-1/gems/bootstrap_form-2.7.0/test/dummy/Gemfile.lock
+        - /opt/ood/ondemand/root/usr/share/gems/3.1/ondemand/3.1.7-1/gems/bootstrap_form-4.5.0/demo/yarn.lock
+        - /var/www/ood/apps/sys/dashboard/node_modules/data-confirm-modal/Gemfile.lock
diff --git a/environments/.stackhpc/terraform/main.tf b/environments/.stackhpc/terraform/main.tf
@@ -29,9 +29,9 @@ variable "cluster_image" {
     description = "single image for all cluster nodes, keyed by os_version - a convenience for CI"
     type = map(string)
     default = {
-        # https://github.com/stackhpc/ansible-slurm-appliance/pull/411
-        RL8: "openhpc-RL8-240725-1710-325c7b47"
-        RL9: "openhpc-ofed-RL9-240725-1710-325c7b47"
+        # https://github.com/stackhpc/ansible-slurm-appliance/pull/413
+        RL8: "openhpc-RL8-240813-1317-1b370a36"
+        RL9: "openhpc-ofed-RL9-240813-1317-1b370a36"
     }
 }
 
diff --git a/environments/common/inventory/group_vars/all/grafana.yml b/environments/common/inventory/group_vars/all/grafana.yml
@@ -2,7 +2,7 @@
 
 # See: https://github.com/cloudalchemy/ansible-grafana
 # for variable definitions.
-grafana_version: '9.0.3'
+grafana_version: '9.5.21'
 
 # need to copy some role defaults here so we can use in inventory:
 grafana_port: 3000

Original file line number	Diff line number	Diff line change
`@@ -29,9 +29,9 @@ variable "cluster_image" {`
`29`	`29`	`description = "single image for all cluster nodes, keyed by os_version - a convenience for CI"`
`30`	`30`	`type = map(string)`
`31`	`31`	`default = {`
`32`		`- # https://github.com/stackhpc/ansible-slurm-appliance/pull/411`
`33`		`- RL8: "openhpc-RL8-240725-1710-325c7b47"`
`34`		`- RL9: "openhpc-ofed-RL9-240725-1710-325c7b47"`
	`32`	`+ # https://github.com/stackhpc/ansible-slurm-appliance/pull/413`
	`33`	`+ RL8: "openhpc-RL8-240813-1317-1b370a36"`
	`34`	`+ RL9: "openhpc-ofed-RL9-240813-1317-1b370a36"`
`35`	`35`	`}`
`36`	`36`	`}`
`37`	`37`