Add trivy image scanning

.github/workflows/fatimage.yml

@@ -2,27 +2,26 @@
 name: Build fat image
 'on':
   workflow_dispatch:
-    inputs:
-      use_RL8:
-        required: true
-        description: Include RL8 image build
-        type: boolean
-        default: false
 concurrency:
-  group: ${{ github.ref }}-{{ matrix.os_version }} # to branch/PR + OS
+  group: ${{ github.ref }}-{{ matrix.os_version }}-{{ matrix.build }} # to branch/PR + OS + build
   cancel-in-progress: true
 jobs:
   openstack:
     name: openstack-imagebuild
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-22.04
     strategy:
       matrix:
-        os_version: [RL8, RL9]
-        rl8_selected:
-          - ${{ inputs.use_RL8 == true }} # only potentially true for workflow_dispatch
+        os_version:
+          - RL8
+          - RL9
+        build:
+          - openstack.openhpc
+          - openstack.openhpc-ofed
         exclude:
           - os_version: RL8
-            rl8_selected: false
+            build: openstack.openhpc-ofed
+          - os_version: RL9
+            build: openstack.openhpc
     env:
       ANSIBLE_FORCE_COLOR: True
       OS_CLOUD: openstack
@@ -63,19 +62,64 @@ jobs:
           . environments/.stackhpc/activate
           cd packer/
           packer init .
-          PACKER_LOG=1 packer build -on-error=${{ vars.PACKER_ON_ERROR }} -except=openstack.openhpc-extra -var-file=$PKR_VAR_environment_root/${{ vars.CI_CLOUD }}.pkrvars.hcl openstack.pkr.hcl
+          PACKER_LOG=1 packer build -on-error=${{ vars.PACKER_ON_ERROR }} -only=${{ matrix.build }} -var-file=$PKR_VAR_environment_root/${{ vars.CI_CLOUD }}.pkrvars.hcl openstack.pkr.hcl
         env:
           PKR_VAR_os_version: ${{ matrix.os_version }}
 
       - name: Get created image names from manifest
         id: manifest
         run: |
           . venv/bin/activate
-          for IMAGE_ID in $(jq --raw-output '.builds[].artifact_id' packer/packer-manifest.json)
-          do
-            while ! openstack image show -f value -c name $IMAGE_ID; do
-              sleep 5
-            done
-            IMAGE_NAME=$(openstack image show -f value -c name $IMAGE_ID)
-            echo $IMAGE_NAME
+          IMAGE_ID=$(jq --raw-output '.builds[-1].artifact_id' packer/packer-manifest.json)
+          while ! openstack image show -f value -c name $IMAGE_ID; do
+            sleep 5
           done
+          IMAGE_NAME=$(openstack image show -f value -c name $IMAGE_ID)
+          echo "image-name=${IMAGE_NAME}" >> "$GITHUB_OUTPUT"
+          echo "image-id=$IMAGE_ID" >> "$GITHUB_OUTPUT"
+
+      - name: Download image
+        run: |
+          . venv/bin/activate
+          openstack image save --file ${{ steps.manifest.outputs.image-name }}.qcow2 ${{ steps.manifest.outputs.image-name }}
+
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v3
+
+      - name: install libguestfs
+        run: |
+          sudo apt -y update
+          sudo apt -y install libguestfs-tools
+
+      - name: mkdir for mount
+        run: sudo mkdir -p './${{ steps.manifest.outputs.image-name }}'
+
+      - name: mount qcow2 file
+        run: sudo guestmount -a ${{ steps.manifest.outputs.image-name }}.qcow2 -i --ro -o allow_other './${{ steps.manifest.outputs.image-name }}'
+
+      - name: Run Trivy vulnerability scanner
+        uses: aquasecurity/[email protected]
+        with:
+          scan-type: fs
+          scan-ref: "./${{ steps.manifest.outputs.image-name }}"
+          scanners: "vuln"
+          format: sarif
+          output: "${{ steps.manifest.outputs.image-name }}.sarif"
+          # turn off secret scanning to speed things up
+
+      - name: Upload Trivy scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: "${{ steps.manifest.outputs.image-name }}.sarif"
+          category: "${{ matrix.os_version }}-${{ matrix.build }}"
+
+      - name: Fail if scan has CRITICAL vulnerabilities
+        uses: aquasecurity/[email protected]
+        with:
+          scan-type: fs
+          scan-ref: "./${{ steps.manifest.outputs.image-name }}"
+          scanners: "vuln"
+          format: table
+          exit-code: '1'
+          severity: 'CRITICAL'
+          ignore-unfixed: true

environments/.stackhpc/hooks/post.yml

@@ -0,0 +1,14 @@
+- hosts: openondemand
+  become: yes
+  gather_facts: false
+  tasks:
+    - name: Delete ondemand files causing Trivy scan false-positives
+      # Raised at https://github.com/OSC/ondemand/security/advisories/GHSA-f7j8-ppqm-m5vw
+      # All declared not to be an issue by Open Ondemand as relevant packages not installed
+      ansible.builtin.file:
+        path: "{{ item }}"
+        state: absent
+      with_items:
+        - /opt/ood/ondemand/root/usr/share/gems/3.1/ondemand/3.1.7-1/gems/bootstrap_form-2.7.0/test/dummy/Gemfile.lock
+        - /opt/ood/ondemand/root/usr/share/gems/3.1/ondemand/3.1.7-1/gems/bootstrap_form-4.5.0/demo/yarn.lock
+        - /var/www/ood/apps/sys/dashboard/node_modules/data-confirm-modal/Gemfile.lock

environments/.stackhpc/terraform/main.tf

@@ -29,9 +29,9 @@ variable "cluster_image" {
     description = "single image for all cluster nodes, keyed by os_version - a convenience for CI"
     type = map(string)
     default = {
-        # https://github.com/stackhpc/ansible-slurm-appliance/pull/411
-        RL8: "openhpc-RL8-240725-1710-325c7b47"
-        RL9: "openhpc-ofed-RL9-240725-1710-325c7b47"
+        # https://github.com/stackhpc/ansible-slurm-appliance/pull/413
+        RL8: "openhpc-RL8-240813-1317-1b370a36"
+        RL9: "openhpc-ofed-RL9-240813-1317-1b370a36"
     }
 }
 

environments/common/inventory/group_vars/all/grafana.yml

@@ -2,7 +2,7 @@
 
 # See: https://github.com/cloudalchemy/ansible-grafana
 # for variable definitions.
-grafana_version: '9.0.3'
+grafana_version: '9.5.21'
 
 # need to copy some role defaults here so we can use in inventory:
 grafana_port: 3000