marko/cnpg-postgres-containers
1
0
Fork 0
forked from repo-mirrors/cnpg-postgres-containers
Code Pull Requests Actions Activity

Compare commits

base: marko:dev/340
Branches Tags
marko:main marko:renovate/barman-3.x marko:dev/340 marko:dev/security-scan-action marko:dev/209 marko:dev/290 marko:dev/upload marko:dev/improve-readme
..
compare: marko:dev/security-scan-action
Branches Tags
marko:renovate/barman-3.x marko:main marko:dev/340 marko:dev/security-scan-action marko:dev/209 marko:dev/290 marko:dev/upload marko:dev/improve-readme

1 Commits
dev/340 ... dev/securi

Author SHA1 Message Date
Niccolò Fei
6883910f08 ci: add a composite action for security scanners 
Signed-off-by: Niccolò Fei <niccolo.fei@enterprisedb.com>
 2025-10-13 16:35:41 +02:00
6 changed files with 191 additions and 250 deletions
Expand all files Collapse all files

120
.github/actions/copy-images/README.md vendored
View File

@@ -1,120 +0,0 @@
# Copy Images Action
This composite GitHub Action copies a set of container images from a
`testing registry` to a `production registry`, and signs them using `Cosign`.
It requires as input Bake's build result metadata, which is the output provided
by the [bake-action](https://github.com/docker/bake-action?tab=readme-ov-file#outputs).
---
## How it works
The action assumes a consistent naming convention between your testing and production registries.
* A production image is named like `ghcr.io/org/image`
* The corresponding testing image must include a suffix, e.g. `ghcr.io/org/image-testing`
You can customize this suffix with the `inputs.test_registry_suffix` input.
The action proceeds as follows:
1. It retrieves all image references from `inputs.bake_build_metadata`
2. It generates a list of destination images by stripping out the `test_registry_suffix` from each image
3. Each image is copied to the destination registry using `Skopeo copy`. The digest of the image is preserved.
4. Each production image is signed using `Cosign`
---
## Requirements
This composite action requires the calling workflows `GITHUB_TOKEN`
to have the following permissions:
```
permissions:
contents: read
packages: write
id-token: write # needed by Cosign for signing the images with GitHub OIDC Token
```
---
## Inputs
| Name | Description | Required | Default |
| ---------------------- | -------------------------------------------------- | --------- | -------------- |
| `bake_build_metadata` | The JSON build result metadata generated by Bake | ✅ Yes | — |
| `registry_user` | The user used to authenticate to the registry | ✅ Yes | — |
| `registry_token` | The token used to authenticate to the registry | ✅ Yes | — |
| `test_registry_suffix` | The suffix of the testing images | ❌ No | `-testing` |
Note:
The JSON build result metadata is provided by [bake-action](https://github.com/docker/bake-action) as an output, see
[bake-action outputs](https://github.com/docker/bake-action?tab=readme-ov-file#outputs).
Alternatively, if you are using `docker buildx bake` via commandline, you can write your build metadata to a file
by using `--metadata-file`, and then provide the content of that file as `input.bake_build_metadata`.
---
## Usage
Example usage:
```
jobs:
copytoproduction:
runs-on: ubuntu-latest
needs:
- testbuild
permissions:
contents: read
packages: write
id-token: write
steps:
- name: Copy to production
uses: cloudnative-pg/postgres-containers/.github/actions/copy-images@main
with:
bake_build_metadata: "${{ needs.testbuild.outputs.metadata }}"
registry_user: ${{ github.actor }}
registry_token: ${{ secrets.GITHUB_TOKEN }}
```
Example workflow:
```
jobs:
# Building and pushing to a testing registry
testbuild:
runs-on: ubuntu-latest
outputs:
metadata: ${{ steps.build.outputs.metadata }}
steps:
...
- uses: docker/bake-action@v6
id: build
with:
push: true
# Here's when you'd want to have one or
# multiple jobs to scan and test your images
scan-images:
...
# If the tests passed, we promote the images to the production repo
copytoproduction:
runs-on: ubuntu-latest
needs:
- testbuild
- scan-images
permissions:
contents: read
packages: write
id-token: write
steps:
- name: Copy to production
uses: cloudnative-pg/postgres-containers/.github/actions/copy-images@main
with:
bake_build_metadata: "${{ needs.testbuild.outputs.metadata }}"
registry_user: ${{ github.actor }}
registry_token: ${{ secrets.GITHUB_TOKEN }}
```

75
.github/actions/copy-images/action.yml vendored
View File

@@ -1,75 +0,0 @@
name: Copy and sign images
description: Copy and sign images to the production repository
inputs:
bake_build_metadata:
description: "The JSON build metadata of Bake"
required: true
registry_user:
description: "The user used to authenticate to the registry"
required: true
registry_token:
description: "The token used to authenticate to the registry"
required: true
test_registry_suffix:
description: "The testing registry suffix"
required: false
default: '-testing'
runs:
using: composite
steps:
- name: Log in to the GitHub Container registry
uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3
with:
registry: ghcr.io
username: ${{ inputs.registry_user }}
password: ${{ inputs.registry_token }}
- name: Copy images
shell: bash
env:
# renovate: datasource=docker depName=quay.io/skopeo/stable versioning=loose
SKOPEO_VERSION: "v1.20.0-immutable"
SUFFIX: ${{ inputs.test_registry_suffix }}
run: |
images=$(echo '${{ inputs.bake_build_metadata }}' |
jq -r '
.[] as $items |
(
$items."image.name" |
split(",")[] +
"@" +
$items."containerimage.digest"
)
'
)
for image in $images
do
testimageshaonly="${image%:*@*}@${image#*@}"
testimagenosha="${image%@*}"
prodimage="${testimagenosha/$SUFFIX/}"
echo "Copying ${testimageshaonly} to ${prodimage}"
docker run --quiet quay.io/skopeo/stable:$SKOPEO_VERSION copy -q -a \
--dest-creds ${{ inputs.registry_user }}:${{ inputs.registry_token }} \
docker://${testimageshaonly} docker://${prodimage}
done
- name: Install cosign
uses: sigstore/cosign-installer@398d4b0eeef1380460a10c8013a76f728fb906ac # v3
- name: Sign images
shell: bash
env:
SUFFIX: ${{ inputs.test_registry_suffix }}
run: |
images=$(echo '${{ inputs.bake_build_metadata }}' |
jq -r --arg suffix "$SUFFIX" '.[] |
(
."image.name" |
sub(",.*";"") |
sub($suffix + ":[^@]+";"")
) + "@" + ."containerimage.digest"
'
)
echo "Signing ${images}"
cosign sign -t 5m --yes ${images}

71
.github/actions/security-scans/README.md vendored Normal file
View File

@@ -0,0 +1,71 @@
# Security Scans Action
This composite GitHub Action wraps all the security scanners used to
analyze CloudNativePG container images.
---
## Requirements
This composite action relies on the calling workflows `GITHUB_TOKEN`.
Make sure your calling workflow includes:
```
permissions:
contents: read
packages: read
security-events: write # required for SARIF upload
```
---
## Security scanners
- [Dockle](https://github.com/goodwithtech/dockle):
- Best-practice and configuration checks.
- [Snyk](https://github.com/snyk/actions):
- Detects vulnerabilities in OS packages, libraries, and dependencies.
- Generates a `snyk.sarif` that gets uploaded to GitHub Code Scanning
---
## Inputs
| Name | Description | Required | Default |
| ---------------- | -------------------------------------------------- | --------- | -------------- |
| `image` | The image to scan (e.g. `ghcr.io/org/image:tag`) | ✅ Yes | — |
| `registry_user` | The user used to pull the image | ✅ Yes | — |
| `registry_token` | The token used to pull the image | ✅ Yes | — |
| `snyk_token` | The Snyk authentication token | ❌ No | — |
| `dockerfile` | Path to the images Dockerfile (for Snyk scanning) | ❌ No | `./Dockerfile` |
Note:
- If a `snyk_token` is not provided, Snyk scans won't be performed.
- The `dockerfile` path is currently only required by Snyk.
---
## Usage
Example workflow:
```
jobs:
security-scan:
runs-on: ubuntu-latest
permissions:
contents: read
packages: read
security-events: write
steps:
- uses: actions/checkout@v5
- name: Security checks
uses: cloudnative-pg/postgres-containers/.github/actions/security-scans@main
with:
image: ghcr.io/org/image:tag
registry_user: ${{ github.actor }}
registry_token: ${{ secrets.GITHUB_TOKEN }}
snyk_token: ${{ secrets.SNYK_TOKEN }}
dockerfile: "./Dockerfile"
```

64
.github/actions/security-scans/action.yml vendored Normal file
View File

@@ -0,0 +1,64 @@
name: Security Scans
description: Security Scans
inputs:
image:
description: "The image to scan"
required: true
registry_user:
description: "The user used to pull the image"
required: true
registry_token:
description: "The token used to pull the image"
required: true
snyk_token:
description: "The snyk authentication token"
required: false
dockerfile:
description: "The image's Dockerfile"
required: false
default: './Dockerfile'
runs:
using: composite
steps:
- name: Log in to the GitHub Container registry
uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3
with:
registry: ghcr.io
username: ${{ inputs.registry_user }}
password: ${{ inputs.registry_token }}
- name: Dockle
uses: erzz/dockle-action@69369bc745ee29813f730231a821bcd4f71cd290 # v1
with:
image: "${{ inputs.image }}"
exit-code: '1'
failure-threshold: WARN
accept-keywords: key
accept-filenames: usr/share/postgresql-common/pgdg/apt.postgresql.org.asc,etc/ssl/private/ssl-cert-snakeoil.key,usr/local/lib/python3.9/dist-packages/azure/core/settings.py,usr/local/lib/python3.11/dist-packages/azure/core/settings.py,usr/local/lib/python3.13/dist-packages/azure/core/settings.py
- name: Snyk
uses: snyk/actions/docker@master
id: snyk
if: ${{ inputs.snyk_token != '' }}
# Snyk can be used to break the build when it detects vulnerabilities.
# In this case we want to upload the issues to GitHub Code Scanning.
continue-on-error: true
env:
SNYK_TOKEN: ${{ inputs.snyk_token }}
with:
image: "${{ inputs.image }}"
args: --severity-threshold=high --file=${{ inputs.dockerfile }}
- name: Replace sarif security-severity invalid values
if: ${{ steps.snyk.conclusion == 'success' }}
shell: bash
run: |
sed -i 's/"security-severity": "null"/"security-severity": "0"/g' snyk.sarif
sed -i 's/"security-severity": "undefined"/"security-severity": "0"/g' snyk.sarif
- name: Upload result to GitHub Code Scanning
uses: github/codeql-action/upload-sarif@f443b600d91635bebf5b0d9ebc620189c0d6fba5 # v4
if: ${{ steps.snyk.conclusion == 'success' }}
with:
sarif_file: snyk.sarif

102
.github/workflows/bake_targets.yml vendored
View File

@@ -143,47 +143,18 @@ jobs:
- name: Checkout Code - name: Checkout Code
uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5 uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
- name: Log in to the GitHub Container registry - name: Security checks
uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3 uses: ./.github/actions/security-scans
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Dockle
uses: erzz/dockle-action@69369bc745ee29813f730231a821bcd4f71cd290 # v1
with:
image: ${{ matrix.image }}
exit-code: '1'
failure-threshold: WARN
accept-keywords: key
accept-filenames: usr/share/postgresql-common/pgdg/apt.postgresql.org.asc,etc/ssl/private/ssl-cert-snakeoil.key,usr/local/lib/python3.9/dist-packages/azure/core/settings.py,usr/local/lib/python3.11/dist-packages/azure/core/settings.py,usr/local/lib/python3.13/dist-packages/azure/core/settings.py
- name: Snyk
uses: snyk/actions/docker@master
id: snyk
if: ${{ env.SNYK_TOKEN != '' }}
# Snyk can be used to break the build when it detects vulnerabilities.
# In this case we want to upload the issues to GitHub Code Scanning.
continue-on-error: true
env:
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
with: with:
image: "${{ matrix.image }}" image: "${{ matrix.image }}"
args: --severity-threshold=high --file=Dockerfile registry_user: ${{ github.actor }}
registry_token: ${{ secrets.GITHUB_TOKEN }}
- name: Replace sarif security-severity invalid values snyk_token: ${{ secrets.SNYK_TOKEN }}
if: ${{ steps.snyk.conclusion == 'success' }} dockerfile: "./Dockerfile"
run: |
sed -i 's/"security-severity": "null"/"security-severity": "0"/g' snyk.sarif
sed -i 's/"security-severity": "undefined"/"security-severity": "0"/g' snyk.sarif
- name: Upload result to GitHub Code Scanning
uses: github/codeql-action/upload-sarif@f443b600d91635bebf5b0d9ebc620189c0d6fba5 # v4
if: ${{ steps.snyk.conclusion == 'success' }}
with:
sarif_file: snyk.sarif
# Use the metadata generated in the `testbuild` step to find all the images
# that have been built. We copy them one by one to the production registry
# using skopeo. Then we sign the production images too.
copytoproduction: copytoproduction:
name: Copy images to production name: Copy images to production
if: | if: |
@@ -196,15 +167,54 @@ jobs:
permissions: permissions:
contents: read contents: read
packages: write packages: write
security-events: write
# Required by the cosign step # Required by the cosign step
id-token: write id-token: write
steps: steps:
- name: Checkout Code - name: Log in to the GitHub Container registry
uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5 uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3
- name: Copy to production
uses: ./.github/actions/copy-images
with: with:
bake_build_metadata: "${{ needs.testbuild.outputs.metadata }}" registry: ghcr.io
registry_user: ${{ github.actor }} username: ${{ github.actor }}
registry_token: ${{ secrets.GITHUB_TOKEN }} password: ${{ secrets.GITHUB_TOKEN }}
- name: Copy images
run: |
images=$(echo '${{ needs.testbuild.outputs.metadata }}' |
jq -r '
.[] as $items |
(
$items."image.name" |
split(",")[] +
"@" +
$items."containerimage.digest"
)
'
)
for image in $images
do
testimageshaonly="${image%:*@*}@${image#*@}"
testimagenosha="${image%@*}"
prodimage="${testimagenosha/-testing/}"
echo "Copying ${testimageshaonly} to ${prodimage}"
docker run --quiet quay.io/skopeo/stable:v1.17.0-immutable copy -q -a \
--dest-creds ${{ github.actor }}:${{ secrets.GITHUB_TOKEN }} \
docker://${testimageshaonly} docker://${prodimage}
done
- name: Install cosign
uses: sigstore/cosign-installer@398d4b0eeef1380460a10c8013a76f728fb906ac # v3
- name: Sign images
run: |
images=$(echo '${{ needs.testbuild.outputs.metadata }}' |
jq -r '.[] |
(
."image.name" |
sub(",.*";"") |
sub("-testing:[^@]+";"")
) + "@" + ."containerimage.digest"
'
)
echo "Signing ${images}"
cosign sign -t 5m --yes ${images}

9
renovate.json
View File

@@ -19,15 +19,6 @@
"\\/\\/\\s*renovate:\\s*datasource=(?<datasource>.*?)\\s+(versioning=(?<versioning>.*?))?\\s+depName=(?<depName>.*?)\\s*\\n\\s*[A-Za-z0-9_-]+\\s*=\\s*\"(?<currentValue>[^\"]+)\"" "\\/\\/\\s*renovate:\\s*datasource=(?<datasource>.*?)\\s+(versioning=(?<versioning>.*?))?\\s+depName=(?<depName>.*?)\\s*\\n\\s*[A-Za-z0-9_-]+\\s*=\\s*\"(?<currentValue>[^\"]+)\""
], ],
"versioningTemplate": "{{#if versioning}}{{{versioning}}}{{else}}semver{{/if}}" "versioningTemplate": "{{#if versioning}}{{{versioning}}}{{else}}semver{{/if}}"
},
{
"customType": "regex",
"managerFilePatterns": [
"/\\.ya?ml$/"
],
"matchStrings": [
"# renovate: datasource=(?<datasource>[a-z-.]+?) depName=(?<depName>[^\\s]+?)(?: (?:lookupName|packageName)=(?<packageName>[^\\s]+?))?(?: versioning=(?<versioning>[^\\s]+?))?(?: extractVersion=(?<extractVersion>[^\\s]+?))?\\s+[A-Za-z0-9_]+?_VERSION\\s*:\\s*[\"']?(?<currentValue>.+?)[\"']?\\s"
]
} }
], ],
"packageRules": [ "packageRules": [