From 1a4c52966c801410744271524e3d8caec424346a Mon Sep 17 00:00:00 2001
From: timothycarambat
Date: Thu, 12 Dec 2024 14:25:38 -0800
Subject: [PATCH 1/6] Testing flow
---
 .github/workflows/dev-build.yaml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/.github/workflows/dev-build.yaml b/.github/workflows/dev-build.yaml
index 09d65ea1c7..9c8f8e76f3 100644
--- a/.github/workflows/dev-build.yaml
+++ b/.github/workflows/dev-build.yaml
@@ -95,6 +95,7 @@ jobs:
 # About VEX attestations https://docs.docker.com/scout/explore/exceptions/
 # Justifications https://github.com/openvex/spec/blob/main/OPENVEX-SPEC.md#status-justifications
 - name: Add VEX attestations
+ uses: docker/scout-cli-action@v1
 env:
 CVE_EXCEPTIONS: ${{ steps.cve-list.outputs.CVE_EXCEPTIONS }}
 run: |
From 2e2fc1425824ecc8cf339ddaf669079376e19e06 Mon Sep 17 00:00:00 2001
From: timothycarambat
Date: Thu, 12 Dec 2024 14:26:25 -0800
Subject: [PATCH 2/6] change target
---
 .github/workflows/dev-build.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/dev-build.yaml b/.github/workflows/dev-build.yaml
index 9c8f8e76f3..093084a0a0 100644
--- a/.github/workflows/dev-build.yaml
+++ b/.github/workflows/dev-build.yaml
@@ -6,7 +6,7 @@ concurrency:
 on:
 push:
- branches: ['2545-feat-community-hub-integration'] # put your current branch to create a build. Core team only.
+ branches: ['docker-scout-patch'] # put your current branch to create a build. Core team only.
 paths-ignore:
 - '**.md'
 - 'cloud-deployments/*'
From 54b5b0a4a9431fa88af20dfcc9dfd704ffe768e1 Mon Sep 17 00:00:00 2001
From: timothycarambat
Date: Thu, 12 Dec 2024 14:29:36 -0800
Subject: [PATCH 3/6] try loop
---
 .github/workflows/dev-build.yaml | 37 ++++++++++++++++++--------------
 1 file changed, 21 insertions(+), 16 deletions(-)
diff --git a/.github/workflows/dev-build.yaml b/.github/workflows/dev-build.yaml
index 093084a0a0..929875857a 100644
--- a/.github/workflows/dev-build.yaml
+++ b/.github/workflows/dev-build.yaml
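Review bot: `uses: docker/scout-cli-action@v1` is added to a step that still carries `env:` and `run: |` (visible as the context lines right after it, with the script body continuing outside the hunk), and a workflow step may declare either `uses` or `run`, not both, so the workflow fails validation before any job runs. Either the action is meant to replace the script — in which case the `run`/`shell` lines and the curl-pipe-to-sh installer go away in the same change — or the line should not be there. I would also double-check that the action reference resolves; the Docker Scout action I am aware of is published as `docker/scout-action`, so `docker/scout-cli-action` may be a typo.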
@@ -96,20 +96,25 @@ jobs:
 # Justifications https://github.com/openvex/spec/blob/main/OPENVEX-SPEC.md#status-justifications
 - name: Add VEX attestations
 uses: docker/scout-cli-action@v1
- env:
- CVE_EXCEPTIONS: ${{ steps.cve-list.outputs.CVE_EXCEPTIONS }}
- run: |
- echo $CVE_EXCEPTIONS
- curl -sSfL https://raw.githubusercontent.com/docker/scout-cli/main/install.sh | sh -s --
- for cve in $CVE_EXCEPTIONS; do
- for tag in "${{ join(fromJSON(steps.meta.outputs.json).tags, ' ') }}"; do
- echo "Attaching VEX exception $cve to $tag"
- docker scout attestation add \
- --file "./docker/vex/$cve.vex.json" \
- --predicate-type https://openvex.dev/ns/v0.2.0 \
- $tag
- done
- done
- shell: bash
+ with:
+ command: attestation-add
+ only-severity: critical,high
+ tags: ${{ steps.meta.outputs.tags }}
+ file: ./docker/vex/${{ matrix.cve }}.vex.json
+ predicate-type: https://openvex.dev/ns/v0.2.0
+ strategy:
+ matrix:
+ cve: ${{ fromJSON(format('[{0}]', steps.cve-list.outputs.CVE_EXCEPTIONS)) }}
-
\ No newline at end of file
+ # run: |
+ # echo $CVE_EXCEPTIONS
+ # curl -sSfL https://raw.githubusercontent.com/docker/scout-cli/main/install.sh | sh -s --
+ # for cve in $CVE_EXCEPTIONS; do
+ # for tag in "${{ join(fromJSON(steps.meta.outputs.json).tags, ' ') }}"; do
+ # echo "Attaching VEX exception $cve to $tag"
+ # docker scout attestation add \
+ # --file "./docker/vex/$cve.vex.json" \
+ # --predicate-type https://openvex.dev/ns/v0.2.0 \
+ # $tag
+ # done
+ # done
\ No newline at end of file
From 6cea804c01604136c58bc0634b8de4e303faf7be Mon Sep 17 00:00:00 2001
From: timothycarambat
Date: Thu, 12 Dec 2024 14:33:16 -0800
Subject: [PATCH 4/6] try loop
---
 .github/workflows/dev-build.yaml | 34 +++++++++++++++++++++-----------
 1 file changed, 23 insertions(+), 11 deletions(-)
diff --git a/.github/workflows/dev-build.yaml b/.github/workflows/dev-build.yaml
index 929875857a..1aa41cd72b 100644
--- a/.github/workflows/dev-build.yaml
+++ b/.github/workflows/dev-build.yaml
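Review bot: The `strategy:`/`matrix:` block is placed inside the `Add VEX attestations` step rather than at job level, and its `cve` list is built from `steps.cve-list.outputs.CVE_EXCEPTIONS`; a matrix is expanded before the job's steps run, so it can only read `needs.<job>.outputs.*` from an earlier job, never a step output of the same job, and `${{ matrix.cve }}` in `file:` therefore never resolves. The `format('[{0}]', …)` wrapper also assumes CVE_EXCEPTIONS is already a quoted, comma-separated list, whereas the removed shell loop treated it as space-separated words — worth confirming what the cve-list step actually writes before relying on `fromJSON`. The fifteen commented-out lines appended at the end are dead text that git history already keeps, and the `-`/`\ No newline at end of file` pair shows the file lost its trailing newline.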
@@ -92,19 +92,31 @@ jobs:
 echo "CVE_EXCEPTIONS=$CVE_NAMES" >> $GITHUB_OUTPUT
 shell: bash
- # About VEX attestations https://docs.docker.com/scout/explore/exceptions/
- # Justifications https://github.com/openvex/spec/blob/main/OPENVEX-SPEC.md#status-justifications
- - name: Add VEX attestations
- uses: docker/scout-cli-action@v1
- with:
- command: attestation-add
- only-severity: critical,high
- tags: ${{ steps.meta.outputs.tags }}
- file: ./docker/vex/${{ matrix.cve }}.vex.json
- predicate-type: https://openvex.dev/ns/v0.2.0
+
+ cve_matrix:
 strategy:
 matrix:
 cve: ${{ fromJSON(format('[{0}]', steps.cve-list.outputs.CVE_EXCEPTIONS)) }}
+ steps:
+ - name: Add VEX attestations
+ uses: docker/scout-cli-action@v1
+ with:
+ command: attestation-add
+ only-severity: critical,high
+ tags: ${{ steps.meta.outputs.tags }}
+ file: ./docker/vex/${{ matrix.cve }}.vex.json
+ predicate-type: https://openvex.dev/ns/v0.2.0
+
+ # About VEX attestations https://docs.docker.com/scout/explore/exceptions/
+ # Justifications https://github.com/openvex/spec/blob/main/OPENVEX-SPEC.md#status-justifications
+ # - name: Add VEX attestations
+ # uses: docker/scout-cli-action@v1
+ # with:
+ # command: attestation-add
+ # only-severity: critical,high
+ # tags: ${{ steps.meta.outputs.tags }}
+ # file: ./docker/vex/${{ matrix.cve }}.vex.json
+ # predicate-type: https://openvex.dev/ns/v0.2.0
 strategy:
 # run: |
 # echo $CVE_EXCEPTIONS
@@ -117,4 +129,4 @@ jobs:
 # --predicate-type https://openvex.dev/ns/v0.2.0 \
 # $tag
 # done
- # done
\ No newline at end of file
+ # done
From 3e352941956d26cd7bff51a090495073efca3a1a Mon Sep 17 00:00:00 2001
From: timothycarambat
Date: Thu, 12 Dec 2024 14:44:31 -0800
Subject: [PATCH 5/6] fix ver
---
 .github/workflows/dev-build.yaml | 54 +++++++++++--------------------
 1 file changed, 18 insertions(+), 36 deletions(-)
diff --git a/.github/workflows/dev-build.yaml b/.github/workflows/dev-build.yaml
index 1aa41cd72b..60735bcdb6 100644
--- a/.github/workflows/dev-build.yaml
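Review bot: The new `cve_matrix` job is not runnable as written: it has no `runs-on`, no `needs` on the job whose `cve-list` and `meta` steps it depends on, and both `steps.cve-list.outputs.CVE_EXCEPTIONS` and `steps.meta.outputs.tags` are step outputs of another job, which evaluate to empty here — so the matrix is empty or the action is invoked with no tags and a path built from an unset `matrix.cve`. Wiring it up needs an `outputs:` block on the build job and `needs.<build-job>.outputs.*` references here, plus `runs-on`, and the `./docker/vex/*.vex.json` files would have to be checked out again in the new job. The `strategy:` line that survives as context just before the commented `# run: |` block appears to be a leftover key with no value (this may be an artefact of how the patch was rendered — confirm in the file), and the second commented-out copy of the step adds nothing that history does not already keep.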
+++ b/.github/workflows/dev-build.yaml 
@@ -92,41 +92,23 @@ jobs: echo "CVE_EXCEPTIONS=$CVE_NAMES" >> $GITHUB_OUTPUT shell: bash - - cve_matrix: - strategy: - matrix: - cve: ${{ fromJSON(format('[{0}]', steps.cve-list.outputs.CVE_EXCEPTIONS)) }} - steps: - - name: Add VEX attestations - uses: docker/scout-cli-action@v1 - with: - command: attestation-add - only-severity: critical,high - tags: ${{ steps.meta.outputs.tags }} - file: ./docker/vex/${{ matrix.cve }}.vex.json - predicate-type: https://openvex.dev/ns/v0.2.0 - # About VEX attestations https://docs.docker.com/scout/explore/exceptions/ # Justifications https://github.com/openvex/spec/blob/main/OPENVEX-SPEC.md#status-justifications - # - name: Add VEX attestations - # uses: docker/scout-cli-action@v1 - # with: - # command: attestation-add - # only-severity: critical,high - # tags: ${{ steps.meta.outputs.tags }} - # file: ./docker/vex/${{ matrix.cve }}.vex.json - # predicate-type: https://openvex.dev/ns/v0.2.0 strategy: - - # run: | - # echo $CVE_EXCEPTIONS - # curl -sSfL https://raw.githubusercontent.com/docker/scout-cli/main/install.sh | sh -s -- - # for cve in $CVE_EXCEPTIONS; do - # for tag in "${{ join(fromJSON(steps.meta.outputs.json).tags, ' ') }}"; do - # echo "Attaching VEX exception $cve to $tag" - # docker scout attestation add \ - # --file "./docker/vex/$cve.vex.json" \ - # --predicate-type https://openvex.dev/ns/v0.2.0 \ - # $tag - # done - # done + # Fixed to use v1.15.1 of scout-cli as v1.16.0 install script is broken + # https://github.com/docker/scout-cli + - name: Add VEX attestations + env: + CVE_EXCEPTIONS: ${{ steps.cve-list.outputs.CVE_EXCEPTIONS }} + run: | + echo $CVE_EXCEPTIONS + curl -sSfL https://raw.githubusercontent.com/docker/scout-cli/main/install.sh | sh -s -- v1.15.1 + for cve in $CVE_EXCEPTIONS; do + for tag in "${{ join(fromJSON(steps.meta.outputs.json).tags, ' ') }}"; do + echo "Attaching VEX exception $cve to $tag" + docker scout attestation add \ + --file "./docker/vex/$cve.vex.json" \ + --predicate-type 
https://openvex.dev/ns/v0.2.0 \
+ $tag
+ done
+ done
+ shell: bash
\ No newline at end of file
From 3c56f6550adf513bd47173db762d060d52fa136a Mon Sep 17 00:00:00 2001
From: timothycarambat
Date: Thu, 12 Dec 2024 14:51:37 -0800
Subject: [PATCH 6/6] patch all build docker-scount flows
---
 .github/workflows/build-and-push-image-semver.yaml | 2 +-
 .github/workflows/build-and-push-image.yaml | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/build-and-push-image-semver.yaml b/.github/workflows/build-and-push-image-semver.yaml
index 8fb6d35c28..4ccb373e37 100644
--- a/.github/workflows/build-and-push-image-semver.yaml
+++ b/.github/workflows/build-and-push-image-semver.yaml
@@ -102,7 +102,7 @@ jobs:
 CVE_EXCEPTIONS: ${{ steps.cve-list.outputs.CVE_EXCEPTIONS }}
 run: |
 echo $CVE_EXCEPTIONS
- curl -sSfL https://raw.githubusercontent.com/docker/scout-cli/main/install.sh | sh -s --
+ curl -sSfL https://raw.githubusercontent.com/docker/scout-cli/main/install.sh | sh -s -- v1.15.1
 for cve in $CVE_EXCEPTIONS; do
 for tag in "${{ join(fromJSON(steps.meta.outputs.json).tags, ' ') }}"; do
 echo "Attaching VEX exception $cve to $tag"
diff --git a/.github/workflows/build-and-push-image.yaml b/.github/workflows/build-and-push-image.yaml
index 591cf63d03..f53855796f 100644
--- a/.github/workflows/build-and-push-image.yaml
+++ b/.github/workflows/build-and-push-image.yaml
@@ -121,7 +121,7 @@ jobs:
 CVE_EXCEPTIONS: ${{ steps.cve-list.outputs.CVE_EXCEPTIONS }}
 run: |
 echo $CVE_EXCEPTIONS
- curl -sSfL https://raw.githubusercontent.com/docker/scout-cli/main/install.sh | sh -s --
+ curl -sSfL https://raw.githubusercontent.com/docker/scout-cli/main/install.sh | sh -s -- v1.15.1
 for cve in $CVE_EXCEPTIONS; do
 for tag in "${{ join(fromJSON(steps.meta.outputs.json).tags, ' ') }}"; do
 echo "Attaching VEX exception $cve to $tag"
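Review bot: The pin only covers the scout-cli release (`sh -s -- v1.15.1`); the installer itself is still fetched from the unpinned `main` branch of docker/scout-cli and piped straight into `sh` with no checksum or signature check, so every run executes whatever that script contains at that moment — the same line is repeated in the build-and-push-image-semver.yaml and build-and-push-image.yaml hunks of the last commit. Pinning the installer URL to the tag or commit that corresponds to v1.15.1, or downloading the release archive and verifying its published checksum before running it, closes that gap. The loop header `for tag in "${{ join(fromJSON(steps.meta.outputs.json).tags, ' ') }}"; do` is double-quoted, so it iterates once with every tag in `$tag`, and the unquoted `$tag` on the `docker scout attestation add` line then expands to several arguments; dropping the quotes gives one attestation per tag, and passing the tag list through `env:` instead of interpolating the expression into the script keeps a tag that is ever derived from a branch or ref name from being parsed as shell. The `strategy:` line that survives as context between the `# Justifications` comment and the restored step also looks like a leftover key with no value (confirm in the file, as this may be a rendering artefact), and the file still ends without a trailing newline.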