This repository has been archived by the owner on Sep 18, 2024. It is now read-only.

Rework CVE scanning strategy using Trivy
For branches other than 'main' and pull requests:
1. Build all images in one go
2. Scan each built image
  * use 'table' format, so the output is publicly visible
  * if any CVE is found in the given image, exit with exit code 1

For the 'main' branch:
1. Build all images in one go
2. Scan each built image
  * use 'table' format, so the output is publicly visible
  * if any CVE is found in the given image, exit with exit code 1
3. If no CVEs are found, push built images as 'latest'

For release tags:
Pull 'latest' images, retag and push them as the Git tag

Signed-off-by: Timo Reichl <[email protected]>
Timo Reichl committed Jun 15, 2022
1 parent f9dd778 commit 7cef458
Showing 5 changed files with 217 additions and 87 deletions.
15 changes: 0 additions & 15 deletions .github/scripts/docker_retag.sh

This file was deleted.

103 changes: 98 additions & 5 deletions .github/workflows/docker-build.yml
Original file line number Diff line number Diff line change
Expand Up @@ -20,20 +20,113 @@ jobs:
runs-on: ubuntu-22.04
steps:
- uses: actions/checkout@v3
- name: Build base images

- name: Build all images
run: |
for docker_base_image_type in ${DOCKER_IMAGE_BASE_ORDER}; do
docker-compose build ${docker_base_image_type}
done
- name: Build HLDS-based game images
run: |
for docker_hlds_game in $(ls image/games/hlds); do
docker-compose build ${docker_hlds_game}
done
- name: Build SRCDS-based game images
run: |
for docker_srcds_game in $(ls image/games/srcds); do
docker-compose build ${docker_srcds_game}
done
- name: Trivy CVE scan - base
uses: aquasecurity/[email protected]
with:
image-ref: "${{ env.REGISTRY_IMAGE }}:base"
format: 'table'
exit-code: '1'
severity: 'CRITICAL,HIGH,MEDIUM,LOW'

- name: Trivy CVE scan - srcds
uses: aquasecurity/[email protected]
with:
image-ref: "${{ env.REGISTRY_IMAGE }}:srcds"
format: 'table'
exit-code: '1'
severity: 'CRITICAL,HIGH,MEDIUM,LOW'

- name: Trivy CVE scan - hlds
uses: aquasecurity/[email protected]
with:
image-ref: "${{ env.REGISTRY_IMAGE }}:hlds"
format: 'table'
exit-code: '1'
severity: 'CRITICAL,HIGH,MEDIUM,LOW'

- name: Trivy CVE scan - games/hlds/cs
uses: aquasecurity/[email protected]
with:
image-ref: "${{ env.REGISTRY_IMAGE }}:cs"
format: 'table'
exit-code: '1'
severity: 'CRITICAL,HIGH,MEDIUM,LOW'

- name: Trivy CVE scan - games/srcds/bms
uses: aquasecurity/[email protected]
with:
image-ref: "${{ env.REGISTRY_IMAGE }}:bms"
format: 'table'
exit-code: '1'
severity: 'CRITICAL,HIGH,MEDIUM,LOW'

- name: Trivy CVE scan - games/srcds/csgo
uses: aquasecurity/[email protected]
with:
image-ref: "${{ env.REGISTRY_IMAGE }}:csgo"
format: 'table'
exit-code: '1'
severity: 'CRITICAL,HIGH,MEDIUM,LOW'

- name: Trivy CVE scan - games/srcds/css
uses: aquasecurity/[email protected]
with:
image-ref: "${{ env.REGISTRY_IMAGE }}:css"
format: 'table'
exit-code: '1'
severity: 'CRITICAL,HIGH,MEDIUM,LOW'

- name: Trivy CVE scan - games/srcds/dods
uses: aquasecurity/[email protected]
with:
image-ref: "${{ env.REGISTRY_IMAGE }}:dods"
format: 'table'
exit-code: '1'
severity: 'CRITICAL,HIGH,MEDIUM,LOW'

- name: Trivy CVE scan - games/srcds/gm
uses: aquasecurity/[email protected]
with:
image-ref: "${{ env.REGISTRY_IMAGE }}:gm"
format: 'table'
exit-code: '1'
severity: 'CRITICAL,HIGH,MEDIUM,LOW'

- name: Trivy CVE scan - games/srcds/hl2mp
uses: aquasecurity/[email protected]
with:
image-ref: "${{ env.REGISTRY_IMAGE }}:hl2mp"
format: 'table'
exit-code: '1'
severity: 'CRITICAL,HIGH,MEDIUM,LOW'

- name: Trivy CVE scan - games/srcds/l4d
uses: aquasecurity/[email protected]
with:
image-ref: "${{ env.REGISTRY_IMAGE }}:l4d"
format: 'table'
exit-code: '1'
severity: 'CRITICAL,HIGH,MEDIUM,LOW'

- name: Trivy CVE scan - games/srcds/l4d2
uses: aquasecurity/[email protected]
with:
image-ref: "${{ env.REGISTRY_IMAGE }}:l4d2"
format: 'table'
exit-code: '1'
severity: 'CRITICAL,HIGH,MEDIUM,LOW'
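Review bot: the scan list and the build list can drift apart. The `Build all images` step derives its services dynamically from `${DOCKER_IMAGE_BASE_ORDER} $(ls image/games/hlds) $(ls image/games/srcds)`, while the eleven Trivy steps that follow are a hardcoded enumeration (`base`, `srcds`, `hlds`, `cs`, `bms`, `csgo`, `css`, `dods`, `gm`, `hl2mp`, `l4d`, `l4d2`), so a game directory added later is built but never scanned and the gate silently stops covering it. Generate the scan targets from the same expression, either as a job `matrix` over the image types or as one `run:` step that loops `trivy image --exit-code 1 --severity CRITICAL,HIGH,MEDIUM,LOW "${REGISTRY_IMAGE}:${docker_image_type}"` over `docker_image_types`; that also removes the eleven-fold copy of `format`, `exit-code` and `severity`. One caveat on the settings themselves: with `LOW` in `severity` and no `ignore-unfixed`, a single unfixed OS-package advisory in the base image fails every pull request until upstream ships a fix, which is a defensible policy but should be stated as such where the scan is documented.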
149 changes: 109 additions & 40 deletions .github/workflows/docker-latest.yml
Original file line number Diff line number Diff line change
Expand Up @@ -19,58 +19,127 @@ jobs:
permissions:
contents: read
packages: write
security-events: write
steps:
- uses: actions/checkout@v3

- name: Log in to GHCR
run: echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u ${{ github.actor }} --password-stdin

- name: Log in to Docker Hub
run: echo "${{ secrets.DOCKERHUB_ACCESS }}" | docker login docker.io -u ${{ secrets.DOCKERHUB_USERNAME }} --password-stdin

- name: Build and push latest base images
- name: Build all images
run: |
for docker_base_image_type in ${DOCKER_IMAGE_BASE_ORDER}; do
docker-compose build ${docker_base_image_type}
docker_image_types="${DOCKER_IMAGE_BASE_ORDER} $(ls image/games/hlds) $(ls image/games/srcds)"
bash ${DOCKER_RETAG_SH} \
${REGISTRY_IMAGE}:${docker_base_image_type} \
${GHCR_PREFIX}/${REGISTRY_IMAGE}:${docker_base_image_type}-latest \
${DOCKER_HUB_PREFIX}/${REGISTRY_IMAGE}:${docker_base_image_type}-latest
for docker_image_type in ${docker_image_types}; do
docker-compose build ${docker_image_type}
done
- name: Build and push latest HLDS-based game images
run: |
for docker_hlds_game in $(ls image/games/hlds); do
docker-compose build ${docker_hlds_game}
- name: Trivy CVE scan - base
uses: aquasecurity/[email protected]
with:
image-ref: "${{ env.REGISTRY_IMAGE }}:base"
format: 'table'
exit-code: '1'
severity: 'CRITICAL,HIGH,MEDIUM,LOW'

bash ${DOCKER_RETAG_SH} \
${REGISTRY_IMAGE}:${docker_hlds_game} \
${GHCR_PREFIX}/${REGISTRY_IMAGE}:${docker_hlds_game}-latest \
${DOCKER_HUB_PREFIX}/${REGISTRY_IMAGE}:${docker_hlds_game}-latest
done
- name: Trivy CVE scan - srcds
uses: aquasecurity/[email protected]
with:
image-ref: "${{ env.REGISTRY_IMAGE }}:srcds"
format: 'table'
exit-code: '1'
severity: 'CRITICAL,HIGH,MEDIUM,LOW'

- name: Build and push latest SRCDS-based game images
run: |
for docker_srcds_game in $(ls image/games/srcds); do
docker-compose build ${docker_srcds_game}
- name: Trivy CVE scan - hlds
uses: aquasecurity/[email protected]
with:
image-ref: "${{ env.REGISTRY_IMAGE }}:hlds"
format: 'table'
exit-code: '1'
severity: 'CRITICAL,HIGH,MEDIUM,LOW'

bash ${DOCKER_RETAG_SH} \
${REGISTRY_IMAGE}:${docker_srcds_game} \
${GHCR_PREFIX}/${REGISTRY_IMAGE}:${docker_srcds_game}-latest \
${DOCKER_HUB_PREFIX}/${REGISTRY_IMAGE}:${docker_srcds_game}-latest
done
- name: Trivy CVE scan - games/hlds/cs
uses: aquasecurity/[email protected]
with:
image-ref: "${{ env.REGISTRY_IMAGE }}:cs"
format: 'table'
exit-code: '1'
severity: 'CRITICAL,HIGH,MEDIUM,LOW'

- name: Trivy CVE scan - games/srcds/bms
uses: aquasecurity/[email protected]
with:
image-ref: "${{ env.REGISTRY_IMAGE }}:bms"
format: 'table'
exit-code: '1'
severity: 'CRITICAL,HIGH,MEDIUM,LOW'

- name: Trivy CVE scan - games/srcds/csgo
uses: aquasecurity/[email protected]
with:
image-ref: "${{ env.REGISTRY_IMAGE }}:csgo"
format: 'table'
exit-code: '1'
severity: 'CRITICAL,HIGH,MEDIUM,LOW'

- name: Run Trivy vulnerability scanner - SRCDS image
uses: aquasecurity/trivy-action@4b9b6fb4ef28b31450391a93ade098bb00de584e
- name: Trivy CVE scan - games/srcds/css
uses: aquasecurity/trivy-action@0.4.0
with:
image-ref: "${{ env.GHCR_PREFIX }}:srcds-latest"
format: 'sarif'
output: 'trivy-results.sarif'
image-ref: "${{ env.REGISTRY_IMAGE }}:css"
format: 'table'
exit-code: '1'
severity: 'CRITICAL,HIGH,MEDIUM,LOW'

- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v2
- name: Trivy CVE scan - games/srcds/dods
uses: aquasecurity/trivy-action@0.4.0
with:
sarif_file: 'trivy-results.sarif'
image-ref: "${{ env.REGISTRY_IMAGE }}:dods"
format: 'table'
exit-code: '1'
severity: 'CRITICAL,HIGH,MEDIUM,LOW'

- name: Trivy CVE scan - games/srcds/gm
uses: aquasecurity/[email protected]
with:
image-ref: "${{ env.REGISTRY_IMAGE }}:gm"
format: 'table'
exit-code: '1'
severity: 'CRITICAL,HIGH,MEDIUM,LOW'

- name: Trivy CVE scan - games/srcds/hl2mp
uses: aquasecurity/[email protected]
with:
image-ref: "${{ env.REGISTRY_IMAGE }}:hl2mp"
format: 'table'
exit-code: '1'
severity: 'CRITICAL,HIGH,MEDIUM,LOW'

- name: Trivy CVE scan - games/srcds/l4d
uses: aquasecurity/[email protected]
with:
image-ref: "${{ env.REGISTRY_IMAGE }}:l4d"
format: 'table'
exit-code: '1'
severity: 'CRITICAL,HIGH,MEDIUM,LOW'

- name: Trivy CVE scan - games/srcds/l4d2
uses: aquasecurity/[email protected]
with:
image-ref: "${{ env.REGISTRY_IMAGE }}:l4d2"
format: 'table'
exit-code: '1'
severity: 'CRITICAL,HIGH,MEDIUM,LOW'

- name: Log in to GHCR
run: echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u ${{ github.actor }} --password-stdin

- name: Log in to Docker Hub
run: echo "${{ secrets.DOCKERHUB_ACCESS }}" | docker login docker.io -u ${{ secrets.DOCKERHUB_USERNAME }} --password-stdin

- name: Push latest images to registries
run: |
docker_image_types="${DOCKER_IMAGE_BASE_ORDER} $(ls image/games/hlds) $(ls image/games/srcds)"
for docker_image_type in ${docker_image_types}; do
docker tag ${REGISTRY_IMAGE}:${docker_image_type} ${GHCR_PREFIX}/${REGISTRY_IMAGE}:${docker_image_type}-latest
docker push ${GHCR_PREFIX}/${REGISTRY_IMAGE}:${docker_image_type}-latest
docker tag ${REGISTRY_IMAGE}:${docker_image_type} ${DOCKER_HUB_PREFIX}/${REGISTRY_IMAGE}:${docker_image_type}-latest
docker push ${DOCKER_HUB_PREFIX}/${REGISTRY_IMAGE}:${docker_image_type}-latest
done
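Review bot: `uses: aquasecurity/[email protected]` replaces a step that was pinned to the commit `4b9b6fb4ef28b31450391a93ade098bb00de584e` (line 250). A version tag is mutable, so anyone who can move that tag in the action's repository runs code in this job against the locally built images that are pushed immediately afterwards; keep the SHA pin and record the version in a comment, e.g. `uses: aquasecurity/trivy-action@4b9b6fb4ef28b31450391a93ade098bb00de584e # 0.4.0`. Two follow-ups: the `upload-sarif` step is removed, so `security-events: write` under `permissions:` has no remaining consumer and should go, keeping the job token minimal; and, as in docker-build.yml, the Trivy steps enumerate a fixed list of tags while `Build all images` and `Push latest images to registries` derive theirs from `ls image/games/hlds` and `ls image/games/srcds`, so a newly added image would be pushed as `-latest` without ever being scanned. Moving both `docker login` steps after the scans is a good change: registry credentials only enter the job once the gate has passed.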
35 changes: 8 additions & 27 deletions .github/workflows/docker-tag.yml
Original file line number Diff line number Diff line change
Expand Up @@ -29,35 +29,16 @@ jobs:
- name: Log in to Docker Hub
run: echo "${{ secrets.DOCKERHUB_ACCESS }}" | docker login docker.io -u ${{ secrets.DOCKERHUB_USERNAME }} --password-stdin

- name: Publish tagged base images
- name: Push tagged images to registries
run: |
for docker_base_image_type in ${DOCKER_IMAGE_BASE_ORDER}; do
docker pull "${GHCR_PREFIX}/${REGISTRY_IMAGE}:${docker_base_image_type}-latest"
docker_image_types="${DOCKER_IMAGE_BASE_ORDER} $(ls image/games/hlds) $(ls image/games/srcds)"
bash ${DOCKER_RETAG_SH} \
${GHCR_PREFIX}/${REGISTRY_IMAGE}:${docker_base_image_type}-latest \
${GHCR_PREFIX}/${REGISTRY_IMAGE}:${docker_base_image_type}-${{ github.ref_name }} \
${DOCKER_HUB_PREFIX}/${REGISTRY_IMAGE}:${docker_base_image_type}-${{ github.ref_name }}
done
- name: Publish tagged HLDS-based game images
run: |
for docker_hlds_game in $(ls image/games/hlds); do
docker pull "${GHCR_PREFIX}/${REGISTRY_IMAGE}:${docker_hlds_game}-latest"
for docker_image_type in ${docker_image_types}; do
docker pull ${GHCR_PREFIX}/${REGISTRY_IMAGE}:${docker_image_type}-latest
bash ${DOCKER_RETAG_SH} \
${GHCR_PREFIX}/${REGISTRY_IMAGE}:${docker_hlds_game}-latest \
${GHCR_PREFIX}/${REGISTRY_IMAGE}:${docker_hlds_game}-${{ github.ref_name }} \
${DOCKER_HUB_PREFIX}/${REGISTRY_IMAGE}:${docker_hlds_game}-${{ github.ref_name }}
done
- name: Publish tagged SRCDS-based game images
run: |
for docker_srcds_game in $(ls image/games/srcds); do
docker pull "${GHCR_PREFIX}/${REGISTRY_IMAGE}:${docker_srcds_game}-latest"
docker tag ${GHCR_PREFIX}/${REGISTRY_IMAGE}:${docker_image_type}-latest ${GHCR_PREFIX}/${REGISTRY_IMAGE}:${docker_image_type}-${{ github.ref_name }}
docker push ${GHCR_PREFIX}/${REGISTRY_IMAGE}:${docker_image_type}-${{ github.ref_name }}
bash ${DOCKER_RETAG_SH} \
${GHCR_PREFIX}/${REGISTRY_IMAGE}:${docker_srcds_game}-latest \
${GHCR_PREFIX}/${REGISTRY_IMAGE}:${docker_srcds_game}-${{ github.ref_name }} \
${DOCKER_HUB_PREFIX}/${REGISTRY_IMAGE}:${docker_srcds_game}-${{ github.ref_name }}
docker tag ${GHCR_PREFIX}/${REGISTRY_IMAGE}:${docker_image_type}-latest ${DOCKER_HUB_PREFIX}/${REGISTRY_IMAGE}:${docker_image_type}-${{ github.ref_name }}
docker push ${DOCKER_HUB_PREFIX}/${REGISTRY_IMAGE}:${docker_image_type}-${{ github.ref_name }}
done
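Review bot: the release tag is applied to whatever `${GHCR_PREFIX}/${REGISTRY_IMAGE}:<image>-latest` holds when this workflow runs, not to the build of the tagged commit, and nothing here scans it again. A push to `main` that lands between creating the tag and this job's `docker pull` gets published under the tag. Either record each `-latest` image's digest when docker-latest.yml pushes it and pull by `@sha256:...` here, or build and scan from the tag ref the same way docker-build.yml does. Separately, `${{ github.ref_name }}` is expanded into the shell script before it runs; it is limited to tag names here, so the exposure is small, but the recommended pattern is to pass it through `env:` (for example `TAG: ${{ github.ref_name }}`) and reference `${TAG}` so the value is never interpreted as script.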
2 changes: 2 additions & 0 deletions README.md
Original file line number Diff line number Diff line change
Expand Up @@ -71,6 +71,8 @@ The GitHub Actions workflows are setup in the following way:
- Pushes to the `main` branch lead to the image tags `ghcr.io/thetredev/steamcmd:<image>-latest`, where `<image>` is one of the following: `base`, `srcds`, and any game servers a `Dockerfile` is provided for (see *the supported game server images* above)
- Pushes of tags lead to retagging the `ghcr.io/thetredev/steamcmd:<image>-latest` images to `ghcr.io/thetredev/steamcmd:<image>-<tag>`

All image builds are scanned for CVEs and only pushed as `latest` or the given tag if no CVEs are found. The scans can be viewed publicly [from within the Actions tab](https://github.com/thetredev/steamcmd/actions) at job **build**.

## Known bugs
See the [project issues](https://github.com/thetredev/steamcmd/issues).

