From cef26e548da1d4667063777cf6c1681a8dcbd9c1 Mon Sep 17 00:00:00 2001 From: Dom Del Nano Date: Fri, 11 Jul 2025 16:58:44 +0000 Subject: [PATCH 01/19] [trivy] Include vizier and cloud dependency images in image scan Signed-off-by: Dom Del Nano --- .github/workflows/trivy_images.yaml | 15 +++++++++++++ k8s/cloud/BUILD.bazel | 33 +++++++++++++++++++++++++++++ k8s/cloud_deps/BUILD.bazel | 32 ++++++++++++++++++++++++++++ 3 files changed, 80 insertions(+) create mode 100644 k8s/cloud_deps/BUILD.bazel diff --git a/.github/workflows/trivy_images.yaml b/.github/workflows/trivy_images.yaml index 7527326ea7e..195d2b59114 100644 --- a/.github/workflows/trivy_images.yaml +++ b/.github/workflows/trivy_images.yaml @@ -48,6 +48,21 @@ jobs: run: | mkdir -p sarif/${{ matrix.artifact }} ./bazel-bin/k8s/${{ matrix.artifact }}/list_image_bundle | xargs -I{} sh -c 'trivy image {} --format=sarif --output=sarif/${{ matrix.artifact }}/$(basename {} | cut -d":" -f1).sarif' + + # TODO(ddelnano): Remove this check once the operator dependency images are supported. This requires rendering helm templates + # and requires some additional work. + ./scripts/bazel_ignore_codes.sh query //k8s/${{ matrix.artifact }}:${{ matrix.artifact }}_image_list + if [ $? -neq 0 ]; then + echo "Bazel built images comprise all images for ${{ matrix.artifact }}." + exit 0 + fi + + echo "Found non bazel images for ${{ matrix.artifact }}." + ./scripts/bazel_ignore_codes.sh build \ + //k8s/${{ matrix.artifact }}:${{ matrix.artifact }}_image_list + + # Ignore images whose basename is "/${{ matrix.artifact }}" to avoid scanning the bazel built images (e.g. /vizier-, /cloud-) + cat ./bazel-bin/k8s/$${ matrix.artifact }}/${{ matrix.artifact }}_image_list.txt | grep -v "\/${{ matrix.artifact }}" | xargs -I{} sh -c 'trivy image {} --format=sarif --output=sarif/${{ matrix.artifact }}/$(basename {} | cut -d":" -f1).sarif' # yamllint enable rule:line-length - run: | for f in "sarif/${{ matrix.artifact }}/"*; do 
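Review bot: `if [ $? -neq 0 ]; then` in the new opt-out block uses an operator that `[` does not know (`-ne` is the numeric comparison), so the step errors out instead of branching; and because the default step shell is `bash -e`, a non-zero exit from the preceding `bazel_ignore_codes.sh query` line aborts the step before `$?` is ever read, so the "Bazel built images comprise all images" branch can never run. Folding the command into the condition avoids both: `if ! ./scripts/bazel_ignore_codes.sh query //k8s/${{ matrix.artifact }}:${{ matrix.artifact }}_image_list; then`. The same operator survives in the `query_exit_code` rewrite in the fourth patch of this series. The `$${ matrix.artifact }}` in the final `cat` line also looks like a typo for `${{ matrix.artifact }}`, which would make the path resolve to a non-existent directory.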
diff --git a/k8s/cloud/BUILD.bazel b/k8s/cloud/BUILD.bazel index f253bb530ca..783fd704511 100644 --- a/k8s/cloud/BUILD.bazel +++ b/k8s/cloud/BUILD.bazel @@ -79,6 +79,26 @@ kustomize_build( ], ) +kustomize_build( + name = "pixie_oss_cloud", + srcs = glob( + [ + "base/**/*.yaml", + "overlays/**/*.yaml", + "public/**/*.yaml", + ], + exclude = ["public/kustomization.yaml"], + ), + kustomization = "public/kustomization.yaml", + replacements = image_replacements( + image_map = CLOUD_IMAGE_TO_LABEL, + ), + toolchains = [ + "//k8s:image_prefix", + "//k8s:bundle_version", + ], +) + container_bundle( name = "image_bundle", images = CLOUD_IMAGE_TO_LABEL, @@ -102,3 +122,16 @@ container_push( bundle = ":image_bundle", format = "Docker", ) + +genrule( + name = "cloud_image_list", + srcs = [ + ":pixie_oss_cloud", + "//k8s/cloud_deps:public", + ], + outs = ["cloud_image_list.txt"], + cmd = """ + $(location @com_github_mikefarah_yq_v4//:v4) '..|.image?|select(.|type == "!!str")' -o json $(SRCS) | sort | uniq > $@ + """, + tools = ["@com_github_mikefarah_yq_v4//:v4"], +) diff --git a/k8s/cloud_deps/BUILD.bazel b/k8s/cloud_deps/BUILD.bazel new file mode 100644 index 00000000000..6cea0c40099 --- /dev/null +++ b/k8s/cloud_deps/BUILD.bazel 
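Review bot: The `cloud_image_list` genrule writes yq's `-o json` output to `cloud_image_list.txt`, and if I recall yq v4's JSON encoding of scalars correctly, each image reference is emitted wrapped in double quotes; the list then only works downstream because `trivy_images.yaml` feeds every line through `sh -c`, which strips the quotes again. Plain scalar output gives bare references that any consumer can use, e.g. `$(location @com_github_mikefarah_yq_v4//:v4) '..|.image?|select(.|type == "!!str")' $(SRCS) | sort | uniq > $@`; either way the line format is part of the contract with the workflow and deserves a comment on the genrule. Note also that `..|.image?` picks up every key named `image` anywhere in the rendered manifests, not only container specs; the `!!str` select keeps it to strings, but a comment stating that assumption would help whoever adds the next overlay.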
@@ -0,0 +1,32 @@ +# Copyright 2018- The Pixie Authors. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 + +load("//bazel:kustomize.bzl", "kustomize_build") + +package(default_visibility = ["//visibility:public"]) + +kustomize_build( + name = "public", + srcs = glob( + [ + "base/**/*.yaml", + "dev/**/*.yaml", + "public/**/*.yaml", + ], + exclude = ["public/kustomization.yaml"], + ), + kustomization = "public/kustomization.yaml", +) From 06986058194be3a58ddfeb63396c3f2c9fd5fc9e Mon Sep 17 00:00:00 2001 From: Dom Del Nano Date: Fri, 11 Jul 2025 16:59:20 +0000 Subject: [PATCH 02/19] Trigger test Signed-off-by: Dom Del Nano --- .github/workflows/trivy_images.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/trivy_images.yaml b/.github/workflows/trivy_images.yaml index 195d2b59114..9e1b651dad2 100644 --- a/.github/workflows/trivy_images.yaml +++ b/.github/workflows/trivy_images.yaml @@ -4,6 +4,7 @@ on: push: branches: - main + - ddelnano/scan-pixie-deps-with-trivy schedule: - cron: "37 19 * * *" permissions: From 61fc0e79d4aeea026533a9a73bf3d973d2ccb8f1 Mon Sep 17 00:00:00 2001 From: Dom Del Nano Date: Fri, 11 Jul 2025 20:08:11 +0000 Subject: [PATCH 03/19] Fix linting Signed-off-by: Dom Del Nano --- k8s/cloud_deps/BUILD.bazel | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/k8s/cloud_deps/BUILD.bazel b/k8s/cloud_deps/BUILD.bazel index 6cea0c40099..baeb9354109 100644 
--- a/k8s/cloud_deps/BUILD.bazel +++ b/k8s/cloud_deps/BUILD.bazel @@ -21,11 +21,11 @@ package(default_visibility = ["//visibility:public"]) kustomize_build( name = "public", srcs = glob( - [ - "base/**/*.yaml", - "dev/**/*.yaml", - "public/**/*.yaml", - ], + [ + "base/**/*.yaml", + "dev/**/*.yaml", + "public/**/*.yaml", + ], exclude = ["public/kustomization.yaml"], ), kustomization = "public/kustomization.yaml", From f2206bfd2ba31d791af8042686103e6bfbbe54fb Mon Sep 17 00:00:00 2001 From: Dom Del Nano Date: Fri, 11 Jul 2025 20:45:31 +0000 Subject: [PATCH 04/19] Fix issues from first action trigger Signed-off-by: Dom Del Nano --- .github/workflows/trivy_images.yaml | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/.github/workflows/trivy_images.yaml b/.github/workflows/trivy_images.yaml index 9e1b651dad2..ee1a88a82a7 100644 --- a/.github/workflows/trivy_images.yaml +++ b/.github/workflows/trivy_images.yaml @@ -53,7 +53,8 @@ jobs: # TODO(ddelnano): Remove this check once the operator dependency images are supported. This requires rendering helm templates # and requires some additional work. ./scripts/bazel_ignore_codes.sh query //k8s/${{ matrix.artifact }}:${{ matrix.artifact }}_image_list - if [ $? -neq 0 ]; then + query_exit_code=$? + if [ $query_exit_code -neq 0 ]; then echo "Bazel built images comprise all images for ${{ matrix.artifact }}." exit 0 fi 
@@ -63,7 +64,7 @@ jobs: //k8s/${{ matrix.artifact }}:${{ matrix.artifact }}_image_list # Ignore images whose basename is "/${{ matrix.artifact }}" to avoid scanning the bazel built images (e.g. /vizier-, /cloud-) - cat ./bazel-bin/k8s/$${ matrix.artifact }}/${{ matrix.artifact }}_image_list.txt | grep -v "\/${{ matrix.artifact }}" | xargs -I{} sh -c 'trivy image {} --format=sarif --output=sarif/${{ matrix.artifact }}/$(basename {} | cut -d":" -f1).sarif' + cat ./bazel-bin/k8s/${{ matrix.artifact }}/${{ matrix.artifact }}_image_list.txt | grep -v "\/${{ matrix.artifact }}" | xargs -I{} sh -c 'trivy image {} --format=sarif --output=sarif/${{ matrix.artifact }}/$(basename {} | cut -d":" -f1).sarif' # yamllint enable rule:line-length - run: | for f in "sarif/${{ matrix.artifact }}/"*; do From cb3d8ac34c7ca6e28c8944fb5e36ab4baf818e35 Mon Sep 17 00:00:00 2001 From: Dom Del Nano Date: Fri, 11 Jul 2025 21:16:43 +0000 Subject: [PATCH 05/19] Fix operator opt out check Signed-off-by: Dom Del Nano --- .github/workflows/trivy_images.yaml | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/.github/workflows/trivy_images.yaml b/.github/workflows/trivy_images.yaml index ee1a88a82a7..dd9a51ae288 100644 --- a/.github/workflows/trivy_images.yaml +++ b/.github/workflows/trivy_images.yaml @@ -52,10 +52,8 @@ jobs: # TODO(ddelnano): Remove this check once the operator dependency images are supported. This requires rendering helm templates # and requires some additional work. - ./scripts/bazel_ignore_codes.sh query //k8s/${{ matrix.artifact }}:${{ matrix.artifact }}_image_list - query_exit_code=$? - if [ $query_exit_code -neq 0 ]; then - echo "Bazel built images comprise all images for ${{ matrix.artifact }}." + if [ "${{ matrix.artifact }}" = "operator" ]; then + echo "Skipping operator image scan for now." exit 0 fi From 747b8ceb8812c3e2057fe67b5e29c5376dd5b16f Mon Sep 17 00:00:00 2001 
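Review bot: The corrected `cat ... | xargs -I{} sh -c 'trivy image {} ...'` line splices each reference from `_image_list.txt` straight into a shell command string, so anything in an `image:` field of the rendered dependency manifests that contains shell metacharacters would be interpreted by `sh` rather than handed to trivy. The references come from the repo's own kustomize output, so the exposure is low, but the dependency overlays are the part most likely to be edited without this pipeline in mind. Passing the reference as a positional argument keeps it data: `xargs -I{} sh -c 'trivy image "$1" --format=sarif --output="sarif/${{ matrix.artifact }}/$(basename "$1" | cut -d: -f1).sarif"' _ {}`. The pre-existing `list_image_bundle` line above it has the same shape and could be changed in the same way.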
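Review bot: The message `echo "Skipping operator image scan for now."` is misleading: by this point the bazel-built operator images have already been scanned by the `list_image_bundle` line, and only the helm-rendered dependency images are skipped, which is also what the TODO directly above it says. `echo "Skipping operator dependency image scan for now."` makes the job log match what actually happened. Comparing `${{ matrix.artifact }}` against a literal inside the shell is fine here, since the value comes from the fixed matrix list rather than from an event payload.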
From: Dom Del Nano Date: Mon, 14 Jul 2025 13:32:26 +0000 Subject: [PATCH 06/19] Upload each sarif file independently with a category to address upcoming deprecation Signed-off-by: Dom Del Nano --- .github/workflows/trivy_images.yaml | 57 +++++++++++++++++++++++++++-- 1 file changed, 54 insertions(+), 3 deletions(-) diff --git a/.github/workflows/trivy_images.yaml b/.github/workflows/trivy_images.yaml index dd9a51ae288..cb7dbe64bd2 100644 --- a/.github/workflows/trivy_images.yaml +++ b/.github/workflows/trivy_images.yaml @@ -14,13 +14,16 @@ jobs: uses: ./.github/workflows/get_image.yaml with: image-base-name: "dev_image_with_extras" - image-scan: + generate-sarif: strategy: fail-fast: false matrix: artifact: [cloud, operator, vizier] runs-on: oracle-8cpu-32gb-x86-64 needs: get-dev-image + outputs: + matrix: ${{ steps.list-sarifs.outputs.matrix }} + has-sarifs: ${{ steps.list-sarifs.outputs.has-sarifs }} container: image: ${{ needs.get-dev-image.outputs.image-with-tag }} permissions: 
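Review bot: `outputs.matrix` and `outputs.has-sarifs` are declared on a job that runs with a three-entry `matrix`, and GitHub Actions resolves matrix-job outputs to whichever leg wrote last, so the downstream `upload-sarif` job will only ever see the SARIF list of one artifact, and a `has-sarifs=false` from the operator leg can mask the other two entirely. A separate non-matrix job that downloads all `sarif-*` artifacts and builds one matrix is the usual fix; at minimum a comment on these two lines should state the last-writer-wins behaviour so a truncated list is not mistaken for a clean scan. The job's `permissions:` block continues outside this hunk.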
@@ -69,7 +72,55 @@ jobs: jq '.runs[].tool.driver.name = "trivy-images"' < "$f" > tmp mv tmp "$f" done + - name: Upload artifacts + uses: actions/upload-artifact@v4 + with: + name: sarif-${{ matrix.artifact }} + path: sarif/ + retention-days: 1 + - id: list-sarifs + run: | + # Use jq to build the matrix JSON dynamically + # --jsonargs passes each SARIF file as a separate input to jq + # For each input file, create an object with file, category, and artifact fields + sarif_files=$(find sarif/${{ matrix.artifact }}/ -name "*.sarif" -type f 2>/dev/null || true) + + if [ -z "$sarif_files" ]; then + echo "matrix={\"include\":[]}" >> $GITHUB_OUTPUT + echo "has-sarifs=false" >> $GITHUB_OUTPUT + else + matrix_json=$(jq -n --arg artifact "${{ matrix.artifact }}" ' + { + include: [ + inputs as $f | { + file: $f, + category: ("trivy-images-" + $artifact + "-" + ($f | split("/")[-1] | split(".")[0])), + artifact: ("sarif-" + $artifact) + } + ] + }' --jsonargs $sarif_files | jq -c '.') + + echo "matrix=$matrix_json" >> $GITHUB_OUTPUT + echo "has-sarifs=true" >> $GITHUB_OUTPUT + fi + + upload-sarif: + needs: generate-sarif + if: needs.generate-sarif.outputs.has-sarifs == 'true' + strategy: + matrix: ${{ fromJson(needs.generate-sarif.outputs.matrix) }} + runs-on: oracle-8cpu-32gb-x86-64 + permissions: + actions: read + contents: read + security-events: write + steps: + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + - name: Download artifacts + uses: actions/download-artifact@v4 + with: + name: ${{ matrix.artifact }} - uses: github/codeql-action/upload-sarif@1b549b9259bda1cb5ddde3b41741a82a2d15a841 # v3.28.13 with: - sarif_file: sarif/${{ matrix.artifact }} - category: trivy-images + sarif_file: ${{ matrix.file }} + category: ${{ matrix.category }} From ffe8c8968ae1eab9942fcff1f11ebfb11c141fff Mon Sep 17 00:00:00 2001 
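Review bot: The `list-sarifs` step cannot produce the intended matrix: `jq -n` with `inputs` reads JSON from stdin, which is empty here, and `--jsonargs $sarif_files` tries to parse each file path as a JSON value and fails, so `matrix_json` ends up empty or the step errors. Building the list from `$ARGS.positional` with `--args` fixes it: `jq -n -c --arg artifact "${{ matrix.artifact }}" '{include: [$ARGS.positional[] | {file: ., category: ("trivy-images-" + $artifact + "-" + (split("/")[-1] | split(".")[0])), artifact: ("sarif-" + $artifact)}]}' --args $sarif_files`. Separately, `actions/upload-artifact@v4` and `actions/download-artifact@v4` are pinned to a mutable tag while every other action in this file is pinned to a commit SHA with a version comment; the new ones should follow the same convention so the artifact that feeds the SARIF upload cannot be changed out from under it.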
From: Dom Del Nano Date: Mon, 14 Jul 2025 17:28:56 +0000 Subject: [PATCH 07/19] Ensure that the matrix generation originates from a single job Signed-off-by: Dom Del Nano --- .github/workflows/trivy_images.yaml | 63 +++++++++++++++++++---------- 1 file changed, 41 insertions(+), 22 deletions(-) diff --git a/.github/workflows/trivy_images.yaml b/.github/workflows/trivy_images.yaml index cb7dbe64bd2..6d57936336b 100644 --- a/.github/workflows/trivy_images.yaml +++ b/.github/workflows/trivy_images.yaml @@ -21,9 +21,6 @@ jobs: artifact: [cloud, operator, vizier] runs-on: oracle-8cpu-32gb-x86-64 needs: get-dev-image - outputs: - matrix: ${{ steps.list-sarifs.outputs.matrix }} - has-sarifs: ${{ steps.list-sarifs.outputs.has-sarifs }} container: image: ${{ needs.get-dev-image.outputs.image-with-tag }} permissions: 
@@ -78,37 +75,59 @@ jobs: name: sarif-${{ matrix.artifact }} path: sarif/ retention-days: 1 - - id: list-sarifs + + collect-sarifs: + # GitHub Actions matrix job outputs cannot be directly used as job outputs + # because matrix jobs create multiple output values (one per matrix combination). + # We need a separate job to collect all SARIF files from all artifacts + # and create a single unified matrix for the upload job. + needs: generate-sarif + runs-on: oracle-8cpu-32gb-x86-64 + outputs: + matrix: ${{ steps.combine-sarifs.outputs.matrix }} + has-sarifs: ${{ steps.combine-sarifs.outputs.has-sarifs }} + steps: + - name: Download all artifacts + uses: actions/download-artifact@v4 + with: + pattern: sarif-* + merge-multiple: true + - id: combine-sarifs run: | - # Use jq to build the matrix JSON dynamically - # --jsonargs passes each SARIF file as a separate input to jq - # For each input file, create an object with file, category, and artifact fields - sarif_files=$(find sarif/${{ matrix.artifact }}/ -name "*.sarif" -type f 2>/dev/null || true) + # Combine all SARIF files from all artifacts into a single matrix + all_files=() + for artifact in cloud operator vizier; do + if [ -d "sarif/$artifact" ]; then + for f in sarif/$artifact/*.sarif; do + if [ -f "$f" ]; then + all_files+=("$f") + fi + done + fi + done - if [ -z "$sarif_files" ]; then + if [ ${#all_files[@]} -eq 0 ]; then echo "matrix={\"include\":[]}" >> $GITHUB_OUTPUT echo "has-sarifs=false" >> $GITHUB_OUTPUT else - matrix_json=$(jq -n --arg artifact "${{ matrix.artifact }}" ' - { - include: [ - inputs as $f | { - file: $f, - category: ("trivy-images-" + $artifact + "-" + ($f | split("/")[-1] | split(".")[0])), - artifact: ("sarif-" + $artifact) - } - ] - }' --jsonargs $sarif_files | jq -c '.') + matrix_json=$(printf '%s\n' "${all_files[@]}" | jq -R -s ' + split("\n") | map(select(length > 0)) | { + include: map({ + file: ., + category: ("trivy-images-" + (split("/")[1]) + "-" + (split("/")[-1] | 
split(".")[0])), + artifact: ("sarif-" + (split("/")[1])) + }) + }' | jq -c '.') echo "matrix=$matrix_json" >> $GITHUB_OUTPUT echo "has-sarifs=true" >> $GITHUB_OUTPUT fi upload-sarif: - needs: generate-sarif - if: needs.generate-sarif.outputs.has-sarifs == 'true' + needs: collect-sarifs + if: needs.collect-sarifs.outputs.has-sarifs == 'true' strategy: - matrix: ${{ fromJson(needs.generate-sarif.outputs.matrix) }} + matrix: ${{ fromJson(needs.collect-sarifs.outputs.matrix) }} runs-on: oracle-8cpu-32gb-x86-64 permissions: actions: read From 0137efcfdb72b7c2b0c5569465cf31b45b170718 Mon Sep 17 00:00:00 2001 From: Dom Del Nano Date: Mon, 14 Jul 2025 18:39:42 +0000 Subject: [PATCH 08/19] Handle merge-multipledirectory structure. Signed-off-by: Dom Del Nano --- .github/workflows/trivy_images.yaml | 18 ++++++++---------- 1 file changed, 8 insertions(+), 10 deletions(-) diff --git a/.github/workflows/trivy_images.yaml b/.github/workflows/trivy_images.yaml index 6d57936336b..950c016cfa2 100644 --- a/.github/workflows/trivy_images.yaml +++ b/.github/workflows/trivy_images.yaml @@ -94,17 +94,15 @@ jobs: merge-multiple: true - id: combine-sarifs run: | - # Combine all SARIF files from all artifacts into a single matrix + # With merge-multiple: true, all artifacts are in the same directory + # Find all SARIF files regardless of subdirectory structure all_files=() - for artifact in cloud operator vizier; do - if [ -d "sarif/$artifact" ]; then - for f in sarif/$artifact/*.sarif; do - if [ -f "$f" ]; then - all_files+=("$f") - fi - done - fi - done + while IFS= read -r -d '' file; do + echo "Found file: $file" + all_files+=("$file") + done < <(find . -name "*.sarif" -type f -print0) + + echo "Total files found: ${#all_files[@]}" if [ ${#all_files[@]} -eq 0 ]; then echo "matrix={\"include\":[]}" >> $GITHUB_OUTPUT From 33921a38570eff642527c09096d3fc2abe761210 Mon Sep 17 00:00:00 2001 From: Dom Del Nano Date: Mon, 14 Jul 2025 18:40:00 +0000 Subject: [PATCH 09/19] Add debug logging 
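Review bot: When no `*.sarif` file is found, the `combine-sarifs` step writes `has-sarifs=false` and the run ends green with nothing uploaded, which turns any breakage in the scan or in the artifact layout into a silent gap in code scanning; since every `generate-sarif` leg is expected to produce output, the empty case should fail the job (`echo "no SARIF files found" >&2; exit 1`) rather than skip the upload. The loop also hard-codes `sarif/$artifact/*.sarif` and the jq uses `split("/")[1]` for the artifact name, both assuming the downloaded tree is `sarif/<artifact>/<file>`; if `upload-artifact` with `path: sarif/` drops the `sarif` prefix on download (I believe it does, since the archive root is the least common ancestor of the paths), the loop finds nothing and that silent path is exactly what runs. `actions/download-artifact@v4` is again tag-pinned where the rest of the file uses commit SHAs.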
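Review bot: After switching to `find . -name "*.sarif"`, the unchanged jq further down (outside this hunk) still derives the artifact name and the category with `split("/")[1]`, which now only works because `find .` prefixes every result with `./`; any change to the search root or the artifact layout would silently produce wrong categories. Deriving the name from the parent directory is more robust and self-describing: `category: ("trivy-images-" + (split("/")[-2]) + "-" + (split("/")[-1] | split(".")[0]))` and `artifact: ("sarif-" + (split("/")[-2]))`. A comment on the `find` line noting that the category is derived from the path layout would also help the next editor.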
Signed-off-by: Dom Del Nano --- .github/workflows/trivy_images.yaml | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/.github/workflows/trivy_images.yaml b/.github/workflows/trivy_images.yaml index 950c016cfa2..cab1643702b 100644 --- a/.github/workflows/trivy_images.yaml +++ b/.github/workflows/trivy_images.yaml @@ -94,6 +94,14 @@ jobs: merge-multiple: true - id: combine-sarifs run: | + # Debug: Show what was downloaded + echo "Current directory structure" + ls -la + echo "Looking for sarif directory" + ls -la sarif/ || echo "No sarif directory found" + echo "All .sarif files" + find . -name "*.sarif" -type f || echo "No SARIF files found anywhere" + # With merge-multiple: true, all artifacts are in the same directory # Find all SARIF files regardless of subdirectory structure all_files=() From 7bbce9a5b3acbdd2aef82315c947a7731561d4cf Mon Sep 17 00:00:00 2001 From: Dom Del Nano Date: Mon, 14 Jul 2025 19:42:13 +0000 Subject: [PATCH 10/19] Remove debug logging Signed-off-by: Dom Del Nano --- .github/workflows/trivy_images.yaml | 8 -------- 1 file changed, 8 deletions(-) diff --git a/.github/workflows/trivy_images.yaml b/.github/workflows/trivy_images.yaml index cab1643702b..950c016cfa2 100644 --- a/.github/workflows/trivy_images.yaml +++ b/.github/workflows/trivy_images.yaml @@ -94,14 +94,6 @@ jobs: merge-multiple: true - id: combine-sarifs run: | - # Debug: Show what was downloaded - echo "Current directory structure" - ls -la - echo "Looking for sarif directory" - ls -la sarif/ || echo "No sarif directory found" - echo "All .sarif files" - find . -name "*.sarif" -type f || echo "No SARIF files found anywhere" - # With merge-multiple: true, all artifacts are in the same directory # Find all SARIF files regardless of subdirectory structure all_files=() From bcf24622c687e30fa396529f696b018386660260 Mon Sep 17 00:00:00 2001 From: Dom Del Nano Date: Wed, 16 Jul 2025 00:35:38 +0000 Subject: [PATCH 11/19] Simplify logic to pass unique category 
Signed-off-by: Dom Del Nano --- .github/workflows/trivy_images.yaml | 78 +++-------------------------- 1 file changed, 6 insertions(+), 72 deletions(-) diff --git a/.github/workflows/trivy_images.yaml b/.github/workflows/trivy_images.yaml index 950c016cfa2..45378ef59c3 100644 --- a/.github/workflows/trivy_images.yaml +++ b/.github/workflows/trivy_images.yaml @@ -14,7 +14,7 @@ jobs: uses: ./.github/workflows/get_image.yaml with: image-base-name: "dev_image_with_extras" - generate-sarif: + image-scan: strategy: fail-fast: false matrix: 
@@ -67,77 +67,11 @@ jobs: - run: | for f in "sarif/${{ matrix.artifact }}/"*; do jq '.runs[].tool.driver.name = "trivy-images"' < "$f" > tmp - mv tmp "$f" + # The runAutomationDetails's id field must contain a unique category as required by the CodeQL SARIF uploader + # This value will be interpreted like so: "${category}/${run_id}" + filename=$(basename "$f")/ + jq --arg id "$filename" '.runAutomationDetails.id = $id/' < tmp > "$f" done - - name: Upload artifacts - uses: actions/upload-artifact@v4 - with: - name: sarif-${{ matrix.artifact }} - path: sarif/ - retention-days: 1 - - collect-sarifs: - # GitHub Actions matrix job outputs cannot be directly used as job outputs - # because matrix jobs create multiple output values (one per matrix combination). - # We need a separate job to collect all SARIF files from all artifacts - # and create a single unified matrix for the upload job. - needs: generate-sarif - runs-on: oracle-8cpu-32gb-x86-64 - outputs: - matrix: ${{ steps.combine-sarifs.outputs.matrix }} - has-sarifs: ${{ steps.combine-sarifs.outputs.has-sarifs }} - steps: - - name: Download all artifacts - uses: actions/download-artifact@v4 - with: - pattern: sarif-* - merge-multiple: true - - id: combine-sarifs - run: | - # With merge-multiple: true, all artifacts are in the same directory - # Find all SARIF files regardless of subdirectory structure - all_files=() - while IFS= read -r -d '' file; do - echo "Found file: $file" - all_files+=("$file") - done < <(find . 
-name "*.sarif" -type f -print0) - - echo "Total files found: ${#all_files[@]}" - - if [ ${#all_files[@]} -eq 0 ]; then - echo "matrix={\"include\":[]}" >> $GITHUB_OUTPUT - echo "has-sarifs=false" >> $GITHUB_OUTPUT - else - matrix_json=$(printf '%s\n' "${all_files[@]}" | jq -R -s ' - split("\n") | map(select(length > 0)) | { - include: map({ - file: ., - category: ("trivy-images-" + (split("/")[1]) + "-" + (split("/")[-1] | split(".")[0])), - artifact: ("sarif-" + (split("/")[1])) - }) - }' | jq -c '.') - - echo "matrix=$matrix_json" >> $GITHUB_OUTPUT - echo "has-sarifs=true" >> $GITHUB_OUTPUT - fi - - upload-sarif: - needs: collect-sarifs - if: needs.collect-sarifs.outputs.has-sarifs == 'true' - strategy: - matrix: ${{ fromJson(needs.collect-sarifs.outputs.matrix) }} - runs-on: oracle-8cpu-32gb-x86-64 - permissions: - actions: read - contents: read - security-events: write - steps: - - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - - name: Download artifacts - uses: actions/download-artifact@v4 - with: - name: ${{ matrix.artifact }} - uses: github/codeql-action/upload-sarif@1b549b9259bda1cb5ddde3b41741a82a2d15a841 # v3.28.13 with: - sarif_file: ${{ matrix.file }} - category: ${{ matrix.category }} + sarif_file: sarif/${{ matrix.artifact }} From 7e7e83be652bbab355ffec7d3b55f4174fb221b4 Mon Sep 17 00:00:00 2001 From: Dom Del Nano Date: Wed, 16 Jul 2025 00:58:41 +0000 Subject: [PATCH 12/19] Remove extraneous trailing slash Signed-off-by: Dom Del Nano --- .github/workflows/trivy_images.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/trivy_images.yaml b/.github/workflows/trivy_images.yaml index 45378ef59c3..0f3103337bc 100644 --- a/.github/workflows/trivy_images.yaml +++ b/.github/workflows/trivy_images.yaml 
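Review bot: `'.runAutomationDetails.id = $id/'` is not a valid jq program (the trailing `/` starts a division with no right operand), so every iteration of the loop fails under `bash -e`, and `runAutomationDetails` is not a SARIF 2.1.0 property in any case: the automation id lives on each run, at `runs[].automationDetails.id`. The single line `jq --arg id "$(basename "$f")/" '.runs[].automationDetails.id = $id' < tmp > "$f"` covers both; the twelfth and thirteenth patches of this series move toward it, but the thirteenth still sets the field at the log's top level. Since `category:` is dropped from the upload step in the same hunk, this id becomes the only thing keeping the per-image runs distinct, which is worth stating in the comment above it because its uniqueness across all artifacts is now load-bearing.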
@@ -70,7 +70,7 @@ jobs: # The runAutomationDetails's id field must contain a unique category as required by the CodeQL SARIF uploader # This value will be interpreted like so: "${category}/${run_id}" filename=$(basename "$f")/ - jq --arg id "$filename" '.runAutomationDetails.id = $id/' < tmp > "$f" + jq --arg id "$filename" '.runAutomationDetails.id = $id' < tmp > "$f" done - uses: github/codeql-action/upload-sarif@1b549b9259bda1cb5ddde3b41741a82a2d15a841 # v3.28.13 with: From f007daba931369e8ce2e82c8d32851139999eac3 Mon Sep 17 00:00:00 2001 From: Dom Del Nano Date: Wed, 16 Jul 2025 04:52:51 +0000 Subject: [PATCH 13/19] Fix JSON according to json schema validation Signed-off-by: Dom Del Nano --- .github/workflows/trivy_images.yaml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/trivy_images.yaml b/.github/workflows/trivy_images.yaml index 0f3103337bc..a11454a4550 100644 --- a/.github/workflows/trivy_images.yaml +++ b/.github/workflows/trivy_images.yaml @@ -67,10 +67,10 @@ jobs: - run: | for f in "sarif/${{ matrix.artifact }}/"*; do jq '.runs[].tool.driver.name = "trivy-images"' < "$f" > tmp - # The runAutomationDetails's id field must contain a unique category as required by the CodeQL SARIF uploader - # This value will be interpreted like so: "${category}/${run_id}" + # The runAutomationDetails's object must contain a unique category as required by the CodeQL SARIF uploader + # The id value will be interpreted like so: "${category}/${run_id}" filename=$(basename "$f")/ - jq --arg id "$filename" '.runAutomationDetails.id = $id' < tmp > "$f" + jq --arg id "$filename" '.automationDetails.id = $id' < tmp > "$f" done - uses: github/codeql-action/upload-sarif@1b549b9259bda1cb5ddde3b41741a82a2d15a841 # v3.28.13 with: From db48d125a80a1a5a281bc9f80b66c9af3d692b44 Mon Sep 17 00:00:00 2001 From: Dom Del Nano Date: Wed, 16 Jul 2025 13:11:05 +0000 Subject: [PATCH 14/19] Use correct path inside of runs array 
Signed-off-by: Dom Del Nano --- .github/workflows/trivy_images.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/trivy_images.yaml b/.github/workflows/trivy_images.yaml index a11454a4550..797c9fa171d 100644 --- a/.github/workflows/trivy_images.yaml +++ b/.github/workflows/trivy_images.yaml @@ -70,7 +70,7 @@ jobs: # The runAutomationDetails's object must contain a unique category as required by the CodeQL SARIF uploader # The id value will be interpreted like so: "${category}/${run_id}" filename=$(basename "$f")/ - jq --arg id "$filename" '.automationDetails.id = $id' < tmp > "$f" + jq --arg id "$filename" '.runs[].automationDetails.id = $id' < tmp > "$f" done - uses: github/codeql-action/upload-sarif@1b549b9259bda1cb5ddde3b41741a82a2d15a841 # v3.28.13 with: From 89996a61d0b2801911e981ef49365a054bdca10d Mon Sep 17 00:00:00 2001 From: Dom Del Nano Date: Wed, 16 Jul 2025 16:00:25 +0000 Subject: [PATCH 15/19] Use separate upload job for artifact deps Signed-off-by: Dom Del Nano --- .github/workflows/trivy_images.yaml | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/.github/workflows/trivy_images.yaml b/.github/workflows/trivy_images.yaml index 797c9fa171d..1516ee62996 100644 --- a/.github/workflows/trivy_images.yaml +++ b/.github/workflows/trivy_images.yaml 
@@ -62,10 +62,12 @@ jobs: //k8s/${{ matrix.artifact }}:${{ matrix.artifact }}_image_list # Ignore images whose basename is "/${{ matrix.artifact }}" to avoid scanning the bazel built images (e.g. /vizier-, /cloud-) - cat ./bazel-bin/k8s/${{ matrix.artifact }}/${{ matrix.artifact }}_image_list.txt | grep -v "\/${{ matrix.artifact }}" | xargs -I{} sh -c 'trivy image {} --format=sarif --output=sarif/${{ matrix.artifact }}/$(basename {} | cut -d":" -f1).sarif' + deps_output_dir=sarif/${{ matrix.artifact }}_deps + cat ./bazel-bin/k8s/${{ matrix.artifact }}/${{ matrix.artifact }}_image_list.txt | grep -v "\/${{ matrix.artifact }}" | xargs -I{} sh -c 'trivy image {} --format=sarif --output=${deps_output_dir}/$(basename {} | cut -d":" -f1).sarif' # yamllint enable rule:line-length - run: | - for f in "sarif/${{ matrix.artifact }}/"*; do + # Loop through all ${artifact} and ${artifact}_deps sarif files + for f in "sarif/${{ matrix.artifact }}"*/*; do jq '.runs[].tool.driver.name = "trivy-images"' < "$f" > tmp # The runAutomationDetails's object must contain a unique category as required by the CodeQL SARIF uploader # The id value will be interpreted like so: "${category}/${run_id}" @@ -75,3 +77,9 @@ jobs: - uses: github/codeql-action/upload-sarif@1b549b9259bda1cb5ddde3b41741a82a2d15a841 # v3.28.13 with: sarif_file: sarif/${{ matrix.artifact }} + # TODO(ddelnano): Remove this check once the operator dependency images are supported. This requires rendering helm templates + # and requires some additional work. + - uses: github/codeql-action/upload-sarif@1b549b9259bda1cb5ddde3b41741a82a2d15a841 # v3.28.13 + if: ${{ matrix.artifact != 'operator' }} + with: + sarif_file: sarif/${{ matrix.artifact }}_deps From 6bf85bbdda318b9d603e55ad48002039fd84fed8 Mon Sep 17 00:00:00 2001 From: Dom Del Nano Date: Wed, 16 Jul 2025 16:34:05 +0000 Subject: [PATCH 16/19] Ensure deps sarif output directory is created 
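Review bot: `deps_output_dir` is assigned in the step's bash shell but then referenced inside the single-quoted `sh -c '...'` command spawned by `xargs`; as an unexported variable it is not visible to the child shell, so `--output=${deps_output_dir}/...` expands to `/<name>.sarif` and trivy writes to (or fails at) the filesystem root instead of `sarif/${{ matrix.artifact }}_deps`. Either `export deps_output_dir=sarif/${{ matrix.artifact }}_deps` or keep the literal path inside the command as the `list_image_bundle` line above does. The deps directory is also never created before trivy writes into it; the `mkdir -p sarif/${{ matrix.artifact }}` earlier in the step only covers the non-deps directory.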
Signed-off-by: Dom Del Nano --- .github/workflows/trivy_images.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/trivy_images.yaml b/.github/workflows/trivy_images.yaml index 1516ee62996..4b7f252ab6a 100644 --- a/.github/workflows/trivy_images.yaml +++ b/.github/workflows/trivy_images.yaml @@ -63,6 +63,7 @@ jobs: # Ignore images whose basename is "/${{ matrix.artifact }}" to avoid scanning the bazel built images (e.g. /vizier-, /cloud-) deps_output_dir=sarif/${{ matrix.artifact }}_deps + mkdir -p ${deps_output_dir} cat ./bazel-bin/k8s/${{ matrix.artifact }}/${{ matrix.artifact }}_image_list.txt | grep -v "\/${{ matrix.artifact }}" | xargs -I{} sh -c 'trivy image {} --format=sarif --output=${deps_output_dir}/$(basename {} | cut -d":" -f1).sarif' # yamllint enable rule:line-length - run: | From 1c936712c2c7a2f329029a2869e27293856a1f97 Mon Sep 17 00:00:00 2001 From: Dom Del Nano Date: Wed, 16 Jul 2025 17:56:39 +0000 Subject: [PATCH 17/19] Fix issue with shell variable not accessible to xargs spawned shell Signed-off-by: Dom Del Nano --- .github/workflows/trivy_images.yaml | 15 ++++++++------- 1 file changed, 8 insertions(+), 7 deletions(-) diff --git a/.github/workflows/trivy_images.yaml b/.github/workflows/trivy_images.yaml index 4b7f252ab6a..a5a1c80dbb8 100644 --- a/.github/workflows/trivy_images.yaml +++ b/.github/workflows/trivy_images.yaml 
@@ -50,8 +50,8 @@ jobs: mkdir -p sarif/${{ matrix.artifact }} ./bazel-bin/k8s/${{ matrix.artifact }}/list_image_bundle | xargs -I{} sh -c 'trivy image {} --format=sarif --output=sarif/${{ matrix.artifact }}/$(basename {} | cut -d":" -f1).sarif' - # TODO(ddelnano): Remove this check once the operator dependency images are supported. This requires rendering helm templates - # and requires some additional work. + # TODO(ddelnano): Remove this check once the operator dependency images are supported. + # This requires rendering helm templates and requires some additional work. if [ "${{ matrix.artifact }}" = "operator" ]; then echo "Skipping operator image scan for now." exit 0 @@ -61,10 +61,11 @@ jobs: ./scripts/bazel_ignore_codes.sh build \ //k8s/${{ matrix.artifact }}:${{ matrix.artifact }}_image_list + mkdir -p sarif/${{ matrix.artifact }}_deps # Ignore images whose basename is "/${{ matrix.artifact }}" to avoid scanning the bazel built images (e.g. /vizier-, /cloud-) - deps_output_dir=sarif/${{ matrix.artifact }}_deps - mkdir -p ${deps_output_dir} - cat ./bazel-bin/k8s/${{ matrix.artifact }}/${{ matrix.artifact }}_image_list.txt | grep -v "\/${{ matrix.artifact }}" | xargs -I{} sh -c 'trivy image {} --format=sarif --output=${deps_output_dir}/$(basename {} | cut -d":" -f1).sarif' + # The deps images must have their file named processed differently to avoid conflicts with the image name. For example, + # ory/hydra:v1.9.2-alpine and ory/hydra:v1.9.2-sqlite must not conflict. + cat ./bazel-bin/k8s/${{ matrix.artifact }}/${{ matrix.artifact }}_image_list.txt | grep -v "\/${{ matrix.artifact }}" | xargs -I{} sh -c 'trivy image {} --format=sarif --output=sarif/${{ matrix.artifact }}_deps/$(basename {} | cut -d"@" -f1 | tr ":" "_").sarif' # yamllint enable rule:line-length - run: | # Loop through all ${artifact} and ${artifact}_deps sarif files 
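Review bot: The new `--output=sarif/${{ matrix.artifact }}_deps/$(basename {} | cut -d"@" -f1 | tr ":" "_").sarif` name resolves the tag clash described in the comment, but the `automationDetails.id` written by the loop step below (its body is outside this hunk) is built from the file's basename alone, so if the same dependency image and tag appears in more than one artifact's deps list, e.g. in both `cloud_deps` and `vizier_deps`, the two SARIF runs carry an identical id and the later upload replaces the earlier one in code scanning. Including the parent directory in the id keeps them distinct: `jq --arg id "$(basename "$(dirname "$f")")/$(basename "$f")/" '.runs[].automationDetails.id = $id' < tmp > "$f"`. I have not checked whether the deps lists actually overlap, so this may be latent today rather than a live collision.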
@@ -78,8 +79,8 @@ jobs: - uses: github/codeql-action/upload-sarif@1b549b9259bda1cb5ddde3b41741a82a2d15a841 # v3.28.13 with: sarif_file: sarif/${{ matrix.artifact }} - # TODO(ddelnano): Remove this check once the operator dependency images are supported. This requires rendering helm templates - # and requires some additional work. + # TODO(ddelnano): Remove this check once the operator dependency images are supported. + # This requires rendering helm templates and requires some additional work. - uses: github/codeql-action/upload-sarif@1b549b9259bda1cb5ddde3b41741a82a2d15a841 # v3.28.13 if: ${{ matrix.artifact != 'operator' }} with: From 0d5df9abd093433e8cde5988bff5b5f87b7873f1 Mon Sep 17 00:00:00 2001 From: Dom Del Nano Date: Wed, 16 Jul 2025 18:23:52 +0000 Subject: [PATCH 18/19] Opt out of secret scanning to make trivy faster Signed-off-by: Dom Del Nano --- .github/workflows/trivy_images.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/trivy_images.yaml b/.github/workflows/trivy_images.yaml index a5a1c80dbb8..706b9b6b251 100644 --- a/.github/workflows/trivy_images.yaml +++ b/.github/workflows/trivy_images.yaml @@ -48,7 +48,7 @@ jobs: # yamllint disable rule:line-length run: | mkdir -p sarif/${{ matrix.artifact }} - ./bazel-bin/k8s/${{ matrix.artifact }}/list_image_bundle | xargs -I{} sh -c 'trivy image {} --format=sarif --output=sarif/${{ matrix.artifact }}/$(basename {} | cut -d":" -f1).sarif' + ./bazel-bin/k8s/${{ matrix.artifact }}/list_image_bundle | xargs -I{} sh -c 'trivy image --scanners vuln {} --format=sarif --output=sarif/${{ matrix.artifact }}/$(basename {} | cut -d":" -f1).sarif' # TODO(ddelnano): Remove this check once the operator dependency images are supported. # This requires rendering helm templates and requires some additional work. 
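Review bot: `--scanners vuln` does more than speed trivy up: it also disables the secret scanner (and misconfiguration checks), so credentials accidentally baked into the layers of the project's own bazel-built images would no longer surface in this workflow, and nothing in the workflow records that trade-off. Keeping `--scanners vuln,secret` on the first-party `list_image_bundle` line and dropping secrets only for the third-party dependency images is a reasonable compromise if the cost is in the deps; at minimum add a comment above the line, e.g. `# Vulnerability scanning only; the secret and misconfig scanners are disabled for speed.` The same flag is added to the deps line in the next hunk, where the same comment applies.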
@@ -65,7 +65,7 @@ jobs: # Ignore images whose basename is "/${{ matrix.artifact }}" to avoid scanning the bazel built images (e.g. /vizier-, /cloud-) # The deps images must have their file named processed differently to avoid conflicts with the image name. For example, # ory/hydra:v1.9.2-alpine and ory/hydra:v1.9.2-sqlite must not conflict. - cat ./bazel-bin/k8s/${{ matrix.artifact }}/${{ matrix.artifact }}_image_list.txt | grep -v "\/${{ matrix.artifact }}" | xargs -I{} sh -c 'trivy image {} --format=sarif --output=sarif/${{ matrix.artifact }}_deps/$(basename {} | cut -d"@" -f1 | tr ":" "_").sarif' + cat ./bazel-bin/k8s/${{ matrix.artifact }}/${{ matrix.artifact }}_image_list.txt | grep -v "\/${{ matrix.artifact }}" | xargs -I{} sh -c 'trivy image --scanners vuln {} --format=sarif --output=sarif/${{ matrix.artifact }}_deps/$(basename {} | cut -d"@" -f1 | tr ":" "_").sarif' # yamllint enable rule:line-length - run: | # Loop through all ${artifact} and ${artifact}_deps sarif files From 46880d697dc7d0a550d836cca05c5609d3a7326d Mon Sep 17 00:00:00 2001 From: Dom Del Nano Date: Wed, 16 Jul 2025 18:25:17 +0000 Subject: [PATCH 19/19] Remove branch trigger for testing Signed-off-by: Dom Del Nano --- .github/workflows/trivy_images.yaml | 1 - 1 file changed, 1 deletion(-) diff --git a/.github/workflows/trivy_images.yaml b/.github/workflows/trivy_images.yaml index 706b9b6b251..5e25f4746b9 100644 --- a/.github/workflows/trivy_images.yaml +++ b/.github/workflows/trivy_images.yaml @@ -4,7 +4,6 @@ on: push: branches: - main - - ddelnano/scan-pixie-deps-with-trivy schedule: - cron: "37 19 * * *" permissions: