Skip to content

vulnerability scans #2343

vulnerability scans

vulnerability scans #2343

Workflow file for this run

name: vulnerability scans
on:
push:
branches:
- main
pull_request:
paths:
- '.github/workflows/vuln-scans.yml'
- '.grype.yaml'
- '.trivyignore'
- '.snyk'
schedule:
- cron: '0 0 * * 1-5' # Every weekday at midnight UTC
env:
GO_VERSION: '1.22.7'
concurrency:
group: vuln-scans-${{ github.event.pull_request.number || github.ref }}
cancel-in-progress: true
jobs:
trivy-fs-scan:
# Use 20.04.5 until https://github.com/open-telemetry/opentelemetry-collector-contrib/issues/16450 is resolved
runs-on: ubuntu-20.04
steps:
- uses: actions/checkout@v4
- name: Run trivy filesystem scan
uses: aquasecurity/trivy-action@0.28.0
with:
scan-type: 'fs'
scan-ref: '.'
skip-dirs: 'deployments,examples,instrumentation/packaging,packaging,tests'
format: 'table'
exit-code: '1'
severity: 'CRITICAL,HIGH'
ignore-unfixed: true
anchore-fs-scan:
runs-on: ubuntu-20.04
steps:
- uses: actions/checkout@v4
- uses: anchore/scan-action@v5
with:
severity-cutoff: "high"
only-fixed: true
add-cpes-if-none: true
output-format: "table"
path: "."
docker-otelcol:
runs-on: ${{ fromJSON('["ubuntu-20.04", "otel-arm64"]')[matrix.ARCH == 'arm64'] }}
strategy:
matrix:
ARCH: [ "amd64", "arm64" ]
FIPS: [ true, false ]
fail-fast: false
steps:
- uses: actions/checkout@v4
- uses: actions/setup-go@v5
with:
go-version: ${{ env.GO_VERSION }}
cache-dependency-path: '**/go.sum'
- uses: actions/cache@v4
id: bundle-cache
with:
path: .cache/buildx/agent-bundle-${{ matrix.ARCH }}${{ matrix.FIPS == true && '-fips' || '' }}
key: agent-bundle-buildx-${{ matrix.ARCH }}${{ matrix.FIPS == true && '-fips' || '' }}-${{ hashFiles('packaging/bundle/**') }}
restore-keys: |
agent-bundle-buildx-${{ matrix.ARCH }}-${{ matrix.FIPS == true && '-fips' || '' }}
- run: |
make docker-otelcol ARCH=${{ matrix.ARCH }} FIPS="${{ matrix.FIPS }}"
env:
DOCKER_BUILDKIT: '1'
BUNDLE_CACHE_HIT: "${{ steps.bundle-cache.outputs.cache-hit }}"
- run: mkdir -p dist && docker save -o dist/image.tar otelcol${{ matrix.FIPS == true && '-fips' || '' }}:latest
- uses: actions/upload-artifact@v4
with:
name: otelcol-${{ matrix.ARCH }}${{ matrix.FIPS == true && '-fips' || '' }}
path: ./dist
binaries-windows_amd64:
runs-on: ubuntu-20.04
steps:
- name: Check out the codebase.
uses: actions/checkout@v4
- name: Set up Go
uses: actions/setup-go@v5
with:
go-version: ${{ env.GO_VERSION }}
cache-dependency-path: '**/go.sum'
- run: make binaries-windows_amd64
- uses: actions/upload-artifact@v4
with:
name: binaries-windows_amd64
path: |
./bin/*
trivy-image-scan:
# Use 20.04.5 until https://github.com/open-telemetry/opentelemetry-collector-contrib/issues/16450 is resolved
runs-on: ubuntu-20.04
needs: docker-otelcol
strategy:
matrix:
ARCH: [ "amd64", "arm64" ]
FIPS: [ true, false ]
fail-fast: false
steps:
- uses: actions/checkout@v4
- uses: docker/setup-qemu-action@v3
if: ${{ matrix.ARCH != 'amd64' }}
with:
platforms: ${{ matrix.ARCH }}
image: tonistiigi/binfmt:qemu-v7.0.0
- uses: actions/download-artifact@v4
with:
name: otelcol-${{ matrix.ARCH }}${{ matrix.FIPS == true && '-fips' || '' }}
path: ./dist
- run: docker load -i ./dist/image.tar
- name: Run trivy image scan
uses: aquasecurity/trivy-action@0.28.0
with:
scan-type: 'image'
image-ref: "otelcol${{ matrix.FIPS == true && '-fips' || '' }}:latest"
format: 'table'
exit-code: '1'
severity: 'CRITICAL,HIGH'
ignore-unfixed: true
anchore-image-scan:
runs-on: ubuntu-20.04
needs: docker-otelcol
strategy:
matrix:
ARCH: [ "amd64", "arm64" ]
FIPS: [ true, false ]
fail-fast: false
env:
GRYPE_PLATFORM: ${{ matrix.ARCH }}
steps:
- uses: actions/checkout@v4
- uses: docker/setup-qemu-action@v3
if: ${{ matrix.ARCH != 'amd64' }}
with:
platforms: ${{ matrix.ARCH }}
image: tonistiigi/binfmt:qemu-v7.0.0
- uses: actions/download-artifact@v4
with:
name: otelcol-${{ matrix.ARCH }}${{ matrix.FIPS == true && '-fips' || '' }}
path: ./dist
- run: docker load -i ./dist/image.tar
- uses: anchore/scan-action@v5
with:
severity-cutoff: "high"
only-fixed: true
add-cpes-if-none: true
output-format: "table"
image: "otelcol${{ matrix.FIPS == true && '-fips' || '' }}:latest"
anchore-win-image-scan:
runs-on: ${{ matrix.OS }}
needs: [ "binaries-windows_amd64" ]
strategy:
matrix:
OS: [ windows-2019, windows-2022 ]
fail-fast: false
env:
PIP_CACHE_DIR: ${{ github.workspace }}/.cache/pip
steps:
- name: Check out the codebase.
uses: actions/checkout@v4
- name: Downloading binaries-windows_amd64
uses: actions/download-artifact@v4
with:
name: binaries-windows_amd64
path: ./bin
- uses: actions/cache@v4
with:
path: ${{ env.PIP_CACHE_DIR }}
key: agent-bundle-windows-pip-${{ hashFiles('packaging/bundle/collectd-plugins.yaml', 'packaging/bundle/scripts/requirements.txt') }}
- run: ./packaging/bundle/scripts/windows/make.ps1 bundle
- name: Build docker image
run: |
$ErrorActionPreference = 'Stop'
Copy-Item .\bin\otelcol_windows_amd64.exe .\cmd\otelcol\otelcol.exe
Copy-Item .\dist\agent-bundle_windows_amd64.zip .\cmd\otelcol\agent-bundle_windows_amd64.zip
if ("${{ matrix.OS }}" -eq "windows-2019") {
$base_image = "mcr.microsoft.com/windows/servercore:ltsc2019"
} else {
$base_image = "mcr.microsoft.com/windows/servercore:ltsc2022"
}
docker build -t otelcol-windows --pull --build-arg BASE_IMAGE=${base_image} --build-arg JMX_METRIC_GATHERER_RELEASE=$(Get-Content packaging\jmx-metric-gatherer-release.txt) -f .\cmd\otelcol\Dockerfile.windows .\cmd\otelcol\
Remove-Item .\cmd\otelcol\otelcol.exe
Remove-Item .\cmd\otelcol\agent-bundle_windows_amd64.zip
- uses: anchore/scan-action@v5
with:
severity-cutoff: "high"
only-fixed: true
add-cpes-if-none: true
output-format: "table"
image: "otelcol-windows:latest"
check-snyk-token:
runs-on: ubuntu-latest
outputs:
has-snyk-token: ${{ steps.snyk-token-check.outputs.defined }}
steps:
- name: Check for snyk token
id: snyk-token-check
run: |
if [ -n "${{ secrets.SNYK_TOKEN }}" ]; then
echo "defined=true" >> $GITHUB_OUTPUT
else
echo "defined=false" >> $GITHUB_OUTPUT
fi
snyk-fs-scan:
runs-on: ubuntu-latest
needs: check-snyk-token
if: ${{ needs.check-snyk-token.outputs.has-snyk-token == 'true' }}
steps:
- uses: actions/checkout@v4
- name: Run Snyk to check for vulnerabilities
uses: snyk/actions/golang@master
continue-on-error: true # To make sure that SARIF upload gets called
env:
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
with:
command: code test
args: --severity-threshold=high --sarif-file-output=snyk.sarif --policy-path=.snyk
- name: Upload result to GitHub Code Scanning
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: snyk.sarif
snyk-docker-scan:
runs-on: ubuntu-latest
needs: [docker-otelcol, check-snyk-token]
if: ${{ needs.check-snyk-token.outputs.has-snyk-token == 'true' }}
strategy:
matrix:
ARCH: [ "amd64", "arm64" ]
FIPS: [ true, false ]
fail-fast: false
steps:
- uses: actions/checkout@v4
- uses: docker/setup-qemu-action@v3
if: ${{ matrix.ARCH != 'amd64' }}
with:
platforms: ${{ matrix.ARCH }}
image: tonistiigi/binfmt:qemu-v7.0.0
- uses: actions/download-artifact@v4
with:
name: otelcol-${{ matrix.ARCH }}${{ matrix.FIPS == true && '-fips' || '' }}
path: ./dist
- run: docker load -i ./dist/image.tar
- uses: snyk/actions/docker@master
continue-on-error: true # To make sure that SARIF upload gets called
env:
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
with:
image: "otelcol${{ matrix.FIPS == true && '-fips' || '' }}:latest"
args: --file=cmd/otelcol/Dockerfile --severity-threshold=high --sarif-file-output=snyk.sarif --policy-path=.snyk --platform=linux/${{ matrix.ARCH }}
- name: Upload result to GitHub Code Scanning
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: snyk.sarif
govulncheck:
runs-on: ubuntu-latest
timeout-minutes: 30
steps:
- name: Checkout Repo
uses: actions/checkout@v4
- name: Setup Go
uses: actions/setup-go@v5
with:
go-version: ${{ env.GO_VERSION }}
cache-dependency-path: '**/go.sum'
- name: Install Tools
run: make install-tools
- name: Run `govulncheck`
run: govulncheck -format sarif ./... > govulncheck.sarif
- name: Upload result to GitHub Code Scanning
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: govulncheck.sarif