vulnerability scans #2432
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: vulnerability scans | |
on: | |
push: | |
branches: | |
- main | |
pull_request: | |
paths: | |
- '.github/workflows/vuln-scans.yml' | |
- '.grype.yaml' | |
- '.trivyignore' | |
- '.snyk' | |
schedule: | |
- cron: '0 0 * * 1-5' # Every weekday at midnight UTC | |
env: | |
GO_VERSION: '1.22.7' | |
concurrency: | |
group: vuln-scans-${{ github.event.pull_request.number || github.ref }} | |
cancel-in-progress: true | |
jobs: | |
trivy-fs-scan: | |
# Use 20.04.5 until https://github.com/open-telemetry/opentelemetry-collector-contrib/issues/16450 is resolved | |
runs-on: ubuntu-20.04 | |
steps: | |
- uses: actions/checkout@v4 | |
- name: Run trivy filesystem scan | |
uses: aquasecurity/trivy-action@0.28.0 | |
with: | |
version: v0.57.1 | |
scan-type: 'fs' | |
scan-ref: '.' | |
skip-dirs: 'deployments,examples,instrumentation/packaging,packaging,tests' | |
format: 'table' | |
exit-code: '1' | |
severity: 'CRITICAL,HIGH' | |
ignore-unfixed: true | |
anchore-fs-scan: | |
runs-on: ubuntu-20.04 | |
steps: | |
- uses: actions/checkout@v4 | |
- uses: anchore/scan-action@v5 | |
with: | |
severity-cutoff: "high" | |
only-fixed: true | |
add-cpes-if-none: true | |
output-format: "table" | |
path: "." | |
docker-otelcol: | |
runs-on: ${{ fromJSON('["ubuntu-20.04", "otel-arm64"]')[matrix.ARCH == 'arm64'] }} | |
strategy: | |
matrix: | |
ARCH: [ "amd64", "arm64" ] | |
FIPS: [ true, false ] | |
fail-fast: false | |
steps: | |
- uses: actions/checkout@v4 | |
- uses: actions/setup-go@v5 | |
with: | |
go-version: ${{ env.GO_VERSION }} | |
cache-dependency-path: '**/go.sum' | |
- uses: actions/cache@v4 | |
id: bundle-cache | |
with: | |
path: .cache/buildx/agent-bundle-${{ matrix.ARCH }}${{ matrix.FIPS == true && '-fips' || '' }} | |
key: agent-bundle-buildx-${{ matrix.ARCH }}${{ matrix.FIPS == true && '-fips' || '' }}-${{ hashFiles('packaging/bundle/**') }} | |
restore-keys: | | |
agent-bundle-buildx-${{ matrix.ARCH }}-${{ matrix.FIPS == true && '-fips' || '' }} | |
- run: | | |
make docker-otelcol ARCH=${{ matrix.ARCH }} FIPS="${{ matrix.FIPS }}" | |
env: | |
DOCKER_BUILDKIT: '1' | |
BUNDLE_CACHE_HIT: "${{ steps.bundle-cache.outputs.cache-hit }}" | |
- run: mkdir -p dist && docker save -o dist/image.tar otelcol${{ matrix.FIPS == true && '-fips' || '' }}:latest | |
- uses: actions/upload-artifact@v4 | |
with: | |
name: otelcol-${{ matrix.ARCH }}${{ matrix.FIPS == true && '-fips' || '' }} | |
path: ./dist | |
binaries-windows_amd64: | |
runs-on: ubuntu-20.04 | |
steps: | |
- name: Check out the codebase. | |
uses: actions/checkout@v4 | |
- name: Set up Go | |
uses: actions/setup-go@v5 | |
with: | |
go-version: ${{ env.GO_VERSION }} | |
cache-dependency-path: '**/go.sum' | |
- run: make binaries-windows_amd64 | |
- uses: actions/upload-artifact@v4 | |
with: | |
name: binaries-windows_amd64 | |
path: | | |
./bin/* | |
trivy-image-scan: | |
# Use 20.04.5 until https://github.com/open-telemetry/opentelemetry-collector-contrib/issues/16450 is resolved | |
runs-on: ubuntu-20.04 | |
needs: docker-otelcol | |
strategy: | |
matrix: | |
ARCH: [ "amd64", "arm64" ] | |
FIPS: [ true, false ] | |
fail-fast: false | |
steps: | |
- uses: actions/checkout@v4 | |
- uses: docker/setup-qemu-action@v3 | |
if: ${{ matrix.ARCH != 'amd64' }} | |
with: | |
platforms: ${{ matrix.ARCH }} | |
image: tonistiigi/binfmt:qemu-v7.0.0 | |
- uses: actions/download-artifact@v4 | |
with: | |
name: otelcol-${{ matrix.ARCH }}${{ matrix.FIPS == true && '-fips' || '' }} | |
path: ./dist | |
- run: docker load -i ./dist/image.tar | |
- name: Run trivy image scan | |
uses: aquasecurity/trivy-action@0.28.0 | |
with: | |
version: v0.57.1 | |
scan-type: 'image' | |
image-ref: "otelcol${{ matrix.FIPS == true && '-fips' || '' }}:latest" | |
format: 'table' | |
exit-code: '1' | |
severity: 'CRITICAL,HIGH' | |
ignore-unfixed: true | |
anchore-image-scan: | |
runs-on: ubuntu-20.04 | |
needs: docker-otelcol | |
strategy: | |
matrix: | |
ARCH: [ "amd64", "arm64" ] | |
FIPS: [ true, false ] | |
fail-fast: false | |
env: | |
GRYPE_PLATFORM: ${{ matrix.ARCH }} | |
steps: | |
- uses: actions/checkout@v4 | |
- uses: docker/setup-qemu-action@v3 | |
if: ${{ matrix.ARCH != 'amd64' }} | |
with: | |
platforms: ${{ matrix.ARCH }} | |
image: tonistiigi/binfmt:qemu-v7.0.0 | |
- uses: actions/download-artifact@v4 | |
with: | |
name: otelcol-${{ matrix.ARCH }}${{ matrix.FIPS == true && '-fips' || '' }} | |
path: ./dist | |
- run: docker load -i ./dist/image.tar | |
- uses: anchore/scan-action@v5 | |
with: | |
severity-cutoff: "high" | |
only-fixed: true | |
add-cpes-if-none: true | |
output-format: "table" | |
image: "otelcol${{ matrix.FIPS == true && '-fips' || '' }}:latest" | |
anchore-win-image-scan: | |
runs-on: ${{ matrix.OS }} | |
needs: [ "binaries-windows_amd64" ] | |
strategy: | |
matrix: | |
OS: [ windows-2019, windows-2022 ] | |
fail-fast: false | |
env: | |
PIP_CACHE_DIR: ${{ github.workspace }}/.cache/pip | |
steps: | |
- name: Check out the codebase. | |
uses: actions/checkout@v4 | |
- name: Downloading binaries-windows_amd64 | |
uses: actions/download-artifact@v4 | |
with: | |
name: binaries-windows_amd64 | |
path: ./bin | |
- uses: actions/cache@v4 | |
with: | |
path: ${{ env.PIP_CACHE_DIR }} | |
key: agent-bundle-windows-pip-${{ hashFiles('packaging/bundle/collectd-plugins.yaml', 'packaging/bundle/scripts/requirements.txt') }} | |
- run: ./packaging/bundle/scripts/windows/make.ps1 bundle | |
- name: Build docker image | |
run: | | |
$ErrorActionPreference = 'Stop' | |
Copy-Item .\bin\otelcol_windows_amd64.exe .\cmd\otelcol\otelcol.exe | |
Copy-Item .\dist\agent-bundle_windows_amd64.zip .\cmd\otelcol\agent-bundle_windows_amd64.zip | |
if ("${{ matrix.OS }}" -eq "windows-2019") { | |
$base_image = "mcr.microsoft.com/windows/servercore:ltsc2019" | |
} else { | |
$base_image = "mcr.microsoft.com/windows/servercore:ltsc2022" | |
} | |
docker build -t otelcol-windows --pull --build-arg BASE_IMAGE=${base_image} --build-arg JMX_METRIC_GATHERER_RELEASE=$(Get-Content packaging\jmx-metric-gatherer-release.txt) -f .\cmd\otelcol\Dockerfile.windows .\cmd\otelcol\ | |
Remove-Item .\cmd\otelcol\otelcol.exe | |
Remove-Item .\cmd\otelcol\agent-bundle_windows_amd64.zip | |
- uses: anchore/scan-action@v5 | |
with: | |
severity-cutoff: "high" | |
only-fixed: true | |
add-cpes-if-none: true | |
output-format: "table" | |
image: "otelcol-windows:latest" | |
check-snyk-token: | |
runs-on: ubuntu-latest | |
outputs: | |
has-snyk-token: ${{ steps.snyk-token-check.outputs.defined }} | |
steps: | |
- name: Check for snyk token | |
id: snyk-token-check | |
run: | | |
if [ -n "${{ secrets.SNYK_TOKEN }}" ]; then | |
echo "defined=true" >> $GITHUB_OUTPUT | |
else | |
echo "defined=false" >> $GITHUB_OUTPUT | |
fi | |
snyk-fs-scan: | |
runs-on: ubuntu-latest | |
needs: check-snyk-token | |
if: ${{ needs.check-snyk-token.outputs.has-snyk-token == 'true' }} | |
steps: | |
- uses: actions/checkout@v4 | |
- name: Run Snyk to check for vulnerabilities | |
uses: snyk/actions/golang@master | |
continue-on-error: true # To make sure that SARIF upload gets called | |
env: | |
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} | |
with: | |
command: code test | |
args: --severity-threshold=high --sarif-file-output=snyk.sarif --policy-path=.snyk | |
- name: Upload result to GitHub Code Scanning | |
uses: github/codeql-action/upload-sarif@v3 | |
with: | |
sarif_file: snyk.sarif | |
snyk-docker-scan: | |
runs-on: ubuntu-latest | |
needs: [docker-otelcol, check-snyk-token] | |
if: ${{ needs.check-snyk-token.outputs.has-snyk-token == 'true' }} | |
strategy: | |
matrix: | |
ARCH: [ "amd64", "arm64" ] | |
FIPS: [ true, false ] | |
fail-fast: false | |
steps: | |
- uses: actions/checkout@v4 | |
- uses: docker/setup-qemu-action@v3 | |
if: ${{ matrix.ARCH != 'amd64' }} | |
with: | |
platforms: ${{ matrix.ARCH }} | |
image: tonistiigi/binfmt:qemu-v7.0.0 | |
- uses: actions/download-artifact@v4 | |
with: | |
name: otelcol-${{ matrix.ARCH }}${{ matrix.FIPS == true && '-fips' || '' }} | |
path: ./dist | |
- run: docker load -i ./dist/image.tar | |
- uses: snyk/actions/docker@master | |
continue-on-error: true # To make sure that SARIF upload gets called | |
env: | |
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} | |
with: | |
image: "otelcol${{ matrix.FIPS == true && '-fips' || '' }}:latest" | |
args: --file=cmd/otelcol/Dockerfile --severity-threshold=high --sarif-file-output=snyk.sarif --policy-path=.snyk --platform=linux/${{ matrix.ARCH }} | |
- name: Upload result to GitHub Code Scanning | |
uses: github/codeql-action/upload-sarif@v3 | |
with: | |
sarif_file: snyk.sarif | |
govulncheck: | |
runs-on: ubuntu-latest | |
timeout-minutes: 30 | |
steps: | |
- name: Checkout Repo | |
uses: actions/checkout@v4 | |
- name: Setup Go | |
uses: actions/setup-go@v5 | |
with: | |
go-version: ${{ env.GO_VERSION }} | |
cache-dependency-path: '**/go.sum' | |
- name: Install Tools | |
run: make install-tools | |
- name: Run `govulncheck` | |
run: govulncheck -format sarif ./... > govulncheck.sarif | |
- name: Upload result to GitHub Code Scanning | |
uses: github/codeql-action/upload-sarif@v3 | |
with: | |
sarif_file: govulncheck.sarif |