Merge pull request #154 from SpecterOps/BED-6803

chores: Add a step to scan AzureHound Build Image

Author: ykaiboussiSO

.github/workflows/build.yml

@@ -66,8 +66,95 @@ jobs:
           tags: |
             type=edge,branch=main
             type=sha,prefix=edge-,format=short
+      
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v3
+
+      - name: Set up buildx
+        uses: docker/setup-buildx-action@v3
 
       - name: Build Container Image
+        uses: docker/build-push-action@v6
+        with:
+          context: .
+          build-args: VERSION=v0.0.0-rolling+${{ github.sha }}
+          tags: azurehound # temporary tag to simplify oci conversion
+          labels: ${{ steps.meta.outputs.labels }}
+          push: false
+          secrets: |
+            GIT_AUTH_TOKEN=${{ secrets.PACKAGE_SCOPE }}
+          # Multi-plaform builds can not be loaded into local Docker Daemon 
+          # Must use an Open Container Image to scan for vulnerabilities.
+          outputs: type=oci,dest=/tmp/oci-image.tar
+
+      - name: Upload OCI tarball
+        uses: actions/upload-artifact@v4
+        with:
+          name: oci-image-tar
+          path: /tmp/oci-image.tar
+
+      # Convert OCI Directory to Docker-compatible tar for amd64
+      - name: Convert OCI to Docker tarball
+        run: |
+          set -euo pipefail
+          echo "Converting amd64 image..."
+
+          if ! skopeo copy \
+            --override-arch=amd64 --override-os=linux \
+            oci-archive:/tmp/oci-image.tar \
+            docker-archive:/tmp/converted-amd64.tar; then
+            echo "skopeo copy failed for amd64"
+            exit 1
+          fi
+      
+      - name: Trivy scan for vulnerabilities (AMD64)
+        id: trivy_amd64
+        uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8 # 0.33.1
+        with:
+          input: /tmp/converted-amd64.tar
+          format: "json"
+          severity: "HIGH,CRITICAL"
+          ignore-unfixed: true
+          cache-dir: /tmp/trivy-cache
+          output: /tmp/trivy-report-amd64.json
+
+      - name: Upload Trivy scan reports
+        uses: actions/upload-artifact@v4
+        with:
+          name: trivy-scan-reports
+          path: /tmp/trivy-report-amd64.json
+    
+      - name: Check Trivy Report for HIGH/CRITICAL vulnerabilities (amd64 only)
+        env:
+          GITHUB_EVENT_NAME: ${{ github.event_name }}
+        run: |
+          echo "Checking Trivy report for HIGH/CRITICAL vulnerabilities (amd64 only)..."
+
+          # Ensure report exists
+          if [ ! -f /tmp/trivy-report-amd64.json ]; then
+            echo "Error: /tmp/trivy-report-amd64.json not found!"
+            exit 1
+          fi
+
+          # Count vulnerabilities from amd64 report
+          total_vulns=$(jq '[.Results[].Vulnerabilities[]? | select(.Severity=="HIGH" or .Severity=="CRITICAL")] | length' /tmp/trivy-report-amd64.json)
+
+          echo "Event: $GITHUB_EVENT_NAME"
+          echo "Total HIGH/CRITICAL vulnerabilities: $total_vulns"
+
+          if [ "$total_vulns" -gt 0 ]; then
+            # Fail only on push events
+            if [ "$GITHUB_EVENT_NAME" = "push" ]; then
+              echo "Push event detected. Failing the job to block image push."
+              exit 1
+            else
+              echo "Pull request event. Vulnerabilities found, but continuing (non-blocking)."
+            fi
+          else
+            echo "No HIGH/CRITICAL vulnerabilities found. Safe to proceed."
+          fi
+                
+      - name: Push Image
         uses: docker/build-push-action@v6
         with:
           context: .

.github/workflows/vuln-scan.yml

@@ -15,7 +15,7 @@ jobs:
         uses: actions/checkout@v3
 
       - name: Run vulnerability scanner
-        uses: aquasecurity/trivy-action@0.28.0
+        uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8 # 0.33.1
         with:
           scan-type: 'repo'
           scan-ref: './'