feat: add security report action

Author: paulb

.github/workflows/report-example.yaml

@@ -0,0 +1,29 @@
+name: Example of workflow for security report
+
+on:
+  pull_request:
+
+jobs:
+  build:
+    runs-on: ubuntu-20.04
+    steps:
+    - uses: actions/checkout@master
+
+    - name: Pull the base image
+      run: docker pull python:3.10-rc-slim
+
+    - name: Build the new image
+      run: docker build -t python:security-test -f example/Dockerfile .
+
+    - name: "Security reports"
+      uses: dreamquark-ai/github-action-security-report@main
+      env:
+        GITHUB_PAT: ${{secrets.SECURITY_REPORT_ACTION_EXAMPLE_PAT}}
+      with:
+        image: 'python'
+        base-tag: 3.10-rc-slim
+        new-tag: 'security-test'
+        orga: 'dreamquark-ai'
+        repo: 'github-action-security-report'
+        pr-nb: ${{ github.event.number }}
+        topic: 'example'

README.md

@@ -0,0 +1,55 @@
+# Dreamquark security report action
+
+This action is meant for generating differntial secirity reports based on [trivy](https://github.com/aquasecurity/trivy) to be published as a comment of a pull request. 
+
+From a base image used as reference, it underlies the new security failures and the one that have been removed after changes in your source code. 
+
+
+## Example of usage
+
+Before calling the action make sure to get the images (the base and the new one) in the pipeline either by pulling or building them.  
+
+```name: Example of workflow for security report
+
+on:
+  pull_request:
+
+jobs:
+  build:
+    runs-on: ubuntu-20.04
+    steps:
+    - uses: actions/checkout@master
+
+    - name: Pull the base image
+      run: docker pull python:3.10-rc-slim
+
+    - name: Build the new image
+      run: docker build -t python:security-test -f example/Dockerfile .
+
+    - name: "Security reports"
+      uses: dreamquark-ai/github-action-security-report@main
+      env:
+        GITHUB_PAT: ${{secrets.SECURITY_REPORT_ACTION_EXAMPLE_PAT}}
+      with:
+        image: 'python'
+        base-tag: 3.10-rc-slim
+        new-tag: 'security-test'
+        orga: 'dreamquark-ai'
+        repo: 'github-action-security-report'
+        pr-nb: ${{ github.event.number }}
+        topic: 'example'
+```
+
+## Inputs
+
+|   Name  | Type | Default | Required | Description |
+|---    |:-:    |:-: |:-: |:-: |
+image | `string` |  | `true` | The image on which differential reports must be performed |a
+base-tag | `string` | `latest` | `true` | The tag of the base image used as reference |a
+new-tag | `string` | `security-test` | `true` | The tag of the new image used to seek out new and removed vulnerabilities |a
+repo | `string` |  | `true` |  Repository on which the action is triggered |a
+pr-nb | `string` |  | `true` | PR number on which to comment with the security report |a
+topic | `string` | `image` | `true` | The title of the report: used to identify the security report |a
+
+
+

action.yaml

@@ -0,0 +1,57 @@
+name: 'Security report'
+description: 'Compare security reports between PR and develop'
+inputs:
+  image:
+    description: 'Image to perform security scans on'
+    required: true
+  base-tag:
+    description: 'Tag of the base image used as reference'
+    required: true
+    default: 'latest'
+  new-tag:
+    description: 'Tag of the new image on which changes must be detected'
+    required: true
+    default: 'security-test'
+  orga:
+    description: 'Organization name to which the repo belongs'
+    required: true
+    default: 'dreamquark-ai' 
+  repo:
+    description: 'Repository on which the action is triggered'
+    required: true
+  pr-nb:
+    description: 'PR number on which to comment with the security report'
+    required: true
+  topic:
+    description: 'The title of the report: used to identify the security report'
+    default: 'image'
+    required: true
+runs:
+  using: 'composite'
+  steps:
+    - name: "Install trivy and set up folders"
+      shell: bash
+      run: |
+        mkdir -p ${{ github.action_path }}/reports
+        sudo apt-get install wget apt-transport-https gnupg lsb-release
+        wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key | sudo apt-key add -
+        echo deb https://aquasecurity.github.io/trivy-repo/deb $(lsb_release -sc) main | sudo tee -a /etc/apt/sources.list.d/trivy.list
+        sudo apt-get update
+        sudo apt-get install -y trivy
+
+    - name: "Security report on base image"
+      shell: bash
+      working-directory: ${{ github.action_path }}/reports
+      run: trivy -q -f json -o report-base.json ${{inputs.image}}:${{inputs.base-tag}}
+
+    - name: "Security report on the new image"
+      shell: bash
+      working-directory: ${{ github.action_path }}/reports
+      run: trivy -q -f json -o report-new.json ${{inputs.image}}:${{inputs.new-tag}} 
+    
+    - name: "Compare the reports"
+      shell: bash
+      working-directory: ${{ github.action_path }}
+      run: >
+        ./main.sh --image ${{inputs.image}} --base-tag ${{inputs.base-tag}} --new-tag ${{inputs.new-tag}}
+        --pull-request ${{inputs.pr-nb}} --topic ${{inputs.topic}} --repo ${{inputs.repo}} --orga ${{inputs.orga}}

comment-pr.sh

@@ -0,0 +1,69 @@
+#!/bin/bash
+FOLDER=$(readlink -f "${BASH_SOURCE[0]}" | xargs dirname)
+. "${FOLDER}/utils.sh"
+
+
+#https://docs.github.com/en/rest/reference/issues#list-issue-comments
+function comment_exists() {
+    repo=$1
+    pr=$2
+    topic=$3
+    orga=$4
+    
+    resp=$(curl -s -H "Authorization: token $GITHUB_PAT" \
+    https://api.github.com/repos/$orga/$repo/issues/$pr/comments)
+    #Check resp is an empty array
+    if [ ${#resp[@]} -eq 0 ]; then
+        echo ""
+    else
+        echo $resp | jq  '.[] | select(.body | test(".*- (.*?)'"$topic"'\\s+")) | .id'
+    fi
+}
+
+#https://docs.github.com/en/rest/reference/issues#create-an-issue-comment
+function add_comment() {
+    repo=$1
+    pr=$2
+    body=$3
+    orga=$4
+    
+    resp=$(curl --silent -H "Authorization: token ${GITHUB_PAT}"  \
+    -X POST -d @body \
+    https://api.github.com/repos/$orga/$repo/issues/$pr/comments)
+
+}
+
+#https://docs.github.com/en/rest/reference/issues#delete-an-issue-comment
+function delete_comment() {
+    repo=$1
+    comment_id=$2
+    
+    curl \
+    -X DELETE --silent\
+    -H "Accept: application/vnd.github.v3+json" \
+    -H "Authorization: token ${GITHUB_PAT}" \
+    https://api.github.com/repos/$orga/$repo/issues/comments/$comment_id
+}
+
+function comment_pr() {
+    repo=$1
+    pr=$2
+    topic=$3
+    orga=$4
+
+    temp_folder
+    # Check if comment already exists
+    id_found=$(comment_exists $repo $pr $topic $orga)
+    echo $id_found
+    if [[ ! -z "$id_found" ]]
+    then
+        echo "Security report already exists: remove the previous one."
+        delete_comment $repo $id_found $orga
+    fi
+
+    # Add new comment
+    echo "{\"body\":  \"$(cat ../reports/security.md |  sed "s/\"/'/g" | sed 's/$/\\n/')\"}" > body
+    add_comment $repo $pr $body $orga
+    cleanup_folder
+}
+

example/Dockerfile

@@ -0,0 +1,7 @@
+FROM python:3.10-rc-slim
+
+USER root
+# Remove package with vulnerabilities and add one with vulnerabilities
+RUN rm -rf /usr/share/doc/libc-bin /usr/share/libc-bin &&\
+    apt-get update -y &&\
+    apt-get install -y libcrypto1.1-udeb

main.sh

@@ -0,0 +1,70 @@
+#!/bin/bash
+
+set -e
+FOLDER=$(readlink -f "${BASH_SOURCE[0]}" | xargs dirname)
+. "${FOLDER}/parse-json.sh"
+. "${FOLDER}/md-template.sh"
+. "${FOLDER}/comment-pr.sh"
+
+
+base_report="$FOLDER/reports/report-base.json"
+new_report="$FOLDER/reports/report-new.json"
+target="$FOLDER/reports/security.md"
+report_folder="$FOLDER/reports"
+
+
+POSITIONAL=()
+while [[ $# -gt 0 ]]
+do
+key="$1"
+
+case $key in
+    -i|--image)
+    image="$2"
+    shift 
+    shift 
+    ;;
+    -bt|--base-tag)
+    base_tag="$2"
+    shift 
+    shift 
+    ;;
+    -nt|--new-tag)
+    new_tag="$2"
+    shift 
+    shift 
+    ;;
+    -r|--repo)
+    repo="$2"
+    shift 
+    shift 
+    ;;
+    -pr|--pull-request)
+    pr="$2"
+    shift 
+    shift 
+    ;;
+    -t|--topic)
+    topic="$2"
+    shift 
+    shift 
+    ;;
+    -o|--orga)
+    orga="$2"
+    shift 
+    shift 
+    ;;
+    *)    
+    POSITIONAL+=("$1")
+    shift 
+    ;;
+esac
+done
+
+
+echo "Compare the differences between $base_report and $new_report."
+get_differences $base_report $new_report $report_folder
+echo "Generate the report for $image:$base_tag->$new_tag."
+generate_markdown $report_folder $report_folder $image $base_tag $new_tag $topic
+echo "Publish the report as a comment of the PR #$pr to $repo related to $topic"
+comment_pr $repo $pr $topic $orga

md-template.sh

@@ -0,0 +1,46 @@
+#!/bin/bash
+
+set -e
+FOLDER=$(readlink -f "${BASH_SOURCE[0]}" | xargs dirname)
+. "${FOLDER}/utils.sh"
+
+
+function generate_markdown() {
+    report_folder=$1
+    target=$2
+    img=$3
+    base_tag=$4
+    new_tag=$5
+    subject=$6
+
+    template="$FOLDER/template.md"
+    temp_folder
+
+    old=$(cat $report_folder/old.json | jq length)
+    new=$(cat $report_folder/new.json | jq length)
+
+    echo "Beginning markdown generation"
+    img=$(echo $img | sed -s "s/\//-/g")
+
+    printf "# 🛡️ Security scan 🕵🚔🔫 - $subject \n\n" > security.md
+    printf "**$new** security vulnerabilities have appeared and **$old** have been removed from the **$base_tag** version of the image **$img**. \n\n" >> security.md
+    
+    # Generate table with the new vulnerabilities
+    if [ $new -ne 0 ]; then
+        printf "## New security failures \n\n" >> security.md
+        printf "\n|  Vulnerability  | Package | Package Version | Severity |\n |---    |:-:    |:-:    |:-:  |\n" >> security.md
+        cat "$report_folder/new.json" | jq -r '.[] | [.VulnerabilityID, .PkgName, .InstalledVersion, .Severity] | join(" | ")' | sed -E  "s/([^ ]*)(.*)/[\1](https:\/\/nvd.nist.gov\/vuln\/detail\/\1)\2/" | sed 's/$/ |a /'  >> security.md
+    fi
+    
+    if [ $old -ne 0 ]; then
+        printf "\n ## Removed security failures \n\n" >> security.md
+        printf "\n|   Vulnerability  |   Package |   Package Version |   Severity |\n |---    |:-:    |:-:    |:-: |\n" >> security.md
+        cat "${report_folder}/old.json" | jq -r '.[] | [.VulnerabilityID, .PkgName, .InstalledVersion, .Severity] | join(" | ")' | sed -E  "s/([^ ]*)(.*)/[\1](https:\/\/nvd.nist.gov\/vuln\/detail\/\1)\2/" | sed 's/$/ |a /'  >> security.md
+    fi
+    
+    
+    mv security.md $target
+    cleanup_folder
+}
+
+

parse-json.sh

@@ -0,0 +1,40 @@
+#!/bin/bash
+
+set -e
+FOLDER=$(readlink -f "${BASH_SOURCE[0]}" | xargs dirname)
+. "${FOLDER}/utils.sh"
+
+
+function get_differences() {
+    base_report=$1
+    new_report=$2
+    target_folder=$3
+
+    mkdir -p $target_folder
+    temp_folder
+
+    cat $base_report | jq -r '.[].Vulnerabilities[]? | [.VulnerabilityID?, .PkgName?, .InstalledVersion?] | join(",")' | sort > tmp-base
+    cat $new_report | jq -r '.[].Vulnerabilities[]? | [.VulnerabilityID?, .PkgName?, .InstalledVersion?] | join(",")' | sort > tmp-new
+
+    # Get added and removed the vulnerabilities
+    echo "Get the added and removed vulnerabilities"
+    comm -13 tmp-base tmp-new > tmp-added
+    comm -23 tmp-base tmp-new > tmp-rm
+
+    # Get a proper json with all the vulnerabilities
+    echo "Get proper json with all the vulnerabilities"
+    # Get the new vulnerabilities
+    echo "[" > new.json
+    cat tmp-added | sed -s -e 's/^\([^,]*\),\([^,]*\),\(.*\)$/ cat '$(echo $new_report | sed -s "s|/|\\\/|g" )' |  jq \x27 .[].Vulnerabilities[]? |  select(.VulnerabilityID =="\1" and .PkgName =="\2" and .InstalledVersion=="\3") \x27/' | sh | head -c-1 | sed -z 's/}\n{/},\n{/g'  >> new.json
+    echo "]" >> new.json
+    # Get the removed vulnerabilities
+    echo "[" > old.json
+    cat tmp-rm |  sed -s -e 's/^\([^,]*\),\([^,]*\),\(.*\)$/ cat '$(echo $base_report | sed -s "s|/|\\\/|g" )' |  jq \x27 .[].Vulnerabilities[]? |  select(.VulnerabilityID =="\1" and .PkgName =="\2" and .InstalledVersion=="\3") \x27/' | sh | head -c-1 | sed -z 's/}\n{/},\n{/g' >> old.json
+    echo "]" >> old.json
+
+    mv new.json $target_folder    
+    mv old.json $target_folder
+
+    cleanup_folder
+}
+

utils.sh

@@ -0,0 +1,16 @@
+#!/bin/bash
+
+function temp_folder(){
+    # Use date instead of /dev/urandom since it's based on driver noise
+    # and thus does not work in CI
+    uuid="$(date | sed 's/[^0-9]//g')"
+    temp_folder="temp_${uuid}"
+    mkdir ${temp_folder}
+    cd ${temp_folder}
+}
+
+function cleanup_folder(){
+    folder="$(pwd)"
+    cd ..
+    rm -rf ${folder}
+}