add docker scout scan to pipelines (nginx#5759)

Author: pdabelf5

.github/workflows/build-base-images.yml

@@ -41,6 +41,9 @@ jobs:
     name: Build OSS base images
     runs-on: ubuntu-22.04
     needs: checks
+    permissions:
+      contents: read
+      pull-requests: write # for scout report
     strategy:
       fail-fast: false
       matrix:
@@ -108,6 +111,9 @@ jobs:
     name: Build Plus base images
     runs-on: ubuntu-22.04
     needs: checks
+    permissions:
+      contents: read
+      pull-requests: write # for scout report
     strategy:
       fail-fast: false
       matrix:
@@ -177,6 +183,9 @@ jobs:
     name: Build Plus NAP base images
     runs-on: ubuntu-22.04
     needs: checks
+    permissions:
+      contents: read
+      pull-requests: write # for scout report
     strategy:
       fail-fast: false
       matrix:

.github/workflows/build-oss.yml

@@ -47,6 +47,10 @@ jobs:
       security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
       id-token: write # for OIDC login to GCR
       packages: write # for docker/build-push-action to push to GHCR
+      pull-requests: write # for scout report
+    outputs:
+      version: ${{ steps.meta.outputs.version }}
+      image_digest: ${{ steps.build-push.outputs.digest }}
     steps:
       - name: Checkout Repository
         uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
@@ -175,27 +179,46 @@ jobs:
             IC_VERSION=${{ inputs.ic-version && inputs.ic-version || steps.meta.outputs.version }}
         if: ${{ steps.base_exists.outputs.exists != 'true' || steps.target_exists.outputs.exists != 'true' }}
 
+      - name: Make directory for security scan results
+        run: |
+          mkdir -p "${{ inputs.image }}-results/"
+
       - name: Run Trivy vulnerability scanner
         uses: aquasecurity/trivy-action@595be6a0f6560a0a8fc419ddf630567fc623531d # 0.22.0
         continue-on-error: true
         with:
           image-ref: nginx/nginx-ingress:${{ steps.meta.outputs.version }}
           format: "sarif"
-          output: "trivy-results-${{ inputs.image }}.sarif"
+          output: "${{ inputs.image }}-results/trivy.sarif"
           ignore-unfixed: "true"
         if: ${{ inputs.authenticated && steps.build-push.conclusion == 'success' }}
 
-      - name: Upload Trivy scan results to GitHub Security tab
-        uses: github/codeql-action/upload-sarif@530d4feaa9c62aaab2d250371e2061eb7a172363 # v3.25.9
+      - name: DockerHub Login for Docker Scount
+        uses: docker/login-action@0d4c9c5ea7693da7b068278f7b52bda2a190a446 # v3.2.0
+        with:
+          username: ${{ secrets.DOCKER_USERNAME }}
+          password: ${{ secrets.DOCKER_PASSWORD }}
+        if: ${{ inputs.authenticated && steps.build-push.conclusion == 'success' }}
+
+      - name: Run Docker Scout vulnerability scanner
+        id: docker-scout
+        uses: docker/scout-action@5dae9c7571dd0f3de81f5b501240c593c13c3eb6 # v1.9.3
         continue-on-error: true
         with:
-          sarif_file: "trivy-results-${{ inputs.image }}.sarif"
+          command: cves,recommendations
+          image: ${{ steps.meta.outputs.tags }}
+          ignore-base: true
+          only-fixed: true
+          sarif-file: "${{ inputs.image }}-results/scout.sarif"
+          write-comment: false
+          github-token: ${{ secrets.GITHUB_TOKEN }} # to be able to write the comment
+          summary: true
         if: ${{ inputs.authenticated && steps.build-push.conclusion == 'success' }}
 
-      - name: Upload Scan Results
+      - name: Upload Scan Results to the cache
         uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
         continue-on-error: true
         with:
-          name: "trivy-results-${{ inputs.image }}.sarif"
-          path: "trivy-results-${{ inputs.image }}.sarif"
-        if: always()
+          name: "${{ inputs.image }}-results"
+          path: "${{ inputs.image }}-results/"
+        if: ${{ inputs.authenticated && steps.build-push.conclusion == 'success' }}

.github/workflows/build-plus.yml

@@ -51,6 +51,7 @@ jobs:
       contents: read # for docker/build-push-action to read repo content
       security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
       id-token: write # for OIDC login to AWS
+      pull-requests: write # for scout report
     runs-on: ubuntu-22.04
     steps:
       - name: Checkout Repository
@@ -195,8 +196,12 @@ jobs:
             ${{ contains(inputs.image, 'ubi') && format('"rhel_license={0}"', secrets.RHEL_LICENSE) || '' }}
         if: ${{ steps.base_exists.outputs.exists != 'true' || steps.target_exists.outputs.exists != 'true' }}
 
-      - name: Extract image name for Trivy
-        id: trivy-tag
+      - name: Make directory for security scan results
+        run: |
+          mkdir -p "${{ inputs.image }}-results/"
+
+      - name: Extract image name for Scans
+        id: scan-tag
         run: |
           tag=$(echo $DOCKER_METADATA_OUTPUT_JSON | jq -r '[ .tags[] | select(contains("f5-gcs-7899"))] | .[0]')
           echo "tag=$tag" >> $GITHUB_OUTPUT
@@ -206,23 +211,38 @@ jobs:
         uses: aquasecurity/trivy-action@595be6a0f6560a0a8fc419ddf630567fc623531d # 0.22.0
         continue-on-error: true
         with:
-          image-ref: ${{ steps.trivy-tag.outputs.tag }}
+          image-ref: ${{ steps.scan-tag.outputs.tag }}
           format: "sarif"
-          output: "trivy-results-${{ inputs.image }}.sarif"
+          output: "${{ inputs.image }}-results/trivy.sarif"
           ignore-unfixed: "true"
         if: ${{ inputs.authenticated && steps.build-push.conclusion == 'success' }}
 
-      - name: Upload Trivy scan results to GitHub Security tab
-        uses: github/codeql-action/upload-sarif@530d4feaa9c62aaab2d250371e2061eb7a172363 # v3.25.9
+      - name: DockerHub Login for Docker Scount
+        uses: docker/login-action@0d4c9c5ea7693da7b068278f7b52bda2a190a446 # v3.2.0
+        with:
+          username: ${{ secrets.DOCKER_USERNAME }}
+          password: ${{ secrets.DOCKER_PASSWORD }}
+        if: ${{ inputs.authenticated && steps.build-push.conclusion == 'success' }}
+
+      - name: Run Docker Scout vulnerability scanner
+        id: docker-scout
+        uses: docker/scout-action@5dae9c7571dd0f3de81f5b501240c593c13c3eb6 # v1.9.3
         continue-on-error: true
         with:
-          sarif_file: "trivy-results-${{ inputs.image }}.sarif"
+          command: cves,recommendations
+          image: ${{ steps.scan-tag.outputs.tag }}
+          ignore-base: true
+          only-fixed: true
+          sarif-file: "${{ inputs.image }}-results/scout.sarif"
+          write-comment: false
+          github-token: ${{ secrets.GITHUB_TOKEN }} # to be able to write the comment
+          summary: true
         if: ${{ inputs.authenticated && steps.build-push.conclusion == 'success' }}
 
       - name: Upload Scan Results
         uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
         continue-on-error: true
         with:
-          name: "trivy-results-${{ inputs.image }}.sarif"
-          path: "trivy-results-${{ inputs.image }}.sarif"
-        if: always()
+          name: "${{ inputs.image }}-results"
+          path: "${{ inputs.image }}-results/"
+        if: ${{ inputs.authenticated && steps.build-push.conclusion == 'success' }}

.github/workflows/cache-update.yml

@@ -60,6 +60,7 @@ jobs:
       security-events: write
       id-token: write
       packages: write
+      pull-requests: write # for scout report
     secrets: inherit
 
   build-docker-plus:
@@ -89,6 +90,7 @@ jobs:
       contents: read
       security-events: write
       id-token: write
+      pull-requests: write # for scout report
     secrets: inherit
 
   build-docker-nap:
@@ -161,4 +163,5 @@ jobs:
       contents: read
       security-events: write
       id-token: write
+      pull-requests: write # for scout report
     secrets: inherit

.github/workflows/ci.yml

@@ -303,6 +303,7 @@ jobs:
       security-events: write
       id-token: write
       packages: write
+      pull-requests: write # for scout report
     secrets: inherit
 
   build-docker-plus:
@@ -333,6 +334,7 @@ jobs:
       contents: read
       security-events: write
       id-token: write
+      pull-requests: write # for scout report
     secrets: inherit
 
   build-docker-nap:
@@ -406,6 +408,7 @@ jobs:
       contents: read
       security-events: write
       id-token: write
+      pull-requests: write # for scout report
     secrets: inherit
 
   helm-tests:
@@ -774,5 +777,6 @@ jobs:
       actions: read
       packages: write # for helm to push to GHCR
       security-events: write
+      pull-requests: write # for scout report
     uses: ./.github/workflows/image-promotion.yml
     if: ${{ inputs.force && inputs.force || false }}

.github/workflows/image-promotion.yml

@@ -173,6 +173,7 @@ jobs:
       security-events: write
       id-token: write
       packages: write
+      pull-requests: write # for scout report
     secrets: inherit
 
   build-docker-plus:
@@ -205,6 +206,7 @@ jobs:
       security-events: write
       id-token: write
       packages: write
+      pull-requests: write # for scout report
     secrets: inherit
 
   build-docker-nap:
@@ -280,6 +282,7 @@ jobs:
       security-events: write
       id-token: write
       packages: write
+      pull-requests: write # for scout report
     secrets: inherit
 
   tag-stable:

build/Dockerfile

@@ -15,7 +15,7 @@ FROM ghcr.io/nginxinc/k8s-common:nginx-opentracing-1.27.0-alpine@sha256:5dc5c763
 FROM ghcr.io/nginxinc/alpine-fips:0.1.0-alpine3.17@sha256:f00b3f266422feaaac7b733b46903bd19eb1cd1caa6991131576f5f767db76f8 as alpine-fips-3.17
 FROM ghcr.io/nginxinc/alpine-fips:0.2.0-alpine3.19@sha256:1744ae3a8e795daf771f3f7df33b83160981545abb1f1597338e2769d06aa1cc as alpine-fips-3.19
 FROM redhat/ubi9-minimal@sha256:a7d837b00520a32502ada85ae339e33510cdfdbc8d2ddf460cc838e12ec5fa5a AS ubi-minimal
-FROM golang:1.22-alpine@sha256:9bdd5692d39acc3f8d0ea6f81327f87ac6b473dd29a2b6006df362bff48dd1f8 as golang-builder
+FROM golang:1.22-alpine@sha256:6522f0ca555a7b14c46a2c9f50b86604a234cdc72452bf6a268cae6461d9000b as golang-builder
 
 
 ############################################# Base image for Alpine #############################################

tests/Dockerfile

@@ -5,7 +5,7 @@ FROM kindest/node:v1.30.0@sha256:047357ac0cfea04663786a612ba1eaba9702bef25227a79
 # this is here so we can grab the latest version of skopeo and have dependabot keep it up to date
 FROM quay.io/skopeo/stable:v1.15.1
 
-FROM python:3.12@sha256:00389e020fe42a6c74a8f091ce9b28324422d084efdff26eabe93bc4ae9a110b
+FROM python:3.12@sha256:4584ea46d313a10e849eb7c5ef36be14773418233516ceaa9e52a8ff7d5e35a5
 
 RUN apt-get update \
 	&& apt-get install -y curl git \