chanzuckerberg · hspitzley-czi · Jul 11, 2024 · Jul 11, 2024 · Jul 11, 2024 · Jul 11, 2024
diff --git a/.editorconfig b/.editorconfig
@@ -0,0 +1,16 @@
+# EditorConfig helps developers define and maintain consistent coding styles across different editors and IDEs
+
+# Top-most EditorConfig file
+root = true
+
+# Set defaults for all file extensions
+[*]
+charset = utf-8
+end_of_line = lf
+trim_trailing_whitespace = true
+insert_final_newline = true
+
+# Set specific yaml file settings
+[*.{yml,yaml}]
+indent_style = space
+indent_size = 2
diff --git a/.github/actions/argus-builder/docker-build/action.yml b/.github/actions/argus-builder/docker-build/action.yml
@@ -28,6 +28,10 @@ inputs:
   github_private_key:
     description: 'GitHub App private key'
     required: true
+  fail_on_vulnerabilities:
+    description: 'whether to fail the action if vulnerabilities are found'
+    required: false
+    default: "true"
 
 outputs:
   image_uri:
@@ -77,7 +81,7 @@ runs:
         lifecycle-policy: core-platform-settings/ecr/lifecycle-policy.json
         repository-policy: core-platform-settings/ecr/repository-policy.json
     - name: Build And Push
-      uses: chanzuckerberg/github-actions/.github/actions/docker-build-push@docker-build-push-v1.6.0
+      uses: chanzuckerberg/github-actions/.github/actions/docker-build-push@CCIE-3099-embed-docker-scanning-into-argus-builder-gh-actions
       with:
         dockerfile: ${{ github.event.repository.name }}/${{ inputs.dockerfile }}
         context: ${{ github.event.repository.name }}/${{ inputs.context }}
@@ -89,10 +93,43 @@ runs:
           IMAGE_TAG=${{ inputs.image_tag }}
           ${{ inputs.build_args }}
 
-    # TODO: scan image for vulnerabilities
-    # - name: Scan for vulnerabilities
-    #   uses: chanzuckerberg/github-actions/.github/actions/argus-builder/scan-for-vulnerabilities@main
-    #   with:
-    #     image_uri: ${{ steps.ecr_metadata.outputs.ECR_REGISTRY }}/${{ steps.ecr_metadata.outputs.ECR_REPO_NAME }}:${{ inputs.image_tag }}
-    #     github_app_id: ${{ inputs.github_app_id }}
-    #     github_private_key: ${{ inputs.github_private_key }}
+    - name: Scan for vulnerabilities
+      uses: chanzuckerberg/github-actions/.github/actions/container-scanning@CCIE-3099-embed-docker-scanning-into-argus-builder-gh-actions
+      id: scan
+      with:
+        image_uri: ${{ inputs.image_name }}:${{ inputs.image_tag }}
+        fail_on_vulnerabilities: ${{ inputs.fail_on_vulnerabilities }}
+
+    - name: Notify on skipped vulnerabilities
+      uses: actions/github-script@v7
+      if: inputs.fail_on_vulnerabilities != 'true' && steps.scan.outputs.vulnerability_threshold_exceeded == 1
+      with:
+        script: |
+          let issueNumber;
+          if (context.issue.number) {
+            // use issue number from context if present
+            issueNumber = context.issue.number;
+          } else {
+            // Otherwise use issue number from commit
+            issueNumber = (
+              await github.rest.repos.listPullRequestsAssociatedWithCommit({
+                commit_sha: context.sha,
+                owner: context.repo.owner,
+                repo: context.repo.repo,
+              })
+            ).data[0].number;
+          }
+          const body = `
+          :rotating_light: **Vulnerabilities found in image**: ${{ steps.ecr_metadata.outputs.IMAGE_URI }} :rotating_light:
+
+          Please review the vulnerabilities found in the image and take appropriate action:
+          ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}/job/${{ github.job }}
+
+          ${{ steps.scan.outputs.inspector_scan_results_markdown }}
+          `;
+          await github.rest.issues.createComment({
+            issue_number: issueNumber,
+            owner: context.repo.owner,
+            repo: context.repo.repo,
+            body,
+          });
diff --git a/.github/actions/container-scanning/action.yml b/.github/actions/container-scanning/action.yml
@@ -28,6 +28,13 @@ inputs:
     description: 'whether to fail the action if vulnerabilities are found'
     required: false
     default: "true"
+outputs:
+  vulnerability_threshold_exceeded:
+    description: '1 if the vulnerability threshold was exceeded, 0 otherwise'
+    value: ${{ steps.inspector.outputs.vulnerability_threshold_exceeded }}
+  inspector_scan_results_markdown:
+    description: 'path to the markdown file containing the Inspector scan results'
+    value: ${{ steps.inspector.outputs.inspector_scan_results_markdown }}
 runs:
   using: "composite"
   steps:
@@ -38,7 +45,7 @@ runs:
         role-duration-seconds: 1800
         role-session-name: github-actions-inspector
     - name: Scan built image with Inspector
-      uses: aws-actions/[email protected].0
+      uses: aws-actions/[email protected].2
       id: inspector
       with:
         artifact_type: 'container'
@@ -55,4 +62,4 @@ runs:
     - name: Fail job if vulnerability threshold is exceeded
       if: contains(inputs.fail_on_vulnerabilities, 'true')
       shell: bash
-      run: exit ${{ steps.inspector.outputs.vulnerability_threshold_exceeded }}
+      run: exit ${{ steps.inspector.outputs.vulnerability_threshold_exceeded }}
diff --git a/.github/actions/docker-build-push/action.yml b/.github/actions/docker-build-push/action.yml
@@ -39,10 +39,10 @@ outputs:
 runs:
   using: "composite"
   steps:
-    - name: Set up QEMU
-      uses: docker/setup-qemu-action@v3
-    - name: Set up Docker Buildx
-      uses: docker/setup-buildx-action@v3
+    # - name: Set up QEMU
+    #   uses: docker/setup-qemu-action@v3
+    # - name: Set up Docker Buildx
+    #   uses: docker/setup-buildx-action@v3
     - name: Docker meta
       id: meta
       uses: docker/metadata-action@v5
@@ -80,7 +80,7 @@ runs:
       with:
         file: ${{ inputs.dockerfile }}
         context: ${{ inputs.context }}
-        push: true
+        push: false
         tags: ${{ steps.meta.outputs.tags }}
         labels: ${{ steps.meta.outputs.labels }}
         cache-from: ${{ steps.cache-from.outputs.cacheFrom }}
@@ -89,3 +89,4 @@ runs:
         build-args: ${{ inputs.build_args }}
         secret-files: ${{ inputs.secret-files }}
         platforms: ${{ inputs.platforms }}
+        load: true
diff --git a/.github/workflows/argus-docker-build.yaml b/.github/workflows/argus-docker-build.yaml
@@ -39,6 +39,11 @@
         required: false
         type: string
         default: '.'
+      fail_on_vulnerabilities:
+        description: 'whether to fail the action if vulnerabilities are found'
+        required: false
+        type: boolean
+        default: true
 
 jobs:
   prep:
@@ -53,7 +58,7 @@
       id-token: write
       contents: read
     steps:
-      - uses: chanzuckerberg/github-actions/.github/actions/argus-builder/build-prep@b7d8eaf3c08d100ded457432f9ce6be6d88932e3
+      - uses: chanzuckerberg/github-actions/.github/actions/argus-builder/build-prep@CCIE-3099-embed-docker-scanning-into-argus-builder-gh-actions
         id: build_prep
         with:
           path_filters: ${{ inputs.path_filters }}
@@ -76,7 +81,7 @@
   build-docker:
     name: Build Docker Image
     needs: [prep]
-    runs-on: 
+    runs-on:
       - self-hosted
       - Linux
       - ${{ matrix.image.platform == 'linux/amd64' && 'X64' || 'ARM64' }}
@@ -89,7 +94,7 @@
       matrix:
         image: ${{ fromJson(needs.prep.outputs.images) }}
     steps:
-      - uses: chanzuckerberg/github-actions/.github/actions/argus-builder/docker-build@b7d8eaf3c08d100ded457432f9ce6be6d88932e3
+      - uses: chanzuckerberg/github-actions/.github/actions/argus-builder/docker-build@CCIE-3099-embed-docker-scanning-into-argus-builder-gh-actions
         with:
           image_name: ${{ matrix.image.name }}
           dockerfile: ${{ matrix.image.dockerfile }}
@@ -99,6 +104,7 @@
           image_tag: ${{ needs.prep.outputs.image_tag }}
           github_app_id: ${{ secrets.CZI_GITHUB_HELPER_APP_ID }}
           github_private_key: ${{ secrets.CZI_GITHUB_HELPER_PK }}
+          fail_on_vulnerabilities: ${{ inputs.fail_on_vulnerabilities }}
 
   update-manifests:
     name: Update ArgoCD manifests
@@ -108,7 +114,7 @@
       id-token: write
       contents: read
     steps:
-      - uses: chanzuckerberg/github-actions/.github/actions/argus-builder/manifest-update@b7d8eaf3c08d100ded457432f9ce6be6d88932e3
+      - uses: chanzuckerberg/github-actions/.github/actions/argus-builder/manifest-update@CCIE-3099-embed-docker-scanning-into-argus-builder-gh-actions
         with:
           envs: ${{ inputs.envs }}
           image_tag: ${{ needs.prep.outputs.image_tag }}