68 changes: 58 additions & 10 deletions .github/workflows/docker-publish.yaml
@@ -1,12 +1,16 @@
name: Deploy

env:
PLATFORMS: "linux/amd64,linux/arm64,linux/ppc64le,linux/s390x"

on:
workflow_dispatch:
inputs:
command:
type: choice
options:
- build # build only
- publish # build & publish to dockerhub
- build # build only
- publish # build & publish to dockerhub
default: build
description: Build only or Build And Publish to DockerHub
version:
@@ -29,16 +33,17 @@ jobs:
environment: production
steps:
- name: Checkout
uses: actions/checkout@v2
uses: actions/checkout@v5

- name: Build version tag
run: |
echo "FUSIONAUTH_TAGS=fusionauth/fusionauth-app:${{ inputs.version }}${{ inputs.tag-suffix }}" >> $GITHUB_ENV
echo "FUSIONAUTH_SCAN_TAG=fusionauth/fusionauth-app:${{ inputs.version }}${{ inputs.tag-suffix }}-scan" >> $GITHUB_ENV

- name: Optional :latest tag
if: ${{ inputs.latest == true }}
run: |
echo "FUSIONAUTH_TAGS=${{ env.FUSIONAUTH_TAGS }},fusionauth/fusionauth-app:latest${{ env.FUSIONAUTH_TAG_SUFFIX }}" >> $GITHUB_ENV
echo "FUSIONAUTH_TAGS=${{ env.FUSIONAUTH_TAGS }},fusionauth/fusionauth-app:latest" >> $GITHUB_ENV

- name: Job summary
run: |
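Review bot: the `Optional :latest tag` step now drops `${{ env.FUSIONAUTH_TAG_SUFFIX }}` from the `:latest` tag while the version tag built two steps earlier still appends `${{ inputs.tag-suffix }}`, so a run with a non-empty `tag-suffix` and `latest == true` will overwrite plain `fusionauth/fusionauth-app:latest` with the suffixed build. If that is intended, a comment on the step should say so; otherwise append `${{ inputs.tag-suffix }}` there as well, as in `fusionauth/fusionauth-app:latest${{ inputs.tag-suffix }}`. Separately, `actions/checkout@v5` is a floating major tag; pinning to a full commit SHA (tag in a trailing comment) keeps a job that holds the DockerHub publishing credentials from silently picking up a changed action.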
@@ -47,25 +52,68 @@ jobs:
echo "Tags: ${{ env.FUSIONAUTH_TAGS }}"

- name: Set up QEMU
uses: docker/setup-qemu-action@v1
uses: docker/setup-qemu-action@v3

- name: Set up Docker Buildx
id: buildx
uses: docker/setup-buildx-action@v1
uses: docker/setup-buildx-action@v3

- name: Login to DockerHub
uses: docker/login-action@v1
uses: docker/login-action@v3
with:
username: ${{ secrets.DOCKERHUB_USERNAME }}
password: ${{ secrets.DOCKERHUB_TOKEN }}

- name: Install Trivy
run: |
sudo apt-get update
sudo apt-get install -y wget gnupg lsb-release
wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key | sudo gpg --dearmor -o /usr/share/keyrings/trivy-archive-keyring.gpg
echo "deb [signed-by=/usr/share/keyrings/trivy-archive-keyring.gpg] https://aquasecurity.github.io/trivy-repo/deb $(lsb_release -cs) main" | sudo tee /etc/apt/sources.list.d/trivy.list
sudo apt-get update
sudo apt-get install -y jq trivy

- name: Run Trivy pre-build scan
run: |
trivy fs \
--scanners vuln,misconfig \
--exit-code 1 \
--severity HIGH,CRITICAL \
--ignore-unfixed \
docker/fusionauth/fusionauth-app

- name: Build and scan platform images
Contributor

Trying to think through real world edge cases here. If we had an unknown vuln at release time, or a vuln that hits right at release time, this could cause us to fail here and not publish (and in the release process, if we don't publish here soon after S3 artifacts, we have a problem).

Should we make this more of an async, scheduled workflow that doesn't inhibit a release if the scan fails? Or if we don't want to do that, might we need bigger release workflow changes that can build and push a Docker image with a draft set of artifacts before the S3 push, but that might be a heavier lift.

Contributor Author

IMO we should not push an image with a known vulnerability, and if that interrupts the release process, that's a good thing.

run: |
set -euo pipefail
IFS=',' read -ra platforms <<< "${{ env.PLATFORMS }}"
for platform in "${platforms[@]}"; do
platform="$(echo "$platform" | xargs)"
arch="${platform##*/}"
scan_tag="${FUSIONAUTH_SCAN_TAG}-${arch}"
echo "::group::Building $scan_tag ($platform)"
docker buildx build \
--platform "$platform" \
--load \
--tag "$scan_tag" \
--build-arg FUSIONAUTH_VERSION=${{ inputs.version }} \
-f ./docker/fusionauth/fusionauth-app/Dockerfile \
.
echo "Scanning $scan_tag"
trivy image \
--exit-code 1 \
--severity HIGH,CRITICAL \
--ignore-unfixed \
"$scan_tag"
echo "::endgroup::"
done

# If all scans pass, build and optionally push the multi-arch image
- name: Build and push
uses: docker/build-push-action@v2
uses: docker/build-push-action@v6
with:
context: .
file: ./docker/fusionauth/fusionauth-app/Dockerfile
build-args: FUSIONAUTH_VERSION=${{ inputs.version }}
platforms: linux/amd64,linux/arm64,linux/ppc64le,linux/s390x
platforms: ${{ env.PLATFORMS }}
push: ${{ inputs.command == 'publish' }}
tags: ${{ env.FUSIONAUTH_TAGS }}
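Review bot: the image that gets scanned is not the image that gets pushed. The `Build and scan platform images` loop builds each platform with `docker buildx build --load` and runs `trivy image` on that local tag, then `docker/build-push-action@v6` performs a second, independent multi-arch build for `${{ env.FUSIONAUTH_TAGS }}`; the Dockerfile runs `apt-get update && apt-get install`, so the second build can resolve newer packages than the ones Trivy approved, and the gate in the comment `# If all scans pass, build and optionally push the multi-arch image` is weaker than it reads. Two ways to close the gap: have both builds share one cache (`cache-from`/`cache-to` on the action, `--cache-from`/`--cache-to` in the loop) so the pushed layers are the scanned ones, or push the `-scan` multi-arch tag first, scan it from the registry by digest, and promote it with `docker buildx imagetools create -t <final tag> <scan tag>` (a manifest copy, no rebuild). Smaller points in the same hunk: Trivy is installed from the apt repository with no version pin, so results are not reproducible between runs (and `jq` is installed but not used by these steps); and `${{ inputs.version }}` is spliced directly into the `run:` script in `--build-arg FUSIONAUTH_VERSION=${{ inputs.version }}`, unquoted, so a crafted `workflow_dispatch` input becomes shell text. Pass it through an `env:` block on the step and reference `"$FUSIONAUTH_VERSION"` instead.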

2 changes: 1 addition & 1 deletion docker/fusionauth/fusionauth-app/Dockerfile
Original file line number Diff line number Diff line change
@@ -63,7 +63,7 @@ RUN case "${BUILDPLATFORM}" in \
;;\
esac \
&& apt-get update \
&& apt-get install -y curl unzip \
&& apt-get install -y --no-install-recommends ca-certificates curl unzip \
&& mkdir -p /tmp/openjdk \
&& mkdir -p /tmp/build/openjdk \
&& curl -LfsSo /tmp/build/openjdk.tar.gz "${BUILD_JAVA_URL}" \
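Review bot: the explicit `ca-certificates` is required rather than cosmetic: with `--no-install-recommends`, `curl` no longer pulls it in as a recommended package, and the `curl -LfsSo /tmp/build/openjdk.tar.gz "${BUILD_JAVA_URL}"` two lines below would fail certificate verification against an HTTPS URL without it. A one-line comment in the Dockerfile saying why it is listed would stop a future cleanup from removing it as unused. Also worth confirming on all four platforms in `PLATFORMS` that no other recommended package dropped by this flag was relied on later in the `RUN` chain, which continues outside this hunk.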