mirror of
https://github.com/fleetdm/fleet
synced 2026-05-24 09:28:54 +00:00
bfe3b186d3
For #28837. Fixing this all of this because we got multiple reports from the community and customers and these were also detected by Amazon Inspector. - Fixes CVE-2025-22871 by upgrading Go from 1.24.1 to 1.24.2. - `docker scout` now fails the daily scheduled action if there are CRITICAL,HIGH CVEs (we missed setting `exit-code: true`). - Report CVE-2025-46569 as not affected by it because of our use of OPA's go package. - Report CVE-2024-8260 as not affected by it because Fleet doesn't run on Windows. - The `security/status.md` shows a lot of changes because we are now sorting CVEs so that newest come first. --- - [X] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. See [Changes files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/Committing-Changes.md#changes-files) for more information. - [ ] Manual QA for all new/changed functionality - For Orbit and Fleet Desktop changes: - [ ] Make sure fleetd is compatible with the latest released version of Fleet (see [Must rule](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/fleetd-development-and-release-strategy.md)). - [ ] Orbit runs on macOS, Linux and Windows. Check if the orbit feature/bugfix should only apply to one platform (`runtime.GOOS`). - [ ] Manual QA must be performed in the three main OSs, macOS, Windows and Linux. - [ ] Auto-update manual QA, from released version of component to new version (see [tools/tuf/test](../tools/tuf/test/README.md)). - [ ] For unreleased bug fixes in a release candidate, confirmed that the fix is not expected to adversely impact load test results or alerted the release DRI if additional load testing is needed.
121 lines
4.4 KiB
YAML
121 lines
4.4 KiB
YAML
name: Build fleetctl docker dependencies and check vulnerabilities
|
|
|
|
on:
|
|
workflow_dispatch:
|
|
schedule:
|
|
- cron: "0 6 * * *"
|
|
|
|
# This allows a subsequently queued workflow run to interrupt previous runs
|
|
concurrency:
|
|
group: ${{ github.workflow }}-${{ github.head_ref || github.run_id}}
|
|
cancel-in-progress: true
|
|
|
|
defaults:
|
|
run:
|
|
# fail-fast using bash -eo pipefail. See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#exit-codes-and-error-action-preference
|
|
shell: bash
|
|
|
|
permissions:
|
|
contents: read
|
|
|
|
jobs:
|
|
build-and-check:
|
|
runs-on: ubuntu-22.04
|
|
environment: Docker Hub
|
|
permissions:
|
|
id-token: write # for aws-actions/configure-aws-credentials
|
|
steps:
|
|
- name: Harden Runner
|
|
uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
|
|
with:
|
|
egress-policy: audit
|
|
|
|
- name: Checkout
|
|
uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
|
|
|
|
- name: Set up Go
|
|
uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
|
|
with:
|
|
go-version-file: "go.mod"
|
|
|
|
- name: Build fleetdm/wix
|
|
run: make wix-docker
|
|
|
|
- name: Build fleetdm/bomutils
|
|
run: make bomutils-docker
|
|
|
|
- name: Build fleetdm/fleetctl
|
|
run: make fleetctl-docker
|
|
|
|
- name: List VEX files
|
|
id: generate_vex_files
|
|
run: |
|
|
echo "VEX_FILES=$(ls -1 ./security/vex/fleetctl/ | while IFS= read -r line; do echo "./security/vex/fleetctl/$line"; done | tr '\n' ',' | sed 's/.$//')" >> $GITHUB_OUTPUT
|
|
|
|
# We use the trivy command and not the github action because it doesn't support loading VEX files yet.
|
|
- name: Run Trivy vulnerability scanner on fleetdm/fleetctl
|
|
env:
|
|
TRIVY_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-db
|
|
TRIVY_JAVA_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-java-db
|
|
run: |
|
|
mkdir trivy-download
|
|
cd trivy-download
|
|
curl -L https://github.com/aquasecurity/trivy/releases/download/v0.61.0/trivy_0.61.0_Linux-64bit.tar.gz --output trivy_0.61.0_Linux-64bit.tar.gz
|
|
tar -xf trivy_0.61.0_Linux-64bit.tar.gz
|
|
mv trivy ..
|
|
cd ..
|
|
chmod +x ./trivy
|
|
./trivy image \
|
|
--exit-code=1 \
|
|
--ignore-unfixed \
|
|
--pkg-types=os,library \
|
|
--severity=HIGH,CRITICAL \
|
|
--vex="${{ steps.generate_vex_files.outputs.VEX_FILES }}" \
|
|
fleetdm/fleetctl
|
|
|
|
- name: Run Trivy vulnerability scanner on fleetdm/wix
|
|
uses: aquasecurity/trivy-action@6c175e9c4083a92bbca2f9724c8a5e33bc2d97a5 # 0.30.0
|
|
env:
|
|
TRIVY_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-db
|
|
TRIVY_JAVA_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-java-db
|
|
with:
|
|
image-ref: "fleetdm/wix"
|
|
format: "table"
|
|
exit-code: "1"
|
|
ignore-unfixed: true
|
|
vuln-type: "os,library"
|
|
severity: "CRITICAL"
|
|
|
|
- name: Run Trivy vulnerability scanner on fleetdm/bomutils
|
|
uses: aquasecurity/trivy-action@6c175e9c4083a92bbca2f9724c8a5e33bc2d97a5 # 0.30.0
|
|
env:
|
|
TRIVY_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-db
|
|
TRIVY_JAVA_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-java-db
|
|
with:
|
|
image-ref: "fleetdm/bomutils"
|
|
format: "table"
|
|
exit-code: "1"
|
|
ignore-unfixed: true
|
|
vuln-type: "os,library"
|
|
severity: "CRITICAL"
|
|
|
|
- name: Slack root notification
|
|
if: github.event.schedule == '0 6 * * *' && failure()
|
|
uses: slackapi/slack-github-action@e28cf165c92ffef168d23c5c9000cffc8a25e117 # v1.24.0
|
|
with:
|
|
payload: |
|
|
{
|
|
"text": "${{ job.status }}\n${{ github.event.pull_request.html_url || github.event.head.html_url }}",
|
|
"blocks": [
|
|
{
|
|
"type": "section",
|
|
"text": {
|
|
"type": "mrkdwn",
|
|
"text": "⚠️ Build fleetctl docker dependencies and check vulnerabilities failed.\nhttps://github.com/fleetdm/fleet/actions/runs/${{ github.run_id }}"
|
|
}
|
|
}
|
|
]
|
|
}
|
|
env:
|
|
SLACK_WEBHOOK_URL: ${{ secrets.SLACK_G_HELP_ENGINEERING_WEBHOOK_URL }}
|
|
SLACK_WEBHOOK_TYPE: INCOMING_WEBHOOK
|