From e242c3853af44d67a8602a6f977294ce9557de5b Mon Sep 17 00:00:00 2001 From: Pavel Sorokin <60606414+pavel-snyk@users.noreply.github.com> Date: Tue, 12 Nov 2024 11:49:53 +0100 Subject: [PATCH 1/4] chore: scan broker images as part of cicd workflow --- .circleci/config.yml | 24 ++++++++++++++++++++++-- 1 file changed, 22 insertions(+), 2 deletions(-) diff --git a/.circleci/config.yml b/.circleci/config.yml index a5cf16c03..dc804c2be 100644 --- a/.circleci/config.yml +++ b/.circleci/config.yml @@ -469,6 +469,16 @@ workflows: nodejs_cycle: "20" project_name: broker + - scan-docker-image: + name: Scan base image (Ubuntu) + context: + - snyk-bot-slack + - team-broker-snyk + requires: + - Build base image (Ubuntu) + project: snyk/broker + project_name: broker + - build-and-save-docker-ubi-image: name: Build base image (RHEL) requires: @@ -476,6 +486,16 @@ workflows: dockerfile: dockerfiles/base/Dockerfile.ubi project_name: broker-rhel-ubi + - scan-docker-image: + name: Scan base image (RHEL) + context: + - snyk-bot-slack + - team-broker-snyk + requires: + - Build base image (RHEL) + project: snyk/broker-rhel-ubi + project_name: broker-rhel-ubi + - release: name: Release to GitHub and NPM context: @@ -483,8 +503,8 @@ workflows: - snyk-bot-slack - team-broker-snyk requires: - - Build base image (Ubuntu) - - Build base image (RHEL) + - Scan base image (Ubuntu) + - Scan base image (RHEL) - Test post-steps: - notify-slack-on-failure From 54331f091a73a1812e096c246d4dcf8f3f7654be Mon Sep 17 00:00:00 2001 From: Pavel Sorokin <60606414+pavel-snyk@users.noreply.github.com> Date: Tue, 12 Nov 2024 12:54:55 +0100 Subject: [PATCH 2/4] chore(circleci): move slack fail message into separate file --- .circleci/config.yml | 104 +++++++------------- .circleci/templates/slack_fail_message.json | 50 ++++++++++ 2 files changed, 84 insertions(+), 70 deletions(-) create mode 100644 .circleci/templates/slack_fail_message.json 
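Review bot: Both new `scan-docker-image` workflow entries attach the `snyk-bot-slack` context, yet neither job has a Slack step in this patch, so the Slack credentials held in that context are exposed to a job that never uses them; drop the context from the scan entries or add a `post-steps: - notify-slack-on-failure` that actually consumes it. The entries also rely on the job's defaults for the orb's `fail-on-issues` and `severity-threshold` inputs, which are not visible in this hunk; since these two jobs now gate the release, pin both values explicitly in the workflow entries so a later change to the job default cannot silently weaken the gate. The `workflows` block continues outside the hunk.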
diff --git a/.circleci/config.yml b/.circleci/config.yml index dc804c2be..d7a6264c6 100644 --- a/.circleci/config.yml +++ b/.circleci/config.yml @@ -119,6 +119,22 @@ commands: name: Load archived Docker image command: | docker load < "/tmp/workspace/images/<>:$CIRCLE_WORKFLOW_ID.tar.gz" + load-slack-templates: + steps: + - run: + name: Load Slack message templates + command: | + echo 'export SLACK_FAIL_MESSAGE_TEMPLATE=$(cat .circleci/templates/slack_fail_message.json)' >> $BASH_ENV + notify-slack-on-failure: + parameters: + channel: + type: string + default: broker-alerts-cicd + steps: + - slack/notify: + channel: <> + event: fail + template: SLACK_FAIL_MESSAGE_TEMPLATE tag-and-push-docker-image: description: "Tag and push Docker image to registry" parameters: 
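Review bot: `load-slack-templates` writes the literal text `export SLACK_FAIL_MESSAGE_TEMPLATE=$(cat …)` into `$BASH_ENV`, so the command substitution is re-run every time a later step sources `$BASH_ENV`, relative to whatever the working directory is at that moment; a step that cannot find the file ends up with an empty template and a silently broken alert. Evaluate it once and store a shell-quoted value instead: `printf 'export SLACK_FAIL_MESSAGE_TEMPLATE=%q\n' "$(cat .circleci/templates/slack_fail_message.json)" >> "$BASH_ENV"`. Note that the `${CIRCLE_*}` placeholders inside the JSON are not expanded by this assignment (a command-substitution result is not re-expanded), so the expansion presumably happens inside the orb's `template:` handling — worth confirming against slack orb 4.12.5, since the previous `custom:` form relied on the orb for that.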
@@ -166,72 +182,17 @@ commands: export COSIGN_KEY=$(echo $COSIGN_ENCODED_KEY | base64 -d) cosign sign --yes --key env://COSIGN_KEY --annotations tag=$IMAGE_TAG $IMAGE_WITH_DIGEST unset COSIGN_KEY + prepare: + description: "Checkout repository source code and load all Slack templates" + steps: + - checkout + - load-slack-templates prepare-dev-package-metadata: steps: - run: name: Prepare package.json and metadata.json for dev images command: | cd dockerfiles/.scripts && source prepare.sh - notify-slack-on-failure: - parameters: - channel: - type: string - default: broker-alerts-cicd - steps: - - slack/notify: - channel: <> - event: fail - custom: | - { - "blocks": [ - { - "type": "header", - "text": { - "type": "plain_text", - "text": "CICD pipeline failed :circleci-fail:", - "emoji": true - } - }, - { - "type": "divider" - }, - { - "type": "section", - "fields": [ - { - "type": "mrkdwn", - "text": "*Project*: ${CIRCLE_PROJECT_REPONAME}" - }, - { - "type": "mrkdwn", - "text": "*Job*: ${CIRCLE_JOB}" - }, - { - "type": "mrkdwn", - "text": "*Branch*: ${CIRCLE_BRANCH}" - }, - { - "type": "mrkdwn", - "text": "*Author*: ${CIRCLE_USERNAME}" - } - ] - }, - { - "type": "actions", - "elements": [ - { - "type": "button", - "text": { - "type": "plain_text", - "emoji": true, - "text": "View Job" - }, - "url": "${CIRCLE_BUILD_URL}" - } - ] - } - ] - } jobs: install-npm-packages: @@ -239,7 +200,7 @@ jobs: environment: NODE_ENV: development steps: - - checkout + - prepare - run: name: Install NPM packages command: npm clean-install @@ -250,7 +211,7 @@ jobs: lint: <<: *defaults steps: - - checkout + - prepare - attach_workspace: at: ~/broker - run: @@ -259,14 +220,14 @@ jobs: lint-json-samples: <<: *defaults steps: - - checkout + - prepare - run: name: Lint JSON templates command: ./lintVerifier.sh test: <<: *defaults steps: - - checkout + - prepare - attach_workspace: at: ~/broker - run: 
@@ -292,7 +253,7 @@ jobs: type: string default: "broker" steps: - - checkout + - prepare - setup_remote_docker: docker_layer_caching: true - get-tagged-broker-version @@ -317,7 +278,7 @@ jobs: type: string default: "broker" steps: - - checkout + - prepare - setup_remote_docker: docker_layer_caching: false - get-tagged-broker-version @@ -338,7 +299,7 @@ jobs: type: string default: "high" steps: - - checkout + - prepare - setup_remote_docker: docker_layer_caching: false - load-docker-image: @@ -361,7 +322,7 @@ jobs: type: string default: "broker" steps: - - checkout + - prepare - setup_remote_docker: docker_layer_caching: true - dockerhub-login @@ -395,7 +356,7 @@ jobs: type: string default: "high" steps: - - checkout + - prepare - setup_remote_docker: docker_layer_caching: false - dockerhub-login @@ -422,7 +383,7 @@ jobs: release: <<: *defaults steps: - - checkout + - prepare - attach_workspace: at: ~/broker - run: @@ -495,6 +456,9 @@ workflows: - Build base image (RHEL) project: snyk/broker-rhel-ubi project_name: broker-rhel-ubi + post-steps: + - notify-slack-on-failure: + channel: broker-alerts-vulns - release: name: Release to GitHub and NPM diff --git a/.circleci/templates/slack_fail_message.json b/.circleci/templates/slack_fail_message.json new file mode 100644 index 000000000..0891696e2 --- /dev/null +++ b/.circleci/templates/slack_fail_message.json 
@@ -0,0 +1,50 @@ +{ + "blocks": [ + { + "type": "header", + "text": { + "type": "plain_text", + "text": "Scans pipeline failed :circleci-fail:", + "emoji": true + } + }, + { + "type": "divider" + }, + { + "type": "section", + "fields": [ + { + "type": "mrkdwn", + "text": "*Project*: ${CIRCLE_PROJECT_REPONAME}" + }, + { + "type": "mrkdwn", + "text": "*Job*: ${CIRCLE_JOB}" + }, + { + "type": "mrkdwn", + "text": "*Branch*: ${CIRCLE_BRANCH}" + }, + { + "type": "mrkdwn", + "text": "*Author*: ${CIRCLE_USERNAME}" + } + ] + }, + { + "type": "actions", + "elements": [ + { + "type": "button", + "text": { + "type": "plain_text", + "emoji": true, + "text": "View Job" + }, + "url": "${CIRCLE_BUILD_URL}" + } + ] + } + ] +} From 84cec37a78503239c6f132a4b18729b1339c6637 Mon Sep 17 00:00:00 2001 From: Pavel Sorokin <60606414+pavel-snyk@users.noreply.github.com> Date: Tue, 12 Nov 2024 13:20:13 +0100 Subject: [PATCH 3/4] fix: ignore pam vuln in UBI image temporary --- .snyk | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/.snyk b/.snyk index ce3d81261..7eba9e978 100644 --- a/.snyk +++ b/.snyk @@ -22,4 +22,9 @@ ignore: reason: No upstream fix available expires: 2024-12-11T13:11:49.669Z created: 2024-11-11T13:11:49.674Z + SNYK-RHEL8-PAM-8350338: + - '*': + reason: No fix from RHEL available + expires: 2024-12-12T12:19:17.636Z + created: 2024-11-12T12:19:17.640Z patch: {} From a6599f07e86f25df3f620df7f61870d1c6642240 Mon Sep 17 00:00:00 2001 From: Pavel Sorokin <60606414+pavel-snyk@users.noreply.github.com> Date: Tue, 12 Nov 2024 14:06:02 +0100 Subject: [PATCH 4/4] chore(circleci): skip monitoring of the project during CICD workflow --- .circleci/config.yml | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/.circleci/config.yml b/.circleci/config.yml index d7a6264c6..9b2109493 100644 --- a/.circleci/config.yml +++ b/.circleci/config.yml 
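Review bot: The header text `"Scans pipeline failed :circleci-fail:"` is misleading, because this file replaces the inline body of `notify-slack-on-failure`, which remains the generic post-step for every job (the `release` job posts it to the default `broker-alerts-cicd` channel), while the removed inline text read `CICD pipeline failed`. Either restore the generic wording, `"text": "CICD pipeline failed :circleci-fail:"`, or keep one template per alert type. `${CIRCLE_BRANCH}` is also empty on tag-triggered builds; if any of these jobs run on tags, a `${CIRCLE_TAG}` field alongside it would keep the alert useful.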
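Review bot: The new `SNYK-RHEL8-PAM-8350338` ignore uses the `'*'` path glob and a free-text reason, so it suppresses the finding wherever it appears with nothing to audit against later; extend the reason to point at the upstream advisory and the ticket tracking removal, e.g. `reason: 'No fix from RHEL available - see upstream advisory; tracked in <ticket>'`. The 30-day `expires` value is the right guard for an ignore the commit calls temporary, but because the same `.snyk` is passed via `--policy-path` to the release-gating scan, the RHEL image will start failing the release on that date unless the ignore is renewed or the package is fixed. The `ignore` mapping continues before and after the hunk.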
@@ -3,7 +3,7 @@ version: 2.1 orbs: prodsec: snyk/prodsec-orb@1.0 slack: circleci/slack@4.12.5 - snyk: snyk/snyk@1.7.2 + snyk: snyk/snyk@2.2.0 defaults: &defaults docker: @@ -290,6 +290,9 @@ jobs: scan-docker-image: <<: *defaults parameters: + monitor_on_build: + type: boolean + default: true project: type: string project_name: @@ -308,6 +311,7 @@ jobs: additional-arguments: --policy-path=.snyk docker-image-name: <>:$CIRCLE_WORKFLOW_ID fail-on-issues: <> + monitor-on-build: <> organization: platform-broker project: <> severity-threshold: <> @@ -439,6 +443,7 @@ workflows: - Build base image (Ubuntu) project: snyk/broker project_name: broker + monitor_on_build: false - build-and-save-docker-ubi-image: name: Build base image (RHEL) @@ -456,9 +461,7 @@ workflows: - Build base image (RHEL) project: snyk/broker-rhel-ubi project_name: broker-rhel-ubi - post-steps: - - notify-slack-on-failure: - channel: broker-alerts-vulns + monitor_on_build: false - release: name: Release to GitHub and NPM
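Review bot: The new `monitor_on_build` parameter has no `description`, and its default of `true` is overridden to `false` by both workflow entries, so a reader has to dig up the commit message to learn why monitoring is skipped in CI. Add a description such as `description: "Run snyk monitor after the test; off in CI because the scanned image is tagged with $CIRCLE_WORKFLOW_ID"` — the per-run tag is visible in `docker-image-name`, while the consequence (a new monitored project per run) is my inference and should be confirmed. Consider also defaulting it to `false`, so a future workflow entry cannot re-enable monitoring by omission. The `scan-docker-image` job continues past the hunk.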
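Review bot: Dropping the `post-steps: - notify-slack-on-failure: channel: broker-alerts-vulns` block leaves both scan jobs with no failure notification at all: a failing scan blocks `Release to GitHub and NPM` through `requires`, so the release job's own `notify-slack-on-failure` post-step never runs and nobody is alerted on the vulnerability channel. If the intent was only to switch off monitoring, keep the post-steps on both scan entries (the Ubuntu entry never had one) next to `monitor_on_build: false`; without them the `snyk-bot-slack` context the scan jobs carry is unused. The `workflows` block continues outside the hunk.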