feat(sca): refactored grype cache (#318)

feat(scan-docker-image): refactored grype cache

BREAKING CHANGE:

- Removes "force_grype_db_update" and "skip_grype_db_cache" input
- Adds "grype_db_cache" and "grype_db_cache_token" input for private grype db mirror
- Grype DB caching strategy: GH Cache -> Grype DB mirror (if specified) -> Grype upstream

Author: saisatishkarra

.github/workflows/dir-scan.yml

@@ -3,12 +3,12 @@ name: SCA Directory Scan
 on:
   pull_request:
     branches:
-    - main
+      - main
   push:
     branches:
-    - main
+      - main
     tags:
-    - '*'
+      - "*"
   workflow_dispatch: {}
 
 jobs:
@@ -23,16 +23,16 @@ jobs:
       pull-requests: write
     name: Test Repository Scan
     steps:
-        - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
-        - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
-          with:
-            repository: ${{env.TEST_REPOSITORY}}
-            path: ${{env.TEST_REPOSITORY}}
-        - name: Scan Directory
-          id: scan-dir
-          uses: ./security-actions/sca
-          with:
-            asset_prefix: test.insomnia
-            dir: ${{env.TEST_REPOSITORY}}
-            upload-sbom-release-assets: true
-            fail_build: false
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        with:
+          repository: ${{env.TEST_REPOSITORY}}
+          path: ${{env.TEST_REPOSITORY}}
+      - name: Scan Directory
+        id: scan-dir
+        uses: ./security-actions/sca
+        with:
+          asset_prefix: test.insomnia
+          dir: ${{env.TEST_REPOSITORY}}
+          upload-sbom-release-assets: true
+          fail_build: false

.github/workflows/docker-image-scan.yml

@@ -3,12 +3,12 @@ name: SCA Docker Test
 on:
   pull_request:
     branches:
-    - main
+      - main
   push:
     branches:
-    - main
+      - main
     tags:
-    - '*'
+      - "*"
   workflow_dispatch: {}
 
 jobs:
@@ -24,59 +24,62 @@ jobs:
     env:
       IMAGE: kong/kong-gateway-dev:latest #particular reason for the choice of image: test multi arch image sbom
     steps:
-    - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
 
-    - name: Install regctl
-      uses: regclient/actions/regctl-installer@ce5fd131e371ffcdd7508b478cb223b3511a9183
+      - name: Install regctl
+        uses: regclient/actions/regctl-installer@ce5fd131e371ffcdd7508b478cb223b3511a9183
 
-    - name: Login to DockerHub
-      if: success()
-      uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0
-      with:
-        username: ${{ secrets.GHA_DOCKERHUB_PULL_USER }}
-        password: ${{ secrets.GHA_KONG_ORG_DOCKERHUB_PUBLIC_TOKEN }}
+      - name: Login to DockerHub
+        if: success()
+        uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0
+        with:
+          username: ${{ secrets.GHA_DOCKERHUB_PULL_USER }}
+          password: ${{ secrets.GHA_KONG_ORG_DOCKERHUB_PUBLIC_TOKEN }}
 
-    - name: Parse Architecture Specific Image Manifest Digests
-      id: image_manifest_metadata
-      run: |
-        manifest_list_exists="$(
-          if regctl manifest get "${IMAGE}" --format raw-body --require-list -v panic &> /dev/null; then
-            echo true
-          else
-            echo false
-          fi
-        )"
-        echo "manifest_list_exists=$manifest_list_exists"
-        echo "manifest_list_exists=$manifest_list_exists" >> $GITHUB_OUTPUT
+      - name: Parse Architecture Specific Image Manifest Digests
+        id: image_manifest_metadata
+        run: |
+          manifest_list_exists="$(
+            if regctl manifest get "${IMAGE}" --format raw-body --require-list -v panic &> /dev/null; then
+              echo true
+            else
+              echo false
+            fi
+          )"
+          echo "manifest_list_exists=$manifest_list_exists"
+          echo "manifest_list_exists=$manifest_list_exists" >> $GITHUB_OUTPUT
 
-        amd64_sha="$(regctl image digest "${IMAGE}" --platform linux/amd64 || echo '')"
-        arm64_sha="$(regctl image digest "${IMAGE}" --platform linux/arm64 || echo '')"
-        echo "amd64_sha=$amd64_sha"
-        echo "amd64_sha=$amd64_sha" >> $GITHUB_OUTPUT
-        echo "arm64_sha=$arm64_sha"
-        echo "arm64_sha=$arm64_sha" >> $GITHUB_OUTPUT
+          amd64_sha="$(regctl image digest "${IMAGE}" --platform linux/amd64 || echo '')"
+          arm64_sha="$(regctl image digest "${IMAGE}" --platform linux/arm64 || echo '')"
+          echo "amd64_sha=$amd64_sha"
+          echo "amd64_sha=$amd64_sha" >> $GITHUB_OUTPUT
+          echo "arm64_sha=$arm64_sha"
+          echo "arm64_sha=$arm64_sha" >> $GITHUB_OUTPUT
 
-    - name: Scan AMD64 Image digest
-      id: sbom_action_amd64
-      if: steps.image_manifest_metadata.outputs.amd64_sha != ''
-      uses: ./security-actions/scan-docker-image
-      with:
-        asset_prefix: kong-gateway-dev-linux-amd64
-        image: ${{env.IMAGE}}@${{ steps.image_manifest_metadata.outputs.amd64_sha }}
-        skip_cis_scan: false
-        trivy_db_cache: Kong/trivy-db-mirror@master
-        trivy_db_cache_token: ${{ secrets.SECURITY_BOT_PSA_PAT }}
-        by_cve: true
+      - name: Scan AMD64 Image digest
+        id: sbom_action_amd64
+        if: steps.image_manifest_metadata.outputs.amd64_sha != ''
+        uses: ./security-actions/scan-docker-image
+        with:
+          asset_prefix: kong-gateway-dev-linux-amd64
+          image: ${{env.IMAGE}}@${{ steps.image_manifest_metadata.outputs.amd64_sha }}
+          skip_cis_scan: false
+          trivy_db_cache: Kong/trivy-db-mirror@master
+          trivy_db_cache_token: ${{ secrets.SECURITY_BOT_PSA_PAT }}
+          grype_db_cache: Kong/grype-db-mirror@main
+          grype_db_cache_token: ${{ secrets.SECURITY_BOT_PSA_PAT }}
+          by_cve: true
 
-    - name: Scan ARM64 Image digest
-      if: steps.image_manifest_metadata.outputs.manifest_list_exists == 'true' && steps.image_manifest_metadata.outputs.arm64_sha != ''
-      id: sbom_action_arm64
-      uses: ./security-actions/scan-docker-image
-      with:
-        asset_prefix: test.kong-gateway-dev-linux-arm64
-        image: ${{env.IMAGE}}@${{ steps.image_manifest_metadata.outputs.arm64_sha }}
-        upload-sbom-release-assets: true
-        skip_cis_scan: false
+        # Should use git cache for grype DB due to AMD64 scan being run first
+      - name: Scan ARM64 Image digest
+        if: steps.image_manifest_metadata.outputs.manifest_list_exists == 'true' && steps.image_manifest_metadata.outputs.arm64_sha != ''
+        id: sbom_action_arm64
+        uses: ./security-actions/scan-docker-image
+        with:
+          asset_prefix: test.kong-gateway-dev-linux-arm64
+          image: ${{env.IMAGE}}@${{ steps.image_manifest_metadata.outputs.arm64_sha }}
+          upload-sbom-release-assets: true
+          skip_cis_scan: false
 
   test-download-sbom:
     if: ${{ github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository }}

security-actions/sca/README.md

@@ -49,16 +49,16 @@
 #### Global parameters
 
 ```yaml
-  global_severity_cutoff:
-    description: 'grype/trivy vulnerability severity cutoff'
-    options:
-    - 'negligible'
-    - 'low'
-    - 'medium'
-    - 'high'
-    - 'critical'
-  global_enforce_build_failure:
-    description: 'This will enforce the build failure regardless of `fail_build` external input parameter value for a specified `severity_cutoff`'
+global_severity_cutoff:
+  description: "grype/trivy vulnerability severity cutoff"
+  options:
+    - "negligible"
+    - "low"
+    - "medium"
+    - "high"
+    - "critical"
+global_enforce_build_failure:
+  description: "This will enforce the build failure regardless of `fail_build` external input parameter value for a specified `severity_cutoff`"
 ```
 
 ### Required Workflow Permissions
@@ -73,48 +73,54 @@ permissions:
 - Inputs **image / dir / file** are mutually exclusive. Any one input is mandatory
 
 ```yaml
-  asset_prefix:
-    description: 'prefix for generated scan artifacts'
-    required: false
-    default: ''
-  dir: 
-    description: 'Specify a directory to be scanned. This is mutually exclusive to file and image'
-    required: 'false'
-    default: ''
-  file:
-    description: 'Specify a file to be scanned. This is mutually exclusive to dir and image'
-    required: 'false'
-    default: ''
-  config:
-    description: 'file path to syft custom configuration'
-    required: false
-  fail_build:
-    description: 'fail the build if the vulnerability is above the severity cutoff'
-    required: 'false'
-    default: 'false'
-    type: choice
-    options:
-    - 'true'
-    - 'false'
-  github-token:
-    description: "Authorized secret GitHub Personal Access Token. Defaults to github.token"
-    required: false
-    default: ${{ github.token }}
-  upload-sbom-release-assets:
-    description: 'specify to only upload sboms to GH release assets.'
-    required: false
-    default: false
-    type: choice
-    options:
-    - 'true'
-    - 'false'
+asset_prefix:
+  description: "prefix for generated scan artifacts"
+  required: false
+  default: ""
+dir:
+  description: "Specify a directory to be scanned. This is mutually exclusive to file and image"
+  required: "false"
+  default: ""
+file:
+  description: "Specify a file to be scanned. This is mutually exclusive to dir and image"
+  required: "false"
+  default: ""
+config:
+  description: "file path to syft custom configuration"
+  required: false
+fail_build:
+  description: "fail the build if the vulnerability is above the severity cutoff"
+  required: "false"
+  default: "false"
+  type: choice
+  options:
+    - "true"
+    - "false"
+github-token:
+  description: "Authorized secret GitHub Personal Access Token. Defaults to github.token"
+  required: false
+  default: ${{ github.token }}
+upload-sbom-release-assets:
+  description: "specify to only upload sboms to GH release assets."
+  required: false
+  default: false
+  type: choice
+  options:
+    - "true"
+    - "false"
+grype_db_cache:
+  description: "GitHub repository containing Grype DB cache (format: owner/repo@ref). Database should be named `db_v*.tar.zst` on the default branch."
+  required: false
+grype_db_cache_token:
+  description: "Token for accessing `grype_db_cache`."
+  required: false
 ```
 
 #### Output specification
 
-- Generates sbom reports in **spdx.json** and **cyclonedx.xml** formats using *syft* on the inputs **image / dir / file**
+- Generates sbom reports in **spdx.json** and **cyclonedx.xml** formats using _syft_ on the inputs **image / dir / file**
 
-- Generates cve vulnerability analysis report based on the spdx sbom file using *grype*
+- Generates cve vulnerability analysis report based on the spdx sbom file using _grype_
 
 - Uploads all the generated security assets as workflow artifacts and retained based on repo / org settings
 
@@ -123,14 +129,14 @@ permissions:
 #### Output parameters
 
 ```yaml
-    grype-sarif-report:
-      description: 'vulnerability SARIF report'
-    grype-json-report:
-      description: 'vulnerability JSON report'  
-    sbom-spdx-report:
-      description: 'SBOM spdx report'
-    sbom-cyclonedx-report:
-      description: 'SBOM cyclonedx report'
+grype-sarif-report:
+  description: "vulnerability SARIF report"
+grype-json-report:
+  description: "vulnerability JSON report"
+sbom-spdx-report:
+  description: "SBOM spdx report"
+sbom-cyclonedx-report:
+  description: "SBOM cyclonedx report"
 ```
 
 ### Migration Strategy
@@ -153,7 +159,7 @@ We expect application teams to use the advanced configuration of ignore rules wi
 
 To bypass blocking builds during emergency releases/scenarios where CVE fix needs a lot of refactoring during a hotfix:
 
-#### Syft 
+#### Syft
 
 1. Generate a Syft [Override](https://github.com/anchore/syft?tab=readme-ov-file#configuration) configuration file
 2. [Select catalogers](https://github.com/anchore/syft?tab=readme-ov-file#package-cataloger-selection)
@@ -176,12 +182,12 @@ name: SCA Repository Scan
 on:
   pull_request:
     branches:
-    - main
+      - main
   push:
     branches:
-    - main
+      - main
     tags:
-    - '*'
+      - "*"
 
 jobs:
   sca:
@@ -193,13 +199,13 @@ jobs:
       pull-requests: write
     name: Repository Scan
     steps:
-        - uses: actions/checkout@v4
-        - name: Scan Repository
-          id: sca_repo
-          uses: Kong/public-shared-actions/security-actions/sca@main
-          with:
-            asset_prefix: <repo-name-slug> #output files prefix
-            dir: '.' # Path to directory where the repository is checked out
-            config: .syft.yaml # Custom config for overrides in repository root
-            fail_build: 'true' # Fail job if critical vulnerabilities are detected
-```
+      - uses: actions/checkout@v4
+      - name: Scan Repository
+        id: sca_repo
+        uses: Kong/public-shared-actions/security-actions/sca@main
+        with:
+          asset_prefix: <repo-name-slug> #output files prefix
+          dir: "." # Path to directory where the repository is checked out
+          config: .syft.yaml # Custom config for overrides in repository root
+          fail_build: "true" # Fail job if critical vulnerabilities are detected
+```