
Commit 19c046f

committed
feat: create separate branches per architecture in SecObserve
1 parent 99b93ef commit 19c046f


2 files changed

+35
-16
lines changed

2 files changed

+35
-16
lines changed

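--- a/.github/workflows/scan_single_image.yml
+++ b/.github/workflows/scan_single_image.yml
@@ -6,10 +6,10 @@ on:
 description: 'Product name in SecObserve (example: hbase)'
 required: true
 product_version:
-description: 'Product version in SecObserve (example: 2.4.17-stackable24.3.0)'
+description: 'Product version in SecObserve (example: 2.4.17-stackable24.7.0-amd64)'
 required: true
 image:
-description: 'Location of the image (example: oci.stackable.tech/sdp/hbase:2.4.17-stackable24.3.0)'
+description: 'Location of the image (example: oci.stackable.tech/sdp/hbase:2.4.17-stackable24.7.0-amd64)'
 required: true
 
 jobs: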

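--- a/stack_scanner/main.py
+++ b/stack_scanner/main.py
@@ -19,7 +19,7 @@
 "kcat",
 "kafka-testing-tools",
 "java-devel",
-"statsd_exporter"
+"statsd_exporter",
 ]
 
 REGISTRY_URL = "docker.stackable.tech"
@@ -47,8 +47,8 @@ def main():
 secobserve_api_token = sys.argv[2]
 image = sys.argv[3]
 product_name = sys.argv[4]
-product_version = sys.argv[5]
-scan_image(secobserve_api_token, image, product_name, product_version)
+product_version, arch = sys.argv[5].split("-")
+scan_image(secobserve_api_token, image, product_name, product_version, arch)
 sys.exit(0)
 else:
 secobserve_api_token = sys.argv[2]
@@ -57,7 +57,11 @@ def main():
 if release == "0.0.0-dev":
 checkout = "main"
 
-os.system("bash -c 'cd docker-images && git fetch --all && git checkout " + checkout + " && git pull && cd ..'")
+os.system(
+"bash -c 'cd docker-images && git fetch --all && git checkout "
++ checkout
++ " && git pull && cd ..'"
+)
 
 operators = [
 "airflow",
@@ -81,7 +85,13 @@ def main():
 for arch in ["amd64", "arm64"]:
 for operator_name in operators:
 product_name = f"{operator_name}-operator"
-scan_image(secobserve_api_token, f"{REGISTRY_URL}/stackable/{product_name}:{release}-{arch}", product_name, release)
+scan_image(
+secobserve_api_token,
+f"{REGISTRY_URL}/stackable/{product_name}:{release}-{arch}",
+product_name,
+release,
+arch,
+)
 
 # Load product versions from that file using the image-tools functionality
 sys.path.append("docker-images")
@@ -100,10 +110,17 @@ def main():
 f"{REGISTRY_URL}/stackable/{product_name}:{product_version}-{arch}",
 product_name,
 product_version,
+arch,
 )
 
 
-def scan_image(secobserve_api_token: str, image: str, product_name: str, product_version: str) -> None:
+def scan_image(
+secobserve_api_token: str,
+image: str,
+product_name: str,
+product_version: str,
+architecture: str,
+) -> None:
 mode = "sbom"
 extract_sbom_cmd = [
 "cosign",
@@ -115,19 +132,21 @@ def scan_image(secobserve_api_token: str, image: str, product_name: str, product
 "--certificate-oidc-issuer",
 "https://token.actions.githubusercontent.com",
 image.replace("docker.stackable.tech/stackable/", "oci.stackable.tech/sdp/"),
-];
+]
 print(" ".join(extract_sbom_cmd))
 
-result = subprocess.run(extract_sbom_cmd, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
+result = subprocess.run(
+extract_sbom_cmd, stdout=subprocess.PIPE, stderr=subprocess.PIPE
+)
 if result.returncode == 0:
-cosign_output = json.loads(result.stdout.decode('utf-8'))
-payload = base64.b64decode(cosign_output["payload"]).decode('utf-8')
+cosign_output = json.loads(result.stdout.decode("utf-8"))
+payload = base64.b64decode(cosign_output["payload"]).decode("utf-8")
 sbom = json.loads(payload)["predicate"]
 with open("/tmp/stackable/bom.json", "w") as f:
 json.dump(sbom, f)
 else:
 print("No SBOM found, falling back to image mode")
-mode = "image" # fallback to image mode if no SBOM is available
+mode = "image" # fallback to image mode if no SBOM is available
 
 # Run Trivy
 env = {}
@@ -136,7 +155,7 @@ def scan_image(secobserve_api_token: str, image: str, product_name: str, product
 env["SO_PRODUCT_NAME"] = product_name
 env["SO_API_BASE_URL"] = "https://secobserve-backend.stackable.tech"
 env["SO_API_TOKEN"] = secobserve_api_token
-env["SO_BRANCH_NAME"] = product_version
+env["SO_BRANCH_NAME"] = product_version + "-" + architecture
 env["TMPDIR"] = "/tmp/trivy_tmp"
 env["TRIVY_CACHE_DIR"] = "/tmp/trivy_cache"
 env["REPORT_NAME"] = "trivy.json"
@@ -145,7 +164,7 @@ def scan_image(secobserve_api_token: str, image: str, product_name: str, product
 "docker",
 "run",
 "--entrypoint",
-"/entrypoints/entrypoint_trivy_"+mode+".sh",
+"/entrypoints/entrypoint_trivy_" + mode + ".sh",
 "-v",
 "/tmp/stackable:/tmp",
 "-v",
@@ -170,7 +189,7 @@ def scan_image(secobserve_api_token: str, image: str, product_name: str, product
 "docker",
 "run",
 "--entrypoint",
-"/entrypoints/entrypoint_grype_"+mode+".sh",
+"/entrypoints/entrypoint_grype_" + mode + ".sh",
 "-v",
 "/tmp/stackable:/tmp",
 "-v",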
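Review bot: `product_version, arch = sys.argv[5].split("-")` (new line 50 of main(), second hunk) raises ValueError for the very version format this commit documents in scan_single_image.yml, `2.4.17-stackable24.7.0-amd64`, because the string holds two hyphens and the split yields three parts for a two-name unpack. Splitting once from the right isolates the trailing architecture while leaving the version intact: `product_version, arch = sys.argv[5].rsplit("-", 1)`. Since the value becomes the SecObserve branch name via `SO_BRANCH_NAME` in scan_image(), it would also be worth rejecting anything outside the `["amd64", "arm64"]` set already used in the loop at new line 85, e.g. `if arch not in ("amd64", "arm64"): sys.exit(f"unknown architecture: {arch}")`, so a typo in the workflow input fails fast instead of creating a stray branch. main() starts and ends outside the hunk.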
