quay / clair-action

Clair in the CI: GitHub Actions, Tekton pipelines, etc.

Dockerfile 0.93% Go 91.47% Shell 1.95% Smarty 5.37% Makefile 0.28%
actions ci clair tekton

clair-action's Introduction

Project Quay

⚠️ The master branch may be in an unstable or even broken state during development. Please use releases instead of the master branch in order to get stable software.

Project Quay builds, stores, and distributes your container images.

High-level features include:

Getting Started

  • Explore a live instance of Project Quay hosted at Quay.io
  • Watch talks given about Project Quay
  • Review the documentation for Red Hat Quay
  • Get up and running with our getting started guide for developing or deploying Quay
  • Deploy on Kubernetes using the Quay Operator

Community

License

Project Quay is under the Apache 2.0 license. See the LICENSE file for details.

clair-action's Issues

Implement better way to release new version

Currently the CI to cut a new Release takes a tag and checks that the Dockerfile has been updated with the new tag. If it hasn't, the release process fails. This is a weird chicken and egg situation where you need to prepare the code for a tag before it exists, but doing it after doesn't work either.

This probably merits a prepare-release workflow that creates the PR iterating the image version in the Dockerfile that needs merging before cutting a tag. It doesn't totally solve the situation but at least gives the operator a better defined procedure.

Default db url is not accessible

curl https://clair-sqlite-db.s3.amazonaws.com/matcher.zst
<?xml version="1.0" encoding="UTF-8"?>
<Error><Code>AccessDenied</Code><Message>Access Denied</Message></Error>%  
 ./clair-action report --db-url https://clair-sqlite-db.s3.amazonaws.com/matcher.zst --image-ref ubuntu:latest 
2024/02/01 16:55:54 could not download database: received status code 403 trying to download DB

403 Downloading Database in GitHub Actions

I am trying to integrate Clair into my GitHub Actions pipelines for scanning an ostree-based OCI image but am facing a 403 error when downloading the database through your action.

I found another issue which does mention the database and that the docs need changing, but was unsure how to translate that into GitHub Actions.

Full debug log:

https://github.com/rsturla/eternal-main/actions/runs/7489587733/job/20387049438#step:7:271

Run quay/clair-action@main
  with:
    image-path: 94c449b88d145fcbaa9fd57c168c70158e516f24
    format: clair
    output: clair-results.md
    return-code: 1
    db-file-url: https://clair-sqlite-db.s3.amazonaws.com/matcher.zst
    mode: report
  env:
    IMAGE_REGISTRY: ghcr.io/rsturla
    IMAGE_NAME: eternal-linux/main/base
##[debug]Evaluating: format('-r {0}', inputs.image-ref)
##[debug]Evaluating format:
##[debug]..Evaluating String:
##[debug]..=> '-r {0}'
##[debug]..Evaluating Index:
##[debug]....Evaluating inputs:
##[debug]....=> Object
##[debug]....Evaluating String:
##[debug]....=> 'image-ref'
##[debug]..=> ''
##[debug]=> '-r '
##[debug]Result: '-r '
##[debug]Evaluating: format('-p {0}', inputs.image-path)
##[debug]Evaluating format:
##[debug]..Evaluating String:
##[debug]..=> '-p {0}'
##[debug]..Evaluating Index:
##[debug]....Evaluating inputs:
##[debug]....=> Object
##[debug]....Evaluating String:
##[debug]....=> 'image-path'
##[debug]..=> '94c449b88d145fcbaa9fd57c168c70158e516f24'
##[debug]=> '-p 94c449b88d145fcbaa9fd57c168c70158e516f24'
##[debug]Result: '-p 94c449b88d145fcbaa9fd57c168c70158e516f24'
##[debug]Evaluating: format('-f {0}', inputs.format)
##[debug]Evaluating format:
##[debug]..Evaluating String:
##[debug]..=> '-f {0}'
##[debug]..Evaluating Index:
##[debug]....Evaluating inputs:
##[debug]....=> Object
##[debug]....Evaluating String:
##[debug]....=> 'format'
##[debug]..=> 'clair'
##[debug]=> '-f clair'
##[debug]Result: '-f clair'
##[debug]Evaluating: format('-o {0}', inputs.output)
##[debug]Evaluating format:
##[debug]..Evaluating String:
##[debug]..=> '-o {0}'
##[debug]..Evaluating Index:
##[debug]....Evaluating inputs:
##[debug]....=> Object
##[debug]....Evaluating String:
##[debug]....=> 'output'
##[debug]..=> 'clair-results.md'
##[debug]=> '-o clair-results.md'
##[debug]Result: '-o clair-results.md'
##[debug]Evaluating: format('-c {0}', inputs.return-code)
##[debug]Evaluating format:
##[debug]..Evaluating String:
##[debug]..=> '-c {0}'
##[debug]..Evaluating Index:
##[debug]....Evaluating inputs:
##[debug]....=> Object
##[debug]....Evaluating String:
##[debug]....=> 'return-code'
##[debug]..=> '1'
##[debug]=> '-c 1'
##[debug]Result: '-c 1'
##[debug]Evaluating: format('-d {0}', inputs.db-file-url)
##[debug]Evaluating format:
##[debug]..Evaluating String:
##[debug]..=> '-d {0}'
##[debug]..Evaluating Index:
##[debug]....Evaluating inputs:
##[debug]....=> Object
##[debug]....Evaluating String:
##[debug]....=> 'db-file-url'
##[debug]..=> 'https://clair-sqlite-db.s3.amazonaws.com/matcher.zst'
##[debug]=> '-d https://clair-sqlite-db.s3.amazonaws.com/matcher.zst'
##[debug]Result: '-d https://clair-sqlite-db.s3.amazonaws.com/matcher.zst'
##[debug]Evaluating: format('-u {0}', inputs.docker-config-dir)
##[debug]Evaluating format:
##[debug]..Evaluating String:
##[debug]..=> '-u {0}'
##[debug]..Evaluating Index:
##[debug]....Evaluating inputs:
##[debug]....=> Object
##[debug]....Evaluating String:
##[debug]....=> 'docker-config-dir'
##[debug]..=> ''
##[debug]=> '-u '
##[debug]Result: '-u '
##[debug]Evaluating: format('-w {0}', inputs.mode)
##[debug]Evaluating format:
##[debug]..Evaluating String:
##[debug]..=> '-w {0}'
##[debug]..Evaluating Index:
##[debug]....Evaluating inputs:
##[debug]....=> Object
##[debug]....Evaluating String:
##[debug]....=> 'mode'
##[debug]..=> 'report'
##[debug]=> '-w report'
##[debug]Result: '-w report'
##[debug]Evaluating: format('-b {0}', inputs.db-file)
##[debug]Evaluating format:
##[debug]..Evaluating String:
##[debug]..=> '-b {0}'
##[debug]..Evaluating Index:
##[debug]....Evaluating inputs:
##[debug]....=> Object
##[debug]....Evaluating String:
##[debug]....=> 'db-file'
##[debug]..=> ''
##[debug]=> '-b '
##[debug]Result: '-b '
/usr/bin/docker run --name d3cc7ba0b6c0060aa424fa378912f1da99fb7_bedfc8 --label 9d3cc7 --workdir /github/workspace --rm -e "IMAGE_REGISTRY" -e "IMAGE_NAME" -e "INPUT_IMAGE-PATH" -e "INPUT_FORMAT" -e "INPUT_OUTPUT" -e "INPUT_RETURN-CODE" -e "INPUT_IMAGE-REF" -e "INPUT_DB-FILE-URL" -e "INPUT_DOCKER-CONFIG-DIR" -e "INPUT_MODE" -e "INPUT_DB-FILE" -e "HOME" -e "GITHUB_JOB" -e "GITHUB_REF" -e "GITHUB_SHA" -e "GITHUB_REPOSITORY" -e "GITHUB_REPOSITORY_OWNER" -e "GITHUB_REPOSITORY_OWNER_ID" -e "GITHUB_RUN_ID" -e "GITHUB_RUN_NUMBER" -e "GITHUB_RETENTION_DAYS" -e "GITHUB_RUN_ATTEMPT" -e "GITHUB_REPOSITORY_ID" -e "GITHUB_ACTOR_ID" -e "GITHUB_ACTOR" -e "GITHUB_TRIGGERING_ACTOR" -e "GITHUB_WORKFLOW" -e "GITHUB_HEAD_REF" -e "GITHUB_BASE_REF" -e "GITHUB_EVENT_NAME" -e "GITHUB_SERVER_URL" -e "GITHUB_API_URL" -e "GITHUB_GRAPHQL_URL" -e "GITHUB_REF_NAME" -e "GITHUB_REF_PROTECTED" -e "GITHUB_REF_TYPE" -e "GITHUB_WORKFLOW_REF" -e "GITHUB_WORKFLOW_SHA" -e "GITHUB_WORKSPACE" -e "GITHUB_ACTION" -e "GITHUB_EVENT_PATH" -e "
2024/01/11 14:02:04 could not download database: received status code 403 trying to download DB
##[debug]Docker Action run completed with exit code 1
##[debug]Finished: run

I am hoping to introduce this action into the UBlue repositories to increase our visibility into the security of these images.

CI: Auto push image on tag

Right now the tagged images are created from the Release action but the tag isn't pinned to the code. Pushing a tag to this repo should trigger the Release workflow.
