aws-actions / vulnerability-scan-github-action-for-amazon-inspector

Scan artifacts with Amazon Inspector from GitHub Actions workflows.
https://docs.aws.amazon.com/inspector/
MIT License
27 stars 6 forks

Not supporting multi arch build images #101

Closed tnh closed 3 hours ago

tnh commented 1 month ago

Description

It doesn't appear that you support multi-arch builds within ECR.

Expected Behavior

You should

Actual Behaviour

ECR is returning unauthorised.

Steps to Reproduce

This github action pipeline:

name: Build, Push to ECR, and Deploy to ECS

on:
  workflow_call:
    inputs:
      domain-name:
        required: true
        type: string
permissions:
  id-token: write   # This is required for requesting the JWT
  contents: read    # This is required for actions/checkout

env:
  AWS_REGION: ap-southeast-2  # Change this to your AWS region
  ECR_REPOSITORY: my-ecr-repo  # Change this to your ECR repository name
  ECS_CLUSTER: ecs-cluster  # Change this to your ECS cluster name
  ECS_SERVICE: ecs-service  # Change this to your ECS service name
  CONTAINER_NAME: ecs
  CRITICAL_THRESHOLD: 6
  HIGH_THRESHOLD: 8
  MEDIUM_THRESHOLD: 9
  LOW_THRESHOLD: 10
  OTHER_THRESHOLD: 20

jobs:
  deploy:
    runs-on: ubuntu-latest
    timeout-minutes: 60
    steps:
      # checkout the repository containing our Dockerfile
      - name: Checkout this repository
        uses: actions/checkout@v4

      # Setup prerequisites for docker/build-push-action
      - name: Set up docker build prereqs (QEMU)
        uses: docker/setup-qemu-action@v3

      - name: Set up docker build prereqs (Buildx)
        uses: docker/setup-buildx-action@v3

      - name: Cache Docker layers
        uses: actions/cache@v4
        with:
          path: /tmp/.buildx-cache
          key: ${{ runner.os }}-buildx-${{ github.sha }}
          restore-keys: |
            ${{ runner.os }}-buildx

      - name: Configure AWS credentials
        uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: ${{ secrets.OICD_ROLE }}
          role-session-name: gh-${{ github.repository_id}}-${{ github.sha }}
          aws-region: ${{ env.AWS_REGION }}

      - name: Rolechain into deployment role
        uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: ${{ secrets.DEPLOY_ROLE }}
          role-session-name: gh-d-${{ github.repository_id}}-${{ github.sha }}
          aws-region: ${{ env.AWS_REGION }}
          role-chaining: true

      - name: Login to Amazon ECR
        id: login-ecr
        uses: aws-actions/amazon-ecr-login@v1

      # build the image you wish to scan
      - name: Build Docker image
        uses: docker/build-push-action@v6
        with:
          context: .
          file: ./Dockerfile
          push: true
          build-args: |
            GIT_SHA=${{ github.sha }}
          tags: |
            ${{ steps.login-ecr.outputs.registry }}/${{ env.ECR_REPOSITORY }}:latest
            ${{ steps.login-ecr.outputs.registry }}/${{ env.ECR_REPOSITORY }}:${{ github.sha }}
          platforms: linux/amd64,linux/arm64
          cache-from: type=local,src=/tmp/.buildx-cache
          cache-to: type=local,dest=/tmp/.buildx-cache

      - name: Scan built image with Inspector
        uses: aws-actions/vulnerability-scan-github-action-for-amazon-inspector@v1
        id: inspector
        with:
          artifact_type: 'container'
          artifact_path: '${{ steps.login-ecr.outputs.registry }}/${{ env.ECR_REPOSITORY }}:${{ github.sha }}'
          critical_threshold: ${{ env.CRITICAL_THRESHOLD }}
          high_threshold: ${{ env.HIGH_THRESHOLD }}
          medium_threshold: ${{ env.MEDIUM_THRESHOLD }}
          low_threshold: ${{ env.LOW_THRESHOLD }}
          other_threshold: ${{ env.OTHER_THRESHOLD }}

The build output is:

Run aws-actions/vulnerability-scan-github-action-for-amazon-inspector@v1
/usr/bin/docker run --name ba3aa5675718851b04fbc868d1b775616f669_1ebd3d --label 1ba3aa --workdir /github/workspace --rm -e "AWS_REGION" -e "ECR_REPOSITORY" -e "ECS_CLUSTER" -e "ECS_SERVICE" -e "CONTAINER_NAME" -e "CRITICAL_THRESHOLD" -e "HIGH_THRESHOLD" -e "MEDIUM_THRESHOLD" -e "LOW_THRESHOLD" -e "OTHER_THRESHOLD" -e "AWS_DEFAULT_REGION" -e "AWS_ACCESS_KEY_ID" -e "AWS_SECRET_ACCESS_KEY" -e "AWS_SESSION_TOKEN" -e "INPUT_ARTIFACT_TYPE" -e "INPUT_ARTIFACT_PATH" -e "INPUT_CRITICAL_THRESHOLD" -e "INPUT_HIGH_THRESHOLD" -e "INPUT_MEDIUM_THRESHOLD" -e "INPUT_LOW_THRESHOLD" -e "INPUT_OTHER_THRESHOLD" -e "INPUT_DISPLAY_VULNERABILITY_FINDINGS" -e "INPUT_OUTPUT_SBOM_PATH" -e "INPUT_OUTPUT_INSPECTOR_SCAN_PATH" -e "INPUT_OUTPUT_INSPECTOR_SCAN_PATH_CSV" -e "INPUT_OUTPUT_INSPECTOR_SCAN_PATH_MARKDOWN" -e "INPUT_OUTPUT_INSPECTOR_DOCKERFILE_SCAN_PATH_CSV" -e "INPUT_OUTPUT_INSPECTOR_DOCKERFILE_SCAN_PATH_MARKDOWN" -e "INPUT_SBOMGEN_VERSION" -e "INPUT_SCANNERS" -e "INPUT_SKIP_SCANNERS" -e "INPUT_SKIP_FILES" -e "INPUT_TIMEOUT" -e "HOME" -e "GITHUB_JOB" -e "GITHUB_REF" -e "GITHUB_SHA" -e "GITHUB_REPOSITORY" -e "GITHUB_REPOSITORY_OWNER" -e "GITHUB_REPOSITORY_OWNER_ID" -e "GITHUB_RUN_ID" -e "GITHUB_RUN_NUMBER" -e "GITHUB_RETENTION_DAYS" -e "GITHUB_RUN_ATTEMPT" -e "GITHUB_REPOSITORY_ID" -e "GITHUB_ACTOR_ID" -e "GITHUB_ACTOR" -e "GITHUB_TRIGGERING_ACTOR" -e "GITHUB_WORKFLOW" -e "GITHUB_HEAD_REF" -e "GITHUB_BASE_REF" -e "GITHUB_EVENT_NAME" -e "GITHUB_SERVER_URL" -e "GITHUB_API_URL" -e "GITHUB_GRAPHQL_URL" -e "GITHUB_REF_NAME" -e "GITHUB_REF_PROTECTED" -e "GITHUB_REF_TYPE" -e "GITHUB_WORKFLOW_REF" -e "GITHUB_WORKFLOW_SHA" -e "GITHUB_WORKSPACE" -e "GITHUB_ACTION" -e "GITHUB_EVENT_PATH" -e "GITHUB_ACTION_REPOSITORY" -e "GITHUB_ACTION_REF" -e "GITHUB_PATH" -e "GITHUB_ENV" -e "GITHUB_STEP_SUMMARY" -e "GITHUB_STATE" -e "GITHUB_OUTPUT" -e "RUNNER_OS" -e "RUNNER_ARCH" -e "RUNNER_NAME" -e "RUNNER_ENVIRONMENT" -e "RUNNER_TOOL_CACHE" -e "RUNNER_TEMP" -e "RUNNER_WORKSPACE" -e "ACTIONS_RUNTIME_URL" -e "ACTIONS_RUNTIME_TOKEN" -e "ACTIONS_CACHE_URL" -e "ACTIONS_ID_TOKEN_REQUEST_URL" -e "ACTIONS_ID_TOKEN_REQUEST_TOKEN" -e "ACTIONS_RESULTS_URL" -e GITHUB_ACTIONS=true -e CI=true -v "/var/run/docker.sock":"/var/run/docker.sock" -v "/home/runner/work/_temp/_github_home":"/github/home" -v "/home/runner/work/_temp/_github_workflow":"/github/workflow" -v "/home/runner/work/_temp/_runner_file_commands":"/github/file_commands" -v "/home/runner/work/example-ecs-fargate-pipeline/example-ecs-fargate-pipeline":"/github/workspace" 1ba3aa:5675718851b04fbc868d1b775616f669  "--artifact-type=container" "--artifact-path=xxx.dkr.ecr.ap-southeast-2.amazonaws.com/my-ecr-repo:e4ec5a89a346c47eb8f81af9a4109e0d7e436521" "--display-vuln-findings=disabled" "--out-sbom=./sbom_11199528445.json" "--out-scan=inspector_scan_11199528445.json" "--out-scan-csv=inspector_scan_11199528445.csv" "--out-scan-markdown=inspector_scan_11199528445.md" "--out-dockerfile-scan-csv=inspector_dockerfile_scan_11199528445.csv" "--out-dockerfile-scan-md=inspector_dockerfile_scan_11199528445.md" "--sbomgen-version=latest" "--thresholds" "--critical=6" "--high=8" "--medium=9" "--low=10" "--other=20" "--scanners=''" "--skip-scanners=''" "--skip-files=''" "--timeout=600"
time="2024-10-06 06:21:29" level=info msg="downloading and installing inspector-sbomgen version latest" file="orchestrator.py:14"
time="2024-10-06 06:21:30" level=info msg="generating SBOM from artifact" file="orchestrator.py:18"
time="2024-10-06 06:21:30" level=info msg="Amazon Inspector SBOM Generator v1.5.0 - linux amd64 - Copyright 2024 Amazon.com, Inc. or its affiliates. All Rights Reserved" file="cli.go:157:"
time="2024-10-06 06:21:30" level=info msg="[/usr/local/bin/inspector-sbomgen container --image xxx.dkr.ecr.ap-southeast-2.amazonaws.com/my-ecr-repo:e4ec5a89a346c47eb8f81af9a4109e0d7e436521 --outfile ./sbom_11199528445.json --disable-progress-bar --timeout 600]" file="cli.go:158:"
time="2024-10-06 06:21:30" level=info msg="writing log file to: /github/home/.inspector-sbomgen/logs/inspector-sbomgen-log_2024-10-06_06-21-30.txt" file="cli.go:159:"
time="2024-10-06 06:21:30" level=info msg="initializing target artifact" file="coreV1.go:77:"
time="2024-10-06 06:21:30" level=info msg="created temporary staging directory: /github/home/.inspector-sbomgen/artifact-cache1711990737" file="stagingdir.go:62:"
time="2024-10-06 06:21:30" level=info msg="checking if image is a tarball" file="imageInit.go:28:"
time="2024-10-06 06:21:30" level=info msg="checking if image exists in the local Docker daemon" file="imageInit.go:37:"
time="2024-10-06 06:21:30" level=info msg="checking if image can be downloaded from a remote registry" file="imageInit.go:46:"
time="2024-10-06 06:21:30" level=info msg="downloading remote container image: xxxx.dkr.ecr.ap-southeast-2.amazonaws.com/my-ecr-repo:e4ec5a89a346c47eb8f81af9a4109e0d7e436521" file="imageInit.go:191:"
time="2024-10-06 06:21:31" level=info msg="cleaning up any file system artifacts" file="artifactContainer.go:202:"
time="2024-10-06 06:21:31" level=info msg="deleting staging directory; please wait" file="stagingdir.go:113:"
time="2024-10-06 06:21:31" level=info msg="deleted staging directory: /github/home/.inspector-sbomgen/artifact-cache1711990737" file="stagingdir.go:122:"
2024/10/06 06:21:31 [ImageDownloadFailed]: failed to load image from tarball, local, or remote sources: GET https://xxx.dkr.ecr.ap-southeast-2.amazonaws.com/v2/my-ecr-repo/manifests/e4ec5a89a346c47eb8f81af9a4109e0d7e436521: unexpected status code 401 Unauthorized: Not Authorized
time="2024-10-06 06:21:31" level=error msg="unable to generate SBOM with inspector-sbomgen" file="orchestrator.py:442"

Other Information

I see the e4ec5a89a346c47eb8f81af9a4109e0d7e436521 tag in my ECR:

[Screenshot 2024-10-06 at 5:31:48 PM]

tnh commented 1 month ago

When just doing this build action:

      # build the image you wish to scan
      - name: Build Docker image
        uses: docker/build-push-action@v6
        with:
          context: .
          file: ./Dockerfile
          push: true
          build-args: |
            GIT_SHA=${{ github.sha }}
          tags: |
            ${{ steps.login-ecr.outputs.registry }}/${{ env.ECR_REPOSITORY }}:latest
            ${{ steps.login-ecr.outputs.registry }}/${{ env.ECR_REPOSITORY }}:${{ github.sha }}

          cache-from: type=local,src=/tmp/.buildx-cache
          cache-to: type=local,dest=/tmp/.buildx-cache

(e.g. without any platforms setting) the scan works. Given that I see the image in ECR, it seems to suggest that the problem is not understanding that it is a multi-arch image?

tnh commented 1 month ago

So I think the bug is somewhere within imageInit.go.

bluesentinelsec commented 1 month ago

Hello, thank you for submitting the issue. I understand you are having difficulty scanning a multi-arch image. Multi-arch images are unsupported by this action at this time.

I am presently researching this to determine the level of effort involved in supporting the feature. Additionally, I am exploring possible work-arounds for your consideration.

I will report back with additional guidance after I've validated work-arounds.

tnh commented 1 month ago

I'd imagine the only viable workaround would be to do this via some tagging standard. E.g. ${ECR}:${some identifier}-${architecture}

      # build the image you wish to scan
      - name: Build Docker image
        uses: docker/build-push-action@v6
        with:
          context: .
          file: ./Dockerfile
          push: true
          build-args: |
            GIT_SHA=${{ github.sha }}
          tags: |
            ${{ steps.login-ecr.outputs.registry }}/${{ env.ECR_REPOSITORY }}:${{ github.sha }}-amd64
          load: true
          platforms: linux/amd64
          cache-from: type=local,src=/tmp/.buildx-cache
          cache-to: type=local,dest=/tmp/.buildx-cache

          ...

bluesentinelsec commented 1 month ago

@tnh Hi there, I wanted to let you know that I was out most of last week with pneumonia - thank you for your continued patience. I'm resuming work on this feature again.

Now, I'm presently working on a PoC for supporting multi-arch images.

That said, I am interested in feedback for this use case if you have any to share. May I ask, how would you like to scan multi-arch images with this action or in general? Is it sufficient to add a new field that lets the user specify the image arch to scan? Something like this:

platform: "linux/amd64"

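As an added illustration (this is not code from the action, from inspector-sbomgen or from AWS; every name in it is assumed), the following Python shows what a platform input like the one proposed above has to do before anything can be pulled, and why the per-architecture tagging workaround suggested earlier in the thread sidesteps the problem. A tag that was pushed with `platforms: linux/amd64,linux/arm64` resolves to an image index, not to an image manifest, so a scanner has to pick the descriptor for the requested os/arch (skipping the attestation manifests buildx attaches, which carry os/architecture "unknown") and then pull that manifest by digest. A single-platform tag resolves directly to an image manifest and needs no selection at all. The sample index and manifest are constructed inline.

```python
import json
from dataclasses import dataclass
from typing import Optional

# Media types of a multi-platform index vs. a single-platform image manifest
INDEX_MEDIA_TYPES = {"application/vnd.oci.image.index.v1+json",
                     "application/vnd.docker.distribution.manifest.list.v2+json"}
IMAGE_MEDIA_TYPES = {"application/vnd.oci.image.manifest.v1+json",
                     "application/vnd.docker.distribution.manifest.v2+json"}
# buildx adds provenance/SBOM attestations to an index as extra manifests carrying
# this annotation with os/architecture "unknown"; they contain no image layers
ATTESTATION_ANNOTATION = "vnd.docker.reference.type"


class MultiArchImageError(ValueError):
    """The tag points at an index, so a platform must be chosen before pulling."""


class PlatformNotFoundError(LookupError):
    """The index has no image manifest for the requested platform."""


@dataclass(frozen=True)
class Platform:
    os: str
    architecture: str
    variant: Optional[str] = None

    @classmethod
    def parse(cls, spec: str) -> "Platform":
        # "linux/arm64/v8" -> Platform("linux", "arm64", "v8")
        parts = spec.split("/")
        if len(parts) not in (2, 3) or not all(parts):
            raise ValueError(f"platform must be os/arch or os/arch/variant, got {spec!r}")
        return cls(parts[0], parts[1], parts[2] if len(parts) == 3 else None)

    def matches(self, p: dict) -> bool:
        # The variant is only constrained when the caller asked for one
        return (p.get("os") == self.os and p.get("architecture") == self.architecture
                and (self.variant is None or p.get("variant") == self.variant))


def select_platform_digest(manifest_json: str, platform_spec: Optional[str]) -> Optional[str]:
    """Digest of the single-platform manifest to pull from an index, or None when
    the document is already a single image manifest (the tag is pulled as-is)."""
    doc = json.loads(manifest_json)
    media_type = doc.get("mediaType", "")
    if media_type in IMAGE_MEDIA_TYPES:
        return None
    if media_type not in INDEX_MEDIA_TYPES:
        raise ValueError(f"unrecognised manifest mediaType {media_type!r}")
    if platform_spec is None:
        raise MultiArchImageError("tag resolves to a multi-arch index; choose a platform")
    wanted = Platform.parse(platform_spec)
    images = [m for m in doc.get("manifests", [])
              if ATTESTATION_ANNOTATION not in m.get("annotations", {})]
    for entry in images:
        if wanted.matches(entry.get("platform", {})):
            return entry["digest"]
    available = sorted(f"{m['platform']['os']}/{m['platform']['architecture']}" for m in images)
    raise PlatformNotFoundError(f"{platform_spec} not in index; available: {available}")


def pinned_reference(tag_reference: str, manifest_json: str, platform_spec: Optional[str]) -> str:
    """Reference a scanner should pull: the tag itself for a single-arch image, or
    repo@digest for the chosen platform of a multi-arch index."""
    digest = select_platform_digest(manifest_json, platform_spec)
    if digest is None:
        return tag_reference
    registry_path, _, last = tag_reference.rpartition("/")  # a registry port sits before "/"
    repo_name = last.split(":", 1)[0]  # drop the tag
    return f"{registry_path}/{repo_name}@{digest}" if registry_path else f"{repo_name}@{digest}"


# Constructed sample data (not taken from any real registry): a two-platform index
# as buildx pushes it, one attestation manifest included, plus a single-arch manifest.
SAMPLE_TAG = "123456789012.dkr.ecr.ap-southeast-2.amazonaws.com/my-ecr-repo:abc123"
AMD64_DIGEST, ARM64_DIGEST = "sha256:" + "11" * 32, "sha256:" + "22" * 32
IMAGE_MT = "application/vnd.oci.image.manifest.v1+json"
SAMPLE_INDEX = json.dumps({
    "schemaVersion": 2, "mediaType": "application/vnd.oci.image.index.v1+json",
    "manifests": [
        {"mediaType": IMAGE_MT, "digest": AMD64_DIGEST,
         "platform": {"os": "linux", "architecture": "amd64"}},
        {"mediaType": IMAGE_MT, "digest": ARM64_DIGEST,
         "platform": {"os": "linux", "architecture": "arm64", "variant": "v8"}},
        {"mediaType": IMAGE_MT, "digest": "sha256:" + "33" * 32,
         "platform": {"os": "unknown", "architecture": "unknown"},
         "annotations": {"vnd.docker.reference.type": "attestation-manifest",
                         "vnd.docker.reference.digest": AMD64_DIGEST}},
    ],
})
SAMPLE_SINGLE = json.dumps({"schemaVersion": 2, "mediaType": IMAGE_MT, "layers": []})
```

Calling `pinned_reference(SAMPLE_TAG, SAMPLE_INDEX, "linux/arm64")` yields a `repo@sha256:...` reference for the arm64 manifest, while `pinned_reference(SAMPLE_TAG, SAMPLE_SINGLE, None)` returns the tag unchanged. Pinning by digest also has the side benefit that the artifact actually scanned is recorded unambiguously in the scan output, which a tag alone does not guarantee once the tag is moved.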
bluesentinelsec commented 1 month ago

Update: we have a pull request in progress that allows users to specify the container image platform they wish to scan:

https://github.com/aws-actions/vulnerability-scan-github-action-for-amazon-inspector/pull/102

We are planning on shipping this with our next release, ETA early November.

Feel free to let us know if you have questions or feedback.

ethanr-bjss commented 1 week ago

@bluesentinelsec Thanks for making that PR. Any update on when this will be released? It would be fantastic for our workflow.

bluesentinelsec commented 1 week ago

@ethanr-bjss Hello, thank you for the follow-up. Our intent is to publish a new release of this action within the next two weeks. We may adjust those timelines if we feel more testing is warranted.

bluesentinelsec commented 3 hours ago

@ethanr-bjss @tnh

We have released a new version of this Action that supports multi-arch images.

Please see here for details: https://github.com/aws-actions/vulnerability-scan-github-action-for-amazon-inspector/releases/tag/v1.2.0

Please feel encouraged to open an issue if you encounter any problems or have feedback.

Thank you!

bluesentinelsec commented 3 hours ago

Marking this issue as resolved. Please re-open if this does not resolve your problem.