Merge pull request #11324 from cBioPortal/docker-scout-ci

Integrate Docker Scout as part of security tests.
cBioPortal · Jan 3, 2025 · e345f8f · e345f8f
2 parents dc326dc + cd40cf2
commit e345f8f
Showing 1 changed file with 58 additions and 1 deletion.
diff --git a/.circleci/config.yml b/.circleci/config.yml
@@ -351,6 +351,57 @@ jobs:
         - store_artifacts:
             path: /tmp/repos/docker-compose-logs.txt
 
+    run_security_tests:
+      machine:
+        image: ubuntu-2204:2024.08.1
+        docker_layer_caching: true
+      resource_class: medium
+      environment:
+        BASE_REPO: cbioportal/cbioportal
+        DEV_REPO: cbioportal/cbioportal-dev
+      steps:
+        - run:
+            name: Install Docker Scout
+            command: |
+              curl -sSfL https://raw.githubusercontent.com/docker/scout-cli/main/install.sh | sh -s -- -b /home/circleci/bin
+        - run:
+            name: Log in to Docker
+            command: |
+              echo "$DOCKER_PASSWORD" | docker login -u "$DOCKER_USERNAME" --password-stdin;
+        - run:
+            name: Wait for cbioportal docker images
+            command: |
+              URL="https://hub.docker.com/v2/repositories/$DEV_REPO/tags/$CIRCLE_SHA1-web-shenandoah"
+              while true; do
+                TAG_FOUND=$(curl -s $URL | jq -r .name)
+                if [ $TAG_FOUND = "$CIRCLE_SHA1-web-shenandoah" ]; then
+                  echo "Image found!"
+                  exit 0
+                fi
+                echo "Image not found yet. Waiting for API Tests to finish building. Retrying in 30 seconds..."
+                sleep 30
+              done
+        - run:
+            name: Run Docker Scout vulnerability test
+            command: |
+              BASE_IMAGE=$BASE_REPO:master-web-shenandoah
+              PR_IMAGE=$DEV_REPO:$CIRCLE_SHA1-web-shenandoah
+              OUTPUT_FORMAT='{severity: .cvss.severity, source_id: .source_id, vulnerable_range: .vulnerable_range, fixed_by: .fixed_by, url: .url, description: .description}'
+              SORT='sort_by(.severity | if . == "CRITICAL" then 0 elif . == "HIGH" then 1 elif . == "MEDIUM" then 2 elif . == "LOW" then 3 else 4 end)'
+              docker pull $BASE_IMAGE
+              docker pull $PR_IMAGE
+              docker-scout cves $BASE_IMAGE --format sbom | jq -r "[.vulnerabilities[].vulnerabilities[] | $OUTPUT_FORMAT] | $SORT" > base_report.sbom
+              docker-scout cves $PR_IMAGE --format sbom | jq -r "[.vulnerabilities[].vulnerabilities[] | $OUTPUT_FORMAT] | $SORT" > pr_report.sbom
+              DIFF=$(jq -s 'map(map(.source_id)) | .[0] - .[1]' pr_report.sbom base_report.sbom)
+              COUNT=$(echo $DIFF | jq 'length')
+              if [ "$COUNT" -gt 0 ]; then
+                printf "New vulnerabilities found: $COUNT\n"
+                jq '.[] | select(.source_id as $a | '"$DIFF"' | index($a))' pr_report.sbom
+                exit 1
+              else
+                echo "No new vulnerabilities found!"
+                exit 0
+              fi
 
 workflows:
     version: 2
@@ -384,4 +435,10 @@ workflows:
             context:
               - api-tests
             requires:
-              - build_push_image
+              - build_push_image
+
+    security_tests:
+      jobs:
+        - run_security_tests:
+            context:
+              - docker-scout