ory · tricky42 · Nov 18, 2024 · Nov 18, 2024 · Nov 18, 2024 · Nov 18, 2024
@@ -1,5 +1,6 @@
 name: Docker Image Scanners
 on:
+  workflow_dispatch:
   push:
     branches:
       - "master"
@@ -8,32 +9,70 @@ on:
   pull_request:
     branches:
       - "master"
-  merge_group:
+
+permissions:
+  contents: read
+  security-events: write
 
 jobs:
   scanners:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
       - name: Setup Env
         id: vars
         shell: bash
         run: |
-          echo "SHA_SHORT=$(git rev-parse --short HEAD)" >> "${GITHUB_ENV}"
+          # Store values in local variables
+          SHA_SHORT=$(git rev-parse --short HEAD)
+          REPO_NAME=${{ github.event.repository.name }}
+
+          # Append -sqlite to SHA_SHORT if repo is hydra
+          if [ "${REPO_NAME}" = "hydra" ]; then
+            echo "Repo is hydra, appending -sqlite to SHA_SHORT"
+            IMAGE_NAME="oryd/${REPO_NAME}:${SHA_SHORT}-sqlite"
+          else
+            echo "Repo is not hydra, using default IMAGE_NAME"
+            IMAGE_NAME="oryd/${REPO_NAME}:${SHA_SHORT}"
+          fi
+
+          # Output values for debugging
+          echo "Values to be set:"
+          echo "SHA_SHORT:  ${SHA_SHORT}"
+          echo "REPO_NAME:  ${REPO_NAME}"
+          echo "IMAGE_NAME: ${IMAGE_NAME}"
+
+          # Set GitHub Environment variables
+          echo "SHA_SHORT=${SHA_SHORT}" >> "${GITHUB_ENV}"
+          echo "IMAGE_NAME=${IMAGE_NAME}" >> "${GITHUB_ENV}"
       - name: Set up QEMU
-        uses: docker/setup-qemu-action@v2
+        uses: docker/setup-qemu-action@v3
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v2
+        uses: docker/setup-buildx-action@v3
       - name: Build images
         shell: bash
         run: |
           IMAGE_TAG="${{ env.SHA_SHORT }}" make docker
+
+      - name: Login to GitHub Container Registry
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Configure Trivy
+        run: |
+          mkdir -p $HOME/.cache/trivy
+          echo "TRIVY_USERNAME=${{ github.actor }}" >> $GITHUB_ENV
+          echo "TRIVY_PASSWORD=${{ secrets.GITHUB_TOKEN }}" >> $GITHUB_ENV
+
       - name: Anchore Scanner
-        uses: anchore/scan-action@v3
+        uses: anchore/scan-action@v5
         id: grype-scan
         with:
-          image: oryd/keto:${{ env.SHA_SHORT }}
+          image: ${{ env.IMAGE_NAME }}
           fail-build: true
           severity-cutoff: high
           add-cpes-if-none: true
@@ -46,34 +85,41 @@ jobs:
           echo "::endgroup::"
       - name: Anchore upload scan SARIF report
         if: always()
-        uses: github/codeql-action/upload-sarif@v2
+        uses: github/codeql-action/upload-sarif@v3
         with:
           sarif_file: ${{ steps.grype-scan.outputs.sarif }}
-      #      - name: Kubescape scanner
-      #        uses: kubescape/github-action@main
-      #        id: kubescape
-      #        with:
-      #          image: oryd/keto:${{ env.SHA_SHORT }}
-      #          verbose: true
-      #          format: pretty-printer
-      #          # can't whitelist CVE yet: https://github.com/kubescape/kubescape/pull/1568
-      #          severityThreshold: critical
+      - name: Kubescape scanner
+        uses: kubescape/github-action@main
+        id: kubescape
+        with:
+          image: ${{ env.IMAGE_NAME }}
+          verbose: true
+          format: pretty-printer
+          # can't whitelist CVE yet: https://github.com/kubescape/kubescape/pull/1568
+          severityThreshold: critical
       - name: Trivy Scanner
         uses: aquasecurity/trivy-action@master
         if: ${{ always() }}
         with:
-          image-ref: oryd/keto:${{ env.SHA_SHORT }}
+          image-ref: ${{ env.IMAGE_NAME }}
           format: "table"
           exit-code: "42"
           ignore-unfixed: true
           vuln-type: "os,library"
           severity: "CRITICAL,HIGH"
-          scanners: "vuln,secret,config"
+          scanners: "vuln,secret,misconfig"
+        env:
+          TRIVY_SKIP_JAVA_DB_UPDATE: "true"
+          TRIVY_DISABLE_VEX_NOTICE: "true"
+          TRIVY_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-db,public.ecr.aws/aquasecurity/trivy-db
+
+
+
       - name: Dockle Linter
-        uses: erzz/dockle-action@v1.3.2
+        uses: erzz/dockle-action@v1
         if: ${{ always() }}
         with:
-          image: oryd/keto:${{ env.SHA_SHORT }}
+          image: ${{ env.IMAGE_NAME }}
           exit-code: 42
           failure-threshold: high
       - name: Hadolint
@@ -90,5 +136,5 @@ jobs:
         shell: bash
         run: |
           echo "::group::Hadolint Scan Details"
-          echo "${HADOLINT_RESULTS}" | jq '.' 
+          echo "${HADOLINT_RESULTS}" | jq '.'
           echo "::endgroup::"
diff --git a/internal/check/handler_test.go b/internal/check/handler_test.go
 	}()
 	t.Cleanup(s.Stop)

 	conn, err := grpc.Dial("bufnet",
 		grpc.WithTransportCredentials(insecure.NewCredentials()),
 		grpc.WithContextDialer(func(context.Context, string) (net.Conn, error) { return l.Dial() }),
 	)
diff --git a/contrib/docs-code-samples/list-api-display-objects/02-list-coffee-break/main.go b/contrib/docs-code-samples/list-api-display-objects/02-list-coffee-break/main.go
 )

 func main() {
 	conn, err := grpc.Dial("127.0.0.1:4466", grpc.WithTransportCredentials(insecure.NewCredentials()))
 	if err != nil {
 		panic(err.Error())
 	}
diff --git a/internal/schema/handler_test.go b/internal/schema/handler_test.go
 		}()
 		t.Cleanup(s.Stop)

 		conn, err := grpc.Dial("bufnet",
 			grpc.WithTransportCredentials(insecure.NewCredentials()),
 			grpc.WithContextDialer(func(context.Context, string) (net.Conn, error) { return l.Dial() }),
 		)
diff --git a/internal/e2e/grpc_client_test.go b/internal/e2e/grpc_client_test.go
 	ctx, cancel := context.WithTimeout(g.ctx, 3*time.Second)
 	defer cancel()

 	conn, err := grpc.DialContext(ctx, remote, grpc.WithTransportCredentials(insecure.NewCredentials()), grpc.WithBlock(), grpc.WithDisableHealthCheck())
 	require.NoError(t, err)

 	return conn
 	resp, err := c.ListRelationTuples(g.ctx, &rts.ListRelationTuplesRequest{
 		RelationQuery: g.createQuery(q),
 		PageToken:     pagination.Token,
 		PageSize:      int32(pagination.Size),
 	})
 	require.NoError(t, err)

 	_, err := c.ListRelationTuples(g.ctx, &rts.ListRelationTuplesRequest{
 		RelationQuery: g.createQuery(q),
 		PageToken:     pagination.Token,
 		PageSize:      int32(pagination.Size),
 	})
 	require.Error(t, err)
 	s, ok := status.FromError(err)

 	resp, err := c.Expand(g.ctx, &rts.ExpandRequest{
 		Subject:  rts.NewSubjectSet(r.Namespace, r.Object, r.Relation),
 		MaxDepth: int32(depth),
 	})
 	require.NoError(t, err)

diff --git a/internal/driver/config/opl_cache_test.go b/internal/driver/config/opl_cache_test.go
 	hits := 0
 	ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		hits++
 		io.WriteString(w, testOPL)
 	}))
 	t.Cleanup(ts.Close)
 	ctx := context.Background()
diff --git a/internal/schema/parse_errors.go b/internal/schema/parse_errors.go
 	return &opl.ParseError{
 		Message: e.msg,
 		Start: &opl.SourcePosition{
 			Line:   uint32(start.Line),
 			Column: uint32(start.Col),
 		},
 		End: &opl.SourcePosition{
 			Line:   uint32(end.Line),
	}()
	t.Cleanup(s.Stop)

	conn, err := grpc.Dial("bufnet",
Check failure on line 323 in internal/check/handler_test.go GitHub Actions / Run lints and checks `SA1019: grpc.Dial is deprecated: use NewClient instead. Will be supported throughout 1.x. (staticcheck)`
	grpc.WithTransportCredentials(insecure.NewCredentials()),
	grpc.WithContextDialer(func(context.Context, string) (net.Conn, error) { return l.Dial() }),
	)
	)

	func main() {
	conn, err := grpc.Dial("127.0.0.1:4466", grpc.WithTransportCredentials(insecure.NewCredentials()))
Check failure on line 20 in contrib/docs-code-samples/list-api-display-objects/02-list-coffee-break/main.go GitHub Actions / Run lints and checks `SA1019: grpc.Dial is deprecated: use NewClient instead. Will be supported throughout 1.x. (staticcheck)`
	if err != nil {
	panic(err.Error())
	}
	}()
	t.Cleanup(s.Stop)

	conn, err := grpc.Dial("bufnet",
Check failure on line 65 in internal/schema/handler_test.go GitHub Actions / Run lints and checks `SA1019: grpc.Dial is deprecated: use NewClient instead. Will be supported throughout 1.x. (staticcheck)`
	grpc.WithTransportCredentials(insecure.NewCredentials()),
	grpc.WithContextDialer(func(context.Context, string) (net.Conn, error) { return l.Dial() }),
	)
	ctx, cancel := context.WithTimeout(g.ctx, 3*time.Second)
	defer cancel()

	conn, err := grpc.DialContext(ctx, remote, grpc.WithTransportCredentials(insecure.NewCredentials()), grpc.WithBlock(), grpc.WithDisableHealthCheck())
Check failure on line 49 in internal/e2e/grpc_client_test.go GitHub Actions / Run lints and checks `SA1019: grpc.DialContext is deprecated: use NewClient instead. Will be supported throughout 1.x. (staticcheck)`
	require.NoError(t, err)

	return conn
	resp, err := c.ListRelationTuples(g.ctx, &rts.ListRelationTuplesRequest{
	RelationQuery: g.createQuery(q),
	PageToken: pagination.Token,
	PageSize: int32(pagination.Size),
Check failure on line 101 in internal/e2e/grpc_client_test.go GitHub Actions / Run lints and checks `G115: integer overflow conversion int -> int32 (gosec)`
	})
	require.NoError(t, err)

	_, err := c.ListRelationTuples(g.ctx, &rts.ListRelationTuplesRequest{
	RelationQuery: g.createQuery(q),
	PageToken: pagination.Token,
	PageSize: int32(pagination.Size),
Check failure on line 124 in internal/e2e/grpc_client_test.go GitHub Actions / Run lints and checks `G115: integer overflow conversion int -> int32 (gosec)`
	})
	require.Error(t, err)
	s, ok := status.FromError(err)

	resp, err := c.Expand(g.ctx, &rts.ExpandRequest{
	Subject: rts.NewSubjectSet(r.Namespace, r.Object, r.Relation),
	MaxDepth: int32(depth),
Check failure on line 215 in internal/e2e/grpc_client_test.go GitHub Actions / Run lints and checks `G115: integer overflow conversion int -> int32 (gosec)`
	})
	require.NoError(t, err)
	hits := 0
	ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
	hits++
	io.WriteString(w, testOPL)
Check failure on line 22 in internal/driver/config/opl_cache_test.go GitHub Actions / Run lints and checks Error return value of `io.WriteString` is not checked (errcheck)
	}))
	t.Cleanup(ts.Close)
	ctx := context.Background()
	return &opl.ParseError{
	Message: e.msg,
	Start: &opl.SourcePosition{
	Line: uint32(start.Line),
Check failure on line 87 in internal/schema/parse_errors.go GitHub Actions / Run lints and checks `G115: integer overflow conversion int -> uint32 (gosec)`
	Column: uint32(start.Col),
Check failure on line 88 in internal/schema/parse_errors.go GitHub Actions / Run lints and checks `G115: integer overflow conversion int -> uint32 (gosec)`
	},
	End: &opl.SourcePosition{
	Line: uint32(end.Line),