scan goreleaser nightly image with trivy

.github/workflows/lint.yaml

@@ -55,19 +55,53 @@ jobs:
       - uses: "actions/checkout@v3"
       - uses: "authzed/actions/codeql@main"
 
-  trivy:
-    name: "Analyze with Trivy"
+  trivy-fs:
+    name: "Analyze FS with Trivy"
     runs-on: "ubuntu-latest"
     steps:
       - uses: "actions/checkout@v3"
-      - uses: "aquasecurity/trivy-action@0.9.0"
+      - uses: "aquasecurity/trivy-action@master"
         with:
           scan-type: "fs"
           ignore-unfixed: true
-          format: "sarif"
-          output: "trivy-results.sarif"
-          severity: "CRITICAL"
-      - name: "Upload Trivy scan results to GitHub Security tab"
-        uses: "github/codeql-action/upload-sarif@v2"
+          format: 'table'
+          exit-code: '1'
+          severity: "CRITICAL,HIGH,MEDIUM"
+
+  trivy-image:
+    name: "Analyze Release Image with Trivy"
+    runs-on: "ubuntu-latest"
+    steps:
+      - uses: "actions/checkout@v3"
+      - uses: "authzed/actions/setup-go@main"
+        with:
+          go-version: "${{ env.GO_VERSION }}"
+      - name: "modify goreleaser config to skip building all targets"
+        run: |
+          echo "partial:
+            by: target" >> .goreleaser.yml
+      - name: "build image"
+        run: 'DOCKER_BUILDKIT=1 docker build --platform=linux/amd64 -t authzed/spicedb:scanme .'
+      - name: "image metadata"
+        run: 'docker image inspect authzed/spicedb:scanme'
+      - name: "run trivy"
+        run: 'docker run -v /var/run/docker.sock:/var/run/docker.sock aquasec/trivy image -d --platform linux/amd64 --format table --exit-code 0 --ignore-unfixed --vuln-type os,library --no-progress --severity CRITICAL,HIGH,MEDIUM authzed/spicedb:scanme'
+      - name: "install trivy"
+        run: |
+          wget https://github.com/aquasecurity/trivy/releases/download/v0.43.1/trivy_0.43.1_Linux-64bit.deb
+          sudo dpkg -i trivy_0.43.1_Linux-64bit.deb
+      - name: "run trivy"
+        run: 'trivy image -d --platform linux/amd64 --format table --exit-code 0 --ignore-unfixed --vuln-type os,library --no-progress --severity CRITICAL,HIGH,MEDIUM authzed/spicedb:scanme'
+      - uses: "goreleaser/goreleaser-action@v4"
+        id: "goreleaser"
         with:
-          sarif_file: "trivy-results.sarif"
+          distribution: "goreleaser-pro"
+          version: "latest"
+          args: "release --clean --split --snapshot"
+        env:
+          GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
+          GORELEASER_KEY: "${{ secrets.GORELEASER_KEY }}"
+      - name: "Obtain container image to scan"
+        run: 'echo "IMAGE_VERSION=$(jq .version dist/linux_amd64/metadata.json --raw-output)" >> $GITHUB_ENV'
+      - name: "run trivy manually"
+        run: 'docker run -v /var/run/docker.sock:/var/run/docker.sock aquasec/trivy image --format table --exit-code 1 --ignore-unfixed --vuln-type os,library --no-progress --severity CRITICAL,HIGH,MEDIUM authzed/spicedb:v${{ env.IMAGE_VERSION }}-amd64'

.goreleaser.yml

@@ -33,7 +33,7 @@ furies:
     secret_name: "GEMFURY_PUSH_TOKEN"
     skip: "{{ gt (len .Prerelease) 0 }}"
 brews:
-  - tap:
+  - repository:
       owner: "authzed"
       name: "homebrew-tap"
       token: "{{ .Env.HOMEBREW_TAP_GITHUB_TOKEN }}"

Dockerfile

@@ -1,8 +1,8 @@
-FROM golang:1.20-alpine3.16 AS spicedb-builder
+FROM golang:1.20-alpine3.18 AS spicedb-builder
 WORKDIR /go/src/app
 RUN apk update && apk add --no-cache git
 COPY . .
-RUN --mount=type=cache,target=/root/.cache/go-build --mount=type=cache,target=/go/pkg/mod CGO_ENABLED=0 go build -v ./cmd/...
+RUN go build -v ./cmd/...
 
 FROM cgr.dev/chainguard/static:latest
 COPY --from=ghcr.io/grpc-ecosystem/grpc-health-probe:v0.4.12 /ko-app/grpc-health-probe /usr/local/bin/grpc_health_probe