feat: add ironbank trivy scanning

coder · ericpaulsen · Feb 7, 2023 · Jan 31, 2023 · Jan 31, 2023 · Jan 31, 2023
commit 68abf63a1eeab05d5cc72a623ef20045345f40bf
diff --git a/.github/workflows/security.yaml b/.github/workflows/security.yaml
@@ -92,6 +92,9 @@ jobs:
           restore-keys: |
             js-${{ runner.os }}-
 
+      - name: Install yq
+        run: go run github.com/mikefarah/yq/v4@v4.30.6
+
       - name: Build Coder linux amd64 Docker image
         id: build
         run: |
@@ -100,6 +103,17 @@ jobs:
           DOCKER_IMAGE_NO_PREREQUISITES=true make -j "$image_job"
           echo "image=$(cat "$image_job")" >> $GITHUB_OUTPUT
 
+      - name: Build Coder linux amd64 Docker image (ironbank)
+        id: build-ironbank
+        run: |
+          set -euo pipefail
+          # NOTE: This is not a real image tag we publish.
+          image_tag="ghcr.io/coder/coder/ironbank:v$(./scripts/version.sh)"
+          ./scripts/ironbank/build_ironbank.sh \
+            --target "$image_tag" \
+            "build/coder_$(./scripts/version.sh)_linux_amd64"
+          echo "image=$image_tag" >> $GITHUB_OUTPUT
+
       - name: Run Trivy vulnerability scanner
         uses: aquasecurity/trivy-action@7b7aa264d83dc58691451798b4d117d53d21edfe
         with:
@@ -113,9 +127,24 @@ jobs:
         with:
           sarif_file: trivy-results.sarif
 
+      - name: Run Trivy vulnerability scanner (ironbank)
+        uses: aquasecurity/trivy-action@7b7aa264d83dc58691451798b4d117d53d21edfe
+        with:
+          image-ref: ${{ steps.build-ironbank.outputs.image }}
+          format: sarif
+          output: trivy-results-ironbank.sarif
+          severity: "CRITICAL,HIGH"
+
+      - name: Upload Trivy scan results to GitHub Security tab (ironbank)
+        uses: github/codeql-action/upload-sarif@v2
+        with:
+          sarif_file: trivy-results-ironbank.sarif
+
       - name: Upload Trivy scan results as an artifact
         uses: actions/upload-artifact@v2
         with:
           name: trivy
-          path: trivy-results.sarif
+          path: |
+            trivy-results.sarif
+            trivy-results-ironbank.sarif
           retention-days: 7
diff --git a/scripts/ironbank/.gitignore b/scripts/ironbank/.gitignore
@@ -1,3 +1,6 @@
 coder.tar.gz
 terraform.zip
 terraform-provider-coder.zip
+
+.terraform.zip.*
+.terraform-provider-coder.zip.*
diff --git a/scripts/ironbank/Dockerfile b/scripts/ironbank/Dockerfile
@@ -42,20 +42,22 @@ RUN echo "FIPS" >/etc/crypto-policies/config && \
     ln --symbolic --force /usr/share/crypto-policies/FIPS/openssl.txt /etc/crypto-policies/back-ends/openssl.config && \
     ln --symbolic --force /usr/share/crypto-policies/FIPS/opensslcnf.txt /etc/crypto-policies/back-ends/opensslcnf.config
 
-# Copy and extract Coder binary from tar file.
+# Copy and extract Coder binary from tar file. We have to put this in /opt to
+# match the Dockerfile.
 ARG CODER_BIN=/opt/coder
-RUN mkdir -p /opt
 ARG CODER_BIN_TAR_GZ=coder.tar.gz
 COPY "$CODER_BIN_TAR_GZ" /tmp/coder.tar.gz
-RUN tar -xzvf /tmp/coder.tar.gz --directory /opt --strip-components=1 ./coder && \
+RUN mkdir -p /opt && \
+		tar -xzvf /tmp/coder.tar.gz --directory /opt --strip-components=1 ./coder && \
     rm /tmp/coder.tar.gz
+ENV PATH="/opt:${PATH}"
 
 # Copy and extract Terraform binary from zip file.
 ARG TERRAFORM_BIN_DIR=/opt/terraform
-RUN mkdir -p "$TERRAFORM_BIN_DIR"
 ARG TERRAFORM_BIN_ZIP=terraform.zip
 COPY "$TERRAFORM_BIN_ZIP" /tmp/terraform.zip
-RUN unzip /tmp/terraform.zip -d "$CODER_BIN_DIR" && \
+RUN mkdir -p "$TERRAFORM_BIN_DIR" && \
+		unzip /tmp/terraform.zip -d "$TERRAFORM_BIN_DIR" && \
 	  rm /tmp/terraform.zip
 ENV PATH="${TERRAFORM_BIN_DIR}:${PATH}"
 

diff --git a/scripts/ironbank/build_ironbank.sh b/scripts/ironbank/build_ironbank.sh
@@ -0,0 +1,106 @@
+#!/usr/bin/env bash
+
+# This script builds the ironbank Docker image of Coder containing the given
+# binary. Other dependencies will be automatically downloaded and cached.
+#
+# Usage: ./build_ironbank.sh --target image_tag path/to/coder
+
+set -euo pipefail
+# shellcheck source=scripts/lib.sh
+source "$(dirname "${BASH_SOURCE[0]}")/../lib.sh"
+
+image_tag=""
+
+args="$(getopt -o "" -l target: -- "$@")"
+eval set -- "$args"
+while true; do
+	case "$1" in
+	--target)
+		image_tag="$2"
+		shift 2
+		;;
+	--)
+		shift
+		break
+		;;
+	*)
+		error "Unrecognized option: $1"
+		;;
+	esac
+done
+
+if [[ "$image_tag" == "" ]]; then
+	error "The --image-tag parameter is required"
+fi
+
+# Check dependencies
+dependencies docker sha256sum yq
+if [[ $(yq --version) != *" v4."* ]]; then
+	error "yq version 4 is required"
+fi
+
+if [[ "$#" != 1 ]]; then
+	error "Exactly one argument must be provided to this script, $# were supplied"
+fi
+if [[ ! -f "$1" ]]; then
+	error "File '$1' does not exist or is not a regular file"
+fi
+input_file="$(realpath "$1")"
+
+# Make temporary dir for Docker build context.
+tmpdir="$(mktemp -d)"
+trap 'rm -rf "$tmpdir"' EXIT
+pushd "$(dirname "${BASH_SOURCE[0]}")"
+cp Dockerfile "$tmpdir/"
+cp terraform-filesystem-mirror.tfrc "$tmpdir/"
+popd
+
+# Create a coder.tar.gz file.
+execrelative ../archive.sh \
+	--format tar.gz \
+	--os linux \
+	--output "$tmpdir/coder.tar.gz" \
+	"$input_file"
+
+# Download all resources in the hardening_manifest.yaml file except for
+# coder.tar.gz (which we will make ourselves).
+manifest_path="$(dirname "${BASH_SOURCE[0]}")/hardening_manifest.yaml"
+resources="$(yq e '.resources[] | select(.filename != "coder.tar.gz") | [.filename, .url, .validation.value] | @tsv' "$manifest_path")"
+while read -r line; do
+	filename="$(echo "$line" | cut -f1)"
+	url="$(echo "$line" | cut -f2)"
+	sha256_hash="$(echo "$line" | cut -f3)"
+
+	pushd "$(dirname "${BASH_SOURCE[0]}")"
+	target=".${filename}.${sha256_hash}"
+	if [[ ! -f "$target" ]]; then
+		log "Downloading $filename"
+		curl -sSL "$url" -o "$target"
+	fi
+
+	sum="$(sha256sum "$target" | cut -d' ' -f1)"
+	if [[ "$sum" != "$sha256_hash" ]]; then
+		rm "$target"
+		error "Downloaded $filename has hash $sum, but expected $sha256_hash"
+	fi
+	cp "$target" "$tmpdir/$filename"
+	popd
+done <<<"$resources"
+
+terraform_coder_provider_version="$(yq e '.args.TERRAFORM_CODER_PROVIDER_VERSION' "$manifest_path")"
+if [[ "$terraform_coder_provider_version" == "" ]]; then
+	error "TERRAFORM_CODER_PROVIDER_VERSION not found in hardening_manifest.yaml"
+fi
+
+# Build the image.
+pushd "$tmpdir"
+docker build \
+	--build-arg BASE_REGISTRY=registry.access.redhat.com \
+	--build-arg BASE_IMAGE=ubi8/ubi-minimal \
+	--build-arg BASE_TAG=8.7 \
+	--build-arg TERRAFORM_CODER_PROVIDER_VERSION="$terraform_coder_provider_version" \
+	-t "$image_tag" \
+	. >&2
+popd
+
+echo "$image_tag"
diff --git a/scripts/ironbank/hardening_manifest.yaml b/scripts/ironbank/hardening_manifest.yaml
@@ -12,8 +12,6 @@ tags:
 
 # Build args passed to Dockerfile ARGs
 args:
-  BASE_IMAGE: "redhat/ubi/ubi8"
-  BASE_TAG: "8.7"
   # Needs to be kept in sync with the resource below.
   TERRAFORM_CODER_PROVIDER_VERSION: "0.6.10"
 
@@ -48,11 +46,14 @@ resources:
       value: b8cf184dee15dfa89713fe56085313ab23db22e17284a9a27c0999c67ce3021e
   # Coder Terraform provider, bundled inside of Coder to support air-gapped
   # installs.
  #
+  # The version of this provider needs to be kept in sync with the
+  # TERRAFORM_CODER_PROVIDER_VERSION build arg.
   - url: https://github.com/coder/terraform-provider-coder/releases/download/v0.6.10/terraform-provider-coder_0.6.10_linux_amd64.zip
     filename: "terraform-provider-coder.zip"
     validation:
       type: sha256
-      value: de6db7814d4995938dcfa46a6d5b28bf9efb095fecf737285f52cfd4c85948c5
+      value: 4c2a16010621e146251f6fb5e27105dde9213d85ca8f3c8866c3f5a4159b81b0
 
 # List of project maintainers
 maintainers:

diff --git a/scripts/lib.sh b/scripts/lib.sh
@@ -39,7 +39,7 @@ realpath() {
 }
 
 # We have to define realpath before these otherwise it fails on Mac's bash.
-SCRIPT_DIR="$(realpath "$(dirname "${BASH_SOURCE[0]}")")"
+SCRIPT_DIR="$(realpath "$(dirname "${BASH_SOURCE[1]}")")"
 PROJECT_ROOT="$(cd "$SCRIPT_DIR" && realpath "$(git rev-parse --show-toplevel)")"
 
 # pushd is a silent alternative to the real pushd shell command.