From 075e711edafd5995d5bfd47d41563e06f85a02df Mon Sep 17 00:00:00 2001
From: Paul Abel
Date: Fri, 14 Jun 2024 09:35:12 +0100
Subject: [PATCH 1/5] add docker scout scan to pipelines
---
.github/workflows/build-oss.yml | 37 ++++++++++++++++++++++++++------
.github/workflows/build-plus.yml | 37 ++++++++++++++++++++++++--------
2 files changed, 58 insertions(+), 16 deletions(-)
diff --git a/.github/workflows/build-oss.yml b/.github/workflows/build-oss.yml
index 8d5fbce4cc..3cd85be221 100644
--- a/.github/workflows/build-oss.yml
+++ b/.github/workflows/build-oss.yml
@@ -47,6 +47,10 @@ jobs:
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
id-token: write # for OIDC login to GCR
packages: write # for docker/build-push-action to push to GHCR
+ pull-requests: write # for scout report
+ outputs:
+ version: ${{ steps.meta.outputs.version }}
+ image_digest: ${{ steps.build-push.outputs.digest }}
steps:
- name: Checkout Repository
uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
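Review bot: `pull-requests: write` on the first added line is granted "for scout report", yet the Scout step this same patch adds to the job sets `write-comment: false`, so no pull-request comment is ever written and the grant is unused. Under least privilege either enable the comment or drop the permission; the same applies to the `pull-requests: write` line patch 2 adds to the build-plus job and to the other workflows in that patch. The new `outputs` (`version`, `image_digest`) are not consumed anywhere this series shows; if they are for a follow-up, a short comment saying who reads them would help, e.g. `outputs: # consumed by <downstream job — confirm>`.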
@@ -175,27 +179,46 @@ jobs:
IC_VERSION=${{ inputs.ic-version && inputs.ic-version || steps.meta.outputs.version }}
if: ${{ steps.base_exists.outputs.exists != 'true' || steps.target_exists.outputs.exists != 'true' }}
+ - name: Make directory for security scan results
+ run: |
+ mkdir -p "${{ inputs.image }}-results/"
+
- name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@595be6a0f6560a0a8fc419ddf630567fc623531d # 0.22.0
continue-on-error: true
with:
image-ref: nginx/nginx-ingress:${{ steps.meta.outputs.version }}
format: "sarif"
- output: "trivy-results-${{ inputs.image }}.sarif"
+ output: "${{ inputs.image }}-results/trivy.sarif"
ignore-unfixed: "true"
if: ${{ inputs.authenticated && steps.build-push.conclusion == 'success' }}
- - name: Upload Trivy scan results to GitHub Security tab
+ - name: Run Docker Scout vulnerability scanner
+ id: docker-scout
+ uses: docker/scout-action@5dae9c7571dd0f3de81f5b501240c593c13c3eb6 # v1.9.3
+ continue-on-error: true
+ with:
+ command: cves,recommendations
+ image: ${{ steps.meta.outputs.tags }}
+ ignore-base: true
+ only-fixed: true
+ sarif-file: "${{ inputs.image }}-results/scout.sarif"
+ write-comment: false
+ github-token: ${{ secrets.GITHUB_TOKEN }} # to be able to write the comment
+ summary: true
+ if: ${{ inputs.authenticated && steps.build-push.conclusion == 'success' }}
+
+ - name: Upload Trivy/Scout scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@530d4feaa9c62aaab2d250371e2061eb7a172363 # v3.25.9
continue-on-error: true
with:
- sarif_file: "trivy-results-${{ inputs.image }}.sarif"
+ sarif_file: "${{ inputs.image }}-results/"
if: ${{ inputs.authenticated && steps.build-push.conclusion == 'success' }}
- - name: Upload Scan Results
+ - name: Upload Scan Results to the cache
uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
continue-on-error: true
with:
- name: "trivy-results-${{ inputs.image }}.sarif"
- path: "trivy-results-${{ inputs.image }}.sarif"
- if: always()
+ name: "${{ inputs.image }}-results"
+ path: "${{ inputs.image }}-results/"
+ if: ${{ inputs.authenticated && steps.build-push.conclusion == 'success' }}
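Review bot: The Scout step passes `image: ${{ steps.meta.outputs.tags }}`, while the Trivy step just above scans the single ref `nginx/nginx-ingress:${{ steps.meta.outputs.version }}`; docker/metadata-action's `tags` output is a newline-separated list of every generated tag, so whenever more than one tag is produced Scout receives a multi-line value rather than one image reference. Unless scout-action is known to accept such a list, use the same ref as Trivy, `image: nginx/nginx-ingress:${{ steps.meta.outputs.version }}`, so both scanners report on the same artifact (the build-plus hunk already does this via `steps.scan-tag.outputs.tag`). The inline comment on `github-token`, `# to be able to write the comment`, contradicts `write-comment: false` on the line above it; reword it to what the token is really needed for, or drop the token together with the `pull-requests: write` grant if commenting is the only use. `id: docker-scout` is referenced nowhere visible and can go.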
diff --git a/.github/workflows/build-plus.yml b/.github/workflows/build-plus.yml
index db5d2acbcf..f9f4d8246c 100644
--- a/.github/workflows/build-plus.yml
+++ b/.github/workflows/build-plus.yml
@@ -195,8 +195,12 @@ jobs:
${{ contains(inputs.image, 'ubi') && format('"rhel_license={0}"', secrets.RHEL_LICENSE) || '' }}
if: ${{ steps.base_exists.outputs.exists != 'true' || steps.target_exists.outputs.exists != 'true' }}
- - name: Extract image name for Trivy
- id: trivy-tag
+ - name: Make directory for security scan results
+ run: |
+ mkdir -p "${{ inputs.image }}-results/"
+
+ - name: Extract image name for Scans
+ id: scan-tag
run: |
tag=$(echo $DOCKER_METADATA_OUTPUT_JSON | jq -r '[ .tags[] | select(contains("f5-gcs-7899"))] | .[0]')
echo "tag=$tag" >> $GITHUB_OUTPUT
@@ -206,23 +210,38 @@ jobs:
uses: aquasecurity/trivy-action@595be6a0f6560a0a8fc419ddf630567fc623531d # 0.22.0
continue-on-error: true
with:
- image-ref: ${{ steps.trivy-tag.outputs.tag }}
+ image-ref: ${{ steps.scan-tag.outputs.tag }}
format: "sarif"
- output: "trivy-results-${{ inputs.image }}.sarif"
+ output: "${{ inputs.image }}-results/trivy.sarif"
ignore-unfixed: "true"
if: ${{ inputs.authenticated && steps.build-push.conclusion == 'success' }}
- - name: Upload Trivy scan results to GitHub Security tab
+ - name: Run Docker Scout vulnerability scanner
+ id: docker-scout
+ uses: docker/scout-action@5dae9c7571dd0f3de81f5b501240c593c13c3eb6 # v1.9.3
+ continue-on-error: true
+ with:
+ command: cves,recommendations
+ image: ${{ steps.scan-tag.outputs.tag }}
+ ignore-base: true
+ only-fixed: true
+ sarif-file: "${{ inputs.image }}-results/scout.sarif"
+ write-comment: false
+ github-token: ${{ secrets.GITHUB_TOKEN }} # to be able to write the comment
+ summary: true
+ if: ${{ inputs.authenticated && steps.build-push.conclusion == 'success' }}
+
+ - name: Upload Security scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@530d4feaa9c62aaab2d250371e2061eb7a172363 # v3.25.9
continue-on-error: true
with:
- sarif_file: "trivy-results-${{ inputs.image }}.sarif"
+ sarif_file: "${{ inputs.image }}-results/"
if: ${{ inputs.authenticated && steps.build-push.conclusion == 'success' }}
- name: Upload Scan Results
uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
continue-on-error: true
with:
- name: "trivy-results-${{ inputs.image }}.sarif"
- path: "trivy-results-${{ inputs.image }}.sarif"
- if: always()
+ name: "${{ inputs.image }}-results"
+ path: "${{ inputs.image }}-results/"
+ if: ${{ inputs.authenticated && steps.build-push.conclusion == 'success' }}
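Review bot: Both scanner steps in this hunk run with `continue-on-error: true` and the Scout step sets neither `exit-code` nor `exit-on`, so a scan that finds fixable CVEs, or one that fails outright, never affects the job result; findings surface only in the step summary and the uploaded artifact. If that advisory-only behaviour is intended, record it above the step with a comment such as `# advisory: scan findings never gate the build`; if the intent is to block on fixable CVEs, set `exit-code: true` and remove `continue-on-error` on the Scout step. The same applies to the Scout step in the build-oss hunk above. The `jq … | .[0]` in the `scan-tag` step is context here, but both new `image-ref`/`image` lines now depend on it, and with `jq -r` an empty match appears to yield the literal string `null` as the image reference; a guard that fails that step when `tag` is empty or `null` would make the silent-failure case visible.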
From ef2977ad02d27e13aa9282c6938cb6b562d8bfb4 Mon Sep 17 00:00:00 2001
From: Paul Abel
Date: Wed, 19 Jun 2024 10:51:06 +0100
Subject: [PATCH 2/5] give docker scout permissions to write summary
---
.github/workflows/build-base-images.yml | 9 +++++++++
.github/workflows/build-plus.yml | 1 +
.github/workflows/cache-update.yml | 3 +++
.github/workflows/ci.yml | 4 ++++
.github/workflows/image-promotion.yml | 3 +++
5 files changed, 20 insertions(+)
diff --git a/.github/workflows/build-base-images.yml b/.github/workflows/build-base-images.yml
index 969c0d0a4e..095fce75c6 100644
--- a/.github/workflows/build-base-images.yml
+++ b/.github/workflows/build-base-images.yml
@@ -41,6 +41,9 @@ jobs:
name: Build OSS base images
runs-on: ubuntu-22.04
needs: checks
+ permissions:
+ contents: read
+ pull-requests: write # for scout report
strategy:
fail-fast: false
matrix:
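Review bot: `pull-requests: write` is added to the three base-image jobs in this file, but none of them shows a Scout step or any step that comments on a pull request, and the step summary the commit title refers to is written through the runner's step-summary file (`GITHUB_STEP_SUMMARY`) and needs no token permission; the Scout step added in patch 1 also sets `write-comment: false`. As far as the diff shows, the grant is therefore unused here, and in `build-plus.yml`, `cache-update.yml`, `ci.yml` and `image-promotion.yml` it only serves to pass the permission down to the reusable build workflows, which matters only if their Scout step is ever allowed to comment. Dropping these lines until comments are enabled keeps each job's `GITHUB_TOKEN` at least privilege; when they are, grant it only on the jobs that run `docker/scout-action` and name the reason precisely, e.g. `pull-requests: write # docker/scout-action write-comment`.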
@@ -108,6 +111,9 @@ jobs:
name: Build Plus base images
runs-on: ubuntu-22.04
needs: checks
+ permissions:
+ contents: read
+ pull-requests: write # for scout report
strategy:
fail-fast: false
matrix:
@@ -177,6 +183,9 @@ jobs:
name: Build Plus NAP base images
runs-on: ubuntu-22.04
needs: checks
+ permissions:
+ contents: read
+ pull-requests: write # for scout report
strategy:
fail-fast: false
matrix:
diff --git a/.github/workflows/build-plus.yml b/.github/workflows/build-plus.yml
index f9f4d8246c..a8af8d0f67 100644
--- a/.github/workflows/build-plus.yml
+++ b/.github/workflows/build-plus.yml
@@ -51,6 +51,7 @@ jobs:
contents: read # for docker/build-push-action to read repo content
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
id-token: write # for OIDC login to AWS
+ pull-requests: write # for scout report
runs-on: ubuntu-22.04
steps:
- name: Checkout Repository
diff --git a/.github/workflows/cache-update.yml b/.github/workflows/cache-update.yml
index 33fda78f6f..55f3fbde22 100644
--- a/.github/workflows/cache-update.yml
+++ b/.github/workflows/cache-update.yml
@@ -60,6 +60,7 @@ jobs:
security-events: write
id-token: write
packages: write
+ pull-requests: write # for scout report
secrets: inherit
build-docker-plus:
@@ -89,6 +90,7 @@ jobs:
contents: read
security-events: write
id-token: write
+ pull-requests: write # for scout report
secrets: inherit
build-docker-nap:
@@ -161,4 +163,5 @@ jobs:
contents: read
security-events: write
id-token: write
+ pull-requests: write # for scout report
secrets: inherit
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index fe123a6931..b9538a1b7a 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -303,6 +303,7 @@ jobs:
security-events: write
id-token: write
packages: write
+ pull-requests: write # for scout report
secrets: inherit
build-docker-plus:
@@ -333,6 +334,7 @@ jobs:
contents: read
security-events: write
id-token: write
+ pull-requests: write # for scout report
secrets: inherit
build-docker-nap:
@@ -406,6 +408,7 @@ jobs:
contents: read
security-events: write
id-token: write
+ pull-requests: write # for scout report
secrets: inherit
helm-tests:
@@ -774,5 +777,6 @@ jobs:
actions: read
packages: write # for helm to push to GHCR
security-events: write
+ pull-requests: write # for scout report
uses: ./.github/workflows/image-promotion.yml
if: ${{ inputs.force && inputs.force || false }}
diff --git a/.github/workflows/image-promotion.yml b/.github/workflows/image-promotion.yml
index af1e55dbed..80725d943b 100644
--- a/.github/workflows/image-promotion.yml
+++ b/.github/workflows/image-promotion.yml
@@ -173,6 +173,7 @@ jobs:
security-events: write
id-token: write
packages: write
+ pull-requests: write # for scout report
secrets: inherit
build-docker-plus:
@@ -205,6 +206,7 @@ jobs:
security-events: write
id-token: write
packages: write
+ pull-requests: write # for scout report
secrets: inherit
build-docker-nap:
@@ -280,6 +282,7 @@ jobs:
security-events: write
id-token: write
packages: write
+ pull-requests: write # for scout report
secrets: inherit
tag-stable:
From c23e8496abd4fb4dc9648b7dd7802a3eaf2eb4ce Mon Sep 17 00:00:00 2001
From: Eoin O'Shaughnessy
Date: Wed, 19 Jun 2024 11:54:30 +0100
Subject: [PATCH 3/5] image updates
---
build/Dockerfile | 2 +-
tests/Dockerfile | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/build/Dockerfile b/build/Dockerfile
index 20aaa3b4a5..55017d3635 100644
--- a/build/Dockerfile
+++ b/build/Dockerfile
@@ -15,7 +15,7 @@ FROM ghcr.io/nginxinc/k8s-common:nginx-opentracing-1.27.0-alpine@sha256:5dc5c763
FROM ghcr.io/nginxinc/alpine-fips:0.1.0-alpine3.17@sha256:f00b3f266422feaaac7b733b46903bd19eb1cd1caa6991131576f5f767db76f8 as alpine-fips-3.17
FROM ghcr.io/nginxinc/alpine-fips:0.2.0-alpine3.19@sha256:1744ae3a8e795daf771f3f7df33b83160981545abb1f1597338e2769d06aa1cc as alpine-fips-3.19
FROM redhat/ubi9-minimal@sha256:a7d837b00520a32502ada85ae339e33510cdfdbc8d2ddf460cc838e12ec5fa5a AS ubi-minimal
-FROM golang:1.22-alpine@sha256:9bdd5692d39acc3f8d0ea6f81327f87ac6b473dd29a2b6006df362bff48dd1f8 as golang-builder
+FROM golang:1.22-alpine@sha256:6522f0ca555a7b14c46a2c9f50b86604a234cdc72452bf6a268cae6461d9000b as golang-builder
############################################# Base image for Alpine #############################################
diff --git a/tests/Dockerfile b/tests/Dockerfile
index 6e721e87e8..57bffe74b5 100644
--- a/tests/Dockerfile
+++ b/tests/Dockerfile
@@ -5,7 +5,7 @@ FROM kindest/node:v1.30.0@sha256:047357ac0cfea04663786a612ba1eaba9702bef25227a79
# this is here so we can grab the latest version of skopeo and have dependabot keep it up to date
FROM quay.io/skopeo/stable:v1.15.1
-FROM python:3.12@sha256:00389e020fe42a6c74a8f091ce9b28324422d084efdff26eabe93bc4ae9a110b
+FROM python:3.12@sha256:4584ea46d313a10e849eb7c5ef36be14773418233516ceaa9e52a8ff7d5e35a5
RUN apt-get update \
&& apt-get install -y curl git \
From e41ed7a7ed5ddab9d35e60c13fcd54e4a8812357 Mon Sep 17 00:00:00 2001
From: Eoin O'Shaughnessy
Date: Wed, 19 Jun 2024 13:32:12 +0100
Subject: [PATCH 4/5] add login for docker scout
---
.github/workflows/build-oss.yml | 7 +++++++
.github/workflows/build-plus.yml | 7 +++++++
2 files changed, 14 insertions(+)
diff --git a/.github/workflows/build-oss.yml b/.github/workflows/build-oss.yml
index 3cd85be221..c8e088a66e 100644
--- a/.github/workflows/build-oss.yml
+++ b/.github/workflows/build-oss.yml
@@ -193,6 +193,13 @@ jobs:
ignore-unfixed: "true"
if: ${{ inputs.authenticated && steps.build-push.conclusion == 'success' }}
+ - name: DockerHub Login for Docker Scount
+ uses: docker/login-action@0d4c9c5ea7693da7b068278f7b52bda2a190a446 # v3.2.0
+ with:
+ username: ${{ secrets.DOCKER_USERNAME }}
+ password: ${{ secrets.DOCKER_PASSWORD }}
+ if: ${{ inputs.authenticated && steps.build-push.conclusion == 'success' }}
+
- name: Run Docker Scout vulnerability scanner
id: docker-scout
uses: docker/scout-action@5dae9c7571dd0f3de81f5b501240c593c13c3eb6 # v1.9.3
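Review bot: The new login step feeds `secrets.DOCKER_PASSWORD` to `docker/login-action` without `continue-on-error`, unlike the scanner steps around it, so a missing or rotated secret now fails the whole build job instead of just the Scout scan; either add `continue-on-error: true` here as well, or give this step an `id` and gate the Scout step on `steps.<login-step-id>.outcome == 'success'`. If `DOCKER_PASSWORD` holds the account password rather than a Docker Hub access token, replace it with a scoped access token limited to what Scout needs, so a leaked CI secret cannot be used to push images. The step name has a typo, `Scount` → `Scout`, here and in the matching build-plus hunk below.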
diff --git a/.github/workflows/build-plus.yml b/.github/workflows/build-plus.yml
index a8af8d0f67..f5d884d65c 100644
--- a/.github/workflows/build-plus.yml
+++ b/.github/workflows/build-plus.yml
@@ -217,6 +217,13 @@ jobs:
ignore-unfixed: "true"
if: ${{ inputs.authenticated && steps.build-push.conclusion == 'success' }}
+ - name: DockerHub Login for Docker Scount
+ uses: docker/login-action@0d4c9c5ea7693da7b068278f7b52bda2a190a446 # v3.2.0
+ with:
+ username: ${{ secrets.DOCKER_USERNAME }}
+ password: ${{ secrets.DOCKER_PASSWORD }}
+ if: ${{ inputs.authenticated && steps.build-push.conclusion == 'success' }}
+
- name: Run Docker Scout vulnerability scanner
id: docker-scout
uses: docker/scout-action@5dae9c7571dd0f3de81f5b501240c593c13c3eb6 # v1.9.3
From d41f087620923f4fd9a843312845be6dad8cd45a Mon Sep 17 00:00:00 2001
From: Eoin O'Shaughnessy
Date: Wed, 19 Jun 2024 13:50:48 +0100
Subject: [PATCH 5/5] remove upload to security tab
---
.github/workflows/build-oss.yml | 7 -------
.github/workflows/build-plus.yml | 7 -------
2 files changed, 14 deletions(-)
diff --git a/.github/workflows/build-oss.yml b/.github/workflows/build-oss.yml
index c8e088a66e..ef4e34a801 100644
--- a/.github/workflows/build-oss.yml
+++ b/.github/workflows/build-oss.yml
@@ -215,13 +215,6 @@ jobs:
summary: true
if: ${{ inputs.authenticated && steps.build-push.conclusion == 'success' }}
- - name: Upload Trivy/Scout scan results to GitHub Security tab
- uses: github/codeql-action/upload-sarif@530d4feaa9c62aaab2d250371e2061eb7a172363 # v3.25.9
- continue-on-error: true
- with:
- sarif_file: "${{ inputs.image }}-results/"
- if: ${{ inputs.authenticated && steps.build-push.conclusion == 'success' }}
-
- name: Upload Scan Results to the cache
uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
continue-on-error: true
diff --git a/.github/workflows/build-plus.yml b/.github/workflows/build-plus.yml
index f5d884d65c..2724f1226e 100644
--- a/.github/workflows/build-plus.yml
+++ b/.github/workflows/build-plus.yml
@@ -239,13 +239,6 @@ jobs:
summary: true
if: ${{ inputs.authenticated && steps.build-push.conclusion == 'success' }}
- - name: Upload Security scan results to GitHub Security tab
- uses: github/codeql-action/upload-sarif@530d4feaa9c62aaab2d250371e2061eb7a172363 # v3.25.9
- continue-on-error: true
- with:
- sarif_file: "${{ inputs.image }}-results/"
- if: ${{ inputs.authenticated && steps.build-push.conclusion == 'success' }}
-
- name: Upload Scan Results
uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
continue-on-error: true