Introduce Official Bandit Images #1088
There are no files selected for viewing
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,51 @@ | ||
| name: Build and Publish Bandit Images | ||
|
|
||
| on: | ||
| release: | ||
| types: [created] | ||
| schedule: | ||
| - cron: '0 0 * * 0' # Every Sunday at midnight | ||
|
|
||
| jobs: | ||
| build-and-publish: | ||
| runs-on: ubuntu-latest | ||
| permissions: | ||
| contents: read | ||
| packages: write | ||
| id-token: write | ||
|
|
||
| steps: | ||
| - name: Check out the repo | ||
| uses: actions/checkout@v4 | ||
|
|
||
| - name: Set up Docker Buildx | ||
| uses: docker/setup-buildx-action@v3 | ||
|
|
||
| - name: Log in to GitHub Container Registry | ||
| uses: docker/login-action@v3 | ||
|
There was a problem hiding this comment. Can we use hashes here? I believe the OSSF score card prefers those and dependabot will still properly send updates for them. There was a problem hiding this comment. Sure, I will pass https://github.com/stacklok/frizbee against this I was planning on introducing https://github.com/stacklok/minder at some point too, but we can discuss that on discord. With minder, we replace tags with digests as a remediation step. |
||
| with: | ||
| registry: ghcr.io | ||
| username: ${{ github.actor }} | ||
| password: ${{ secrets.GITHUB_TOKEN }} | ||
|
|
||
| - name: Install Cosign | ||
| uses: sigstore/cosign-installer@v3.3.0 | ||
| with: | ||
| cosign-release: 'v2.2.2' | ||
|
|
||
| - name: Build and push Docker image | ||
| id: build-and-push | ||
| uses: docker/build-push-action@v5 | ||
| with: | ||
| context: . | ||
| file: ./docker/Dockerfile | ||
| push: true | ||
| tags: ghcr.io/${{ github.repository }}/bandit:latest | ||
|
There was a problem hiding this comment. We can specify a list here, do we want to try to do that? For example, we could do use the current date too so that we're tagging both latest and the current date, e.g., There was a problem hiding this comment. I also don't see us including the version of Bandit here but maybe that's because we are using the same action on a schedule and for releases? There was a problem hiding this comment. Oh, also, if we're doing this on a schedule like this, does that mean we're publishing the head of There was a problem hiding this comment. That is actually a very good point, with a schedule we end up pushing main and not a release (I am not at my best this morning!). Let me dwell on if there is a better method for this (I am not sure there is) unless we get into trying to predict what the last release was There was a problem hiding this comment. I also thought it best to not use bandit releases, latest should always be usable. There was a problem hiding this comment. I wonder, also if we want to add labels here to the image, e.g., If we're running a schedule, could we find the latest tag, check that out and rebuild? I assume the scheduled rebuild is to address vulnerabilities in the base image like I raised as a concern? There was a problem hiding this comment. Getting back on to this , apologies for the haitus.
Yes, this rebuild the entire image every sunday at midnight. This covers off any CVEs in the base image that have collected since our last release. I am going to push another commit now with a workflow_dispatch. this will allow us to manually start the action if anything particular comes out nasty between the scheduled runs. |
||
| platforms: linux/amd64, linux/arm64, linux/arm/v7, linux/arm/v8 | ||
|
|
||
| - name: Sign the image | ||
| env: | ||
| TAGS: ghcr.io/${{ github.repository }}/bandit:latest | ||
| DIGEST: ${{ steps.build-and-push.outputs.digest }} | ||
| run: | | ||
| echo "${TAGS}" | xargs -I {} cosign sign --yes {}@${DIGEST} | ||
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,16 @@ | ||
| FROM python:3.12-alpine | ||
|
|
||
| # Install Git (required for pbr versioning) | ||
| RUN apk add --no-cache git | ||
|
|
||
| # Copy the source code into the container | ||
| COPY . /bandit | ||
|
|
||
| # Set the working directory | ||
| WORKDIR /bandit | ||
|
|
||
| # Install Bandit from the source code using pip | ||
| RUN pip install . | ||
|
|
||
| # Define entrypoint and default command | ||
| ENTRYPOINT ["bandit"] |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Do we also want to do this in a specific environment for the project to make it harder for untrusted folks to publish? https://github.com/urllib3/urllib3/blob/8beb3502cf6c945485174d96d90f2f5e5929bcbd/.github/workflows/publish.yml#L15-L16 I believe urllib3 has it such that only a handful of the core maintainers can actually publish a release. I need to see if I can find Seth's blog post on the benefits
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Sounds good
Could we take this as a follow up?