sozercan · sozercan · Feb 18, 2025 · Feb 18, 2025
diff --git a/Dockerfile.local-test b/Dockerfile.local-test
@@ -0,0 +1 @@
+FROM ubuntu:focal-20200925
diff --git a/patch-action-containerd-local.yaml b/patch-action-containerd-local.yaml
@@ -0,0 +1,88 @@
+name: Patch vulnerable images (Action Local Containerd)
+on:
+  workflow_dispatch:
+jobs:
+  patch:
+    runs-on: ubuntu-latest
+    # used for pushing patched image to GHCR
+    permissions:
+      contents: read
+      packages: write
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Set up Docker
+        uses: crazy-max/ghaction-setup-docker@v3
+        with:
+          daemon-config: |
+              {
+              "debug": true,
+              "experimental": true,
+                  "features": {
+                  "containerd-snapshotter": true
+                  }
+              }
+
+      - name: Build Docker image
+        run: |
+          docker build -t focal:20200925 -f Dockerfile.local-test .
+
+        # install jq for parsing JSON
+      # generate trivy report for fixable OS package vulnerabilities
+      - name: Generate Trivy Report
+        uses: aquasecurity/trivy-action@d43c1f16c00cfd3978dde6c07f4bbcf9eb6993ca # 0.16.1
+        with:
+          scan-type: "image"
+          format: "json"
+          output: "report.json"
+          ignore-unfixed: true
+          vuln-type: "os"
+          image-ref: focal:latest
+
+        # check whether there are any OS package vulnerabilities
+      - name: Check vulnerability count
+        id: vuln_count
+        run: |
+          report_file="report.json"
+          vuln_count=$(jq 'if .Results then [.Results[] | select(.Class=="os-pkgs" and .Vulnerabilities!=null) | .Vulnerabilities[]] | length else 0 end' "$report_file")
+          echo "vuln_count=$vuln_count" >> $GITHUB_OUTPUT
+
+      - name: Get socket path
+        run: |
+          url=$(docker context inspect | jq -r .[0].Endpoints.docker.Host)
+          socket_path=$(echo "$url" | awk -F// '{print $2}')
+          echo "$socket_path"
+          echo "SOCKET=$socket_path" >> $GITHUB_ENV
+
+        # copa action will only run if there are vulnerabilities
+      - name: Run Copa action
+        if: steps.vuln_count.outputs.vuln_count != '0'
+        id: copa
+        uses: project-copacetic/[email protected]
+        with:
+          image: "focal:20200925"
+          image-report: "report.json"
+          patched-tag: "patched"
+          timeout: 5m
+          custom-socket: ${SOCKET}
+          output: out.json
+
+      - run: sudo cat out.json
+
+      #   # see https://github.com/docker/login-action#usage for other registries
+      # - name: Login to GHCR
+      #   if: steps.copa.conclusion == 'success'
+      #   id: login
+      #   uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
+      #   with:
+      #     registry: ghcr.io
+      #     username: ${{ github.actor }}
+      #     password: ${{ secrets.GITHUB_TOKEN }}
+
+      # - name: Push patched image
+      #   if: steps.login.conclusion == 'success'
+      #   run: |
+      #     # retag if needed
+      #     docker tag ${{ steps.copa.outputs.patched-image }} ghcr.io/project-copacetic/copa-action/test/${{ steps.copa.outputs.patched-image }}
+      #     docker push ghcr.io/project-copacetic/copa-action/test/${{ steps.copa.outputs.patched-image }}