Merge branch 'main' into ray/docker-scan

Turn off image scan on PRs
Add runtime flavor to trivy tool name
2026-04-29 03:00:45 -04:00 · 2025-09-24 16:39:16 -05:00 · 2025-09-23 20:56:07 -05:00 · 2025-09-23 20:38:43 -05:00 · 2025-09-23 20:19:56 -05:00 · 2025-09-23 20:07:56 -05:00
1 changed files with 77 additions and 6 deletions
--- a/.github/workflows/ghcr-build.yml
+++ b/.github/workflows/ghcr-build.yml
@@ -59,6 +59,7 @@ jobs:
    permissions:
      contents: read
      packages: write
+      security-events: write
    steps:
      - name: Checkout
        uses: actions/checkout@v4
@@ -85,14 +86,35 @@ jobs:
        run: |
          ./containers/build.sh -i openhands -o ${{ env.REPO_OWNER }} --push

+      - name: Run Trivy vulnerability scanner
+        if: github.event_name != 'pull_request'
+        uses: aquasecurity/trivy-action@master
+        # This only reports, does not fail the build on CVE.
+        with:
+          image-ref: ghcr.io/${{ env.REPO_OWNER }}/openhands:${{ env.RELEVANT_SHA }}
+          format: 'sarif'
+          output: 'trivy-results.sarif'
+          timeout: '10m'
+          scanners: 'vuln'  # Only scan vulnerabilities, not secrets/config
+          severity: 'CRITICAL,HIGH,MEDIUM'  # Skip LOW severity
+
+      - name: Upload Trivy results to GitHub Security tab
+        if: github.event_name != 'pull_request'
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: 'trivy-results.sarif'
+          category: 'security/container-openhands-${{ matrix.base_image.tag }}'
+          sha: "${{ env.RELEVANT_SHA }}"
+          ref: refs/heads/${{ github.event.pull_request.head.ref || github.ref_name }}
  # Builds the runtime Docker images
  ghcr_build_runtime:
-    name: Build Image
+    name: Build Runtime Image
    runs-on: blacksmith-8vcpu-ubuntu-2204
    if: "!(github.event_name == 'push' && startsWith(github.ref, 'refs/tags/ext-v'))"
    permissions:
      contents: read
      packages: write
+      security-events: write
    needs: define-matrix
    strategy:
      matrix:
@@ -166,12 +188,41 @@ jobs:
          name: runtime-src-${{ matrix.base_image.tag }}
          path: containers/runtime

+      - name: Run Trivy vulnerability scanner
+        if: github.event_name != 'pull_request'
+        uses: aquasecurity/trivy-action@master
+        # This only reports, does not fail the build on CVE.
+        with:
+          image-ref: ghcr.io/${{ env.REPO_OWNER }}/runtime:${{ env.RELEVANT_SHA }}-${{ matrix.base_image.tag }}
+          format: 'sarif'
+          output: 'trivy-results-raw.sarif'
+          timeout: '10m'
+          scanners: 'vuln'  # Only scan vulnerabilities, not secrets/config
+          severity: 'CRITICAL,HIGH,MEDIUM'  # Skip LOW severity
+      - name: Customize SARIF with image flavor
+        if: github.event_name != 'pull_request'
+        run: |
+          # Modify the tool name to include the image flavor
+          jq --arg flavor "${{ matrix.base_image.tag }}" \
+            '.runs[0].tool.driver.name = "Trivy (" + $flavor + ")"' \
+            trivy-results-raw.sarif > trivy-results.sarif
+
+          echo "Modified tool name to: $(jq -r '.runs[0].tool.driver.name' trivy-results.sarif)"
+
+      - name: Upload Trivy results to GitHub Security tab
+        if: github.event_name != 'pull_request'
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: 'trivy-results.sarif'
+          category: 'security/container-runtime-${{ matrix.base_image.tag }}'
+
  ghcr_build_enterprise:
-    name: Push Enterprise Image
+    name: Build Enterprise Image
    runs-on: blacksmith-8vcpu-ubuntu-2204
    permissions:
      contents: read
      packages: write
+      security-events: write
    needs: [define-matrix, ghcr_build_app]
    # Do not build enterprise in forks
    if: github.event.pull_request.head.repo.fork != true
@@ -211,14 +262,16 @@ jobs:
            latest=auto
            prefix=
            suffix=
+        env:
+          DOCKER_METADATA_PR_HEAD_SHA: true
      - name: Determine app image tag
        shell: bash
        run: |
          # Duplicated with build.sh
-          sanitized_ref_name=$(echo "$GITHUB_REF_NAME" | sed 's/[^a-zA-Z0-9.-]\+/-/g')
-          OPENHANDS_BUILD_VERSION=$sanitized_ref_name
+          sanitized_ref_name=$(echo "${{github.event.pull_request.head.sha}}" | sed 's/[^a-zA-Z0-9.-]\+/-/g')
          sanitized_ref_name=$(echo "$sanitized_ref_name" | tr '[:upper:]' '[:lower:]') # lower case is required in tagging
-          echo "OPENHANDS_DOCKER_TAG=${sanitized_ref_name}" >> $GITHUB_ENV
+          echo "OPENHANDS_BUILD_VERSION=${sanitized_ref_name}" >> $GITHUB_ENV
+          echo REPO_OWNER=$(echo ${{ github.repository_owner }} | tr '[:upper:]' '[:lower:]') >> $GITHUB_ENV
      - name: Build and push Docker image
        uses: useblacksmith/build-push-action@v1
        with:
@@ -228,12 +281,30 @@ jobs:
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}
          build-args: |
-            OPENHANDS_VERSION=${{ env.OPENHANDS_DOCKER_TAG }}
+            OPENHANDS_VERSION=${{ env.OPENHANDS_BUILD_VERSION }}
          platforms: linux/amd64
          # Add build provenance
          provenance: true
          # Add build attestations for better security
          sbom: true
+      - name: Run Trivy vulnerability scanner
+        uses: aquasecurity/trivy-action@master
+        if: github.event_name != 'pull_request'
+        # This only reports, does not fail the build on CVE.
+        with:
+          image-ref: "ghcr.io/${{ env.REPO_OWNER }}/enterprise-server:sha-${{ env.RELEVANT_SHA }}"
+          format: 'sarif'
+          output: 'trivy-results.sarif'
+          timeout: '10m'
+          scanners: 'vuln'  # Only scan vulnerabilities, not secrets/config
+          severity: 'CRITICAL,HIGH,MEDIUM'  # Skip LOW severity
+
+      - name: Upload Trivy results to GitHub Security tab
+        if: github.event_name != 'pull_request'
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: 'trivy-results.sarif'
+          category: 'security/container-enterprise-server'

  enterprise-preview:
    name: Enterprise preview
Author	SHA1	Message	Date
Ray Myers	52af260b2f	Merge branch 'main' into ray/docker-scan	2025-09-24 16:39:16 -05:00
Ray Myers	e47548bc98	Turn off image scan on PRs	2025-09-23 20:56:07 -05:00
Ray Myers	dbd282117c	Add runtime flavor to trivy tool name	2025-09-23 20:38:43 -05:00
Ray Myers	edf955f1b4	Add security-events permissions	2025-09-23 20:19:56 -05:00
Ray Myers	236228f7e5	Fix ref again	2025-09-23 20:07:56 -05:00
Ray Myers	6f4437cffa	Add ref	2025-09-23 20:02:19 -05:00
Ray Myers	5a98aba912	Set sha	2025-09-23 19:56:41 -05:00
Ray Myers	602fd6c19d	Make scans faster, increase timeout, add app image scan	2025-09-23 19:30:05 -05:00
Ray Myers	d92f5dfcf3	Lowercase repo owner in enterprise image	2025-09-23 18:44:40 -05:00
Ray Myers	8f2e1424a4	Enable DOCKER_METADATA_PR_HEAD_SHA	2025-09-23 18:36:57 -05:00
Ray Myers	a57ccef287	fix yaml syntax	2025-09-23 18:26:22 -05:00
Ray Myers	e206545db4	FIx enterprise docker tag sha	2025-09-23 18:20:39 -05:00
Ray Myers	244752d75b	Tag with sha not ref env	2025-09-23 18:08:30 -05:00
Ray Myers	caa2516875	Upload docker scan findings to separate categories	2025-09-23 17:25:08 -05:00
Ray Myers	5f4f9e17ab	Fix scan image tag	2025-09-23 17:14:54 -05:00
Ray Myers	ba888c48ef	chore - Add docker CVE scan for runtime and enterprise images	2025-09-23 16:42:33 -05:00