[trivy] Include vizier and cloud dependency images in image scan (#2231)

ddelnano · web-flow · commit 0a0ffb6863dc · 2025-07-16T12:31:57.000-07:00
Summary: [trivy] Include vizier and cloud dependency images in image scan While are aware of CVEs and vulnerabilities with Pixie's code, our dependency images are a blind spot in our security scanning. This change updates the trivy-image GitHub action to include the cloud and vizier dependency images so we can address those vulnerabilities in a timely manner. This change makes it possible to add the operator dependency images in the future, but for now I've omitted them (dealing with helm is a bit challenging without some additional work). Relevant Issues: N/A Type of change: /kind dependencies Test Plan: Verified the following - [x] Simulated test works ``` $ bazel build k8s/cloud:cloud_image_list $ cat bazel-bin/k8s/cloud/cloud_image_list.txt | grep -v '\/cloud' | xargs -I{} sh -c 'trivy image {}' $ bazel build k8s/vizier:vizier_image_list $ cat bazel-bin/k8s/vizier/vizier_image_list.txt | grep -v '\/vizier' | xargs -I{} sh -c 'trivy image {}' ``` - [x] GitHub action completed successfully ([link](https://github.com/pixie-io/pixie/actions/runs/16327263639)) --------- Signed-off-by: Dom Del Nano <ddelnano@gmail.com>
diff --git a/.github/workflows/trivy_images.yaml b/.github/workflows/trivy_images.yaml
@@ -47,14 +47,40 @@ jobs:
       # yamllint disable rule:line-length
       run: |
         mkdir -p sarif/${{ matrix.artifact }}
-        ./bazel-bin/k8s/${{ matrix.artifact }}/list_image_bundle | xargs -I{} sh -c 'trivy image {} --format=sarif --output=sarif/${{ matrix.artifact }}/$(basename {} | cut -d":" -f1).sarif'
+        ./bazel-bin/k8s/${{ matrix.artifact }}/list_image_bundle | xargs -I{} sh -c 'trivy image --scanners vuln {} --format=sarif --output=sarif/${{ matrix.artifact }}/$(basename {} | cut -d":" -f1).sarif'
+
+        # TODO(ddelnano): Remove this check once the operator dependency images are supported.
+        # This requires rendering helm templates and requires some additional work.
+        if [ "${{ matrix.artifact }}" = "operator" ]; then
+          echo "Skipping operator image scan for now."
+          exit 0
+        fi
+
+        echo "Found non bazel images for ${{ matrix.artifact }}."
+        ./scripts/bazel_ignore_codes.sh build \
+          //k8s/${{ matrix.artifact }}:${{ matrix.artifact }}_image_list
+
+        mkdir -p sarif/${{ matrix.artifact }}_deps
+        # Ignore images whose basename is "/${{ matrix.artifact }}" to avoid scanning the bazel built images (e.g. /vizier-, /cloud-)
+        # The deps images must have their file named processed differently to avoid conflicts with the image name. For example,
+        # ory/hydra:v1.9.2-alpine and ory/hydra:v1.9.2-sqlite must not conflict.
+        cat ./bazel-bin/k8s/${{ matrix.artifact }}/${{ matrix.artifact }}_image_list.txt | grep -v "\/${{ matrix.artifact }}" | xargs -I{} sh -c 'trivy image --scanners vuln {} --format=sarif --output=sarif/${{ matrix.artifact }}_deps/$(basename {} | cut -d"@" -f1 | tr ":" "_").sarif'
       # yamllint enable rule:line-length
     - run: |
-        for f in "sarif/${{ matrix.artifact }}/"*; do
+        # Loop through all ${artifact} and ${artifact}_deps sarif files
+        for f in "sarif/${{ matrix.artifact }}"*/*; do
           jq '.runs[].tool.driver.name = "trivy-images"' < "$f" > tmp
-          mv tmp "$f"
+          # The runAutomationDetails's object must contain a unique category as required by the CodeQL SARIF uploader
+          # The id value will be interpreted like so: "${category}/${run_id}"
+          filename=$(basename "$f")/
+          jq --arg id "$filename" '.runs[].automationDetails.id = $id' < tmp > "$f"
         done
     - uses: github/codeql-action/upload-sarif@1b549b9259bda1cb5ddde3b41741a82a2d15a841  # v3.28.13
       with:
         sarif_file: sarif/${{ matrix.artifact }}
-        category: trivy-images
+    # TODO(ddelnano): Remove this check once the operator dependency images are supported.
+    # This requires rendering helm templates and requires some additional work.
+    - uses: github/codeql-action/upload-sarif@1b549b9259bda1cb5ddde3b41741a82a2d15a841  # v3.28.13
+      if: ${{ matrix.artifact != 'operator' }}
+      with:
+        sarif_file: sarif/${{ matrix.artifact }}_deps
diff --git a/k8s/cloud/BUILD.bazel b/k8s/cloud/BUILD.bazel
@@ -79,6 +79,26 @@ kustomize_build(
     ],
 )
 
+kustomize_build(
+    name = "pixie_oss_cloud",
+    srcs = glob(
+        [
+            "base/**/*.yaml",
+            "overlays/**/*.yaml",
+            "public/**/*.yaml",
+        ],
+        exclude = ["public/kustomization.yaml"],
+    ),
+    kustomization = "public/kustomization.yaml",
+    replacements = image_replacements(
+        image_map = CLOUD_IMAGE_TO_LABEL,
+    ),
+    toolchains = [
+        "//k8s:image_prefix",
+        "//k8s:bundle_version",
+    ],
+)
+
 container_bundle(
     name = "image_bundle",
     images = CLOUD_IMAGE_TO_LABEL,
@@ -102,3 +122,16 @@ container_push(
     bundle = ":image_bundle",
     format = "Docker",
 )
+
+genrule(
+    name = "cloud_image_list",
+    srcs = [
+        ":pixie_oss_cloud",
+        "//k8s/cloud_deps:public",
+    ],
+    outs = ["cloud_image_list.txt"],
+    cmd = """
+    $(location @com_github_mikefarah_yq_v4//:v4) '..|.image?|select(.|type == "!!str")' -o json $(SRCS) | sort | uniq > $@
+    """,
+    tools = ["@com_github_mikefarah_yq_v4//:v4"],
+)
diff --git a/k8s/cloud_deps/BUILD.bazel b/k8s/cloud_deps/BUILD.bazel
@@ -0,0 +1,32 @@
+# Copyright 2018- The Pixie Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+
+load("//bazel:kustomize.bzl", "kustomize_build")
+
+package(default_visibility = ["//visibility:public"])
+
+kustomize_build(
+    name = "public",
+    srcs = glob(
+        [
+            "base/**/*.yaml",
+            "dev/**/*.yaml",
+            "public/**/*.yaml",
+        ],
+        exclude = ["public/kustomization.yaml"],
+    ),
+    kustomization = "public/kustomization.yaml",
+)
