[ISSUE 435] Fix vulnerability checks

.github/workflows/ci-vulnerability-scans.yml

@@ -1,8 +1,6 @@
 # GitHub Actions CI workflow that runs vulnerability scans on the application's Docker image
 # to ensure images built are secure before they are deployed.
 
-# NOTE: The workflow isn't able to pass the docker image between jobs, so each builds the image.
-#       A future PR will pass the image between the scans to reduce overhead and increase speed
 name: CI Vulnerability Scans
 
 on:
@@ -28,6 +26,7 @@ env:
 
 jobs:
   hadolint-scan:
+    name: Hadolint Scan
     runs-on: ubuntu-latest
 
     steps:
@@ -47,25 +46,80 @@ jobs:
         run: |
           cat hadolint-results.txt >> $GITHUB_STEP_SUMMARY
 
-  trivy-scan:
+  build-and-cache:
     runs-on: ubuntu-latest
+    outputs:
+      image: ${{ steps.shared-output.outputs.image }}
 
     steps:
       - uses: actions/checkout@v3
 
-      - name: Build and tag Docker image for scanning
-        id: build-image
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@master
+
+      - name: Cache Docker layers
+        id: cache-buildx
+        uses: actions/cache@v3
+        with:
+          path: /tmp/.buildx-cache
+          key: ${{ runner.os }}-buildx-${{ github.sha }}
+          restore-keys: |
+            ${{ runner.os }}-buildx-
+
+      - name: Ensure Buildx cache exists
+        run: |
+          mkdir -p /tmp/.buildx-cache
+
+      - name: Set shared outputs
+        id: shared-output
         run: |
-          make APP_NAME=${{ env.APP_NAME }} release-build
           IMAGE_NAME=$(make APP_NAME=${{env.APP_NAME}} release-image-name)
           IMAGE_TAG=$(make release-image-tag)
           echo "image=$IMAGE_NAME:$IMAGE_TAG" >> $GITHUB_OUTPUT
 
+      - name: Build and tag Docker image for scanning
+        # If there's an exact match in cache, skip build entirely
+        if: steps.cache-buildx.outputs.cache-hit != 'true'
+        run: |
+          make APP_NAME=${{ env.APP_NAME }} release-build
+
+      - name: Save Docker image
+        if: steps.cache-buildx.outputs.cache-hit != 'true'
+        run: |
+          docker save ${{ steps.shared-output.outputs.image }} > /tmp/docker-image.tar
+
+      - name: Cache Docker image
+        if: steps.cache-buildx.outputs.cache-hit != 'true'
+        uses: actions/cache/save@v3
+        with:
+          path: /tmp/docker-image.tar
+          key: ${{ runner.os }}-docker-image-${{ github.sha }}
+
+  trivy-scan:
+    name: Trivy Scan
+    runs-on: ubuntu-latest
+    needs: build-and-cache
+
+    steps:
+      - uses: actions/checkout@v3
+
+      - name: Restore cached Docker image
+        uses: actions/cache/restore@v3
+        with:
+          path: /tmp/docker-image.tar
+          key: ${{ runner.os }}-docker-image-${{ github.sha }}
+          restore-keys: |
+            ${{ runner.os }}-docker-image-
+
+      - name: Load cached Docker image
+        run: |
+          docker load < /tmp/docker-image.tar
+
       - name: Run Trivy vulnerability scan
         uses: aquasecurity/trivy-action@master
         with:
           scan-type: image
-          image-ref: ${{ steps.build-image.outputs.image }}
+          image-ref: ${{ needs.build-and-cache.outputs.image }}
           format: table
           exit-code: 1
           ignore-unfixed: true
@@ -78,23 +132,29 @@ jobs:
           echo "View results in GitHub Action logs" >> $GITHUB_STEP_SUMMARY
 
   anchore-scan:
+    name: Anchore Scan
     runs-on: ubuntu-latest
+    needs: build-and-cache
 
     steps:
       - uses: actions/checkout@v3
 
-      - name: Build and tag Docker image for scanning
-        id: build-image
+      - name: Restore cached Docker image
+        uses: actions/cache/restore@v3
+        with:
+          path: /tmp/docker-image.tar
+          key: ${{ runner.os }}-docker-image-${{ github.sha }}
+          restore-keys: |
+            ${{ runner.os }}-docker-image-
+
+      - name: Load cached Docker image
         run: |
-          make APP_NAME=${{ env.APP_NAME }} release-build
-          IMAGE_NAME=$(make APP_NAME=${{ env.APP_NAME }} release-image-name)
-          IMAGE_TAG=$(make release-image-tag)
-          echo "image=$IMAGE_NAME:$IMAGE_TAG" >> $GITHUB_OUTPUT
+          docker load < /tmp/docker-image.tar
 
       - name: Run Anchore vulnerability scan
         uses: anchore/scan-action@v3
         with:
-          image: ${{ steps.build-image.outputs.image }}
+          image: ${{ needs.build-and-cache.outputs.image }}
           output-format: table
 
       - name: Save output to workflow summary
@@ -103,18 +163,24 @@ jobs:
           echo "View results in GitHub Action logs" >> $GITHUB_STEP_SUMMARY
 
   dockle-scan:
+    name: Dockle Scan
     runs-on: ubuntu-latest
+    needs: build-and-cache
 
     steps:
       - uses: actions/checkout@v3
 
-      - name: Build and tag Docker image for scanning
-        id: build-image
+      - name: Restore cached Docker image
+        uses: actions/cache/restore@v3
+        with:
+          path: /tmp/docker-image.tar
+          key: ${{ runner.os }}-docker-image-${{ github.sha }}
+          restore-keys: |
+            ${{ runner.os }}-docker-image-
+
+      - name: Load cached Docker image
         run: |
-          make APP_NAME=${{ env.APP_NAME }} release-build
-          IMAGE_NAME=$(make APP_NAME=${{ env.APP_NAME }} release-image-name)
-          IMAGE_TAG=$(make release-image-tag)
-          echo "image=$IMAGE_NAME:$IMAGE_TAG" >> $GITHUB_OUTPUT
+          docker load < /tmp/docker-image.tar
 
       # Dockle doesn't allow you to have an ignore file for the DOCKLE_ACCEPT_FILES
       # variable, this will save the variable in this file to env for Dockle
@@ -127,7 +193,7 @@ jobs:
       - name: Run Dockle container linter
         uses: erzz/[email protected]
         with:
-          image: ${{ steps.build-image.outputs.image }}
+          image: ${{ needs.build-and-cache.outputs.image }}
           exit-code: "1"
           failure-threshold: WARN
           accept-filenames: ${{ env.DOCKLE_ACCEPT_FILES }}

Makefile

@@ -155,7 +155,7 @@ INFO_TAG := $(DATE).$(USER)
 release-build: ## Build release for $APP_NAME and tag it with current git hash
 	@:$(call check_defined, APP_NAME, the name of subdirectory of /infra that holds the application's infrastructure code)
 	cd $(APP_NAME) && $(MAKE) release-build \
-		OPTS="--tag $(IMAGE_NAME):latest --tag $(IMAGE_NAME):$(IMAGE_TAG)"
+		OPTS="--tag $(IMAGE_NAME):latest --tag $(IMAGE_NAME):$(IMAGE_TAG) --load -t $(IMAGE_NAME):$(IMAGE_TAG)"
 
 release-publish: ## Publish release to $APP_NAME's build repository
 	@:$(call check_defined, APP_NAME, the name of subdirectory of /infra that holds the application's infrastructure code)

frontend/Makefile

@@ -28,6 +28,8 @@ export RUN_UID
 release-build:
 	docker buildx build \
 	  --target release \
+		--cache-from=type=local,src=/tmp/.buildx-cache \
+		--cache-to=type=local,dest=/tmp/.buildx-cache \
 		--platform=linux/amd64 \
 		--build-arg RUN_USER=$(RUN_USER) \
 		--build-arg RUN_UID=$(RUN_UID) \