diff --git a/.github/actions/trivy-scan/action.yml b/.github/actions/trivy-scan/action.yml
index e3c2404748..5eca1266b0 100644
--- a/.github/actions/trivy-scan/action.yml
+++ b/.github/actions/trivy-scan/action.yml
@@ -87,7 +87,7 @@ runs:
 uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
 if: always()
 with:
- name: trivy-scan-report-${{ inputs.image-name }}
+ name: trivy-scan-report-${{ inputs.image-name }}-${{ inputs.image-tag }}
 path: trivy-report.json
 retention-days: ${{ inputs.artifact-retention-days }}
 
diff --git a/.github/workflows/api-container-build-push.yml b/.github/workflows/api-container-build-push.yml
index bb15b23303..102fb1a114 100644
--- a/.github/workflows/api-container-build-push.yml
+++ b/.github/workflows/api-container-build-push.yml
@@ -7,7 +7,7 @@ on:
 paths:
 - 'api/**'
 - 'prowler/**'
- - '.github/workflows/api-build-lint-push-containers.yml'
+ - '.github/workflows/api-container-build-push.yml'
 release:
 types:
 - 'published'
diff --git a/.github/workflows/api-container-checks.yml b/.github/workflows/api-container-checks.yml
index d069b0d5a6..58e0189825 100644
--- a/.github/workflows/api-container-checks.yml
+++ b/.github/workflows/api-container-checks.yml
@@ -43,7 +43,16 @@ jobs:
 ignore: DL3013
 
 api-container-build-and-scan:
- runs-on: ubuntu-latest
+ runs-on: ${{ matrix.runner }}
+ strategy:
+ matrix:
+ include:
+ - platform: linux/amd64
+ runner: ubuntu-latest
+ arch: amd64
+ - platform: linux/arm64
+ runner: ubuntu-24.04-arm
+ arch: arm64
 timeout-minutes: 30
 permissions:
 contents: read
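Review bot: The artifact name now embeds `inputs.image-tag` verbatim, and upload-artifact refuses names containing path or shell-special characters such as `/`, `:` and `\`; the `<sha>-<arch>` values the callers in this diff pass are safe, but the action itself neither validates nor documents that constraint, so a future caller passing a registry-style tag would make the upload step fail silently under `if: always()`. Suggest recording it on the input definition in the action's `inputs:` block (outside this hunk), e.g. `description: 'Image tag to scan; also becomes part of the report artifact name, so it must contain only filename-safe characters'`. The enclosing `runs:` block starts before this hunk.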
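Review bot: The new `strategy.matrix` leaves `fail-fast` at its default of `true`, so a failure in the arm64 build job cancels the amd64 job and its Trivy report is never uploaded, which defeats the purpose of producing one scan per architecture; add `fail-fast: false` directly under `strategy:`. The same omission is in the identical matrix blocks added to mcp-container-checks.yml, sdk-container-checks.yml and ui-container-checks.yml in this diff. As far as I know the `ubuntu-24.04-arm` label is a GitHub-hosted runner offered to public repositories, so a private fork would see the arm64 job queue with no runner unless it configures one; a one-line comment next to that `runner:` entry stating the assumption would save the next person the debugging. The `api-container-build-and-scan` job continues past the end of this hunk.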
@@ -68,22 +77,23 @@ jobs:
 if: steps.check-changes.outputs.any_changed == 'true'
 uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1
 
- - name: Build container
+ - name: Build container for ${{ matrix.arch }}
 if: steps.check-changes.outputs.any_changed == 'true'
 uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
 with:
 context: ${{ env.API_WORKING_DIR }}
 push: false
 load: true
- tags: ${{ env.IMAGE_NAME }}:${{ github.sha }}
- cache-from: type=gha
- cache-to: type=gha,mode=max
+ platforms: ${{ matrix.platform }}
+ tags: ${{ env.IMAGE_NAME }}:${{ github.sha }}-${{ matrix.arch }}
+ cache-from: type=gha,scope=${{ matrix.arch }}
+ cache-to: type=gha,mode=max,scope=${{ matrix.arch }}
 
- - name: Scan container with Trivy
+ - name: Scan container with Trivy for ${{ matrix.arch }}
 if: github.repository == 'prowler-cloud/prowler' && steps.check-changes.outputs.any_changed == 'true'
 uses: ./.github/actions/trivy-scan
 with:
 image-name: ${{ env.IMAGE_NAME }}
- image-tag: ${{ github.sha }}
+ image-tag: ${{ github.sha }}-${{ matrix.arch }}
 fail-on-critical: 'false'
 severity: 'CRITICAL'
diff --git a/.github/workflows/mcp-container-checks.yml b/.github/workflows/mcp-container-checks.yml
index 3310cd8c5a..d4f377f8fe 100644
--- a/.github/workflows/mcp-container-checks.yml
+++ b/.github/workflows/mcp-container-checks.yml
@@ -42,7 +42,16 @@ jobs:
 dockerfile: mcp_server/Dockerfile
 
 mcp-container-build-and-scan:
- runs-on: ubuntu-latest
+ runs-on: ${{ matrix.runner }}
+ strategy:
+ matrix:
+ include:
+ - platform: linux/amd64
+ runner: ubuntu-latest
+ arch: amd64
+ - platform: linux/arm64
+ runner: ubuntu-24.04-arm
+ arch: arm64
 timeout-minutes: 30
 permissions:
 contents: read
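Review bot: `cache-from` and `cache-to` now use `scope=${{ matrix.arch }}`, but the mcp, sdk and ui workflows in this diff use exactly the same two scope values, so as I understand the gha cache backend all four images write their cache index under the same key per architecture and the last writer wins, leaving the others with cold caches; namespace the scope by image, e.g. `cache-from: type=gha,scope=api-${{ matrix.arch }}` and `cache-to: type=gha,mode=max,scope=api-${{ matrix.arch }}`. The same change is needed in the corresponding hunks of mcp-container-checks.yml, sdk-container-checks.yml and ui-container-checks.yml. `load: true` also only works with a single platform, which every matrix entry here satisfies; a short comment on the `platforms:` line saying so would keep a later multi-platform entry from breaking the step. The `steps:` list begins before this hunk.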
@@ -66,22 +75,23 @@ jobs:
 if: steps.check-changes.outputs.any_changed == 'true'
 uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1
 
- - name: Build MCP container
+ - name: Build MCP container for ${{ matrix.arch }}
 if: steps.check-changes.outputs.any_changed == 'true'
 uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
 with:
 context: ${{ env.MCP_WORKING_DIR }}
 push: false
 load: true
- tags: ${{ env.IMAGE_NAME }}:${{ github.sha }}
- cache-from: type=gha
- cache-to: type=gha,mode=max
+ platforms: ${{ matrix.platform }}
+ tags: ${{ env.IMAGE_NAME }}:${{ github.sha }}-${{ matrix.arch }}
+ cache-from: type=gha,scope=${{ matrix.arch }}
+ cache-to: type=gha,mode=max,scope=${{ matrix.arch }}
 
- - name: Scan MCP container with Trivy
+ - name: Scan MCP container with Trivy for ${{ matrix.arch }}
 if: github.repository == 'prowler-cloud/prowler' && steps.check-changes.outputs.any_changed == 'true'
 uses: ./.github/actions/trivy-scan
 with:
 image-name: ${{ env.IMAGE_NAME }}
- image-tag: ${{ github.sha }}
+ image-tag: ${{ github.sha }}-${{ matrix.arch }}
 fail-on-critical: 'false'
 severity: 'CRITICAL'
diff --git a/.github/workflows/sdk-container-checks.yml b/.github/workflows/sdk-container-checks.yml
index 4e8a7cf2ad..af48cc63dc 100644
--- a/.github/workflows/sdk-container-checks.yml
+++ b/.github/workflows/sdk-container-checks.yml
@@ -44,7 +44,16 @@ jobs:
 
 sdk-container-build-and-scan:
 if: github.repository == 'prowler-cloud/prowler'
- runs-on: ubuntu-latest
+ runs-on: ${{ matrix.runner }}
+ strategy:
+ matrix:
+ include:
+ - platform: linux/amd64
+ runner: ubuntu-latest
+ arch: amd64
+ - platform: linux/arm64
+ runner: ubuntu-24.04-arm
+ arch: arm64
 timeout-minutes: 30
 permissions:
 contents: read
@@ -82,22 +91,23 @@ jobs:
 if: steps.check-changes.outputs.any_changed == 'true'
 uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1
 
- - name: Build SDK container
+ - name: Build SDK container for ${{ matrix.arch }}
 if: steps.check-changes.outputs.any_changed == 'true'
 uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
 with:
 context: .
 push: false
 load: true
- tags: ${{ env.IMAGE_NAME }}:${{ github.sha }}
- cache-from: type=gha
- cache-to: type=gha,mode=max
+ platforms: ${{ matrix.platform }}
+ tags: ${{ env.IMAGE_NAME }}:${{ github.sha }}-${{ matrix.arch }}
+ cache-from: type=gha,scope=${{ matrix.arch }}
+ cache-to: type=gha,mode=max,scope=${{ matrix.arch }}
 
- - name: Scan SDK container with Trivy
- if: steps.check-changes.outputs.any_changed == 'true'
+ - name: Scan SDK container with Trivy for ${{ matrix.arch }}
+ if: github.repository == 'prowler-cloud/prowler' && steps.check-changes.outputs.any_changed == 'true'
 uses: ./.github/actions/trivy-scan
 with:
 image-name: ${{ env.IMAGE_NAME }}
- image-tag: ${{ github.sha }}
+ image-tag: ${{ github.sha }}-${{ matrix.arch }}
 fail-on-critical: 'false'
 severity: 'CRITICAL'
diff --git a/.github/workflows/ui-container-checks.yml b/.github/workflows/ui-container-checks.yml
index e436c3974a..e9dd3a192f 100644
--- a/.github/workflows/ui-container-checks.yml
+++ b/.github/workflows/ui-container-checks.yml
@@ -43,7 +43,16 @@ jobs:
 ignore: DL3018
 
 ui-container-build-and-scan:
- runs-on: ubuntu-latest
+ runs-on: ${{ matrix.runner }}
+ strategy:
+ matrix:
+ include:
+ - platform: linux/amd64
+ runner: ubuntu-latest
+ arch: amd64
+ - platform: linux/arm64
+ runner: ubuntu-24.04-arm
+ arch: arm64
 timeout-minutes: 30
 permissions:
 contents: read
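Review bot: The `github.repository == 'prowler-cloud/prowler'` clause added to the Trivy step's `if:` is redundant in this file, because `sdk-container-build-and-scan` already carries `if: github.repository == 'prowler-cloud/prowler'` at job level (visible in this file's first hunk); it is harmless and brings the step in line with the other three workflows, but a comment such as `# job-level if already restricts to upstream; kept for parity with the other container-checks workflows` would stop a reader from looking for a behavioural difference. Conversely, the api, mcp and ui jobs have no job-level guard, so on forks they build both architectures and skip only the scan; if that is not intended, the job-level guard used here is the pattern to copy. The `steps:` list begins before this hunk.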
@@ -67,7 +76,7 @@ jobs:
 if: steps.check-changes.outputs.any_changed == 'true'
 uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1
 
- - name: Build UI container
+ - name: Build UI container for ${{ matrix.arch }}
 if: steps.check-changes.outputs.any_changed == 'true'
 uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
 with:
@@ -75,17 +84,18 @@ jobs:
 target: prod
 push: false
 load: true
- tags: ${{ env.IMAGE_NAME }}:${{ github.sha }}
- cache-from: type=gha
- cache-to: type=gha,mode=max
+ platforms: ${{ matrix.platform }}
+ tags: ${{ env.IMAGE_NAME }}:${{ github.sha }}-${{ matrix.arch }}
+ cache-from: type=gha,scope=${{ matrix.arch }}
+ cache-to: type=gha,mode=max,scope=${{ matrix.arch }}
 build-args: |
 NEXT_PUBLIC_STRIPE_PUBLISHABLE_KEY=pk_test_51LwpXXXX
 
- - name: Scan UI container with Trivy
+ - name: Scan UI container with Trivy for ${{ matrix.arch }}
 if: github.repository == 'prowler-cloud/prowler' && steps.check-changes.outputs.any_changed == 'true'
 uses: ./.github/actions/trivy-scan
 with:
 image-name: ${{ env.IMAGE_NAME }}
- image-tag: ${{ github.sha }}
+ image-tag: ${{ github.sha }}-${{ matrix.arch }}
 fail-on-critical: 'false'
 severity: 'CRITICAL'