#+TITLE: Securing supply chain
#+DATE: <2024-08-28 Wed>
#+AUTHOR: James Blair


Red Hat Advanced Cluster Security can be easily integrated into an existing GitHub actions pipeline through the existing Stackrox suite of [[https://github.com/marketplace?query=stackrox][open source actions]]. The ~roxctl~ cli can be used to scan images for vulnerabilities or common misconfigurations.

* Configure rhacs github oidc auth

Red Hat Advanced Cluster Security for Kubernetes (RHACS) provides the ability to configure short-lived access to the user interface and API calls.

You can configure this by exchanging OpenID Connect (OIDC) identity tokens for a RHACS-issued token.

We recommend this especially for Continuous Integration (CI) usage, where short-lived access is preferable over long-lived API tokens.

Refer: https://docs.openshift.com/acs/4.5/operating/manage-user-access/configure-short-lived-access.html


* Create github actions pipeline

An example pipeline is included below and in this repository.

#+begin_src yaml
---
name: Secure image build
on: workflow_dispatch
permissions:
  contents: read

jobs:

  build-and-push-image:
    name: Build and push image
    runs-on: ubuntu-latest
    steps:

      - name: Checkout code
        uses: actions/checkout@v4

      - name: Build image
        uses: redhat-actions/buildah-build@v2
        with:
          image: quay.io/rh_ee_jablair/ubi9
          tags: v0.0.1-${{ github.sha }}
          containerfiles: |
            ./2024-08-28-rhacs-actions-pipeline/Containerfile

      - name: Push to quay.io
        uses: redhat-actions/push-to-registry@v2
        with:
          image: ubi9
          tags: v0.0.1-${{ github.sha }}
          registry: quay.io/rh_ee_jablair
          username: ${{ secrets.QUAY_USERNAME }}
          password: ${{ secrets.QUAY_PASSWORD }}


  scan-image:
    runs-on: ubuntu-latest
    needs: build-and-push-image
    permissions:
      id-token: write
    steps:

      - name: Rhacs login
        uses: stackrox/central-login@v1
        with:
          endpoint: ${{ secrets.CENTRAL_ENDPOINT }}
          skip-tls-verify: true

      - name: Install roxctl
        uses: stackrox/roxctl-installer-action@v1
        with:
          central-endpoint: ${{ secrets.CENTRAL_ENDPOINT }}
          central-token: ${{ secrets.ROX_API_TOKEN }}
          skip-tls-verify: true

      - name: Scan image with roxctl
        shell: bash
        run: |
          roxctl image scan --output=table --image="quay.io/rh_ee_jablair/ubi9:v0.0.1-${{ github.sha }}" --insecure-skip-tls-verify
          roxctl image check --output=table --image="quay.io/rh_ee_jablair/ubi9:v0.0.1-${{ github.sha }}" --insecure-skip-tls-verify
#+end_src