Merged

52 commits
0c70de5  Document smart version matching logic in README  (peter-at-progress, Feb 26, 2026)
8c9a030  starting work on container scans for automate  (peter-at-progress, Feb 27, 2026)
9e50748  fixing the installation verification  (peter-at-progress, Feb 27, 2026)
5dedb41  The container is building successfully, but chef-automate init-config…  (peter-at-progress, Feb 27, 2026)
28670fb  Fix Dockerfile to point to correct automate bin path  (peter-at-progress, Feb 27, 2026)
b9001a7  temporarily disable strict pipe error checking  (peter-at-progress, Feb 27, 2026)
676a98b  fixing json output to analyze scan data  (peter-at-progress, Feb 27, 2026)
34d6916  capturing prettyprinted json output of grype scan  (peter-at-progress, Feb 27, 2026)
b3b6e5d  collect size of install on disk  (peter-at-progress, Feb 27, 2026)
9cfb660  adding channel input for dockerfiler  (peter-at-progress, Mar 2, 2026)
b6eda28  adding license id for automate download  (peter-at-progress, Mar 2, 2026)
c68854e  disable trivy scans  (peter-at-progress, Mar 2, 2026)
e6a2d8e  do not check trivy cache unless explicitly enabled  (peter-at-progress, Mar 2, 2026)
0f83a95  capture cli build number  (peter-at-progress, Mar 5, 2026)
ba4a8bf  fix hab_auth_token fallback  (peter-at-progress, Mar 5, 2026)
7c1add2  separating hab vulns by dep type  (peter-at-progress, Mar 5, 2026)
f530dc6  testing automate dev and current version compar  (peter-at-progress, Mar 5, 2026)
9cd0d97  printing error logs  (peter-at-progress, Mar 16, 2026)
8c7beb8  skip pre-flight automate cli version checks  (peter-at-progress, Mar 16, 2026)
d41b75f  adding insert to db action  (peter-at-progress, Mar 16, 2026)
4aef625  add per-CVE detail upserts alongside trend counts  (peter-at-progress, Mar 18, 2026)
f61240b  adding skip-trend-insert input  (peter-at-progress, Mar 18, 2026)
9f3ee60  adding skip-trend-insert input  (peter-at-progress, Mar 18, 2026)
080de7a  adding download site value as a category  (peter-at-progress, Mar 18, 2026)
a85ff7c  removing trivy from cvs  (peter-at-progress, Mar 23, 2026)
f7853ef  updating initial workflows to create tags  (sean-sype-simmons, Feb 20, 2026)
2c119d8  updating documentation  (sean-sype-simmons, Feb 20, 2026)
d4a276c  adding updates to the version to include things like -beta and -rc1  (sean-sype-simmons, Feb 20, 2026)
87d6b0b  fixing race condition  (sean-sype-simmons, Feb 20, 2026)
a6a100b  [copyright-automator] Empty commit - placeholder to open PR for manua…  (Feb 16, 2026)
5ac8f17  Added manual edits of copyrights  (cgunasree08, Feb 17, 2026)
88aea89  Added SECURITY.md with standard template  (cgunasree08, Dec 2, 2025)
811cccf  Copy version bumper over from inspec/github-actions-testing  (clintoncwolfe, May 16, 2025)
82cd627  Doc tweaks  (clintoncwolfe, May 16, 2025)
b161b33  Use naming convention  (clintoncwolfe, May 16, 2025)
fcc94fd  Disable Bundler for bump install - we don't need it, and no need to i…  (clintoncwolfe, May 16, 2025)
e247e3b  Diagnose missed files in file lister  (clintoncwolfe, May 16, 2025)
d9a371b  Simplify file listing  (clintoncwolfe, May 16, 2025)
1de26ef  Don't include VERSION explicitly, that is an error  (clintoncwolfe, May 16, 2025)
d5c8149  Creating CODE_OF_CONDUCT.md  (nandanhegde73, Dec 2, 2025)
9e551f4  Fixes in Trivy for trivy exploit  (sandhi18, Mar 3, 2026)
cab0f81  Merge pull request #31 from chef/sandhi/fix-timeout  (sandhi18, Mar 5, 2026)
177eead  commenting out trivy calls from main action  (brianLoomis, Mar 9, 2026)
119754f  Final pipeline changes (#30)  (vipin230, Mar 12, 2026)
e5c194c  Fix the duplicate issue (#33)  (sandhi18, Mar 12, 2026)
f2d223f  Added support to install gems from private repositories. (#20)  (nikhil2611, Mar 12, 2026)
9d0b71a  Ruby erlang (#36)  (shanmugapriya-tr, Mar 17, 2026)
b15ac81  Revert "Ruby erlang" (#37)  (sandhi18, Mar 17, 2026)
7ac98c5  Add Grype Habitat package scan workflow with build and install modes …  (sandhi18, Mar 18, 2026)
89f942c  Add hab path (#38)  (sandhi18, Mar 20, 2026)
bffd80a  Merge branch 'main' into peter-at-progress/vuln-scan  (peter-at-progress, Mar 23, 2026)
cd931c6  Merge branch 'main' into peter-at-progress/vuln-scan  (brianLoomis, Mar 27, 2026)
57 changes: 57 additions & 0 deletions .github/actions/automate-container-scan/Dockerfile
@@ -0,0 +1,57 @@
# Chef Automate Container - Dockerfile for Scanning
# Based on Ubuntu 25.10 with systemd support for Chef Automate deployment
FROM ubuntu:25.10

# Build arguments for Chef Automate release channel and license
ARG CHANNEL=current
ARG LICENSE_ID

# Avoid interactive prompts during package installation
ENV DEBIAN_FRONTEND=noninteractive

# Update package list and install dependencies
# Combine RUN commands to reduce layers and improve caching
RUN apt-get update && apt-get install -y \
bash \
curl \
wget \
ca-certificates \
unzip \
systemd \
systemd-sysv \
python3 \
jq \
&& rm -rf /var/lib/apt/lists/*

# Download and install Chef Automate CLI
# Reference: https://docs.chef.io/automate/install/
# Uses chefdownload-commercial API: /{channel}/automate/download?p=linux&m=amd64&v=latest&eol=false&license_id={license}
RUN curl -L "https://chefdownload-commercial.chef.io/current/automate/download?p=linux&m=amd64&v=latest&eol=false&license_id=${LICENSE_ID}" \
-o /tmp/chef-automate.zip \
&& unzip /tmp/chef-automate.zip -d /tmp \
&& mv /tmp/chef-automate /usr/local/bin/chef-automate \
&& chmod +x /usr/local/bin/chef-automate \
&& rm /tmp/chef-automate.zip

# Install Grype vulnerability scanner
# Using official Anchore installation script
RUN curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh \
| sh -s -- -b /usr/local/bin

# Verify installations
# Note: chef-automate version requires deployment, so we just verify the binary exists
RUN test -f /usr/local/bin/chef-automate && echo "chef-automate binary present" && grype version

# Set working directory
WORKDIR /root

# Entry point must be systemd for Automate to deploy properly
# Chef Automate requires systemd to manage services (PostgreSQL, Elasticsearch, etc.)
# Container must be run with --privileged and proper cgroup mounts:
# docker run -d --privileged --cgroupns=host -v /sys/fs/cgroup:/sys/fs/cgroup:rw automate:latest
ENTRYPOINT ["/lib/systemd/systemd"]

# Metadata labels
LABEL maintainer="Chef Software <info@chef.io>"
LABEL description="Chef Automate container with Grype for vulnerability scanning"
LABEL version="1.0"
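Review bot: the CHANNEL build arg declared in `ARG CHANNEL=current` is never used; the download RUN line hardcodes `/current/` in the URL even though the comment directly above it documents the path as `/{channel}/automate/download?...`, so a `--build-arg CHANNEL=dev` build silently still pulls the current channel. Change the URL to `https://chefdownload-commercial.chef.io/${CHANNEL}/automate/download?...`. Two smaller points in the same RUN block: `curl -L` without `--fail` will save an HTML error body as `/tmp/chef-automate.zip` when LICENSE_ID is empty or rejected, and the failure only surfaces later as an unzip error, so add `-f` (and a `test -n "$LICENSE_ID"` guard gives a clearer message); and because LICENSE_ID is consumed as a plain build ARG inside a RUN step, its value is recorded in the image's build history and can be read back with `docker history`, so passing it via a BuildKit `--mount=type=secret` is the safer option. The Grype install pipes the `main`-branch `install.sh` straight into `sh` with no version pinned, which makes the scanner version, and therefore the scan results this image exists to produce, unreproducible between builds; pass a release tag as the script's trailing argument and pin the script URL to a tagged ref rather than `main`. Finally, `ubuntu:25.10` is an interim release with a nine-month support window, so the base image will stop receiving security updates well before an LTS tag would, which adds avoidable noise to the baseline CVE counts.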