feat: add experimental dry copacetic

.github/workflows/experimental-patch-dry.yml

@@ -0,0 +1,45 @@
+name: "Experimental patch di Copacetic"
+
+on:
+  push:
+    #branches:
+    #  - "main"
+  #schedule:
+  #  - cron: "0 2 * * *"
+
+jobs:
+  sync:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@master
+      - name: Login to Docker Hub
+        uses: docker/login-action@v1
+        with:
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_PASSWORD }}
+      - name: Login to SIGHUP new Registry
+        uses: docker/login-action@v1
+        with:
+          registry: registry.sighup.io
+          username: ${{ secrets.SIGHUP_REGISTRY_USERNAME }}
+          password: ${{ secrets.SIGHUP_REGISTRY_PASSWORD }}
+      - name: Install trivy and copa
+        run: |
+          sudo apt-get install wget apt-transport-https gnupg
+          wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key | gpg --dearmor | sudo tee /usr/share/keyrings/trivy.gpg > /dev/null
+          echo "deb [signed-by=/usr/share/keyrings/trivy.gpg] https://aquasecurity.github.io/trivy-repo/deb generic main" | sudo tee -a /etc/apt/sources.list.d/trivy.list
+          sudo apt-get update
+          sudo apt-get install trivy
+          trivy --version
+
+
+          wget https://github.com/project-copacetic/copacetic/releases/download/v0.7.0/copa_0.7.0_linux_amd64.tar.gz
+          tar -xzvf copa_0.7.0_linux_amd64.tar.gz
+          chmod +x copa
+          sudo mv copa /usr/local/bin/
+          copa --version
+
+      - name: Execute patch script
+        run: |
+          ./patch_images_with_copacetic.sh
+

.gitignore

@@ -3,3 +3,5 @@ login
 built.yaml
 scan.tmp
 scan_results.txt
+to_be_patched.txt
+*.json

patch_images_with_copacetic.sh

@@ -0,0 +1,34 @@
+#!/bin/bash
+
+if command -v gsed >/dev/null 2>&1; then
+    SED_COMMAND='gsed'
+else
+    SED_COMMAND="sed"
+fi
+
+find CVEs -name "images.txt" -exec cat {} + > to_be_patched.txt
+
+#$SED_COMMAND -i 's|registry.sighup.io/fury/|registry.sighup.io/fury/secured/|g' to_be_patched.txt
+
+file="to_be_patched.txt"
+
+docker run --detach --rm --privileged -p 127.0.0.1:8888:8888/tcp --name buildkitd --entrypoint buildkitd moby/buildkit:v0.11.4 --addr tcp://0.0.0.0:8888 # --platform linux/amd64
+
+while IFS= read -r line; do
+    secured=$(echo "$line" | sed 's|registry.sighup.io/fury|registry.sighup.io/fury/secured|')
+    docker pull $line # --platform linux/amd64
+    trivy image -q --vuln-type os --ignore-unfixed -f json -o $(basename $line).json $line # --platform=linux/amd64
+    if copa patch -r $(basename $line).json -i $line -a tcp://0.0.0.0:8888 ; then
+        echo "############## SUCCESS, will execute:"
+        echo "----> docker tag $line-patched $secured"
+        echo "----> docker push $secured"
+    else
+        echo "%%%%%%%%%%%%%% COPA FAILED, will execute:"
+        echo "----> docker tag $line $secured"
+        echo "----> docker push $secured"
+    fi
+
+done < "$file"
+
+docker stop buildkitd
+docker rm buildkitd