Continuously patch GHCR images with Copacetic

Keep your GHCR-hosted images secure and updated with an effortless GitHub workflow. Follow along to see how!

⚙️ How It Works:
Here’s the gist of what we’re building:

• ✅ Query: Fetch all your images from GHCR.
• 🔍 Scan: Use Trivy to spot vulnerabilities.
• 🔧 Patch: Apply fixes with Copacetic and update the images on GHCR.

Gathering Images with Glue Code

To patch all your images, we first need to know what’s in your GHCR. Both Trivy and Copacetic have GitHub Actions, making automation a breeze—we can loop through every image in a workflow.

🧐 The Challenge:

Dynamically generating the list of images and tags.

💡 The Solution:

A bit of Go "glue code" that hits GitHub’s REST API, grabs all your images and tags under your username, and outputs them to a matrix.json file. This file feeds into the workflow via the fromJson function, driving the patching process.

🔄 Continuous Patching Workflow

This is where the magic happens—a GitHub workflow that ties everything together. It starts by generating the image list, then loops through each one to scan, patch, and update it on GHCR.

The workflow splits into two jobs:

• 1️⃣ Setup: Prepares the list of images.
• 2️⃣ Patch: Runs the scanning, patching, and updating.

1️⃣ The Setup Job

The setup job kicks things off by creating the matrix of images to patch:

setup: runs-on: ubuntu-latest permissions: packages: read outputs: matrix: ${{ steps.set-matrix.outputs.matrix }} steps: - name: Checkout to repository uses: actions/checkout@v3 - name: Generate image list run: ./listImages - name: Set matrix data id: set-matrix run: echo "matrix=$(jq -c . < ./matrix.json)" >> $GITHUB_OUTPUT 

🔹 What's Happening Here?

• ✔️ Checks out your repo to access necessary files.
• ✔️ Runs listImages, a Go program that builds matrix.json.
• ✔️ Stores the matrix in a GITHUB_OUTPUT variable for the next job.

2️⃣ The Patch Job

The patch job takes the matrix and runs the full patching cycle for each image:

patch: runs-on: ubuntu-latest permissions: packages: read contents: write needs: setup strategy: fail-fast: false matrix: images: ${{ fromJson(needs.setup.outputs.matrix) }} 

🔹 Key Features

• ✔️ Depends on setup (via needs: setup).
• ✔️ Prevents failure from stopping all patches (fail-fast: false).
• ✔️ Loads image list from matrix.json using fromJson().

🔍 Patch Step 1: Scan with Trivy

- name: Generate Trivy Report uses: aquasecurity/trivy-action@0.29.0 with: scan-type: "image" format: "json" output: "report.json" ignore-unfixed: true vuln-type: "os" image-ref: ${{ env.REGISTRY}}/${{ matrix.images }} 

• ✅ Scans the image for OS vulnerabilities and outputs a report.json file.

📊 Patch Step 2: Count Vulnerabilities

- name: Check vulnerability count id: vuln_count run: | report_file="report.json" vuln_count=$(jq 'if .Results then [.Results[] | select(.Class=="os-pkgs" and .Vulnerabilities!=null) | .Vulnerabilities[]] | length else 0 end' "$report_file") echo "vuln_count=$vuln_count" >> $GITHUB_OUTPUT 

• ✅ Extracts the number of fixable vulnerabilities and saves the count as vuln_count.

🏷️ Patch Step 3: Create Patch Tag

- name: Create patch tag id: patch_tag run: | imageName=$(echo ${{ matrix.images }} | cut -d ':' -f1) current_tag=$(echo ${{ matrix.images }} | cut -d ':' -f2) if [[ $current_tag == *-[0-9] ]]; then numeric_tag=$(echo "$current_tag" | awk -F'-' '{print $NF}') non_numeric_tag=$(echo "$current_tag" | sed "s#-$numeric_tag##g") incremented_tag=$((numeric_tag+1)) new_tag="$non_numeric_tag-$incremented_tag" else new_tag="$current_tag-1" fi echo "tag=$new_tag" >> $GITHUB_OUTPUT echo "imageName=$imageName" >> $GITHUB_OUTPUT 

• ✅ Generates a new patch tag (e.g., app:0.1.0 → app:0.1.0-1 → app:0.1.0-2) using the static incremental tagging strategy.

🔧 Patch Step 4: Patch with Copacetic

- name: Run copa action if: steps.vuln_count.outputs.vuln_count != '0' id: copa uses: project-copacetic/copa-action@v1.2.1 with: image: ${{ env.REGISTRY}}/${{ matrix.images }} image-report: "report.json" patched-tag: ${{ steps.patch_tag.outputs.tag }} 

• ✅ Applies patches only if vulnerabilities exist.

📤 Patch Step 5: Push to GHCR

- name: Login to GHCR if: steps.copa.conclusion == 'success' id: login uses: docker/login-action@3.3.0 with: registry: ghcr.io username: ${{ github.actor }} password: ${{ secrets.GHCR_TOKEN }} - name: Push patched image if: steps.login.conclusion == 'success' run: | docker push ${{ steps.copa.outputs.patched-image }} 

• ✅ Authenticates with GHCR and pushes the patched image if patching was successful.

Ready to try it?

Check the repo's README to set up your own continuous patching workflow! 🎉

Note: This solution only works for public registries, like GHCR. To use copa to patch locally, see Option 2 in the Copa docs. And for private see Option 1.