GitHub Action

Log4shell Container Patch

v0.2 Pre-release
Scan and patch against Log4shell, then publish a container image - no rebuild

Installation

Copy and paste the following snippet into your .yml file.

- name: Log4shell Container Patch
  uses: mgreau/log4shell-cpatch@v0.2

Learn more about this action in mgreau/log4shell-cpatch


GitHub Action to Patch a container image against Log4Shell

Tool to scan and patch a container image impacted by Log4Shell (CVE-2021-44228).

WARNING: upgrading your container to the latest log4j version is still the recommended fix.

Example usage

name: Log4shell - Patch and Publish a container image

on:
  push:
    branches: ['main']

jobs:
  publish:
    name: Log4shell - Patch and Publish a container image
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - uses: engineerd/[email protected]
        with:
          version: "v0.11.1"
      - name: Install Tekton Pipelines
        run: kubectl apply -f https://storage.googleapis.com/tekton-releases/pipeline/previous/v0.24.1/release.yaml
      - uses: jerop/[email protected]

      - name: Patch vulnerable image
        uses: mgreau/log4shell-cpatch@v0.2
        with:
          image: mlinarik/log4j-log4shell-vulnerable-app:latest

That's it! The process scans the content of the container image, patches any vulnerable JAR files, updates the container image and pushes it to https://ttl.sh. No "docker build" is involved, thanks to crane.

It uses the following components:

  • log4jscanner from Google, a log4j vulnerability filesystem scanner that can remove the vulnerable class from detected JARs in place
  • crane from Google, a tool for managing container images
  • https://ttl.sh to publish the patched image
  • Tekton CD to execute the workflows, either through this GH Action or on any Tekton-compatible Kubernetes cluster
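The in-place JAR rewrite that the scanner step performs, reduced to its core as an added example (not code from this project or from log4jscanner). It relies on the vulnerable class being org/apache/logging/log4j/core/lookup/JndiLookup.class, which is not stated on this page, and patches a constructed sample JAR in a temporary directory:

```python
import os
import tempfile
import zipfile

# The class log4jscanner strips from vulnerable log4j-core JARs.
VULNERABLE_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"


def scan_jar(path):
    """Return True if the JAR still contains the JNDI lookup class."""
    with zipfile.ZipFile(path) as jar:
        return VULNERABLE_CLASS in jar.namelist()


def rewrite_jar(path):
    """Rewrite the JAR in place without the vulnerable class; True if modified.
    The replacement is written beside the original and swapped in with
    os.replace, so an interrupted run never leaves a truncated JAR behind."""
    if not scan_jar(path):
        return False
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path) or ".", suffix=".tmp")
    os.close(fd)
    with zipfile.ZipFile(path) as src, zipfile.ZipFile(tmp, "w") as dst:
        for info in src.infolist():
            if info.filename == VULNERABLE_CLASS:
                continue
            # Reusing the ZipInfo keeps compression type, timestamp and mode.
            dst.writestr(info, src.read(info.filename))
    os.replace(tmp, path)
    return True


def build_sample_jar(path):
    """Constructed fixture: a fake log4j-core JAR carrying the JNDI class."""
    with zipfile.ZipFile(path, "w", zipfile.ZIP_DEFLATED) as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        jar.writestr("org/apache/logging/log4j/core/Logger.class", b"\xca\xfe\xba\xbe")
        jar.writestr(VULNERABLE_CLASS, b"\xca\xfe\xba\xbe")


def demo():
    """Build the fixture, patch it, report (before, modified, after, names)."""
    sample = os.path.join(tempfile.mkdtemp(), "log4j-core-sample.jar")
    build_sample_jar(sample)
    before = scan_jar(sample)
    modified = rewrite_jar(sample)
    with zipfile.ZipFile(sample) as jar:
        names = sorted(jar.namelist())
    return before, modified, scan_jar(sample), names
```

Running the rewrite a second time returns False, which is what lets the scan-and-patch step be re-run safely over an already patched image.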

The Tekton way

The following example shows how to do a quick test locally without the GH Action:

Note: Tekton Pipelines and the tkn CLI need to be installed locally

$ kubectl apply -f tekton/log4shell-cpatch.yaml
$ tkn pipeline start log4shell-cpatch \
	--param image=mgreau/log4shell-cpatch-demo:1.0 \
	--workspace name=storage,volumeClaimTemplateFile=tekton/pvc.yaml --showlog

The logs provide the tag on https://ttl.sh where the patched image is pushed, for example:

[patch-image : patch-and-push-image] ttl.sh/20220107045528:1h

Quick test using a non-vulnerable image

The image parameter defaults to alpine, which shows the result for an image that is not impacted by Log4shell.

$ kubectl apply -f tekton/log4shell-cpatch.yaml
$ tkn pipeline start log4shell-cpatch --workspace name=storage,volumeClaimTemplateFile=tekton/pvc.yaml --showlog --use-param-defaults

Publish to ghcr

There is another YAML file that pushes the patched image to ghcr.io. The GitHub Action does not use it for now.

$ echo -n "${GH_TOKEN}" > ./token
$ kubectl create secret generic ghcr --from-file=./token
$ rm -f ./token
$ kubectl apply -f tekton/log4shell-cpatch-runs.yaml
$ tkn pr logs -f log4shell-cpatch