-
Notifications
You must be signed in to change notification settings - Fork 496
86 lines (83 loc) · 3.86 KB
/
trivy_images.yaml
File metadata and controls
86 lines (83 loc) · 3.86 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
---
name: trivy-images
on:
push:
branches:
- main
schedule:
- cron: "37 19 * * *"
permissions:
contents: read
jobs:
get-dev-image:
uses: ./.github/workflows/get_image.yaml
with:
image-base-name: "dev_image_with_extras"
image-scan:
strategy:
fail-fast: false
matrix:
artifact: [cloud, operator, vizier]
runs-on: oracle-8cpu-32gb-x86-64
needs: get-dev-image
container:
image: ${{ needs.get-dev-image.outputs.image-with-tag }}
permissions:
actions: read
contents: read
security-events: write
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- name: Add pwd to git safe dir
run: git config --global --add safe.directory `pwd`
- name: Use github bazel config
uses: ./.github/actions/bazelrc
with:
download_toplevel: 'true'
BB_API_KEY: ${{ secrets.BB_IO_API_KEY }}
- name: Build images
run: |
./scripts/bazel_ignore_codes.sh build \
--//k8s:image_version=nightly --config=x86_64_sysroot \
//k8s/${{ matrix.artifact }}:image_bundle.tar //k8s/${{ matrix.artifact }}:list_image_bundle
- name: Load Images
run: |
docker load -i bazel-bin/k8s/${{ matrix.artifact }}/image_bundle.tar
- name: Scan Images
# yamllint disable rule:line-length
run: |
mkdir -p sarif/${{ matrix.artifact }}
./bazel-bin/k8s/${{ matrix.artifact }}/list_image_bundle | xargs -I{} sh -c 'trivy image --scanners vuln {} --format=sarif --output=sarif/${{ matrix.artifact }}/$(basename {} | cut -d":" -f1).sarif'
# TODO(ddelnano): Remove this check once the operator dependency images are supported.
# This requires rendering helm templates and requires some additional work.
if [ "${{ matrix.artifact }}" = "operator" ]; then
echo "Skipping operator image scan for now."
exit 0
fi
echo "Found non bazel images for ${{ matrix.artifact }}."
./scripts/bazel_ignore_codes.sh build \
//k8s/${{ matrix.artifact }}:${{ matrix.artifact }}_image_list
mkdir -p sarif/${{ matrix.artifact }}_deps
# Ignore images whose basename is "/${{ matrix.artifact }}" to avoid scanning the bazel built images (e.g. /vizier-, /cloud-)
# The deps images must have their file named processed differently to avoid conflicts with the image name. For example,
# ory/hydra:v1.9.2-alpine and ory/hydra:v1.9.2-sqlite must not conflict.
cat ./bazel-bin/k8s/${{ matrix.artifact }}/${{ matrix.artifact }}_image_list.txt | grep -v "\/${{ matrix.artifact }}" | xargs -I{} sh -c 'trivy image --scanners vuln {} --format=sarif --output=sarif/${{ matrix.artifact }}_deps/$(basename {} | cut -d"@" -f1 | tr ":" "_").sarif'
# yamllint enable rule:line-length
- run: |
# Loop through all ${artifact} and ${artifact}_deps sarif files
for f in "sarif/${{ matrix.artifact }}"*/*; do
jq '.runs[].tool.driver.name = "trivy-images"' < "$f" > tmp
# The runAutomationDetails's object must contain a unique category as required by the CodeQL SARIF uploader
# The id value will be interpreted like so: "${category}/${run_id}"
filename=$(basename "$f")/
jq --arg id "$filename" '.runs[].automationDetails.id = $id' < tmp > "$f"
done
- uses: github/codeql-action/upload-sarif@1b549b9259bda1cb5ddde3b41741a82a2d15a841 # v3.28.13
with:
sarif_file: sarif/${{ matrix.artifact }}
# TODO(ddelnano): Remove this check once the operator dependency images are supported.
# This requires rendering helm templates and requires some additional work.
- uses: github/codeql-action/upload-sarif@1b549b9259bda1cb5ddde3b41741a82a2d15a841 # v3.28.13
if: ${{ matrix.artifact != 'operator' }}
with:
sarif_file: sarif/${{ matrix.artifact }}_deps