Merge pull request #4473 from RADAR-base/ci/operator-updates-snyk-scan

ci/operator-updates-snyk-scan

Author: pvannierop

.github/bin/external_docker_image_matrix

@@ -31,12 +31,21 @@ cleanup
 for chart in $INCLUDE_CHARTS
 do
   echo Analyzing chart $chart ...
-  helm template ../$chart 2> /dev/null | grep -oP "(?<=image: ).*" | tr -d \" >> $location.tmp
+  helm template ../$chart 2> /dev/null | grep -oP "(?<=image: ).*" | tr -d \" >> images.tmp
+done
+
+echo
+
+# Add the images that derived by the INCLUDE_IMAGES environment variable.
+for image in $INCLUDE_IMAGES
+do
+  echo Adding hard coded image $image ...
+  echo $image >> images.tmp
 done
 
 # Add a docker.io prefix to images without a registry.
-cat charts.tmp | grep ".*\/.*\/.*" > images.tmp2
-cat charts.tmp | grep -v ".*\/.*\/.*" | sed "s/^/docker.io\//g" > images.tmp3
+cat images.tmp | grep ".*/.*/.*" > images.tmp2
+cat images.tmp | grep -v ".*/.*/.*" | sed "s/^/docker.io\//g" > images.tmp3
 cat images.tmp2 images.tmp3 | sort | uniq > images.txt
 
 # Exclude images refs that match any of the patterns passed in with the EXCLUDE_IMAGE_PATTERNS environment variable.

.github/workflows/scheduled-snyk-docker.yaml

@@ -34,23 +34,22 @@ jobs:
           # - busybox: init container
           # - alpine: init container
           # - linuxserver/yq: init container
-          EXCLUDE_IMAGE_PATTERNS:  bats busybox docker.io/alpine linuxserver/yq
+          EXCLUDE_IMAGE_PATTERNS:  bats
+            busybox
+            docker.io/alpine
+            linuxserver/yq
           # In this action we only scan 'external' dependencies of the RADAR-base deployment.
           # RADAR-base services are scanned in the respective GitHub repositories.
-          # Note on missing charts:
+          # Notes on charts:
           # - elasticsearch:
           #   FIXME: the elasticsearch image gives sarif related errors, so it is excluded for now.
           #        we need a better way to handle this.
           INCLUDE_CHARTS: charts/cc-schema-registry-proxy
             charts/cert-manager-lets-encrypt
             charts/kube-prometheus-stack
-            charts/radar-cloudnative-postgresql
-            charts/radar-cloudnative-timescaledb
             charts/radar-grafana
             charts/radar-hydra
             charts/radar-kratos
-            charts/radar-postgresql
-            charts/radar-timescaledb
             charts/radar-s3-proxy
             charts/velero-s3-deployment
             external/cloudnativepg-operator
@@ -61,6 +60,18 @@ jobs:
             external/mongodb
             external/nifi
             external/redis
+            external/strimzi-kafka-operator
+            external/strimzi-registry-operator
+          # Any image that matches any of these patterns will be included for scanning.
+          # Reasons:
+          # - ghcr.io/cloudnative-pg/postgresql:16: deployed via operator so image tag not specifies in the chart in this repo.
+          # - timescale/timescaledb-ha:pg16-ts2.15: deployed via operator so image tag not specified in the chart in this repo.
+          # - quay.io/strimzi/kafka:0.46.0-kafka-3.9.0: deployed via operator so image tag not specified in the chart in this repo.
+          # - confluentinc/cp-schema-registry:7.2.1: deployed via operator so image tag not specified in the chart in this repo.
+          INCLUDE_IMAGES: ghcr.io/cloudnative-pg/postgresql:16
+            timescale/timescaledb-ha:pg16-ts2.15
+            quay.io/strimzi/kafka:0.46.0-kafka-3.9.0
+            confluentinc/cp-schema-registry:7.2.1
         run: .github/bin/external_docker_image_matrix
 
       - name: Commit and push if docker-images-matrix.json changed

README.md

@@ -139,7 +139,9 @@ parent chart being available in the Helm repository.
    examples.
 2. Add helm chart as a new `update-<chart-name>` section in the `Makefile`.
 3. Register the new chart in the `.github/workflows/scheduled-snyk-docker.yaml` for vulnerability scanning by adding the
-   chart name to the `INCLUDE_CHARTS` environmental variable in the _set-matrix_ step.
+   chart name to the `INCLUDE_CHARTS` environmental variable in the _set-matrix_ step. When the docker image is not directly
+   listed in the _deployment.yaml_ file (i.e., when the image is deployed via an Operator), add the image name to the
+   `INCLUDE_IMAGES` environmental variable.
 
 #### Updating external charts