Skip to content

Commit 2be2128

Browse files
k8s-ci-robotk8s-ci-robot
authored
Merge pull request #3382 from sonasingh46/security_scan
add trivy image scan actions
2 parents 6c58f64 + 28a3265 commit 2be2128

File tree

3 files changed

+108
-1
lines changed

3 files changed

+108
-1
lines changed

.github/workflows/scan.yml

Lines changed: 22 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,22 @@
1+
name: scan-images
2+
3+
on:
4+
schedule:
5+
- cron: "0 12 * * 1"
6+
7+
# Remove all permissions from GITHUB_TOKEN except metadata.
8+
permissions: {}
9+
10+
jobs:
11+
scan:
12+
name: Trivy
13+
runs-on: ubuntu-latest
14+
steps:
15+
- name: Check out code
16+
uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # tag=v3.1.0
17+
- name: Setup go
18+
uses: actions/setup-go@d0a58c1c4d2b25278816e339b944508c875f3613 # tag=v3.4.0
19+
with:
20+
go-version: 1.19
21+
- name: Run verify container script
22+
run: make verify-container-images

Makefile

Lines changed: 13 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -213,9 +213,13 @@ clean-temporary: ## Remove all temporary files and folders.
213213
rm -f *.kubeconfig
214214

215215
.PHONY: clean-release
216-
clean-release: ## Remove the release folder.
216+
clean-release: clean-release-git ## Remove the release folder.
217217
rm -rf $(RELEASE_DIR)
218218

219+
.PHONY: clean-release-git
220+
clean-release-git: ## Restores the git files usually modified during a release
221+
git restore ./*manager_image_patch.yaml ./*manager_pull_policy.yaml
222+
219223
APIDIFF_OLD_COMMIT ?= $(shell git rev-parse origin/main)
220224

221225
.PHONY: apidiff
@@ -704,6 +708,14 @@ ifneq ($(WIN_REPO_URL), )
704708
endif
705709
$(MAKE) test-conformance CONFORMANCE_E2E_ARGS="-kubetest.config-file=$(KUBETEST_WINDOWS_CONF_PATH) -kubetest.repo-list-path=$(KUBETEST_REPO_LIST_PATH) $(E2E_ARGS)"
706710

711+
## --------------------------------------
712+
## Security Scanning
713+
## --------------------------------------
714+
715+
.PHONY: verify-container-images
716+
verify-container-images: ## Verify container images
717+
./hack/verify-container-images.sh
718+
707719
## --------------------------------------
708720
## Tilt / Kind
709721
## --------------------------------------

hack/verify-container-images.sh

Lines changed: 73 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,73 @@
1+
#!/bin/bash
2+
3+
# Copyright 2023 The Kubernetes Authors.
4+
#
5+
# Licensed under the Apache License, Version 2.0 (the "License");
6+
# you may not use this file except in compliance with the License.
7+
# You may obtain a copy of the License at
8+
#
9+
# http://www.apache.org/licenses/LICENSE-2.0
10+
#
11+
# Unless required by applicable law or agreed to in writing, software
12+
# distributed under the License is distributed on an "AS IS" BASIS,
13+
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14+
# See the License for the specific language governing permissions and
15+
# limitations under the License.
16+
17+
set -o errexit
18+
set -o nounset
19+
set -o pipefail
20+
21+
if [[ "${TRACE-0}" == "1" ]]; then
22+
set -o xtrace
23+
fi
24+
25+
TRIVY_VERSION=0.34.0
26+
27+
GO_OS="$(go env GOOS)"
28+
if [[ "${GO_OS}" == "linux" ]]; then
29+
TRIVY_OS="Linux"
30+
elif [[ "${GO_OS}" == "darwin"* ]]; then
31+
TRIVY_OS="macOS"
32+
fi
33+
34+
GO_ARCH="$(go env GOARCH)"
35+
if [[ "${GO_ARCH}" == "amd" ]]; then
36+
TRIVY_ARCH="32bit"
37+
elif [[ "${GO_ARCH}" == "amd64"* ]]; then
38+
TRIVY_ARCH="64bit"
39+
elif [[ "${GO_ARCH}" == "arm" ]]; then
40+
TRIVY_ARCH="ARM"
41+
elif [[ "${GO_ARCH}" == "arm64" ]]; then
42+
TRIVY_ARCH="ARM64"
43+
fi
44+
45+
TOOL_BIN=hack/tools/bin
46+
mkdir -p ${TOOL_BIN}
47+
48+
# Downloads trivy scanner
49+
curl -L -o ${TOOL_BIN}/trivy.tar.gz "https://github.com/aquasecurity/trivy/releases/download/v${TRIVY_VERSION}/trivy_${TRIVY_VERSION}_${TRIVY_OS}-${TRIVY_ARCH}.tar.gz"
50+
51+
tar -xf "${TOOL_BIN}/trivy.tar.gz" -C "${TOOL_BIN}" trivy
52+
chmod +x ${TOOL_BIN}/trivy
53+
rm ${TOOL_BIN}/trivy.tar.gz
54+
55+
# Builds all the container images to be scanned and cleans up changes to ./*manager_image_patch.yaml ./*manager_pull_policy.yaml.
56+
make REGISTRY=gcr.io/k8s-staging-cluster-api-azure PULL_POLICY=IfNotPresent TAG=dev docker-build
57+
make clean-release-git
58+
59+
# Scan the images
60+
${TOOL_BIN}/trivy image -q --exit-code 1 --ignore-unfixed --severity MEDIUM,HIGH,CRITICAL gcr.io/k8s-staging-cluster-api-azure/cluster-api-azure-controller-"${GO_ARCH}":dev && R1=$? || R1=$?
61+
62+
echo ""
63+
BRed='\033[1;31m'
64+
BGreen='\033[1;32m'
65+
NC='\033[0m' # No
66+
67+
if [ "$R1" -ne "0" ]
68+
then
69+
echo -e "${BRed}Check container images failed! There are vulnerability to be fixed${NC}"
70+
exit 1
71+
fi
72+
73+
echo -e "${BGreen}Check container images passed! No vulnerability found${NC}"

0 commit comments

Comments
 (0)