Add weekly govulncheck workflow #2897
Conversation
k8s-ci-robot
added
the
release-note-none
k8s-ci-robot
added
the
cncf-cla: yes
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
k8s-ci-robot
added
the
size/M
.github/workflows/security-scan.yaml
Outdated
| runs-on: ubuntu-latest | ||
| steps: | ||
| - name: Check out code | ||
| uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # tag=v4.2.2 |
There was a problem hiding this comment.
why don't use the tag?
| uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # tag=v4.2.2 | |
| uses: actions/[email protected] |
There was a problem hiding this comment.
Higher level of paranoia I guess 😅
I copied from CAPI and Metal3, where we use hashes since they are guaranteed to never change. The tag on the other hand can be overwritten.
Signed-off-by: Lennart Jern <[email protected]>
lentzi90
force-pushed
the
lentzi90/govulncheck
branch
from
0091d9c to
762b679
Compare
|
Thanks for the comments, I have updated and addressed them 🙂 |
What this PR does / why we need it:
This adds a github workflow for weekly security scanning using govulncheck. It was inspired by what CAPI has but adapted quite heavily and limited to govulncheck for now. (CAPI also runs Trivy to scan the images.)
I have been doing the same in CAPO and ORC with the goal of having better insights into when new patch releases would be needed to fix vulnerabilities (and of course when dependencies need to be updated).
Which issue this PR fixes(if applicable):
fixes #
Special notes for reviewers:
Release note: