Skip to content
Scheduled master branch scan security vulnerabilities

releaese v0.26.1 #714

Sign in to view logs

releaese v0.26.1

releaese v0.26.1 #714

Workflow file for this run

.github/workflows/trivy_scheduled_master.yml at a884acd
name: Scheduled master branch scan security vulnerabilities
on:
pull_request:
branches:
- "master"
paths-ignore:
- "docs/**"
- "README.md"
- "CHANGELOG.md"
- "PROJECT"
- "LICENSE"
- "mesh-worker-service/README.md"
- "tools/README.md"
schedule:
- cron: "0 0 * * *"
permissions:
pull-requests: write
issues: write
# For Trivy uploads to Github Security tab
# required for all workflows
security-events: write
# only required for workflows in private repositories
actions: read
contents: read
jobs:
build:
name: Scan
permissions:
pull-requests: write
issues: write
security-events: write
actions: read
contents: read
runs-on: ubuntu-latest
env:
TRIVY_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-db
TRIVY_JAVA_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-java-db
steps:
- name: Free Disk Space (Ubuntu)
uses: jlumbroso/[email protected]
with:
# this might remove tools that are actually needed,
# if set to "true" but frees about 6 GB
tool-cache: false
# all of these default to true, but feel free to set to
# "false" if necessary for your workflow
android: true
dotnet: true
haskell: true
large-packages: true
docker-images: true
swap-storage: true
# the runner machine has a disk /dev/sdb1 which mounted to /mnt, and it has more free disk than /dev/sda1.
# we can use it to save docker's data to avoid bookie error due to lack of disk.
- name: change docker data dir
run: |
sudo service docker stop
echo '{ "exec-opts": ["native.cgroupdriver=cgroupfs"], "cgroup-parent": "/actions_job", "data-root": "/mnt/docker" }' | sudo tee /etc/docker/daemon.json
sudo service docker start
- name: Checkout
uses: actions/checkout@v3
with:
fetch-depth: 0
repository: ${{github.event.pull_request.head.repo.full_name}}
ref: ${{ github.event.pull_request.head.sha }}
- name: Set up GO 1.24.11
uses: actions/setup-go@v5
with:
go-version: 1.24.11
id: go
- name: InstallKubebuilder
run: |
curl -L https://github.com/kubernetes-sigs/kubebuilder/releases/download/v2.3.1/kubebuilder_2.3.1_linux_amd64.tar.gz | tar -xz -C /tmp/
sudo mv /tmp/kubebuilder_2.3.1_linux_amd64 /usr/local/kubebuilder
export PATH=$PATH:/usr/local/kubebuilder/bin
- name: Install operator-sdk
run: |
RELEASE_VERSION=v1.14.0
curl -LO "https://github.com/operator-framework/operator-sdk/releases/download/${RELEASE_VERSION}/operator-sdk_linux_amd64"
chmod +x operator-sdk_linux_amd64 && sudo mkdir -p /usr/local/bin/ && sudo mv operator-sdk_linux_amd64 /usr/local/bin/operator-sdk
- name: Set up yq
run: |
sudo wget https://github.com/mikefarah/yq/releases/download/v4.30.4/yq_linux_amd64 -O /usr/bin/yq
sudo chmod +x /usr/bin/yq
yq --help
- name: Build operator image
run: |
make generate
make helm-crds
image="function-mesh-operator:latest"
IMG=${image} make docker-build-skip-test
- name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@master
with:
image-ref: "function-mesh-operator:latest"
format: "table"
exit-code: "1"
- name: Build runner images
run: |
PULSAR_IMAGE_TAG=3.2.2.6 PULSAR_IMAGE=streamnative/sn-platform KIND_PUSH=false images/build.sh
- name: Run Trivy vulnerability scanner for java
id: scan-java-runner
uses: aquasecurity/trivy-action@master
with:
image-ref: "pulsar-functions-java-runner:latest"
format: "table"
exit-code: "0"
- name: Run Trivy vulnerability scanner for python
id: scan-python-runner
uses: aquasecurity/trivy-action@master
with:
image-ref: "pulsar-functions-python-runner:latest"
format: "table"
exit-code: "0"
- name: Run Trivy vulnerability scanner for go
id: scan-go-runner
uses: aquasecurity/trivy-action@master
with:
image-ref: "pulsar-functions-go-runner:latest"
format: "template"
template: "@/contrib/sarif.tpl"
output: "trivy-results-go.sarif"
severity: "LOW,MEDIUM,HIGH,CRITICAL"
exit-code: "0"
- name: Run Trivy vulnerability scanner for java with pulsarctl
id: scan-java-pulsarctl-runner
uses: aquasecurity/trivy-action@master
with:
image-ref: "pulsar-functions-pulsarctl-java-runner:latest"
format: "template"
template: "@/contrib/sarif.tpl"
output: "trivy-results.sarif"
severity: "LOW,MEDIUM,HIGH,CRITICAL"
exit-code: "0"
- name: Run Trivy vulnerability scanner for python with pulsarctl
id: scan-python-pulsarctl-runner
uses: aquasecurity/trivy-action@master
with:
image-ref: "pulsar-functions-pulsarctl-python-runner:latest"
format: "template"
template: "@/contrib/sarif.tpl"
output: "trivy-results-python.sarif"
severity: "LOW,MEDIUM,HIGH,CRITICAL"
exit-code: "0"
- name: Run Trivy vulnerability scanner for go with pulsarctl
id: scan-go-pulsarctl-runner
uses: aquasecurity/trivy-action@master
with:
image-ref: "pulsar-functions-pulsarctl-go-runner:latest"
format: "template"
exit-code: "0"
template: "@/contrib/sarif.tpl"
output: "trivy-results-pulsarctl.sarif"
severity: "LOW,MEDIUM,HIGH,CRITICAL"
- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: "trivy-results.sarif"
category: "Default"
- name: Upload Trivy go scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: "trivy-results-go.sarif"
category: "Golang"
- name: Upload Trivy pulsarctl scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: "trivy-results-pulsarctl.sarif"
category: "Pulsarctl"
- name: Upload Trivy python scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: "trivy-results-python.sarif"
category: "Python"