-
Notifications
You must be signed in to change notification settings - Fork 27
172 lines (153 loc) · 5.63 KB
/
trivy_scheduled_master.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
name: Scheduled master branch scan security vulnerabilities
on:
pull_request:
branches:
- 'master'
paths-ignore:
- 'docs/**'
- 'README.md'
- 'CHANGELOG.md'
- 'PROJECT'
- 'LICENSE'
- 'mesh-worker-service/README.md'
- 'tools/README.md'
schedule:
- cron: '0 0 * * *'
permissions:
pull-requests: write
issues: write
# For Trivy uploads to Github Security tab
# required for all workflows
security-events: write
# only required for workflows in private repositories
actions: read
contents: read
jobs:
build:
name: Scan
permissions:
pull-requests: write
issues: write
security-events: write
actions: read
contents: read
runs-on: ubuntu-latest
env:
TRIVY_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-db
TRIVY_JAVA_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-java-db
steps:
- name: Checkout
uses: actions/checkout@v3
with:
fetch-depth: 0
repository: ${{github.event.pull_request.head.repo.full_name}}
ref: ${{ github.event.pull_request.head.sha }}
- name: Set up GO 1.22.7
uses: actions/setup-go@v1
with:
go-version: 1.22.7
id: go
- name: InstallKubebuilder
run: |
curl -L https://github.com/kubernetes-sigs/kubebuilder/releases/download/v2.3.1/kubebuilder_2.3.1_linux_amd64.tar.gz | tar -xz -C /tmp/
sudo mv /tmp/kubebuilder_2.3.1_linux_amd64 /usr/local/kubebuilder
export PATH=$PATH:/usr/local/kubebuilder/bin
- name: Install operator-sdk
run: |
RELEASE_VERSION=v1.14.0
curl -LO "https://github.com/operator-framework/operator-sdk/releases/download/${RELEASE_VERSION}/operator-sdk_linux_amd64"
chmod +x operator-sdk_linux_amd64 && sudo mkdir -p /usr/local/bin/ && sudo mv operator-sdk_linux_amd64 /usr/local/bin/operator-sdk
- name: Set up yq
run: |
sudo wget https://github.com/mikefarah/yq/releases/download/v4.30.4/yq_linux_amd64 -O /usr/bin/yq
sudo chmod +x /usr/bin/yq
yq --help
- name: Build operator image
run: |
make generate
make helm-crds
image="function-mesh-operator:latest"
IMG=${image} make docker-build-skip-test
- name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@master
with:
image-ref: 'function-mesh-operator:latest'
format: 'table'
exit-code: '1'
- name: Build runner images
run: |
PULSAR_IMAGE_TAG=3.2.2.6 PULSAR_IMAGE=streamnative/sn-platform KIND_PUSH=false images/build.sh
- name: Run Trivy vulnerability scanner for java
id: scan-java-runner
uses: aquasecurity/trivy-action@master
with:
image-ref: 'pulsar-functions-java-runner:latest'
format: 'table'
exit-code: '0'
- name: Run Trivy vulnerability scanner for python
id: scan-python-runner
uses: aquasecurity/trivy-action@master
with:
image-ref: 'pulsar-functions-python-runner:latest'
format: 'table'
exit-code: '0'
- name: Run Trivy vulnerability scanner for go
id: scan-go-runner
uses: aquasecurity/trivy-action@master
with:
image-ref: 'pulsar-functions-go-runner:latest'
format: 'template'
template: '@/contrib/sarif.tpl'
output: 'trivy-results-go.sarif'
severity: 'LOW,MEDIUM,HIGH,CRITICAL'
exit-code: '0'
- name: Run Trivy vulnerability scanner for java with pulsarctl
id: scan-java-pulsarctl-runner
uses: aquasecurity/trivy-action@master
with:
image-ref: 'pulsar-functions-pulsarctl-java-runner:latest'
format: 'template'
template: '@/contrib/sarif.tpl'
output: 'trivy-results.sarif'
severity: 'LOW,MEDIUM,HIGH,CRITICAL'
exit-code: '0'
- name: Run Trivy vulnerability scanner for python with pulsarctl
id: scan-python-pulsarctl-runner
uses: aquasecurity/trivy-action@master
with:
image-ref: 'pulsar-functions-pulsarctl-python-runner:latest'
format: 'template'
template: '@/contrib/sarif.tpl'
output: 'trivy-results-python.sarif'
severity: 'LOW,MEDIUM,HIGH,CRITICAL'
exit-code: '0'
- name: Run Trivy vulnerability scanner for go with pulsarctl
id: scan-go-pulsarctl-runner
uses: aquasecurity/trivy-action@master
with:
image-ref: 'pulsar-functions-pulsarctl-go-runner:latest'
format: 'template'
exit-code: '0'
template: '@/contrib/sarif.tpl'
output: 'trivy-results-pulsarctl.sarif'
severity: 'LOW,MEDIUM,HIGH,CRITICAL'
- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: 'trivy-results.sarif'
category: 'Default'
- name: Upload Trivy go scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: 'trivy-results-go.sarif'
category: 'Golang'
- name: Upload Trivy pulsarctl scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: 'trivy-results-pulsarctl.sarif'
category: 'Pulsarctl'
- name: Upload Trivy python scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: 'trivy-results-python.sarif'
category: 'Python'