Scan Antrea Docker image for vulnerabilities every day #543
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Scan Antrea Docker image for vulnerabilities every day | |
on: | |
schedule: | |
# every day at 10am | |
- cron: '0 10 * * *' | |
workflow_dispatch: | |
inputs: | |
# This is useful for testing an arbitrary released version of Antrea. | |
# If left unset, we will use the latest release (obtained using the Github API). | |
antrea-version: | |
description: 'The released Antrea version to scan' | |
type: string | |
required: false | |
jobs: | |
build: | |
if: github.repository == 'antrea-io/antrea' | |
runs-on: ubuntu-latest | |
steps: | |
- name: Find greatest Antrea version | |
id: find-antrea-greatest-version | |
env: | |
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
run: | | |
VERSION=${{ inputs.antrea-version }} | |
if [ -z "$VERSION" ]; then | |
VERSION=$(gh api /repos/antrea-io/antrea/releases/latest --jq '.tag_name') | |
fi | |
echo "antrea_version=$VERSION" >> $GITHUB_OUTPUT | |
- name: Pull Antrea Docker images | |
id: pull | |
run: | | |
docker pull antrea/antrea-agent-ubuntu:latest | |
docker pull antrea/antrea-agent-ubuntu:${{ steps.find-antrea-greatest-version.outputs.antrea_version }} | |
docker pull antrea/antrea-controller-ubuntu:latest | |
docker pull antrea/antrea-controller-ubuntu:${{ steps.find-antrea-greatest-version.outputs.antrea_version }} | |
- name: Run Trivy vulnerability scanner on latest antrea-agent Docker image | |
if: ${{ always() && steps.pull.conclusion == 'success' }} | |
uses: aquasecurity/[email protected] | |
# we cannot use .trivy.yml as we need to override some config parameters | |
# and that is not supported by aquasecurity/trivy-action | |
with: | |
scan-type: 'image' | |
image-ref: 'antrea/antrea-agent-ubuntu:latest' | |
exit-code: '1' | |
ignore-unfixed: true | |
severity: 'CRITICAL,HIGH' | |
format: 'table' | |
output: 'trivy.agent.latest.txt' | |
- name: Run Trivy vulnerability scanner on latest antrea-controller Docker image | |
if: ${{ always() && steps.pull.conclusion == 'success' }} | |
uses: aquasecurity/[email protected] | |
# we cannot use .trivy.yml as we need to override some config parameters | |
# and that is not supported by aquasecurity/trivy-action | |
with: | |
scan-type: 'image' | |
image-ref: 'antrea/antrea-controller-ubuntu:latest' | |
exit-code: '1' | |
ignore-unfixed: true | |
severity: 'CRITICAL,HIGH' | |
format: 'table' | |
output: 'trivy.controller.latest.txt' | |
- name: Run Trivy vulnerability scanner on antrea-agent Docker image for latest released version | |
if: ${{ always() && steps.pull.conclusion == 'success' }} | |
uses: aquasecurity/[email protected] | |
with: | |
scan-type: 'image' | |
image-ref: 'antrea/antrea-agent-ubuntu:${{ steps.find-antrea-greatest-version.outputs.antrea_version }}' | |
exit-code: '1' | |
ignore-unfixed: true | |
severity: 'CRITICAL,HIGH' | |
format: 'table' | |
output: 'trivy.agent.${{ steps.find-antrea-greatest-version.outputs.antrea_version }}.txt' | |
- name: Run Trivy vulnerability scanner on antrea-controller Docker image for latest released version | |
if: ${{ always() && steps.pull.conclusion == 'success' }} | |
uses: aquasecurity/[email protected] | |
with: | |
scan-type: 'image' | |
image-ref: 'antrea/antrea-controller-ubuntu:${{ steps.find-antrea-greatest-version.outputs.antrea_version }}' | |
exit-code: '1' | |
ignore-unfixed: true | |
severity: 'CRITICAL,HIGH' | |
format: 'table' | |
output: 'trivy.controller.${{ steps.find-antrea-greatest-version.outputs.antrea_version }}.txt' | |
- name: Upload Trivy scan reports | |
if: ${{ always() && steps.pull.conclusion == 'success' }} | |
uses: actions/upload-artifact@v4 | |
with: | |
name: trivy-scan-reports | |
path: trivy.*.txt | |
retention-days: 90 # max value | |
skip: | |
if: github.repository != 'antrea-io/antrea' | |
runs-on: ubuntu-latest | |
steps: | |
- name: Skip | |
run: | | |
echo "Skipping image scan because workflow cannot be run from fork" |