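# Daily Trivy scan of the published Antrea images (the `latest` tags and the
# most recent release). Fails the job on CRITICAL/HIGH findings that have a
# fix available and uploads the text reports as a workflow artifact.
name: Scan Antrea Docker image for vulnerabilities every day

on:
  schedule:
    # every day at 10:00 UTC (GitHub cron schedules are evaluated in UTC)
    - cron: '0 10 * * *'
  workflow_dispatch:
    inputs:
      # This is useful for testing an arbitrary released version of Antrea.
      # If left unset, we will use the latest release (obtained using the Github API).
      antrea-version:
        description: 'The released Antrea version to scan'
        type: string
        required: false
      no-cache:
        description: 'Do not use a cached Trivy DB'
        type: boolean
        default: false

# Least privilege for GITHUB_TOKEN: the only API use below is a read of the
# releases endpoint. Artifact upload does not rely on this token's scopes.
permissions:
  contents: read

jobs:
  build:
    if: github.repository == 'antrea-io/antrea'
    runs-on: ubuntu-latest
    steps:
      - name: Find greatest Antrea version
        id: find-antrea-greatest-version
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          # The workflow_dispatch input is user-controlled. Expose it to the
          # script through the environment instead of interpolating the
          # ${{ }} expression into the shell text, so its value is treated as
          # data rather than as part of the command.
          INPUT_ANTREA_VERSION: ${{ inputs.antrea-version }}
        run: |
          VERSION="$INPUT_ANTREA_VERSION"
          if [ -z "$VERSION" ]; then
            VERSION=$(gh api /repos/antrea-io/antrea/releases/latest --jq '.tag_name')
          fi
          echo "antrea_version=$VERSION" >> "$GITHUB_OUTPUT"
      - name: Pull Antrea Docker images
        id: pull
        env:
          # Same reasoning as above: this value derives from the dispatch input.
          ANTREA_VERSION: ${{ steps.find-antrea-greatest-version.outputs.antrea_version }}
        run: |
          docker pull antrea/antrea-agent-ubuntu:latest
          docker pull "antrea/antrea-agent-ubuntu:$ANTREA_VERSION"
          docker pull antrea/antrea-controller-ubuntu:latest
          docker pull "antrea/antrea-controller-ubuntu:$ANTREA_VERSION"
      - name: Install Trivy
        # NOTE(review): the action reference on this rendering reads
        # "[email protected]" (here and on every scan step below), which looks
        # like an extraction artifact; restore the real pinned reference from
        # the repository. Pinning third-party actions to a full commit SHA
        # rather than a mutable tag is preferable.
        uses: aquasecurity/[email protected]
      - name: Get current UTC date
        id: date
        run: echo "date=$(date -u +'%Y-%m-%d')" >> "$GITHUB_OUTPUT"
      - name: Restore Trivy DB cache
        if: ${{ !inputs.no-cache }}
        id: restore-db-cache
        uses: actions/cache/restore@v4
        with:
          path: ${{ github.workspace }}/.cache/trivy
          key: cache-trivy-db-${{ steps.date.outputs.date }}
          restore-keys: cache-trivy-db-
      - name: Download Trivy DB
        # We download the DB at most once a day, when there is no cache hit.
        if: ${{ inputs.no-cache || steps.restore-db-cache.outputs.cache-hit != 'true' }}
        # Try downloading the vulnerability DB up to 5 times, to account for TOOMANYREQUESTS errors.
        # Need to specify the correct location for the download (using --cache-dir), so that
        # aquasecurity/trivy-action can find it.
        # The step must fail when every attempt fails: a silently successful
        # step would let the next step cache an empty directory, and the scan
        # steps (which set TRIVY_SKIP_DB_UPDATE) would have no usable DB.
        run: |
          downloaded=0
          for i in {1..5}; do
            if trivy image --download-db-only --cache-dir "$GITHUB_WORKSPACE/.cache/trivy"; then
              downloaded=1
              break
            fi
            sleep 1
          done
          [ "$downloaded" -eq 1 ]
      - name: Save Trivy DB cache
        if: ${{ !inputs.no-cache && steps.restore-db-cache.outputs.cache-hit != 'true' }}
        uses: actions/cache/save@v4
        with:
          path: ${{ github.workspace }}/.cache/trivy
          key: ${{ steps.restore-db-cache.outputs.cache-primary-key }}
      # The four scan steps below run even if an earlier scan failed
      # (always()), but only when the images were actually pulled, so that a
      # pull failure is not reported as a scan failure.
      - name: Run Trivy vulnerability scanner on latest antrea-agent Docker image
        if: ${{ always() && steps.pull.conclusion == 'success' }}
        uses: aquasecurity/[email protected]
        # we cannot use .trivy.yml as we need to override some config parameters
        # and that is not supported by aquasecurity/trivy-action
        with:
          scan-type: 'image'
          image-ref: 'antrea/antrea-agent-ubuntu:latest'
          exit-code: '1'
          ignore-unfixed: true
          severity: 'CRITICAL,HIGH'
          format: 'table'
          output: 'trivy.agent.latest.txt'
          skip-setup-trivy: true
          # Skip caching, as we do it manually when we download the DB in the previous step.
          cache: 'false'
        env:
          # Quoted so the values reach the action as the literal strings
          # "true" regardless of YAML boolean handling.
          TRIVY_SKIP_DB_UPDATE: 'true'
          TRIVY_SKIP_JAVA_DB_UPDATE: 'true'
      - name: Run Trivy vulnerability scanner on latest antrea-controller Docker image
        if: ${{ always() && steps.pull.conclusion == 'success' }}
        uses: aquasecurity/[email protected]
        # we cannot use .trivy.yml as we need to override some config parameters
        # and that is not supported by aquasecurity/trivy-action
        with:
          scan-type: 'image'
          image-ref: 'antrea/antrea-controller-ubuntu:latest'
          exit-code: '1'
          ignore-unfixed: true
          severity: 'CRITICAL,HIGH'
          format: 'table'
          output: 'trivy.controller.latest.txt'
          skip-setup-trivy: true
          cache: 'false'
        env:
          TRIVY_SKIP_DB_UPDATE: 'true'
          TRIVY_SKIP_JAVA_DB_UPDATE: 'true'
      - name: Run Trivy vulnerability scanner on antrea-agent Docker image for latest released version
        if: ${{ always() && steps.pull.conclusion == 'success' }}
        uses: aquasecurity/[email protected]
        with:
          scan-type: 'image'
          image-ref: 'antrea/antrea-agent-ubuntu:${{ steps.find-antrea-greatest-version.outputs.antrea_version }}'
          exit-code: '1'
          ignore-unfixed: true
          severity: 'CRITICAL,HIGH'
          format: 'table'
          output: 'trivy.agent.${{ steps.find-antrea-greatest-version.outputs.antrea_version }}.txt'
          skip-setup-trivy: true
          cache: 'false'
        env:
          TRIVY_SKIP_DB_UPDATE: 'true'
          TRIVY_SKIP_JAVA_DB_UPDATE: 'true'
      - name: Run Trivy vulnerability scanner on antrea-controller Docker image for latest released version
        if: ${{ always() && steps.pull.conclusion == 'success' }}
        uses: aquasecurity/[email protected]
        with:
          scan-type: 'image'
          image-ref: 'antrea/antrea-controller-ubuntu:${{ steps.find-antrea-greatest-version.outputs.antrea_version }}'
          exit-code: '1'
          ignore-unfixed: true
          severity: 'CRITICAL,HIGH'
          format: 'table'
          output: 'trivy.controller.${{ steps.find-antrea-greatest-version.outputs.antrea_version }}.txt'
          skip-setup-trivy: true
          cache: 'false'
        env:
          TRIVY_SKIP_DB_UPDATE: 'true'
          TRIVY_SKIP_JAVA_DB_UPDATE: 'true'
      - name: Upload Trivy scan reports
        if: ${{ always() && steps.pull.conclusion == 'success' }}
        uses: actions/upload-artifact@v4
        with:
          name: trivy-scan-reports
          path: trivy.*.txt
          retention-days: 90 # max value

  # Forks cannot run the scan (the `build` job is gated on the repository
  # name); emit an explanatory no-op job so the run is visibly skipped
  # rather than absent.
  skip:
    if: github.repository != 'antrea-io/antrea'
    runs-on: ubuntu-latest
    steps:
      - name: Skip
        run: |
          echo "Skipping image scan because workflow cannot be run from fork"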