Merge branch 'main' of github.com:cnwaldron/trivy-operator into main
cnwaldron committed Nov 15, 2023
2 parents 6a87caf + 567bc7d commit e94c957
Showing 66 changed files with 13,479 additions and 183 deletions.
29 changes: 25 additions & 4 deletions .github/workflows/build.yaml
@@ -41,7 +41,7 @@ jobs:
with:
go-version-file: go.mod
- name: Install tools
uses: aquaproj/aqua-installer@v2.1.3
uses: aquaproj/aqua-installer@v2.2.0
with:
aqua_version: v1.25.0
- name: Verify Go code
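Review bot: the `uses: aquaproj/aqua-installer@v2.2.0` line pins a third-party action by a mutable tag, so the build will run whatever that tag points at in future; consider pinning to the full commit SHA with the version in a trailing comment (the `# v1.5.0` style already used on the KIND action in publish-helm-chart.yaml) and apply the same to the other three aqua-installer bumps in this file, the two in release.yaml, and the cosign-installer bumps in release-snapshot.yaml and release.yaml. The unchanged `aqua_version: v1.25.0` context line is repeated verbatim across all four jobs; a single reusable step or workflow-level variable would keep the copies from drifting apart.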
@@ -70,7 +70,7 @@ jobs:
with:
go-version-file: go.mod
- name: Install tools
uses: aquaproj/aqua-installer@v2.1.3
uses: aquaproj/aqua-installer@v2.2.0
with:
aqua_version: v1.25.0
- name: Run unit tests
@@ -93,7 +93,7 @@ jobs:
with:
go-version-file: go.mod
- name: Install tools
uses: aquaproj/aqua-installer@v2.1.3
uses: aquaproj/aqua-installer@v2.2.0
with:
aqua_version: v1.25.0
- name: Run envtest
@@ -116,7 +116,7 @@ jobs:
with:
go-version-file: go.mod
- name: Install tools
uses: aquaproj/aqua-installer@v2.1.3
uses: aquaproj/aqua-installer@v2.2.0
with:
aqua_version: v1.25.0
- name: Setup Kubernetes cluster (KIND)
@@ -224,6 +224,27 @@ jobs:
./bin/kuttl test --start-kind=false --config
tests/config/client-server.yaml
./tests/resources-cleanup.sh > /dev/null 2>&1
- name: Standalon mode with Sbom scanning
reports tests
run: >
./bin/kuttl test --start-kind=false --config
tests/config/sbom-standalone.yaml
./tests/resources-cleanup.sh > /dev/null 2>&1
- name: Client/Server with Sbom scanning
reports tests
run: >
./bin/kuttl test --start-kind=false --config
tests/config/client-server-sbom.yaml
./tests/resources-cleanup.sh > /dev/null 2>&1
- name: file system with Sbom scanning
reports tests
run: >
./bin/kuttl test --start-kind=false --config
tests/config/fs-sbom.yaml
./tests/resources-cleanup.sh > /dev/null 2>&1
- name: Node scan producing cluster infraassessment report
run: >
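Review bot: the new step name `Standalon mode with Sbom scanning reports tests` has a typo (`Standalone`), and `file system with Sbom scanning reports tests` breaks the capitalisation of the neighbouring step names; step names appear in the Actions UI and in required-check configuration, so fix them before anything references them. In each new `run: >` block, the `./tests/resources-cleanup.sh > /dev/null 2>&1` line sits inside the same folded scalar as the kuttl command as rendered here; confirm a blank line separates the two in the file, otherwise folding joins the cleanup script onto the kuttl invocation as extra arguments. Also, because the cleanup is the second command of the same `run`, it only executes when kuttl exits zero, so a failing SBOM test leaves its resources in place for the next config; a separate cleanup step with `if: always()` would make the three configs independent (the existing client-server step above has the same shape).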
2 changes: 1 addition & 1 deletion .github/workflows/chart-testing.yaml
@@ -81,7 +81,7 @@ jobs:
python-version: 3.7
- name: Setup chart-testing
id: lint
uses: helm/[email protected].0
uses: helm/[email protected].1
- name: Run chart-testing
run: ct lint-and-install --validate-maintainers=false --charts deploy/helm
- name: Delete kind cluster
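Review bot: the `python-version: 3.7` context line directly above the bumped chart-testing step pins a Python release that reached end of life in June 2023 and no longer receives security fixes; since this step is being touched anyway, move it to a supported 3.x. The same `python-version: 3.7` pin appears in the publish-helm-chart.yaml hunk below and should be updated together with this one.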
2 changes: 1 addition & 1 deletion .github/workflows/publish-helm-chart.yaml
@@ -32,7 +32,7 @@ jobs:
python-version: 3.7
- name: Setup Chart Linting
id: lint
uses: helm/[email protected].0
uses: helm/[email protected].1
- name: Setup Kubernetes cluster (KIND)
uses: helm/[email protected] # v1.5.0
with:
2 changes: 1 addition & 1 deletion .github/workflows/release-snapshot.yaml
@@ -36,7 +36,7 @@ jobs:
with:
go-version-file: go.mod
- name: Install cosign
uses: sigstore/cosign-installer@v3.1.2
uses: sigstore/cosign-installer@v3.2.0
- name: Release snapshot
uses: goreleaser/goreleaser-action@v5
with:
6 changes: 3 additions & 3 deletions .github/workflows/release.yaml
@@ -27,7 +27,7 @@ jobs:
with:
go-version-file: go.mod
- name: Install tools
uses: aquaproj/aqua-installer@v2.1.3
uses: aquaproj/aqua-installer@v2.2.0
with:
aqua_version: v1.25.0
- name: Run unit tests
@@ -46,7 +46,7 @@ jobs:
with:
go-version-file: go.mod
- name: Install tools
uses: aquaproj/aqua-installer@v2.1.3
uses: aquaproj/aqua-installer@v2.2.0
with:
aqua_version: v1.25.0
- name: Setup Kubernetes cluster (KIND)
@@ -95,7 +95,7 @@ jobs:
with:
go-version-file: go.mod
- name: Install cosign
uses: sigstore/cosign-installer@v3.1.2
uses: sigstore/cosign-installer@v3.2.0
- name: Login to docker.io registry
uses: docker/[email protected]
with:
5 changes: 3 additions & 2 deletions deploy/helm/README.md
@@ -31,14 +31,15 @@ Keeps security report resources updated
| nodeCollector.imagePullSecret | string | `nil` | imagePullSecret is the secret name to be used when pulling node-collector image from private registries example : reg-secret It is the user responsibility to create the secret for the private registry in `trivy-operator` namespace |
| nodeCollector.registry | string | `"ghcr.io"` | registry of the node-collector image |
| nodeCollector.repository | string | `"aquasecurity/node-collector"` | repository of the node-collector image |
| nodeCollector.tag | string | `"0.0.8"` | tag version of the node-collector image |
| nodeCollector.tag | string | `"0.0.9"` | tag version of the node-collector image |
| nodeCollector.volumeMounts | list | `[{"mountPath":"/var/lib/etcd","name":"var-lib-etcd","readOnly":true},{"mountPath":"/var/lib/kubelet","name":"var-lib-kubelet","readOnly":true},{"mountPath":"/var/lib/kube-scheduler","name":"var-lib-kube-scheduler","readOnly":true},{"mountPath":"/var/lib/kube-controller-manager","name":"var-lib-kube-controller-manager","readOnly":true},{"mountPath":"/etc/systemd","name":"etc-systemd","readOnly":true},{"mountPath":"/lib/systemd/","name":"lib-systemd","readOnly":true},{"mountPath":"/etc/kubernetes","name":"etc-kubernetes","readOnly":true},{"mountPath":"/etc/cni/net.d/","name":"etc-cni-netd","readOnly":true}]` | node-collector pod volume mounts definition for collecting config files information |
| nodeCollector.volumes | list | `[{"hostPath":{"path":"/var/lib/etcd"},"name":"var-lib-etcd"},{"hostPath":{"path":"/var/lib/kubelet"},"name":"var-lib-kubelet"},{"hostPath":{"path":"/var/lib/kube-scheduler"},"name":"var-lib-kube-scheduler"},{"hostPath":{"path":"/var/lib/kube-controller-manager"},"name":"var-lib-kube-controller-manager"},{"hostPath":{"path":"/etc/systemd"},"name":"etc-systemd"},{"hostPath":{"path":"/lib/systemd"},"name":"lib-systemd"},{"hostPath":{"path":"/etc/kubernetes"},"name":"etc-kubernetes"},{"hostPath":{"path":"/etc/cni/net.d/"},"name":"etc-cni-netd"}]` | node-collector pod volumes definition for collecting config files information |
| nodeSelector | object | `{}` | nodeSelector set the operator nodeSelector |
| operator.accessGlobalSecretsAndServiceAccount | bool | `true` | accessGlobalSecretsAndServiceAccount The flag to enable access to global secrets/service accounts to allow `vulnerability scan job` to pull images from private registries |
| operator.batchDeleteDelay | string | `"10s"` | batchDeleteDelay the duration to wait before deleting another batch of config audit reports. |
| operator.batchDeleteLimit | int | `10` | batchDeleteLimit the maximum number of config audit reports deleted by the operator when the plugin's config has changed. |
| operator.builtInTrivyServer | bool | `false` | builtInTrivyServer The flag enable the usage of built-in trivy server in cluster ,its also override the following trivy params with built-in values trivy.mode = ClientServer and serverURL = http://<serverServiceName>.<trivy operator namespace>:4975 |
| operator.cacheReportTTL | string | `"120h"` | cacheReportTTL the flag to set how long a cluster sbom report should exist. "" means that the cacheReportTTL feature is disabled |
| operator.clusterComplianceEnabled | bool | `true` | clusterComplianceEnabled the flag to enable cluster compliance scanner |
| operator.configAuditScannerEnabled | bool | `true` | configAuditScannerEnabled the flag to enable configuration audit scanner |
| operator.configAuditScannerScanOnlyCurrentRevisions | bool | `true` | configAuditScannerScanOnlyCurrentRevisions the flag to only create config audit scans on the current revision of a deployment. |
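Review bot: the new `operator.cacheReportTTL` row is under-documented: the key name suggests a TTL on cached reports while the description says "how long a cluster sbom report should exist", so state explicitly which report kinds the `"120h"` default applies to, what happens when it elapses (report deleted, or a rescan triggered), and how it relates to the existing per-report TTL settings. If this README is generated by helm-docs, the wording belongs in the `values.yaml` comment rather than in the table. The `nodeCollector.tag` bump to `"0.0.9"` in the same hunk should be checked against the node-scan kuttl test referenced in build.yaml (`Node scan producing cluster infraassessment report`).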
@@ -112,7 +113,7 @@ Keeps security report resources updated
| trivy.image.pullPolicy | string | `"IfNotPresent"` | pullPolicy is the imge pull policy used for trivy image , valid values are (Always, Never, IfNotPresent) |
| trivy.image.registry | string | `"ghcr.io"` | registry of the Trivy image |
| trivy.image.repository | string | `"aquasecurity/trivy"` | repository of the Trivy image |
| trivy.image.tag | string | `"0.45.1"` | tag version of the Trivy image |
| trivy.image.tag | string | `"0.47.0"` | tag version of the Trivy image |
| trivy.imageScanCacheDir | string | `"/tmp/trivy/.cache"` | imageScanCacheDir the flag to set custom path for trivy image scan `cache-dir` parameter. Only applicable in image scan mode. |
| trivy.insecureRegistries | object | `{}` | The registry to which insecure connections are allowed. There can be multiple registries with different keys. |
| trivy.javaDbRegistry | string | `"ghcr.io"` | javaDbRegistry is the registry for the Java vulnerability database. |
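Review bot: the `trivy.image.tag` default jumps from `"0.45.1"` to `"0.47.0"`, skipping the 0.46 series, so the release notes for both minor versions should be checked for changes to scanner CLI flags or report output that the operator's report parsing and the new SBOM kuttl tests in build.yaml depend on. The default remains a mutable tag; documenting how to pin the scanner image by digest (or offering a digest value alongside the tag) would make scan results reproducible across cluster rebuilds.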