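name: Get and scan images, and report vulnerabilities
on:
  workflow_call:
    inputs:
      bundle-path:
        # This value ends up in shell commands below (release-track and the
        # bundle.yaml location). It is chosen by the calling workflow, so treat
        # it as untrusted: expose it through `env:` and quote it, never splice
        # `${{ inputs.bundle-path }}` directly into `run:` text.
        description: The bundle path on which the vulnerability scan will be executed
        required: true
        type: string
    secrets:
      github-token:
        # Handed to the Trivy action's environment (see scan-images); pass a
        # token with the narrowest scope that still works there.
        required: true
# Least privilege for the default GITHUB_TOKEN. Checkout needs contents:read
# and the report-issues job creates/edits issues; the visible steps (Trivy
# scan, artifact upload/download) should need nothing further. A caller can
# grant more than this, but these limits still apply inside this workflow.
permissions:
  contents: read
  issues: write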
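jobs:
  get-images:
    name: Get images
    runs-on: ubuntu-22.04
    outputs:
      # JSON array of image refs, consumed by scan-images' matrix via fromJSON.
      images-array: ${{ steps.set-images-array.outputs.images-array }}
    steps:
      - name: Checkout
        # TODO(security): pin third-party actions to a full commit SHA instead of
        # a mutable tag so a moved tag cannot change what runs here.
        uses: actions/checkout@v4
        with:
          fetch-depth: 0
      - name: Run get-all-images.py
        env:
          # Read the caller-controlled input from the environment (quoted)
          # rather than expanding it inside the script text.
          BUNDLE_PATH: ${{ inputs.bundle-path }}
        run: |
          # pip3 install -r scripts/requirements.txt
          # python3 scripts/get-all-images.py "releases/${BUNDLE_PATH}/bundle.yaml" > /tmp/images_list.txt
          # DEBUG: test with just one image
          echo "charmedkubeflow/api-server:2.0.5-63c48d5" > /tmp/images_list.txt
      - name: Generate an array of images
        id: set-images-array
        run: |
          # Output the images as an array that can be used in the matrix strategy for the scan images job
          # This array contains all the images from /tmp/images_list.txt
          # jq ships with the ubuntu-22.04 runner image; only install it if missing.
          command -v jq >/dev/null 2>&1 || sudo snap install jq
          # TODO: We could just list the images that the team maintains to avoid scanning
          # images that we cannot fix. Leaving it as a POC.
          # IMAGES=$(jq -R -s -c 'split("\n")[:-1]' /tmp/images_list.txt)
          # Only keep the images this team maintains. The pipeline status is
          # jq's, so a grep with no match silently yields "[]"; the scan-images
          # matrix cannot run on an empty list, so fail here with a clear
          # message instead of a confusing error in the next job.
          IMAGES=$(grep 'charmedkubeflow' /tmp/images_list.txt | jq -R -s -c 'split("\n")[:-1]')
          if [ "$IMAGES" = "[]" ]; then
            echo "::error::no charmedkubeflow images found in /tmp/images_list.txt"
            exit 1
          fi
          echo "images-array=$IMAGES" >> "$GITHUB_OUTPUT"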
scan-images: | ||
name: Run vulnerability scans and report | ||
runs-on: ubuntu-22.04 | ||
needs: get-images | ||
outputs: | ||
report-path: ${{ steps.report-path.outputs.report-path }} | ||
release-track: ${{ steps.release-track.outputs.release-track }} | ||
image-name: ${{ steps.image-name.outputs.image-name }} | ||
strategy: | ||
fail-fast: false | ||
matrix: | ||
image: ${{ fromJSON(needs.get-images.outputs.images-array) }} | ||
steps: | ||
- name: Generate report path | ||
id: report-path | ||
run: | | ||
FILENAME=$(echo ${{ matrix.image }} | sed 's/:/-/g; s/\//-/g; s/\./-/g') | ||
PATH="${FILENAME}.txt" | ||
echo "report-path=$PATH" >> $GITHUB_OUTPUT | ||
# Only scan the images that this team maintains | ||
- name: Run Trivy vulnerability scanner | ||
uses: aquasecurity/[email protected] | ||
with: | ||
image-ref: ${{ matrix.image }} | ||
scan-type: image | ||
output: '${{ steps.report-path.outputs.report-path }}' | ||
format: 'table' | ||
exit-code: '1' | ||
ignore-unfixed: true | ||
severity: 'CRITICAL,HIGH' | ||
# NOTE: pebble is flagged with a HIGH vuln because of golang.org/x/crypto | ||
# CVE-2021-43565, CVE-2022-27191 | ||
skip-files: '/bin/pebble,/usr/bin/pebble,usr/bin/pebble,bin/pebble' | ||
# Workaround for https://github.com/aquasecurity/trivy-action/issues/389 | ||
env: | ||
ACTIONS_RUNTIME_TOKEN: ${{ secrets.github-token }} | ||
- name: Output image name | ||
id: image-name | ||
run: echo "image-name=${{ matrix.image }}" >> $GITHUB_OUTPUT | ||
- name: Generate release track | ||
if: failure() | ||
id: release-track | ||
run: | | ||
RELEASE_TRACK=$(echo ${{ inputs.bundle-path }} | sed 's/\//-/g') | ||
echo "release-track=$RELEASE_TRACK" >> $GITHUB_OUTPUT | ||
- name: Upload Trivy reports | ||
if: failure() | ||
uses: actions/upload-artifact@v4 | ||
with: | ||
name: ${{ steps.release-track.outputs.release-track }}-${{ steps.report-path.outputs.report-path }} | ||
path: ${{ steps.report-path.outputs.report-path }} | ||
- name: Print vulnerability report | ||
if: failure() | ||
run: cat ${{ steps.report-path.outputs.report-path }} | ||
report-issues: | ||
name: Report issue if vulnerability is found | ||
runs-on: ubuntu-22.04 | ||
needs: [get-images, scan-images] | ||
if: ${{ always() && contains(needs.scan-images.result, 'failure') }} | ||
steps: | ||
- name: Checkout | ||
uses: actions/checkout@v4 | ||
with: | ||
fetch-depth: 0 | ||
- name: Install gh | ||
run: sudo snap install gh | ||
- name: Download vulnerability report | ||
uses: actions/download-artifact@v4 | ||
with: | ||
name: ${{ needs.scan-images.outputs.release-track }}-${{ needs.scan-images.outputs.report-path }} | ||
path: /tmp/ | ||
- name: Create/edit issue for vulnerability reports | ||
uses: ./.github/workflows/report-vulnerability-in-gh.yaml | ||
with: | ||
issue-title: "Vulnerabilities found for ${{ needs.scan-images.outputs.image-name }}" | ||
issue-body-file: "/tmp/${{ needs.scan-images.outputs.report-path }}" | ||
# - name: Get issue number if exists | ||
# id: get-issue-number | ||
# if: failure() | ||
# run: | | ||
# export GH_TOKEN=${{ secrets.github-token }} | ||
# export GITHUB_TOKEN=${{ secrets.github-token }} | ||
# EXPECTED_TITLE="Vulnerabilities found for ${{ matrix.image }}" | ||
# ISSUE_NUMBER=$(gh issue list --repo $GITHUB_REPOSITORY --limit 500 --json "number,title" | jq -r --arg expected_title "$EXPECTED_TITLE" '.[] | select(.title == $expected_title) | .number') | ||
# echo "issue-number=$ISSUE_NUMBER" >> $GITHUB_OUTPUT | ||
# | ||
# - name: Issue body | ||
# id: issue-body | ||
# if: failure() | ||
# run: | | ||
# title="Vulnerabilities found for ${{ matrix.image }}" | ||
# echo "## $title" > issue.md | ||
# echo "" >> issue.md | ||
# echo "\`\`\`" >> issue.md | ||
# cat ${{ steps.report-path.outputs.report-path }} >> issue.md | ||
# echo "\`\`\`" >> issue.md | ||
# echo "" >> issue.md | ||
# echo -e "\nDetails: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}" >> issue.md | ||
# echo "issue-body-file=issue.md" >> "$GITHUB_OUTPUT" | ||
# | ||
# - name: Report failures via Github issue | ||
# if: failure() | ||
# run: | | ||
# export GH_TOKEN=${{ secrets.github-token }} | ||
# export GITHUB_TOKEN=${{ secrets.github-token }} | ||
# if [ -z ${{ steps.get-issue-number.outputs.issue-number }} ]; then | ||
# echo "---- Creating issue ----" | ||
# gh issue create --repo $GITHUB_REPOSITORY \ | ||
# --title "Vulnerabilities found for ${{ matrix.image }}" \ | ||
# --label "bug,(auto) vulnerability" \ | ||
# --body-file "${{ steps.issue-body.outputs.issue-body-file }}" | ||
# else | ||
# echo "---- Editing issue ${{ steps.get-issue-number.outputs.issue-number }}----" | ||
# gh issue edit --repo $GITHUB_REPOSITORY ${{ steps.get-issue-number.outputs.issue-number }} \ | ||
# --title "Vulnerabilities found for ${{ matrix.image }}" \ | ||
# --body-file "${{ steps.issue-body.outputs.issue-body-file }}" | ||
# fi |