
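name: Get and scan images, and report vulnerabilities

# Reusable workflow (workflow_call): lists the images of a bundle, scans each
# one with Trivy in a matrix job and, when a scan fails on CRITICAL/HIGH
# findings, uploads the report and hands it to the issue-reporting step.
#
# NOTE(review): no `permissions:` block is declared, so jobs run with the
# caller's default GITHUB_TOKEN permissions; consider restricting them once the
# issue-reporting path (which needs `issues: write`) is settled.
on:
  workflow_call:
    inputs:
      bundle-path:
        description: The bundle path on which the vulnerability scan will be executed
        required: true
        type: string
    secrets:
      github-token:
        required: true

jobs:
  get-images:
    name: Get images
    runs-on: ubuntu-22.04
    outputs:
      images-array: ${{ steps.set-images-array.outputs.images-array }}
    steps:
      - name: Checkout
        uses: actions/checkout@v4
        with:
          fetch-depth: 0
      # NOTE(review): when the commented python3 line is re-enabled, pass
      # inputs.bundle-path through `env:` instead of expanding `${{ }}` inside
      # the script, as the steps below do for matrix.image.
      - name: Run get-all-images.py
        run: |
          # pip3 install -r scripts/requirements.txt
          # python3 scripts/get-all-images.py releases/${{ inputs.bundle-path }}/bundle.yaml > /tmp/images_list.txt
          # DEBUG: test with just one image
          echo "charmedkubeflow/api-server:2.0.5-63c48d5" > /tmp/images_list.txt
      # The default `run` shell is bash with `-eo pipefail`, so a grep with no
      # match fails this step instead of producing an empty matrix (presumably
      # the intended behaviour; an empty array would fail the scan job anyway).
      - name: Generate an array of images
        id: set-images-array
        run: |
          # Output the images as an array that can be used in the matrix strategy for the scan images job
          # This array contains all the images from /tmp/image_list.txt
          sudo snap install jq
          # TODO: We could just list the images that the team maintains to avoid scanning
          # images that we cannot fix. Leaving it as a POC.
          # IMAGES=$(cat /tmp/images_list.txt | jq -R -s -c 'split("\n")[:-1]')
          IMAGES=$(cat /tmp/images_list.txt | grep 'charmedkubeflow' | jq -R -s -c 'split("\n")[:-1]')
          echo "images-array=$IMAGES" >> $GITHUB_OUTPUT

  scan-images:
    name: Run vulnerability scans and report
    runs-on: ubuntu-22.04
    needs: get-images
    # NOTE(review): outputs of a matrix job are written by whichever matrix leg
    # finishes last, so with more than one image only one report-path /
    # release-track / image-name triple reaches report-issues. This works for
    # the single DEBUG image above; confirm before scanning the full list.
    outputs:
      report-path: ${{ steps.report-path.outputs.report-path }}
      release-track: ${{ steps.release-track.outputs.release-track }}
      image-name: ${{ steps.image-name.outputs.image-name }}
    strategy:
      fail-fast: false
      matrix:
        image: ${{ fromJSON(needs.get-images.outputs.images-array) }}
    steps:
      # Build a filesystem-safe report name from the image reference.
      # matrix.image is handed to the script via `env:` so that a reference
      # containing shell metacharacters is treated as data, not as code.
      - name: Generate report path
        id: report-path
        env:
          IMAGE: ${{ matrix.image }}
        run: |
          FILENAME=$(echo "$IMAGE" | sed 's/:/-/g; s/\//-/g; s/\./-/g')
          # Not named PATH: that would clobber the shell's executable search path.
          REPORT_PATH="${FILENAME}.txt"
          echo "report-path=$REPORT_PATH" >> "$GITHUB_OUTPUT"
      # Recorded before the scan: a step without `if:` is skipped once the Trivy
      # step fails, which is exactly the case in which report-issues needs it.
      - name: Output image name
        id: image-name
        env:
          IMAGE: ${{ matrix.image }}
        run: echo "image-name=$IMAGE" >> "$GITHUB_OUTPUT"
      # Only scan the images that this team maintains
      - name: Run Trivy vulnerability scanner
        # PLACEHOLDER: the pinned ref was garbled in the source page; restore the
        # project's pinned trivy-action version (preferably a full commit SHA).
        uses: aquasecurity/trivy-action@PINNED_REF_PLACEHOLDER
        with:
          image-ref: ${{ matrix.image }}
          scan-type: image
          output: '${{ steps.report-path.outputs.report-path }}'
          format: 'table'
          # exit-code 1 makes this step fail on findings; the `if: failure()`
          # steps below only run in that case.
          exit-code: '1'
          ignore-unfixed: true
          severity: 'CRITICAL,HIGH'
          # NOTE: pebble is flagged with a HIGH vuln because of golang.org/x/crypto
          # CVE-2021-43565, CVE-2022-27191
          skip-files: '/bin/pebble,/usr/bin/pebble,usr/bin/pebble,bin/pebble'
        # Workaround for https://github.com/aquasecurity/trivy-action/issues/389
        env:
          ACTIONS_RUNTIME_TOKEN: ${{ secrets.github-token }}
      - name: Generate release track
        if: failure()
        id: release-track
        env:
          BUNDLE_PATH: ${{ inputs.bundle-path }}
        run: |
          RELEASE_TRACK=$(echo "$BUNDLE_PATH" | sed 's/\//-/g')
          echo "release-track=$RELEASE_TRACK" >> "$GITHUB_OUTPUT"
      - name: Upload Trivy reports
        if: failure()
        uses: actions/upload-artifact@v4
        with:
          name: ${{ steps.release-track.outputs.release-track }}-${{ steps.report-path.outputs.report-path }}
          path: ${{ steps.report-path.outputs.report-path }}
      - name: Print vulnerability report
        if: failure()
        env:
          REPORT_PATH: ${{ steps.report-path.outputs.report-path }}
        run: cat "$REPORT_PATH"

  report-issues:
    name: Report issue if vulnerability is found
    runs-on: ubuntu-22.04
    needs: [get-images, scan-images]
    if: ${{ always() && contains(needs.scan-images.result, 'failure') }}
    steps:
      - name: Checkout
        uses: actions/checkout@v4
        with:
          fetch-depth: 0
      - name: Install gh
        run: sudo snap install gh
      - name: Download vulnerability report
        uses: actions/download-artifact@v4
        with:
          name: ${{ needs.scan-images.outputs.release-track }}-${{ needs.scan-images.outputs.report-path }}
          path: /tmp/
      # NOTE(review): a step-level `uses:` must reference an action (a directory
      # holding action.yml), not a workflow file; reusable workflows are called
      # with `jobs.<id>.uses`. Confirm what report-vulnerability-in-gh.yaml is
      # before relying on this step.
      - name: Create/edit issue for vulnerability reports
        uses: ./.github/workflows/report-vulnerability-in-gh.yaml
        with:
          issue-title: "Vulnerabilities found for ${{ needs.scan-images.outputs.image-name }}"
          issue-body-file: "/tmp/${{ needs.scan-images.outputs.report-path }}"
      # Previous inline implementation, kept for reference. It refers to
      # matrix.image and steps.report-path, which do not exist in this job.
      # - name: Get issue number if exists
      #   id: get-issue-number
      #   if: failure()
      #   run: |
      #     export GH_TOKEN=${{ secrets.github-token }}
      #     export GITHUB_TOKEN=${{ secrets.github-token }}
      #     EXPECTED_TITLE="Vulnerabilities found for ${{ matrix.image }}"
      #     ISSUE_NUMBER=$(gh issue list --repo $GITHUB_REPOSITORY --limit 500 --json "number,title" | jq -r --arg expected_title "$EXPECTED_TITLE" '.[] | select(.title == $expected_title) | .number')
      #     echo "issue-number=$ISSUE_NUMBER" >> $GITHUB_OUTPUT
      #
      # - name: Issue body
      #   id: issue-body
      #   if: failure()
      #   run: |
      #     title="Vulnerabilities found for ${{ matrix.image }}"
      #     echo "## $title" > issue.md
      #     echo "" >> issue.md
      #     echo "\`\`\`" >> issue.md
      #     cat ${{ steps.report-path.outputs.report-path }} >> issue.md
      #     echo "\`\`\`" >> issue.md
      #     echo "" >> issue.md
      #     echo -e "\nDetails: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}" >> issue.md
      #     echo "issue-body-file=issue.md" >> "$GITHUB_OUTPUT"
      #
      # - name: Report failures via Github issue
      #   if: failure()
      #   run: |
      #     export GH_TOKEN=${{ secrets.github-token }}
      #     export GITHUB_TOKEN=${{ secrets.github-token }}
      #     if [ -z ${{ steps.get-issue-number.outputs.issue-number }} ]; then
      #       echo "---- Creating issue ----"
      #       gh issue create --repo $GITHUB_REPOSITORY \
      #         --title "Vulnerabilities found for ${{ matrix.image }}" \
      #         --label "bug,(auto) vulnerability" \
      #         --body-file "${{ steps.issue-body.outputs.issue-body-file }}"
      #     else
      #       echo "---- Editing issue ${{ steps.get-issue-number.outputs.issue-number }}----"
      #       gh issue edit --repo $GITHUB_REPOSITORY ${{ steps.get-issue-number.outputs.issue-number }} \
      #         --title "Vulnerabilities found for ${{ matrix.image }}" \
      #         --body-file "${{ steps.issue-body.outputs.issue-body-file }}"
      #     fi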