From 65df4fed03e2a8d13b7528e82d357a6554881a8f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Serta=C3=A7=20=C3=96zercan?= <852750+sozercan@users.noreply.github.com>
Date: Wed, 25 Oct 2023 17:14:50 -0700
Subject: [PATCH] ci: add govulncheck (#3114)
Signed-off-by: Sertac Ozercan
---
 .github/workflows/scan-vulns.yaml | 74 +++++++++++++++++++++++++++++++
 .github/workflows/workflow.yaml | 40 -----------------
 2 files changed, 74 insertions(+), 40 deletions(-)
 create mode 100644 .github/workflows/scan-vulns.yaml
diff --git a/.github/workflows/scan-vulns.yaml b/.github/workflows/scan-vulns.yaml
new file mode 100644
index 00000000000..2384c140222
--- /dev/null
+++ b/.github/workflows/scan-vulns.yaml
@@ -0,0 +1,74 @@
+name: scan_vulns
+on:
+ push:
+ paths-ignore:
+ - ".github/workflows/website.yaml"
+ - "docs/**"
+ - "library/**"
+ - "demo/**"
+ - "deprecated/**"
+ - "example/**"
+ - "website/**"
+ - "**.md"
+ - "!cmd/build/helmify/static/README.md"
+ pull_request:
+ paths-ignore:
+ - ".github/workflows/website.yaml"
+ - "docs/**"
+ - "library/**"
+ - "demo/**"
+ - "deprecated/**"
+ - "example/**"
+ - "website/**"
+ - "**.md"
+ - "!cmd/build/helmify/static/README.md"
+
+permissions: read-all
+
+jobs:
+ govulncheck:
+ name: "Run govulncheck"
+ runs-on: ubuntu-22.04
+ timeout-minutes: 15
+ steps:
+ - uses: golang/govulncheck-action@7da72f730e37eeaad891fcff0a532d27ed737cd4 # v1.0.1
+
+ scan_vulnerabilities:
+ name: "[Trivy] Scan for vulnerabilities"
+ runs-on: ubuntu-22.04
+ timeout-minutes: 15
+ steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423 # v2.6.0
+ with:
+ egress-policy: audit
+
+ - name: Check out code into the Go module directory
+ uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
+
+ - name: Download trivy
+ run: |
+ pushd $(mktemp -d)
+ wget https://github.com/aquasecurity/trivy/releases/download/v${{ env.TRIVY_VERSION }}/trivy_${{ env.TRIVY_VERSION }}_Linux-64bit.tar.gz
+ tar zxvf trivy_${{ env.TRIVY_VERSION }}_Linux-64bit.tar.gz
+ echo "$(pwd)" >> $GITHUB_PATH
+ env:
+ TRIVY_VERSION: "0.46.0"
+
+ - name: Run trivy on git repository
+ run: |
+ trivy fs --format table --ignore-unfixed --skip-dirs website --scanners vuln .
+
+ - name: Build docker images
+ run: |
+ make docker-buildx \
+ IMG=gatekeeper-e2e:latest
+
+ make docker-buildx-crds \
+ CRD_IMG=gatekeeper-crds:latest
+
+ - name: Run trivy on images
+ run: |
+ for img in "gatekeeper-e2e:latest" "gatekeeper-crds:latest"; do
+ trivy image --ignore-unfixed --vuln-type="os,library" "${img}"
+ done
diff --git a/.github/workflows/workflow.yaml b/.github/workflows/workflow.yaml
index fa07f951b2f..c2999028508 100644
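Review bot: Both `trivy fs` and `trivy image` in the new scan_vulnerabilities job run without `--exit-code`, and Trivy exits 0 by default whether or not it reports findings, so as written these steps only print a table and the job never turns red; if the scan is meant to gate, add `--exit-code 1` (and a `--severity` filter if only the higher severities should block) to both invocations. The govulncheck job is the only job in the file without the Harden Runner step its sibling uses, and it leaves the action's Go version and package selection at the action defaults; pointing it at the repository's own toolchain declaration (e.g. `go-version-file: go.mod` under `with:`) keeps the scan aligned with what the module actually builds with. The `actions/checkout` pin carries no version comment, unlike the other two SHA-pinned actions in this file; add `# v<version>` next to it so the pin stays auditable. The Trivy tarball is fetched with `wget` and passed straight to `tar zxvf` without being compared against the checksum file published with the release, so an integrity check between those two lines would close that gap in the download step.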
--- a/.github/workflows/workflow.yaml
+++ b/.github/workflows/workflow.yaml
@@ -307,43 +307,3 @@ jobs:
 name: generatorexpansion-logs
 path: |
 logs-*.json
-
- scan_vulnerabilities:
- name: "[Trivy] Scan for vulnerabilities"
- runs-on: ubuntu-22.04
- timeout-minutes: 15
- steps:
- - name: Harden Runner
- uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423 # v2.6.0
- with:
- egress-policy: audit
-
- - name: Check out code into the Go module directory
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
-
- - name: Download trivy
- run: |
- pushd $(mktemp -d)
- wget https://github.com/aquasecurity/trivy/releases/download/v${{ env.TRIVY_VERSION }}/trivy_${{ env.TRIVY_VERSION }}_Linux-64bit.tar.gz
- tar zxvf trivy_${{ env.TRIVY_VERSION }}_Linux-64bit.tar.gz
- echo "$(pwd)" >> $GITHUB_PATH
- env:
- TRIVY_VERSION: "0.41.0"
-
- - name: Run trivy on git repository
- run: |
- trivy fs --format table --ignore-unfixed --skip-dirs website --scanners vuln .
-
- - name: Build docker images
- run: |
- make docker-buildx \
- IMG=gatekeeper-e2e:latest
-
- make docker-buildx-crds \
- CRD_IMG=gatekeeper-crds:latest
-
- - name: Run trivy on images
- run: |
- for img in "gatekeeper-e2e:latest" "gatekeeper-crds:latest"; do
- trivy image --ignore-unfixed --vuln-type="os,library" "${img}"
- done