Skip to content

Commit

Permalink
Add trivy scanning to PR reports (#6806)
Browse files Browse the repository at this point in the history
* Add trivy GHA workflow for scanning rke2-runtime image

Signed-off-by: Derek Nola <[email protected]>

* Use customer runners

Signed-off-by: Derek Nola <[email protected]>

---------

Signed-off-by: Derek Nola <[email protected]>
  • Loading branch information
dereknola committed Sep 17, 2024
1 parent 0c83bc8 commit f016d30
Show file tree
Hide file tree
Showing 2 changed files with 73 additions and 1 deletion.
72 changes: 72 additions & 0 deletions .github/workflows/trivy.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,72 @@
name: PR Comment Triggered Trivy Scan

on:
issue_comment:
types: [created]

jobs:
trivy_scan:
if: github.event.issue.pull_request && github.event.comment.body == '/trivy' && github.event.issue.state == 'open'
runs-on: runs-on,runner=8cpu-linux-x64,run-id=${{ github.run_id }}
permissions:
pull-requests: write
env:
GH_TOKEN: ${{ github.token }}
steps:
- name: Checkout PR code
uses: actions/checkout@v4
with:
ref: refs/pull/${{ github.event.issue.number }}/head

- name: Comment Status on PR
run: |
gh repo set-default ${{ github.repository }}
gh pr comment ${{ github.event.issue.number }} -b ":construction: Running Trivy scan on PR :construction: "
# We don't care about the go version, as we only use it to capture ENV vars
- name: Install Go
uses: ./.github/actions/setup-go

- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3

- name: Build RKE2 Image
id: build-image
run: |
SKIP_WINDOWS=true make build-image-runtime
TAG=$(docker images --format "{{.Repository}}:{{.Tag}} {{.CreatedAt}}" | grep "rancher/rke2-runtime" | sort -k2 -r | head -n1 | awk '{print $1}')
echo "TAG=${TAG}" >> "$GITHUB_OUTPUT"
- name: Run Trivy on image
uses: aquasecurity/[email protected]
with:
image-ref: '${{ steps.build-image.outputs.TAG }}'
format: 'table'
severity: "HIGH,CRITICAL"
output: "trivy-image-report.txt"

- name: Run Trivy on filesystem
uses: aquasecurity/[email protected]
with:
scan-type: 'fs'
scan-ref: '.'
severity: "HIGH,CRITICAL"
output: "trivy-fs-report.txt"

- name: Add Trivy Report to PR
run: |
sudo chown runner:runner trivy-image-report.txt trivy-fs-report.txt
cat trivy-image-report.txt trivy-fs-report.txt > trivy-report.txt
if [ -s trivy-report.txt ] && [ -n "$(grep -v '^\s*$' trivy-report.txt)" ]; then
echo '```' | cat - trivy-report.txt > temp && mv temp trivy-report.txt
echo '```' >> trivy-report.txt
gh issue comment ${{ github.event.issue.number }} --edit-last -F trivy-report.txt
else
echo ':star2: No High or Critical CVEs Found :star2:' > trivy-report.txt
gh issue comment ${{ github.event.issue.number }} --edit-last -F trivy-report.txt
fi
- name: Report Failure
if: ${{ failure() }}
run: |
gh issue comment ${{ github.event.issue.number }} --edit-last -b ":x: Trivy scan action failed, check logs :x:"
2 changes: 1 addition & 1 deletion scripts/build-image-runtime
Original file line number Diff line number Diff line change
Expand Up @@ -18,7 +18,7 @@ DOCKER_BUILDKIT=${DOCKER_BUILDKIT:-1} docker image build \
--file Dockerfile \
.

if [ "${GOARCH}" != "s390x" ] && [ "${GOARCH}" != "arm64" ]; then
if [ "${GOARCH}" != "s390x" ] && [ "${GOARCH}" != "arm64" ] && [ -z "$SKIP_WINDOWS" ]; then
DOCKER_BUILDKIT=${DOCKER_BUILDKIT:-1} docker image build \
--build-arg TAG=${VERSION} \
--build-arg KUBERNETES_VERSION=${KUBERNETES_VERSION} \
Expand Down

0 comments on commit f016d30

Please sign in to comment.