Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add trivy scanning to PR reports #6806

Merged
merged 2 commits into from
Sep 12, 2024
Merged

Add trivy scanning to PR reports #6806

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
537814f
Add trivy GHA workflow for scanning rke2-runtime image
dereknola Sep 3, 2024
a2acf4e
Use customer runners
dereknola Sep 11, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
72 changes: 72 additions & 0 deletions .github/workflows/trivy.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,72 @@
name: PR Comment Triggered Trivy Scan

on:
issue_comment:
types: [created]

jobs:
trivy_scan:
if: github.event.issue.pull_request && github.event.comment.body == '/trivy' && github.event.issue.state == 'open'
runs-on: runs-on,runner=8cpu-linux-x64,run-id=${{ github.run_id }}
permissions:
pull-requests: write
env:
GH_TOKEN: ${{ github.token }}
steps:
- name: Checkout PR code
uses: actions/checkout@v4
with:
ref: refs/pull/${{ github.event.issue.number }}/head

- name: Comment Status on PR
run: |
gh repo set-default ${{ github.repository }}
gh pr comment ${{ github.event.issue.number }} -b ":construction: Running Trivy scan on PR :construction: "

# We don't care about the go version, as we only use it to capture ENV vars
- name: Install Go
uses: ./.github/actions/setup-go

- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3

- name: Build RKE2 Image
id: build-image
run: |
SKIP_WINDOWS=true make build-image-runtime
TAG=$(docker images --format "{{.Repository}}:{{.Tag}} {{.CreatedAt}}" | grep "rancher/rke2-runtime" | sort -k2 -r | head -n1 | awk '{print $1}')
echo "TAG=${TAG}" >> "$GITHUB_OUTPUT"

- name: Run Trivy on image
uses: aquasecurity/[email protected]
with:
image-ref: '${{ steps.build-image.outputs.TAG }}'
format: 'table'
severity: "HIGH,CRITICAL"
output: "trivy-image-report.txt"

- name: Run Trivy on filesystem
uses: aquasecurity/[email protected]
with:
scan-type: 'fs'
scan-ref: '.'
severity: "HIGH,CRITICAL"
output: "trivy-fs-report.txt"

- name: Add Trivy Report to PR
run: |
sudo chown runner:runner trivy-image-report.txt trivy-fs-report.txt
cat trivy-image-report.txt trivy-fs-report.txt > trivy-report.txt
if [ -s trivy-report.txt ] && [ -n "$(grep -v '^\s*$' trivy-report.txt)" ]; then
echo '```' | cat - trivy-report.txt > temp && mv temp trivy-report.txt
echo '```' >> trivy-report.txt
gh issue comment ${{ github.event.issue.number }} --edit-last -F trivy-report.txt
else
echo ':star2: No High or Critical CVEs Found :star2:' > trivy-report.txt
gh issue comment ${{ github.event.issue.number }} --edit-last -F trivy-report.txt
fi

- name: Report Failure
if: ${{ failure() }}
run: |
gh issue comment ${{ github.event.issue.number }} --edit-last -b ":x: Trivy scan action failed, check logs :x:"
2 changes: 1 addition & 1 deletion scripts/build-image-runtime
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -18,7 +18,7 @@ DOCKER_BUILDKIT=${DOCKER_BUILDKIT:-1} docker image build \
--file Dockerfile \
.

if [ "${GOARCH}" != "s390x" ] && [ "${GOARCH}" != "arm64" ]; then
if [ "${GOARCH}" != "s390x" ] && [ "${GOARCH}" != "arm64" ] && [ -z "$SKIP_WINDOWS" ]; then
DOCKER_BUILDKIT=${DOCKER_BUILDKIT:-1} docker image build \
--build-arg TAG=${VERSION} \
--build-arg KUBERNETES_VERSION=${KUBERNETES_VERSION} \
Expand Down
Loading