Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[Release-1.28] Add trivy scanning to PR reports #6835

Merged
merged 2 commits into from
Sep 26, 2024
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
116 changes: 116 additions & 0 deletions .github/workflows/trivy.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,116 @@
name: PR Comment Triggered Trivy Scan

on:
issue_comment:
types: [created]

jobs:
trivy_scan:
if: github.event.issue.pull_request && github.event.comment.body == '/trivy' && github.event.issue.state == 'open'
runs-on: runs-on,runner=8cpu-linux-x64,run-id=${{ github.run_id }}
permissions:
pull-requests: read
steps:
- name: Check if comment author is a public member of rancher organization
uses: actions/github-script@v7
with:
# Catch 404 errors if user is not a member of the organization
# 302 is expected as the GHA is not a member of the organization
# Users must be set their membership to public for this to work
# https://github.com/orgs/rancher/people
script: |
const org = context.repo.owner;
const username = context.payload.comment.user.login;
try {
const result = await github.rest.orgs.checkMembershipForUser({
org,
username,
});
} catch (error) {
core.setFailed(`User ${username} is not an public member of the ${org} organization`);
}

- name: Checkout PR code
uses: actions/checkout@v4
with:
ref: refs/pull/${{ github.event.issue.number }}/head

# We don't care about the go version, as we only use it to capture ENV vars
- name: Install Go
uses: ./.github/actions/setup-go

- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3

- name: Build RKE2 Image
id: build-image
run: |
SKIP_WINDOWS=true make build-image-runtime
TAG=$(docker images --format "{{.Repository}}:{{.Tag}} {{.CreatedAt}}" | grep "rancher/rke2-runtime" | sort -k2 -r | head -n1 | awk '{print $1}')
echo "TAG=${TAG}" >> "$GITHUB_OUTPUT"

- name: Run Trivy on image
uses: aquasecurity/[email protected]
with:
image-ref: '${{ steps.build-image.outputs.TAG }}'
format: 'table'
severity: "HIGH,CRITICAL"
output: "trivy-image-report.txt"

- name: Run Trivy on filesystem
uses: aquasecurity/[email protected]
with:
scan-type: 'fs'
scan-ref: '.'
severity: "HIGH,CRITICAL"
output: "trivy-fs-report.txt"

- name: Upload Trivy Reports
uses: actions/upload-artifact@v4
with:
name: trivy-report
path: |
trivy-image-report.txt
trivy-fs-report.txt
retention-days: 2
if-no-files-found: error

trivy_report:
needs: trivy_scan
runs-on: runs-on,runner=8cpu-linux-x64,run-id=${{ github.run_id }}
permissions:
pull-requests: write
env:
GH_TOKEN: ${{ github.token }}
GH_REPO: ${{ github.repository }}
steps:
- name: Download Trivy Report
uses: actions/download-artifact@v4
with:
name: trivy-report

- name: Add Trivy Report to PR
run: |
cat trivy-image-report.txt trivy-fs-report.txt > trivy-report.txt
if [ -s trivy-report.txt ] && [ -n "$(grep -v '^\s*$' trivy-report.txt)" ]; then
echo '```' | cat - trivy-report.txt > temp && mv temp trivy-report.txt
echo '```' >> trivy-report.txt
gh issue comment ${{ github.event.issue.number }} -F trivy-report.txt
else
echo ':star2: No High or Critical CVEs Found :star2:' > trivy-report.txt
gh issue comment ${{ github.event.issue.number }} -F trivy-report.txt
fi

trivy_failure:
needs: trivy_scan
runs-on: runs-on,runner=8cpu-linux-x64,run-id=${{ github.run_id }}
if: always() && needs.trivy_scan.result == 'failure'
permissions:
pull-requests: write
env:
GH_TOKEN: ${{ github.token }}
GH_REPO: ${{ github.repository }}
steps:
- name: Report Failure
run: |
gh issue comment ${{ github.event.issue.number }} -b ":x: Trivy scan action failed, check logs :x:"
2 changes: 1 addition & 1 deletion scripts/build-image-runtime
Original file line number Diff line number Diff line change
Expand Up @@ -18,7 +18,7 @@ DOCKER_BUILDKIT=${DOCKER_BUILDKIT:-1} docker image build \
--file Dockerfile \
.

if [ "${GOARCH}" != "s390x" ] && [ "${GOARCH}" != "arm64" ]; then
if [ "${GOARCH}" != "s390x" ] && [ "${GOARCH}" != "arm64" ] && [ -z "$SKIP_WINDOWS" ]; then
DOCKER_BUILDKIT=${DOCKER_BUILDKIT:-1} docker image build \
--build-arg TAG=${VERSION} \
--build-arg KUBERNETES_VERSION=${KUBERNETES_VERSION} \
Expand Down