trivy-images #2341
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| --- | |
| name: trivy-images | |
| on: | |
| push: | |
| branches: | |
| - main | |
| schedule: | |
| - cron: "37 19 * * *" | |
| permissions: | |
| contents: read | |
| jobs: | |
| get-dev-image: | |
| uses: ./.github/workflows/get_image.yaml | |
| with: | |
| image-base-name: "dev_image_with_extras" | |
| image-scan: | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| artifact: [cloud, operator, vizier] | |
| runs-on: oracle-8cpu-32gb-x86-64 | |
| needs: get-dev-image | |
| container: | |
| image: ${{ needs.get-dev-image.outputs.image-with-tag }} | |
| permissions: | |
| actions: read | |
| contents: read | |
| security-events: write | |
| steps: | |
| - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
| - name: Add pwd to git safe dir | |
| run: git config --global --add safe.directory `pwd` | |
| - name: Use github bazel config | |
| uses: ./.github/actions/bazelrc | |
| with: | |
| download_toplevel: 'true' | |
| BB_API_KEY: ${{ secrets.BB_IO_API_KEY }} | |
| - name: Build images | |
| run: | | |
| ./scripts/bazel_ignore_codes.sh build \ | |
| --//k8s:image_version=nightly --config=x86_64_sysroot \ | |
| //k8s/${{ matrix.artifact }}:image_bundle.tar //k8s/${{ matrix.artifact }}:list_image_bundle | |
| - name: Load Images | |
| run: | | |
| docker load -i bazel-bin/k8s/${{ matrix.artifact }}/image_bundle.tar | |
| - name: Scan Images | |
| # yamllint disable rule:line-length | |
| run: | | |
| mkdir -p sarif/${{ matrix.artifact }} | |
| ./bazel-bin/k8s/${{ matrix.artifact }}/list_image_bundle | xargs -I{} sh -c 'trivy image --scanners vuln {} --format=sarif --output=sarif/${{ matrix.artifact }}/$(basename {} | cut -d":" -f1).sarif' | |
| # TODO(ddelnano): Remove this check once the operator dependency images are supported. | |
| # This requires rendering helm templates and requires some additional work. | |
| if [ "${{ matrix.artifact }}" = "operator" ]; then | |
| echo "Skipping operator image scan for now." | |
| exit 0 | |
| fi | |
| echo "Found non bazel images for ${{ matrix.artifact }}." | |
| ./scripts/bazel_ignore_codes.sh build \ | |
| //k8s/${{ matrix.artifact }}:${{ matrix.artifact }}_image_list | |
| mkdir -p sarif/${{ matrix.artifact }}_deps | |
| # Ignore images whose basename is "/${{ matrix.artifact }}" to avoid scanning the bazel built images (e.g. /vizier-, /cloud-) | |
| # The deps images must have their file named processed differently to avoid conflicts with the image name. For example, | |
| # ory/hydra:v1.9.2-alpine and ory/hydra:v1.9.2-sqlite must not conflict. | |
| cat ./bazel-bin/k8s/${{ matrix.artifact }}/${{ matrix.artifact }}_image_list.txt | grep -v "\/${{ matrix.artifact }}" | xargs -I{} sh -c 'trivy image --scanners vuln {} --format=sarif --output=sarif/${{ matrix.artifact }}_deps/$(basename {} | cut -d"@" -f1 | tr ":" "_").sarif' | |
| # yamllint enable rule:line-length | |
| - run: | | |
| # Loop through all ${artifact} and ${artifact}_deps sarif files | |
| for f in "sarif/${{ matrix.artifact }}"*/*; do | |
| jq '.runs[].tool.driver.name = "trivy-images"' < "$f" > tmp | |
| # The runAutomationDetails's object must contain a unique category as required by the CodeQL SARIF uploader | |
| # The id value will be interpreted like so: "${category}/${run_id}" | |
| filename=$(basename "$f")/ | |
| jq --arg id "$filename" '.runs[].automationDetails.id = $id' < tmp > "$f" | |
| done | |
| - uses: github/codeql-action/upload-sarif@1b549b9259bda1cb5ddde3b41741a82a2d15a841 # v3.28.13 | |
| with: | |
| sarif_file: sarif/${{ matrix.artifact }} | |
| # TODO(ddelnano): Remove this check once the operator dependency images are supported. | |
| # This requires rendering helm templates and requires some additional work. | |
| - uses: github/codeql-action/upload-sarif@1b549b9259bda1cb5ddde3b41741a82a2d15a841 # v3.28.13 | |
| if: ${{ matrix.artifact != 'operator' }} | |
| with: | |
| sarif_file: sarif/${{ matrix.artifact }}_deps |