From bdc261a5839e3b4d7077a65b4e0f7844d09ed841 Mon Sep 17 00:00:00 2001
From: ArkaSaha30
Date: Mon, 1 Apr 2024 17:12:25 +0530
Subject: [PATCH 1/3] Add trivy scan action for current branch HEAD
Signed-off-by: ArkaSaha30
---
 .github/workflows/trivy-scan-nightly.yaml | 31 +++++++++++++++++++++++
 1 file changed, 31 insertions(+)
 create mode 100644 .github/workflows/trivy-scan-nightly.yaml
diff --git a/.github/workflows/trivy-scan-nightly.yaml b/.github/workflows/trivy-scan-nightly.yaml
new file mode 100644
index 00000000000..87581b4a34a
--- /dev/null
+++ b/.github/workflows/trivy-scan-nightly.yaml
@@ -0,0 +1,31 @@
+name: Trivy Scan Nightly
+on:
+ schedule:
+ - cron: '0 2 * * *' # run at 2 AM UTC
+permissions: read-all
+jobs:
+ nightly-scan:
+ name: Trivy Scan Nightly
+ permissions:
+ security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+
+ - name: Get etcd HEAD version
+ id: get_etcd_version
+ run: echo "etcd_version=$(cat go.mod | grep "go.etcd.io/etcd/api/v3 v" | awk '{print $2}')" >> "$GITHUB_OUTPUT"
+
+ - name: Run Trivy vulnerability scanner
+ uses: aquasecurity/trivy-action@d710430a6722f083d3b36b8339ff66b32f22ee55 # v0.19.0
+ with:
+ image-ref: 'gcr.io/etcd-development/etcd:${{ steps.get_etcd_version.outputs.etcd_version }}'
+ severity: 'CRITICAL,HIGH'
+ format: 'sarif'
+ output: 'trivy-results-${{ steps.get_etcd_version.outputs.etcd_version }}.sarif'
+
+ - name: Upload Trivy scan results to GitHub Security tab
+ uses: github/codeql-action/upload-sarif@956f09c2ef1926b580554b9014cfb8a51abf89dd # v2.16.6
+ with:
+ sarif_file: 'trivy-results-${{ steps.get_etcd_version.outputs.etcd_version }}.sarif'
\ No newline at end of file
From caa523f2968a38e3ba008671a62c4b230bccc0e7 Mon Sep 17 00:00:00 2001
From: ArkaSaha30
Date: Mon, 1 Apr 2024 18:36:27 +0530
Subject: [PATCH 2/3] Fix yamllint 
Signed-off-by: ArkaSaha30
---
 .github/workflows/trivy-scan-nightly.yaml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/trivy-scan-nightly.yaml b/.github/workflows/trivy-scan-nightly.yaml
index 87581b4a34a..8c704c7976d 100644
--- a/.github/workflows/trivy-scan-nightly.yaml
+++ b/.github/workflows/trivy-scan-nightly.yaml
@@ -1,3 +1,4 @@
+---
 name: Trivy Scan Nightly
 on:
 schedule:
@@ -28,4 +29,4 @@ jobs:
 - name: Upload Trivy scan results to GitHub Security tab
 uses: github/codeql-action/upload-sarif@956f09c2ef1926b580554b9014cfb8a51abf89dd # v2.16.6
 with:
- sarif_file: 'trivy-results-${{ steps.get_etcd_version.outputs.etcd_version }}.sarif'
\ No newline at end of file
+ sarif_file: 'trivy-results-${{ steps.get_etcd_version.outputs.etcd_version }}.sarif'
From 4e639e7e9b6004e52ae60a234420d785901a4331 Mon Sep 17 00:00:00 2001
From: ArkaSaha30
Date: Tue, 2 Apr 2024 14:13:33 +0530
Subject: [PATCH 3/3] Add trivy scan as a job in release workflow
Signed-off-by: ArkaSaha30
---
 .github/workflows/release.yaml | 38 +++++++++++++++++++++++
 .github/workflows/trivy-scan-nightly.yaml | 32 -------------------
 2 files changed, 38 insertions(+), 32 deletions(-)
 delete mode 100644 .github/workflows/trivy-scan-nightly.yaml
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index 336b99a4a8b..b8962a1a0e7 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -32,3 +32,41 @@ jobs:
 - name: test-image
 run: |
 VERSION=3.6.99 ./scripts/test_images.sh
+ - name: save-image
+ run: |
+ docker image save -o /tmp/etcd-img.tar gcr.io/etcd-development/etcd
+ - name: upload-image
+ uses: actions/upload-artifact@v3
+ with:
+ name: etcd-img
+ path: /tmp/etcd-img.tar
+ retention-days: 1
+ trivy-scan:
+ needs: main
+ strategy:
+ fail-fast: false
+ matrix:
+ platforms: [amd64, arm64, ppc64le, s390x]
+ permissions:
+ security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
+ runs-on: ubuntu-latest
+ steps:
+ - name: get-image
+ uses: actions/download-artifact@v3
+ with:
+ name: etcd-img
+ path: /tmp
+ - name: load-image
+ run: |
+ docker load < /tmp/etcd-img.tar
+ - name: trivy-scan
+ uses: aquasecurity/trivy-action@d710430a6722f083d3b36b8339ff66b32f22ee55 # v0.19.0
+ with:
+ image-ref: 'gcr.io/etcd-development/etcd:v3.6.99-${{ matrix.platforms }}'
+ severity: 'CRITICAL,HIGH'
+ format: 'sarif'
+ output: 'trivy-results-${{ matrix.platforms }}.sarif'
+ - name: upload scan results
+ uses: github/codeql-action/upload-sarif@956f09c2ef1926b580554b9014cfb8a51abf89dd # v2.16.6
+ with:
+ sarif_file: 'trivy-results-${{ matrix.platforms }}.sarif'
diff --git a/.github/workflows/trivy-scan-nightly.yaml b/.github/workflows/trivy-scan-nightly.yaml
deleted file mode 100644
index 8c704c7976d..00000000000
--- a/.github/workflows/trivy-scan-nightly.yaml
+++ /dev/null
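Review bot: The new `upload-image` and `get-image` steps reference `actions/upload-artifact@v3` and `actions/download-artifact@v3` by mutable tag, while every other action in this hunk (trivy-action, codeql-action/upload-sarif) is pinned to a full commit SHA with a version comment; a moved tag changes what runs in the release path, so pin both to the commit SHA of the intended v3 release in the same style, e.g. `uses: actions/download-artifact@<commit-sha> # v3.x`. Separately, the four matrix jobs each call `upload-sarif` for the same commit with no `category`, and code scanning keys uploads by tool and category, so the later platform uploads are likely to replace the earlier ones rather than sit alongside them; adding `category: 'trivy-${{ matrix.platforms }}'` under the upload step's `with:` keeps one result set per platform. The release tag is now hard-coded twice (`VERSION=3.6.99` in test-image and `v3.6.99-` in the trivy `image-ref`), so a single workflow- or job-level `env` value would stop the two from drifting. The `main` job's definition begins before this hunk, so its trigger and top-level `permissions` are not visible here.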
@@ -1,32 +0,0 @@
----
-name: Trivy Scan Nightly
-on:
- schedule:
- - cron: '0 2 * * *' # run at 2 AM UTC
-permissions: read-all
-jobs:
- nightly-scan:
- name: Trivy Scan Nightly
- permissions:
- security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
- runs-on: ubuntu-latest
- steps:
- - name: Checkout code
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
-
- - name: Get etcd HEAD version
- id: get_etcd_version
- run: echo "etcd_version=$(cat go.mod | grep "go.etcd.io/etcd/api/v3 v" | awk '{print $2}')" >> "$GITHUB_OUTPUT"
-
- - name: Run Trivy vulnerability scanner
- uses: aquasecurity/trivy-action@d710430a6722f083d3b36b8339ff66b32f22ee55 # v0.19.0
- with:
- image-ref: 'gcr.io/etcd-development/etcd:${{ steps.get_etcd_version.outputs.etcd_version }}'
- severity: 'CRITICAL,HIGH'
- format: 'sarif'
- output: 'trivy-results-${{ steps.get_etcd_version.outputs.etcd_version }}.sarif'
-
- - name: Upload Trivy scan results to GitHub Security tab
- uses: github/codeql-action/upload-sarif@956f09c2ef1926b580554b9014cfb8a51abf89dd # v2.16.6
- with:
- sarif_file: 'trivy-results-${{ steps.get_etcd_version.outputs.etcd_version }}.sarif'