[CI] Add Trivy vulnerables check

Signed-off-by: v.oleynikov <[email protected]>

Author: duckhawk

.github/workflows/trivy_check.yaml

@@ -0,0 +1,31 @@
+name: Trivy check for sub repos
+
+on:
+  pull_request:
+  push:
+    branches:
+      - main
+
+jobs:
+  test:
+    name: Trivy check for sub repos
+    runs-on: [self-hosted, regular]
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v2
+
+      - name: Prepare sub repo
+        run: |
+          git clone --depth 1 --branch v4.7.0 ${{ secrets.SOURCE_REPO }}/kubernetes-csi/csi-driver-nfs.git ./csi-driver-nfs
+          cp -R ./images/csi-nfs/patches ./csi-driver-nfs
+          cd ./csi-driver-nfs
+          for patchfile in ./patches/*.patch ; do echo -n "Apply ${patchfile} ... "; git apply ${patchfile}; done
+          cd ..
+
+      - name: Run Trivy vulnerability scanner in fs mode
+        uses: aquasecurity/trivy-action@master
+        with:
+          scan-type: 'fs'
+          scan-ref: '.'
+          trivy-config: trivy.yaml

images/csi-nfs/patches/0002-fix-go-mod.patch

@@ -0,0 +1,38 @@
+Subject: [PATCH] Fix go.mod
+---
+Index: go.mod
+IDEA additional info:
+Subsystem: com.intellij.openapi.diff.impl.patch.CharsetEP
+<+>UTF-8
+===================================================================
+diff --git a/go.mod b/go.mod
+--- a/go.mod	(revision d774c858aa291b744ab83d9cf315dfea1056f1ce)
++++ b/go.mod	(revision 6a23511b5c0f26227f0fc78479ce4bd18bcedfd2)
+@@ -16,7 +16,7 @@
+ 	k8s.io/apimachinery v0.28.9
+ 	k8s.io/client-go v0.28.9
+ 	k8s.io/klog/v2 v2.120.1
+-	k8s.io/kubernetes v1.28.9
++	k8s.io/kubernetes v1.28.12
+ 	k8s.io/mount-utils v0.29.4
+ 	k8s.io/pod-security-admission v0.0.0
+ 	k8s.io/utils v0.0.0-20230726121419-3b25d923346b
+Index: go.sum
+IDEA additional info:
+Subsystem: com.intellij.openapi.diff.impl.patch.CharsetEP
+<+>UTF-8
+===================================================================
+diff --git a/go.sum b/go.sum
+--- a/go.sum	(revision d774c858aa291b744ab83d9cf315dfea1056f1ce)
++++ b/go.sum	(revision 6a23511b5c0f26227f0fc78479ce4bd18bcedfd2)
+@@ -692,8 +692,8 @@
+ k8s.io/kubectl v0.28.9/go.mod h1:ip/zTUr1MM/H2M+YbPHnSKLt0x6kb85SJtRSjwEGDfs=
+ k8s.io/kubelet v0.28.9 h1:76v00fFLeniz27kXhGGUIxONdwa9LKcD2Jd5cXYAZko=
+ k8s.io/kubelet v0.28.9/go.mod h1:46P39DFjI+E59nU2OgpatyS3oWy58ClulKO6riZ/97o=
+-k8s.io/kubernetes v1.28.9 h1:I4sYGQJOuxEo4/QWoY7M8kDB7O0HcH266t6o6mR6ogg=
+-k8s.io/kubernetes v1.28.9/go.mod h1:chlmcCDBnOA/y+572cw8dO0Rci1wiA8bm5+zhPdFLCk=
++k8s.io/kubernetes v1.28.12 h1:DtWB8ZjoYiN/PXD4qDXFppf9IouVUavn6r3S+3NMUkU=
++k8s.io/kubernetes v1.28.12/go.mod h1:chlmcCDBnOA/y+572cw8dO0Rci1wiA8bm5+zhPdFLCk=
+ k8s.io/mount-utils v0.29.4 h1:tW/URea4gtXlaVW7VObr52NQhS+z3SXTg1GUaFZjRL4=
+ k8s.io/mount-utils v0.29.4/go.mod h1:SHUMR9n3b6tLgEmlyT36cL6fV6Sjwa5CJhc0guCXvb0=
+ k8s.io/pod-security-admission v0.28.9 h1:towoNqSp7aU7gF8T89zftCuQUfliyib3ds20Kz/hysg=

images/csi-nfs/patches/README.md

@@ -0,0 +1,6 @@
+## Patches
+
+### Fix go.mod
+
+It fixes https://avd.aquasec.com/nvd/2024/cve-2024-5321/
+MUST BE removed after switching to v4.9.0

images/csi-nfs/werf.inc.yaml

@@ -1,3 +1,4 @@
+# While changing tag, you MUST change it in .github/workflows/trivy_check.yaml
 {{- $version := "4.7.0" }}
 
 {{- $_ := set . "BASE_GOLANG_22_ALPINE" "registry.deckhouse.io/base_images/golang:1.22.3-alpine@sha256:dbf216b880b802c22e3f4f2ef0a78396b4a9a6983cb9b767c5efc351ebf946b0" }}

trivy.yaml

@@ -0,0 +1,2 @@
+format: table
+exit-code: 1