Lacework Inline Scanner #1612
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| permissions: | |
| id-token: write # This is required for requesting the JWT | |
| contents: read # This is required for actions/checkout | |
| name: Lacework Inline Scanner | |
| on: | |
| workflow_run: | |
| workflows: ["Build"] | |
| types: [completed] | |
| branches: | |
| - "main" | |
| workflow_dispatch: | |
| inputs: | |
| version: | |
| required: true | |
| type: string | |
| description: "What Gitpod version to scan for CVEs" | |
| jobs: | |
| create-runner: | |
| uses: gitpod-io/gce-github-runner/.github/workflows/create-vm.yml@main | |
| secrets: | |
| runner_token: ${{ secrets.SELF_HOSTED_GITHUB_RUNNER_TOKEN }} | |
| gcp_credentials: ${{ secrets.SELF_HOSTED_GITHUB_RUNNER_GCP_CREDENTIALS }} | |
| configuration: | |
| name: Configuration | |
| runs-on: ${{ needs.create-runner.outputs.label }} | |
| needs: [create-runner] | |
| outputs: | |
| skip: ${{ steps.configuration.outputs.skip }} | |
| version: ${{ steps.configuration.outputs.version }} | |
| steps: | |
| - name: "Set outputs" | |
| id: configuration | |
| run: | | |
| if [[ '${{ github.event.workflow_run.run_number }}' == '' ]]; then | |
| # The workflow was triggered by workflow_dispatch | |
| { | |
| echo "version=${{ github.event.inputs.version }}" | |
| echo "skip=false" | |
| } >> $GITHUB_OUTPUT | |
| else | |
| # The workflow was triggered by workflow_run | |
| { | |
| echo "version=main-gha.${{ github.event.workflow_run.run_number }}" | |
| echo "skip=${{ github.event.workflow_run.conclusion == 'failure' }}" | |
| } >> $GITHUB_OUTPUT | |
| fi | |
| scan-images: | |
| name: Scan all docker images for CVEs | |
| # TODO(gpl) Could easily be run on ubuntu:latest if we pushed some bash in lw-scan-images.sh into the installer | |
| runs-on: ${{ needs.create-runner.outputs.label }} | |
| needs: [configuration,create-runner] | |
| if: ${{ needs.configuration.outputs.skip == 'false' }} | |
| container: | |
| image: eu.gcr.io/gitpod-core-dev/dev/dev-environment:pd-test-new-preview-gha.24525 | |
| steps: | |
| # Most of this is taken over from the Build workflow/preview-env-check-regressions workflow | |
| - uses: actions/checkout@v4 | |
| - uses: ./.github/actions/setup-environment | |
| with: | |
| identity_provider: ${{ github.ref == 'refs/heads/main' && secrets.CORE_DEV_PROVIDER || secrets.DEV_PREVIEW_PROVIDER }} | |
| service_account: ${{ github.ref == 'refs/heads/main' && secrets.CORE_DEV_SA || secrets.DEV_PREVIEW_SA }} | |
| leeway_segment_key: ${{ secrets.LEEWAY_SEGMENT_KEY }} | |
| - name: Lacework Inline Scanner | |
| id: lacework-inline-scanner | |
| shell: bash | |
| env: | |
| VERSION: ${{needs.configuration.outputs.version}} | |
| LW_ACCESS_TOKEN: "${{ secrets.LACEWORK_ACCESS_TOKEN }}" | |
| run: | | |
| $GITHUB_WORKSPACE/scripts/lw-scan-images.sh | |
| delete-runner: | |
| if: always() | |
| needs: | |
| - create-runner | |
| - configuration | |
| - scan-images | |
| uses: gitpod-io/gce-github-runner/.github/workflows/delete-vm.yml@main | |
| secrets: | |
| gcp_credentials: ${{ secrets.SELF_HOSTED_GITHUB_RUNNER_GCP_CREDENTIALS }} | |
| with: | |
| runner-label: ${{ needs.create-runner.outputs.label }} | |
| machine-zone: ${{ needs.create-runner.outputs.machine-zone }} |