Trivy Scan #530
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Trivy Scan | |
on: | |
workflow_dispatch: {} | |
schedule: | |
# run every day at 3:07am UTC | |
- cron: '7 3 * * *' | |
env: | |
DOCKER_USR: ${{ secrets.DOCKER_USR }} | |
permissions: | |
contents: read | |
jobs: | |
generate-matrix: | |
runs-on: ubuntu-latest | |
if: github.repository == 'crossplane/crossplane' | |
outputs: | |
versions: ${{ steps.get-releases.outputs.versions}} | |
supported_releases: ${{ steps.get-releases.outputs.supported_releases }} | |
steps: | |
- name: Checkout | |
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 | |
with: | |
fetch-depth: 0 | |
- name: Get Last 3 Releases | |
id: get-releases | |
shell: bash | |
## find the 3 latest supported releases and their latest patch releases, storing them in the steps' outputs | |
run: | | |
# get the last 3 releases in "vX.Y" form | |
supported_releases="$(git for-each-ref --sort='-committerdate' --format='%(refname:short)' --count=3 'refs/remotes/origin/release-*' | sed 's/.*release-/v/g')" | |
if [ -z "$supported_releases" ] | |
then | |
echo "DEBUG: No supported releases found" | |
echo "DEBUG: $(git for-each-ref 'refs/remotes')" | |
exit 1 | |
fi | |
echo "DEBUG: ${supported_releases}" | |
# get the latest non-rc tag for each release | |
tags="" | |
while IFS= read -r version; do | |
tag="$(git for-each-ref --sort=-taggerdate --count=1 'refs/tags/'${version}'.[\!-rc.*]' --format='%(tag)')" | |
if [ -z "$tag" ] | |
then | |
echo "No tags found for version ${version}, ${tag}" | |
echo "DEBUG: $(git for-each-ref 'refs/tags')" | |
exit 1 | |
fi | |
tags="${tags} ${version}=${tag}" | |
done <<< "${supported_releases}" | |
echo "DEBUG: ${tags}" | |
# build a JSON formatted list of all the supported releases for crossplane/crossplane | |
supported_releases=$(echo $supported_releases | jq -R .| jq -s -c '.[] | split(" ")') | |
## build a map of all the supported releases and their latest tags for later usage | |
versions=$(echo $tags | jq -R .| jq -s -c '.[] | split(" ") | [.[] | select(length > 0) | [split("=")] | map({key: .[0], value: .[1]}) | .[] ] | from_entries' ) | |
# store everything as outputs | |
echo "versions=${versions}" >> $GITHUB_OUTPUT | |
echo "supported_releases=${supported_releases}" >> $GITHUB_OUTPUT | |
echo "DEBUG: GITHUB_OUTPUT:" | |
cat $GITHUB_OUTPUT | |
check-matrix: | |
# this job is just to check the matrix definition is valid and helps debugging it if not valid | |
runs-on: ubuntu-latest | |
needs: | |
- generate-matrix | |
steps: | |
- name: Check Matrix Definition | |
shell: bash | |
run: | | |
supported_releases='${{ needs.generate-matrix.outputs.supported_releases }}' | |
echo $supported_releases | |
echo $supported_releases | jq . | |
scan: | |
permissions: | |
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results | |
needs: | |
- check-matrix | |
- generate-matrix | |
strategy: | |
fail-fast: false | |
matrix: | |
release: ${{ fromJSON(needs.generate-matrix.outputs.supported_releases) }} | |
image: | |
- crossplane/crossplane | |
runs-on: ubuntu-latest | |
steps: | |
- name: Get Release Tag | |
run: | | |
echo "${{ matrix.release }}" | |
tag="$(echo '${{ needs.generate-matrix.outputs.versions }}' | jq --raw-output ".[\"${{ matrix.release }}\"]")" | |
echo "tag=${tag}" >> $GITHUB_ENV | |
echo "escaped_filename=$(echo ${{ matrix.image }}/$tag | sed 's/[\/.:]/_/g')" >> $GITHUB_ENV | |
# we log to DockerHub to avoid rate limiting | |
- name: Login To DockerHub | |
uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3 | |
if: env.DOCKER_USR != '' | |
with: | |
username: ${{ secrets.DOCKER_USR }} | |
password: ${{ secrets.DOCKER_PSW }} | |
# we pull the image to be sure we're scanning the latest sha available | |
- name: Pull Latest Image | |
run: docker pull ${{ matrix.image }}:${{ env.tag }} | |
- name: Run Trivy Vulnerability Scanner | |
uses: aquasecurity/trivy-action@18f2510ee396bbf400402947b394f2dd8c87dbb0 # 0.29.0 | |
with: | |
image-ref: ${{ matrix.image }}:${{ env.tag }} | |
format: 'sarif' | |
output: 'trivy-results.sarif' | |
- name: Upload Artifact | |
uses: actions/upload-artifact@6f51ac03b9356f520e9adb1b1b7802705f340c2b # v4 | |
with: | |
name: trivy-${{ env.escaped_filename }}.sarif | |
path: trivy-results.sarif | |
retention-days: 3 | |
- name: Upload Trivy Scan Results To GitHub Security Tab | |
uses: github/codeql-action/upload-sarif@babb554ede22fd5605947329c4d04d8e7a0b8155 # v3 | |
with: | |
sarif_file: 'trivy-results.sarif' | |
category: ${{ matrix.image }}:${{ env.tag }} | |