Skip to content

Scheduled master branch scan security vulnerabilities #317

Scheduled master branch scan security vulnerabilities

Scheduled master branch scan security vulnerabilities #317

name: Scheduled master branch scan security vulnerabilities
on:
pull_request:
branches:
- 'master'
paths-ignore:
- 'docs/**'
- 'README.md'
- 'CHANGELOG.md'
- 'PROJECT'
- 'LICENSE'
- 'mesh-worker-service/README.md'
- 'tools/README.md'
schedule:
- cron: '0 0 * * *'
permissions:
pull-requests: write
issues: write
# For Trivy uploads to Github Security tab
# required for all workflows
security-events: write
# only required for workflows in private repositories
actions: read
contents: read
jobs:
build:
name: Scan
permissions:
pull-requests: write
issues: write
security-events: write
actions: read
contents: read
runs-on: ubuntu-latest
env:
TRIVY_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-db
TRIVY_JAVA_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-java-db
steps:
- name: Checkout
uses: actions/checkout@v3
with:
fetch-depth: 0
repository: ${{github.event.pull_request.head.repo.full_name}}
ref: ${{ github.event.pull_request.head.sha }}
- name: Set up GO 1.22.7
uses: actions/setup-go@v1
with:
go-version: 1.22.7
id: go
- name: InstallKubebuilder
run: |
curl -L https://github.com/kubernetes-sigs/kubebuilder/releases/download/v2.3.1/kubebuilder_2.3.1_linux_amd64.tar.gz | tar -xz -C /tmp/
sudo mv /tmp/kubebuilder_2.3.1_linux_amd64 /usr/local/kubebuilder
export PATH=$PATH:/usr/local/kubebuilder/bin
- name: Install operator-sdk
run: |
RELEASE_VERSION=v1.14.0
curl -LO "https://github.com/operator-framework/operator-sdk/releases/download/${RELEASE_VERSION}/operator-sdk_linux_amd64"
chmod +x operator-sdk_linux_amd64 && sudo mkdir -p /usr/local/bin/ && sudo mv operator-sdk_linux_amd64 /usr/local/bin/operator-sdk
- name: Set up yq
run: |
sudo wget https://github.com/mikefarah/yq/releases/download/v4.30.4/yq_linux_amd64 -O /usr/bin/yq
sudo chmod +x /usr/bin/yq
yq --help
- name: Build operator image
run: |
make generate
make helm-crds
image="function-mesh-operator:latest"
IMG=${image} make docker-build-skip-test
- name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@master
with:
image-ref: 'function-mesh-operator:latest'
format: 'table'
exit-code: '1'
- name: Build runner images
run: |
PULSAR_IMAGE_TAG=3.2.2.6 PULSAR_IMAGE=streamnative/sn-platform KIND_PUSH=false images/build.sh
- name: Run Trivy vulnerability scanner for java
id: scan-java-runner
uses: aquasecurity/trivy-action@master
with:
image-ref: 'pulsar-functions-java-runner:latest'
format: 'table'
exit-code: '0'
- name: Run Trivy vulnerability scanner for python
id: scan-python-runner
uses: aquasecurity/trivy-action@master
with:
image-ref: 'pulsar-functions-python-runner:latest'
format: 'table'
exit-code: '0'
- name: Run Trivy vulnerability scanner for go
id: scan-go-runner
uses: aquasecurity/trivy-action@master
with:
image-ref: 'pulsar-functions-go-runner:latest'
format: 'template'
template: '@/contrib/sarif.tpl'
output: 'trivy-results-go.sarif'
severity: 'LOW,MEDIUM,HIGH,CRITICAL'
exit-code: '0'
- name: Run Trivy vulnerability scanner for java with pulsarctl
id: scan-java-pulsarctl-runner
uses: aquasecurity/trivy-action@master
with:
image-ref: 'pulsar-functions-pulsarctl-java-runner:latest'
format: 'template'
template: '@/contrib/sarif.tpl'
output: 'trivy-results.sarif'
severity: 'LOW,MEDIUM,HIGH,CRITICAL'
exit-code: '0'
- name: Run Trivy vulnerability scanner for python with pulsarctl
id: scan-python-pulsarctl-runner
uses: aquasecurity/trivy-action@master
with:
image-ref: 'pulsar-functions-pulsarctl-python-runner:latest'
format: 'template'
template: '@/contrib/sarif.tpl'
output: 'trivy-results-python.sarif'
severity: 'LOW,MEDIUM,HIGH,CRITICAL'
exit-code: '0'
- name: Run Trivy vulnerability scanner for go with pulsarctl
id: scan-go-pulsarctl-runner
uses: aquasecurity/trivy-action@master
with:
image-ref: 'pulsar-functions-pulsarctl-go-runner:latest'
format: 'template'
exit-code: '0'
template: '@/contrib/sarif.tpl'
output: 'trivy-results-pulsarctl.sarif'
severity: 'LOW,MEDIUM,HIGH,CRITICAL'
- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: 'trivy-results.sarif'
category: 'Default'
- name: Upload Trivy go scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: 'trivy-results-go.sarif'
category: 'Golang'
- name: Upload Trivy pulsarctl scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: 'trivy-results-pulsarctl.sarif'
category: 'Pulsarctl'
- name: Upload Trivy python scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: 'trivy-results-python.sarif'
category: 'Python'