Scan Antrea Docker image for vulnerabilities every day #339
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Scan Antrea Docker image for vulnerabilities every day | |
| on: | |
| schedule: | |
| # every day at 10am | |
| - cron: '0 10 * * *' | |
| workflow_dispatch: | |
| jobs: | |
| build: | |
| if: github.repository == 'antrea-io/antrea' | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v3 | |
| - uses: actions/setup-go@v3 | |
| with: | |
| go-version-file: 'go.mod' | |
| - name: Find greatest Antrea version | |
| id: find-antrea-greatest-version | |
| run: | | |
| VERSION=$(git ls-remote --tags --ref https://github.com/antrea-io/antrea.git | \ | |
| grep -v rc | \ | |
| awk '{print $2}' | awk -F/ '{print $3}' | \ | |
| sort --version-sort -r | head -n 1) | |
| echo "antrea_version=$VERSION" >> $GITHUB_OUTPUT | |
| - name: Pull Antrea Docker images | |
| id: pull | |
| run: | | |
| docker pull antrea/antrea-ubuntu:latest | |
| docker pull antrea/antrea-ubuntu:${{ steps.find-antrea-greatest-version.outputs.antrea_version }} | |
| - name: Run Trivy vulnerability scanner on latest Antrea Docker image | |
| if: ${{ always() && steps.pull.conclusion == 'success' }} | |
| uses: aquasecurity/trivy-action@0.9.1 | |
| # we cannot use .trivy.yml as we need to override some config parameters | |
| # and that is not supported by aquasecurity/trivy-action | |
| with: | |
| scan-type: 'image' | |
| image-ref: 'antrea/antrea-ubuntu:latest' | |
| exit-code: '1' | |
| ignore-unfixed: true | |
| severity: 'CRITICAL,HIGH' | |
| # whereabouts project doesn't upgrade dependencies frequently | |
| skip-files: '/opt/cni/bin/whereabouts' | |
| format: 'table' | |
| output: 'trivy.latest.txt' | |
| - name: Run Trivy vulnerability scanner on Antrea Docker image for latest released version | |
| if: ${{ always() && steps.pull.conclusion == 'success' }} | |
| uses: aquasecurity/trivy-action@0.9.1 | |
| with: | |
| scan-type: 'image' | |
| image-ref: 'antrea/antrea-ubuntu:${{ steps.find-antrea-greatest-version.outputs.antrea_version }}' | |
| exit-code: '1' | |
| ignore-unfixed: true | |
| severity: 'CRITICAL,HIGH' | |
| skip-files: '/opt/cni/bin/whereabouts' | |
| format: 'table' | |
| output: 'trivy.${{ steps.find-antrea-greatest-version.outputs.antrea_version }}.txt' | |
| - name: Upload Trivy scan reports | |
| if: ${{ always() && steps.pull.conclusion == 'success' }} | |
| uses: actions/upload-artifact@v3 | |
| with: | |
| name: trivy-scan-reports | |
| path: trivy.*.txt | |
| retention-days: 90 # max value | |
| skip: | |
| if: github.repository != 'antrea-io/antrea' | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Skip | |
| run: | | |
| echo "Skipping image scan because workflow cannot be run from fork" |