diff --git a/.github/workflows/weekly-image-scan.yaml b/.github/workflows/weekly-security-scan.yaml
similarity index 88%
rename from .github/workflows/weekly-image-scan.yaml
rename to .github/workflows/weekly-security-scan.yaml
index cac026712a09..be7bfaf216ca 100644
--- a/.github/workflows/weekly-image-scan.yaml
+++ b/.github/workflows/weekly-security-scan.yaml
@@ -1,4 +1,4 @@
-name: Weekly image scan
+name: Weekly security scan
 
 on:
 schedule:
@@ -28,5 +28,5 @@ jobs:
 uses: actions/setup-go@fac708d6674e30b6ba41289acaab6d4b75aa0753 # tag=v4.0.1
 with:
 go-version: ${{ steps.vars.outputs.go_version }}
- - name: Run verify container script
- run: make verify-container-images
+ - name: Run verify security target
+ run: make verify-security
diff --git a/Makefile b/Makefile
index 5c3833881748..2e385fbe939e 100644
--- a/Makefile
+++ b/Makefile
@@ -164,6 +164,11 @@ GOLANGCI_LINT_VER := $(shell cat .github/workflows/pr-golangci-lint.yaml | grep
 GOLANGCI_LINT := $(abspath $(TOOLS_BIN_DIR)/$(GOLANGCI_LINT_BIN)-$(GOLANGCI_LINT_VER))
 GOLANGCI_LINT_PKG := github.com/golangci/golangci-lint/cmd/golangci-lint
 
+GOVULNCHECK_BIN := govulncheck
+GOVULNCHECK_VER := v1.0.0
+GOVULNCHECK := $(abspath $(TOOLS_BIN_DIR)/$(GOVULNCHECK_BIN)-$(GOVULNCHECK_VER))
+GOVULNCHECK_PKG := golang.org/x/vuln/cmd/govulncheck
+
 CONVERSION_VERIFIER_BIN := conversion-verifier
 CONVERSION_VERIFIER := $(abspath $(TOOLS_BIN_DIR)/$(CONVERSION_VERIFIER_BIN))
 
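Review bot: `GOVULNCHECK_VER := v1.0.0` pins only the scanner binary; the findings that `verify-govulncheck` reports come from the vulnerability database govulncheck consults at run time, so a passing run is not reproducible the way the other pinned tool versions are, and that is worth stating next to the pin. Suggested comment above the new block: `# Pins the govulncheck binary only; the vulnerability data is fetched from the Go vulnerability database at run time, so scan results change as that database is updated.` The neighbouring tool derives its version differently (GOLANGCI_LINT_VER is read from a workflow file on the hunk's header line), so a short note on why this one is hard-coded would also help whoever bumps it next.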
@@ -654,6 +659,24 @@ verify-tiltfile: ## Verify Tiltfile format
 verify-container-images: ## Verify container images
 	TRACE=$(TRACE) ./hack/verify-container-images.sh
 
+.PHONY: verify-govulncheck
+verify-govulncheck: $(GOVULNCHECK) ## Verify code for vulnerabilities
+	$(GOVULNCHECK) ./... && R1=$$? || R1=$$?; \
+	$(GOVULNCHECK) -C "$(TOOLS_DIR)" ./... && R2=$$? || R2=$$?; \
+	$(GOVULNCHECK) -C "$(TEST_DIR)" ./... && R3=$$? || R3=$$?; \
+	if [ "$$R1" -ne "0" ] || [ "$$R2" -ne "0" ] || [ "$$R3" -ne "0" ]; then \
+	exit 1; \
+	fi
+
+.PHONY: verify-security
+verify-security: ## Verify code and images for vulnerabilities
+	$(MAKE) verify-container-images && R1=$$? || R1=$$?; \
+	$(MAKE) verify-govulncheck && R2=$$? || R2=$$?; \
+	if [ "$$R1" -ne "0" ] || [ "$$R2" -ne "0" ]; then \
+	echo "Check for vulnerabilities failed! There are vulnerabilities to be fixed"; \
+	exit 1; \
+	fi
+
 ## --------------------------------------
 ## Binaries
 ## --------------------------------------
@@ -1250,6 +1273,9 @@ $(GINKGO_BIN): $(GINKGO) ## Build a local copy of ginkgo.
 .PHONY: $(GOLANGCI_LINT_BIN)
 $(GOLANGCI_LINT_BIN): $(GOLANGCI_LINT) ## Build a local copy of golangci-lint.
 
+.PHONY: $(GOVULNCHECK_BIN)
+$(GOVULNCHECK_BIN): $(GOVULNCHECK) ## Build a local copy of govulncheck.
+
 $(CONTROLLER_GEN): # Build controller-gen from tools folder.
 	GOBIN=$(TOOLS_BIN_DIR) $(GO_INSTALL) $(CONTROLLER_GEN_PKG) $(CONTROLLER_GEN_BIN) $(CONTROLLER_GEN_VER)
 
@@ -1301,6 +1327,9 @@ $(GINKGO): # Build ginkgo from tools folder.
 $(GOLANGCI_LINT): # Build golangci-lint from tools folder.
 	GOBIN=$(TOOLS_BIN_DIR) $(GO_INSTALL) $(GOLANGCI_LINT_PKG) $(GOLANGCI_LINT_BIN) $(GOLANGCI_LINT_VER)
 
+$(GOVULNCHECK): # Build govulncheck.
+	GOBIN=$(TOOLS_BIN_DIR) $(GO_INSTALL) $(GOVULNCHECK_PKG) $(GOVULNCHECK_BIN) $(GOVULNCHECK_VER)
+
 ## --------------------------------------
 ## Helpers
 ## --------------------------------------
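Review bot: The `&& R1=$$? || R1=$$?` capture in the new `verify-govulncheck` recipe (and again in `verify-security`) is hard to read — the assignment on the success branch only ever stores 0 — and the closing `if` fails the target without saying which of the three scans (root module, `$(TOOLS_DIR)`, `$(TEST_DIR)`) reported something, so the weekly job's log has to be read back to find the failing module. A loop over the three directories that records one flag and names the failing directory on stderr keeps the same contract (all scans still run, non-zero exit if any fails) and is easier to extend when another module is added; `verify-security` should likewise send its failure echo to stderr. `TOOLS_DIR` and `TEST_DIR` are defined outside this hunk, so I am assuming they hold paths relative to the repository root. Note also that govulncheck exits non-zero both for findings and for tool errors such as an unreachable vulnerability database; treating both as failure is the safe default for a scheduled scan, but a comment saying so would prevent someone "fixing" it later.
```make
verify-govulncheck: $(GOVULNCHECK) ## Verify code for vulnerabilities
	rc=0; \
	for dir in . "$(TOOLS_DIR)" "$(TEST_DIR)"; do \
		$(GOVULNCHECK) -C "$$dir" ./... || { echo "govulncheck: findings or scan error in $$dir" >&2; rc=1; }; \
	done; \
	exit $$rc
# … unchanged: verify-security …
```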
diff --git a/docs/release/release-tasks.md b/docs/release/release-tasks.md
index af9c0e6d4093..03dd85baea7e 100644
--- a/docs/release/release-tasks.md
+++ b/docs/release/release-tasks.md
@@ -426,7 +426,7 @@ While we add test coverage for the new release branch we will also drop the test
 3. Remove tests for old release branches according to our policy documented in [Support and guarantees](../../CONTRIBUTING.md#support-and-guarantees)
 For example, let's assume we just created tests for v1.4, then we can now drop test coverage for the release-1.1 branch.
 4. Verify the jobs and dashboards a day later by taking a look at: `https://testgrid.k8s.io/sig-cluster-lifecycle-cluster-api-1.4`
-5. Update `.github/workflows/weekly-image-scan.yaml` - to setup Trivy scanning - `.github/workflows/weekly-md-link-check.yaml` - to setup link checking in the CAPI book - and `.github/workflows/weekly-test-release.yaml` - to verify the release target is working - for the currently supported branches.
+5. Update `.github/workflows/weekly-security-scan.yaml` - to setup Trivy and govulncheck scanning - `.github/workflows/weekly-md-link-check.yaml` - to setup link checking in the CAPI book - and `.github/workflows/weekly-test-release.yaml` - to verify the release target is working - for the currently supported branches.
 
 Prior art:
 
diff --git a/hack/verify-container-images.sh b/hack/verify-container-images.sh
index 5d8977a7e9b0..496e03faaeeb 100755
--- a/hack/verify-container-images.sh
+++ b/hack/verify-container-images.sh
@@ -72,7 +72,7 @@ NC='\033[0m' # No
 
 if [ "$R1" -ne "0" ] || [ "$R2" -ne "0" ] || [ "$R3" -ne "0" ] || [ "$R4" -ne "0" ] || [ "$R5" -ne "0" ] || [ "$R6" -ne "0" ]
 then
- echo -e "${BRed}Check container images failed! There are vulnerability to be fixed${NC}"
+ echo -e "${BRed}Check container images failed! There are vulnerabilities to be fixed${NC}"
 exit 1
 fi
 
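Review bot: The failure message on the changed line still goes to stdout, so when this script is driven by the new `verify-security` make target and its output is captured or piped, the only thing distinguishing the failure text from ordinary scan output is the colour escape; `echo -e "${BRed}Check container images failed! There are vulnerabilities to be fixed${NC}" >&2` puts it on stderr next to the non-zero exit it explains. The R1..R6 assignments that feed this `if` are outside the hunk, so I cannot tell whether the per-image messages have the same issue.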