Add verify-govulncheck and verify-vulnerabilities targets and integra…

…te to scan action

.github/workflows/weekly-image-scan.yaml → .github/workflows/weekly-security-scan.yaml

@@ -1,4 +1,4 @@
-name: Weekly image scan
+name: Weekly security scan
 
 on:
   schedule:
@@ -28,5 +28,5 @@ jobs:
       uses: actions/setup-go@fac708d6674e30b6ba41289acaab6d4b75aa0753 # tag=v4.0.1
       with:
         go-version: ${{ steps.vars.outputs.go_version }}
-    - name: Run verify container script
-      run: make verify-container-images
+    - name: Run verify security target
+      run: make verify-security

Makefile

@@ -164,6 +164,11 @@ GOLANGCI_LINT_VER := $(shell cat .github/workflows/pr-golangci-lint.yaml | grep
 GOLANGCI_LINT := $(abspath $(TOOLS_BIN_DIR)/$(GOLANGCI_LINT_BIN)-$(GOLANGCI_LINT_VER))
 GOLANGCI_LINT_PKG := github.com/golangci/golangci-lint/cmd/golangci-lint
 
+GOVULNCHECK_BIN := govulncheck
+GOVULNCHECK_VER := v1.0.0
+GOVULNCHECK := $(abspath $(TOOLS_BIN_DIR)/$(GOVULNCHECK_BIN)-$(GOVULNCHECK_VER))
+GOVULNCHECK_PKG := golang.org/x/vuln/cmd/govulncheck
+
 CONVERSION_VERIFIER_BIN := conversion-verifier
 CONVERSION_VERIFIER := $(abspath $(TOOLS_BIN_DIR)/$(CONVERSION_VERIFIER_BIN))
 
@@ -653,6 +658,20 @@ verify-tiltfile: ## Verify Tiltfile format
 verify-container-images: ## Verify container images
 	TRACE=$(TRACE) ./hack/verify-container-images.sh
 
+.PHONY: verify-govulncheck
+verify-govulncheck: $(GOVULNCHECK) ## Verify code for vulnerabilities
+	$(GOVULNCHECK) ./... && R1=$$? || R1=$$?; \
+	$(GOVULNCHECK) -C "$(TOOLS_DIR)" ./... && R2=$$? || R2=$$?; \
+	$(GOVULNCHECK) -C "$(TEST_DIR)" ./... && R3=$$? || R3=$$?; \
+	if [ "$$R1" -ne "0" ] || [ "$$R2" -ne "0" ] || [ "$$R3" -ne "0" ]; then \
+		exit 1; \
+	fi
+
+
+.PHONY: verify-security
+verify-security: ## Verify code and images for vulnerabilities
+	TRACE=$(TRACE) ./hack/verify-security.sh
+
 ## --------------------------------------
 ## Binaries
 ## --------------------------------------
@@ -1249,6 +1268,9 @@ $(GINKGO_BIN): $(GINKGO) ## Build a local copy of ginkgo.
 .PHONY: $(GOLANGCI_LINT_BIN)
 $(GOLANGCI_LINT_BIN): $(GOLANGCI_LINT) ## Build a local copy of golangci-lint.
 
+.PHONY: $(GOVULNCHECK_BIN)
+$(GOVULNCHECK_BIN): $(GOVULNCHECK) ## Build a local copy of govulncheck.
+
 $(CONTROLLER_GEN): # Build controller-gen from tools folder.
 	GOBIN=$(TOOLS_BIN_DIR) $(GO_INSTALL) $(CONTROLLER_GEN_PKG) $(CONTROLLER_GEN_BIN) $(CONTROLLER_GEN_VER)
 
@@ -1300,6 +1322,9 @@ $(GINKGO): # Build ginkgo from tools folder.
 $(GOLANGCI_LINT): # Build golangci-lint from tools folder.
 	GOBIN=$(TOOLS_BIN_DIR) $(GO_INSTALL) $(GOLANGCI_LINT_PKG) $(GOLANGCI_LINT_BIN) $(GOLANGCI_LINT_VER)
 
+$(GOVULNCHECK): # Build govulncheck.
+	GOBIN=$(TOOLS_BIN_DIR) $(GO_INSTALL) $(GOVULNCHECK_PKG) $(GOVULNCHECK_BIN) $(GOVULNCHECK_VER)
+
 ## --------------------------------------
 ## Helpers
 ## --------------------------------------

docs/release/release-tasks.md

@@ -11,45 +11,46 @@ This document details the responsibilities and tasks for each role in the releas
 <!-- START doctoc generated TOC please keep comment here to allow auto update -->
 <!-- DON'T EDIT THIS SECTION, INSTEAD RE-RUN doctoc TO UPDATE -->
 
-- [Release Lead](#release-lead)
-  - [Responsibilities](#responsibilities)
-  - [Tasks](#tasks)
-    - [Set a tentative release date for the minor release](#set-a-tentative-release-date-for-the-minor-release)
-    - [Assemble release team](#assemble-release-team)
-    - [Finalize release schedule and team](#finalize-release-schedule-and-team)
-    - [Prepare main branch for development of the new release](#prepare-main-branch-for-development-of-the-new-release)
-    - [Create a new GitHub milestone for the next release](#create-a-new-github-milestone-for-the-next-release)
-    - [[Track] Remove previously deprecated code](#track-remove-previously-deprecated-code)
-    - [[Track] Bump dependencies](#track-bump-dependencies)
-    - [Create a release branch](#create-a-release-branch)
-    - [[Continuously] Maintain the GitHub release milestone](#continuously-maintain-the-github-release-milestone)
-    - [[Continuously] Bump the Go version](#continuously-bump-the-go-version)
-    - [[Repeatedly] Cut a release](#repeatedly-cut-a-release)
-    - [[Optional] [Track] Bump the Cluster API apiVersion](#optional-track-bump-the-cluster-api-apiversion)
-    - [[Optional] [Track] Bump the Kubernetes version](#optional-track-bump-the-kubernetes-version)
-- [Communications/Docs/Release Notes Manager](#communicationsdocsrelease-notes-manager)
-  - [Responsibilities](#responsibilities-1)
-  - [Tasks](#tasks-1)
-    - [Add docs to collect release notes for users and migration notes for provider implementers](#add-docs-to-collect-release-notes-for-users-and-migration-notes-for-provider-implementers)
-    - [Update supported versions](#update-supported-versions)
-    - [Ensure the book for the new release is available](#ensure-the-book-for-the-new-release-is-available)
-    - [Polish release notes](#polish-release-notes)
-    - [Change production branch in Netlify to the new release branch](#change-production-branch-in-netlify-to-the-new-release-branch)
-    - [Update clusterctl links in the quickstart](#update-clusterctl-links-in-the-quickstart)
-    - [Continuously: Communicate key dates to the community](#continuously-communicate-key-dates-to-the-community)
-    - [Communicate beta to providers](#communicate-beta-to-providers)
-- [CI Signal/Bug Triage/Automation Manager](#ci-signalbug-triageautomation-manager)
-  - [Responsibilities](#responsibilities-2)
-  - [Tasks](#tasks-2)
-    - [Setup jobs and dashboards for a new release branch](#setup-jobs-and-dashboards-for-a-new-release-branch)
-    - [[Continuously] Monitor CI signal](#continuously-monitor-ci-signal)
-    - [[Continuously] Reduce the amount of flaky tests](#continuously-reduce-the-amount-of-flaky-tests)
-    - [[Continuously] Bug triage](#continuously-bug-triage)
-- [Maintainer](#maintainer)
-  - [Responsibilities](#responsibilities-3)
-  - [Tasks](#tasks-3)
-    - [Prepare main branch for development of the new release](#prepare-main-branch-for-development-of-the-new-release-1)
-    - [[Repeatedly] Cut a release](#repeatedly-cut-a-release-1)
+- [Release Tasks](#release-tasks)
+  - [Release Lead](#release-lead)
+    - [Responsibilities](#responsibilities)
+    - [Tasks](#tasks)
+      - [Set a tentative release date for the minor release](#set-a-tentative-release-date-for-the-minor-release)
+      - [Assemble release team](#assemble-release-team)
+      - [Finalize release schedule and team](#finalize-release-schedule-and-team)
+      - [Prepare main branch for development of the new release](#prepare-main-branch-for-development-of-the-new-release)
+      - [Create a new GitHub milestone for the next release](#create-a-new-github-milestone-for-the-next-release)
+      - [\[Track\] Remove previously deprecated code](#track-remove-previously-deprecated-code)
+      - [\[Track\] Bump dependencies](#track-bump-dependencies)
+      - [Create a release branch](#create-a-release-branch)
+      - [\[Continuously\] Maintain the GitHub release milestone](#continuously-maintain-the-github-release-milestone)
+      - [\[Continuously\] Bump the Go version](#continuously-bump-the-go-version)
+      - [\[Repeatedly\] Cut a release](#repeatedly-cut-a-release)
+      - [\[Optional\] \[Track\] Bump the Cluster API apiVersion](#optional-track-bump-the-cluster-api-apiversion)
+      - [\[Optional\] \[Track\] Bump the Kubernetes version](#optional-track-bump-the-kubernetes-version)
+  - [Communications/Docs/Release Notes Manager](#communicationsdocsrelease-notes-manager)
+    - [Responsibilities](#responsibilities-1)
+    - [Tasks](#tasks-1)
+      - [Add docs to collect release notes for users and migration notes for provider implementers](#add-docs-to-collect-release-notes-for-users-and-migration-notes-for-provider-implementers)
+      - [Update supported versions](#update-supported-versions)
+      - [Ensure the book for the new release is available](#ensure-the-book-for-the-new-release-is-available)
+      - [Polish release notes](#polish-release-notes)
+      - [Change production branch in Netlify to the new release branch](#change-production-branch-in-netlify-to-the-new-release-branch)
+      - [Update clusterctl links in the quickstart](#update-clusterctl-links-in-the-quickstart)
+      - [Continuously: Communicate key dates to the community](#continuously-communicate-key-dates-to-the-community)
+      - [Communicate beta to providers](#communicate-beta-to-providers)
+  - [CI Signal/Bug Triage/Automation Manager](#ci-signalbug-triageautomation-manager)
+    - [Responsibilities](#responsibilities-2)
+    - [Tasks](#tasks-2)
+      - [Setup jobs and dashboards for a new release branch](#setup-jobs-and-dashboards-for-a-new-release-branch)
+      - [\[Continuously\] Monitor CI signal](#continuously-monitor-ci-signal)
+      - [\[Continuously\] Reduce the amount of flaky tests](#continuously-reduce-the-amount-of-flaky-tests)
+      - [\[Continuously\] Bug triage](#continuously-bug-triage)
+  - [Maintainer](#maintainer)
+    - [Responsibilities](#responsibilities-3)
+    - [Tasks](#tasks-3)
+      - [Prepare main branch for development of the new release](#prepare-main-branch-for-development-of-the-new-release-1)
+      - [\[Repeatedly\] Cut a release](#repeatedly-cut-a-release-1)
 
 <!-- END doctoc generated TOC please keep comment here to allow auto update -->
 
@@ -426,7 +427,7 @@ While we add test coverage for the new release branch we will also drop the test
 3. Remove tests for old release branches according to our policy documented in [Support and guarantees](../../CONTRIBUTING.md#support-and-guarantees)
    For example, let's assume we just created tests for v1.4, then we can now drop test coverage for the release-1.1 branch.
 4. Verify the jobs and dashboards a day later by taking a look at: `https://testgrid.k8s.io/sig-cluster-lifecycle-cluster-api-1.4`
-5. Update `.github/workflows/weekly-image-scan.yaml` - to setup Trivy scanning - `.github/workflows/weekly-md-link-check.yaml` - to setup link checking in the CAPI book - and `.github/workflows/weekly-test-release.yaml` - to verify the release target is working - for the currently supported branches.
+5. Update `.github/workflows/weekly-security-scan.yaml` - to setup Trivy scanning - `.github/workflows/weekly-md-link-check.yaml` - to setup link checking in the CAPI book - and `.github/workflows/weekly-test-release.yaml` - to verify the release target is working - for the currently supported branches.
 
 
 Prior art:

hack/verify-security.sh

@@ -0,0 +1,40 @@
+#!/bin/bash
+
+# Copyright 2023 The Kubernetes Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -o errexit
+set -o nounset
+set -o pipefail
+
+if [[ "${TRACE-0}" == "1" ]]; then
+    set -o xtrace
+fi
+
+# Scan the images
+make verify-container-images && R1=$? || R1=$?
+make verify-govulncheck && R2=$? || R2=$?
+
+echo ""
+BRed='\033[1;31m'
+BGreen='\033[1;32m'
+NC='\033[0m' # No
+
+if [ "$R1" -ne "0" ] || [ "$R2" -ne "0" ]
+then
+  echo -e "${BRed}Check for vulnerabilities failed! There are vulnerability to be fixed${NC}"
+  exit 1
+fi
+
+echo -e "${BGreen}Check for vulnerabilities passed! No vulnerability found${NC}"