Add verify script and weekly GitHub workflow that run Trivy scanner o…

…n container images

.github/workflows/scan.yml

@@ -0,0 +1,48 @@
+name: scan-images
+
+on:
+  schedule:
+    - cron: "0 12 * * 4"
+
+# Remove all permissions from GITHUB_TOKEN except metadata.
+permissions: {}
+
+jobs:
+  scan:
+    name: Trivy
+    runs-on: ubuntu-latest
+    steps:
+    - name: Check out code
+      uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # tag=v3.1.0
+    - name: Make images
+      run: make REGISTRY=gcr.io/k8s-staging-cluster-api PULL_POLICY=IfNotPresent TAG=dev ARCH=amd64 docker-build
+    - name: Run Trivy vulnerability scanner on clusterctl image
+      uses: aquasecurity/trivy-action@9ab158e8597f3b310480b9a69402b419bc03dbd5 # tag=v0.8.0
+      with:
+        image-ref: 'gcr.io/k8s-staging-cluster-api/clusterctl-arm64:dev'
+        format: 'table'
+        exit-code: '1'
+    - name: Run Trivy vulnerability scanner on KCP image
+      uses: aquasecurity/trivy-action@9ab158e8597f3b310480b9a69402b419bc03dbd5 # tag=v0.8.0
+      with:
+        image-ref: 'gcr.io/k8s-staging-cluster-api/kubeadm-control-plane-controller-arm64:dev'
+        format: 'table'
+        exit-code: '1'
+    - name: Run Trivy vulnerability scanner on CABPK image
+      uses: aquasecurity/trivy-action@9ab158e8597f3b310480b9a69402b419bc03dbd5 # tag=v0.8.0
+      with:
+        image-ref: 'gcr.io/k8s-staging-cluster-api/kubeadm-bootstrap-controller-arm64:dev'
+        format: 'table'
+        exit-code: '1'
+    - name: Run Trivy vulnerability scanner on CAPI image
+      uses: aquasecurity/trivy-action@9ab158e8597f3b310480b9a69402b419bc03dbd5 # tag=v0.8.0
+      with:
+        image-ref: 'gcr.io/k8s-staging-cluster-api/cluster-api-controller-arm64:dev'
+        format: 'table'
+        exit-code: '1'
+    - name: Run Trivy vulnerability scanner on CAPD image
+      uses: aquasecurity/trivy-action@9ab158e8597f3b310480b9a69402b419bc03dbd5 # tag=v0.8.0
+      with:
+        image-ref: 'gcr.io/k8s-staging-cluster-api/capd-manager-arm64:dev'
+        format: 'table'
+        exit-code: '1'

docs/release/release-tasks.md

@@ -155,6 +155,8 @@ This can be done by:
 #### [Repeatedly] Cut a release
 
 1. Ensure CI is stable before cutting the release (e.g. by checking with the CI manager)
+   Note: special attention should be given to image scan results, so we can avoid cutting a release with CVE or document
+   known CVEs in release notes.
 2. Create and push the release tags to the GitHub repository:
    ```bash 
    # Export the tag of the release to be cut, e.g.:
@@ -384,9 +386,11 @@ The goal of this task is to keep our tests running in CI stable.
     <br\>**Note**: An alternative to the alert mailing list is manually monitoring the [testgrid dashboards](https://testgrid.k8s.io/sig-cluster-lifecycle-cluster-api)
     (also dashboards of previous releases). Using the alert mailing list has proven to be a lot less effort though.
 2. Triage CI failures reported by mail alerts or found by monitoring the testgrid dashboards:
-    1. Create an issue in the Cluster API repository to surface the CI failure.
-    2. Identify if the issue is a known issue, new issue or a regression.
+    1. Identify if the issue is a known issue, new issue or a regression.
+    2. Create an issue in the Cluster API repository to surface new issue or a regression.
     3. Mark the issue as `release-blocking` if applicable.
+3. Triage periodic GitHub actions failures, with special attention to image scan results;
+   Eventually open issues as described in the previous point.
 
 #### [Continuously] Reduce the amount of flaky tests
 

hack/verify-container-images.sh

@@ -0,0 +1,62 @@
+#!/bin/bash
+
+# Copyright 2022 The Kubernetes Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -o errexit
+set -o nounset
+set -o pipefail
+
+TRIVY_VERSION=0.34.0
+
+GO_OS="$(go env GOOS)"
+if [[ "${GO_OS}" == "linux" ]]; then
+  TRIVY_OS="Linux"
+elif [[ "${GO_OS}" == "darwin"* ]]; then
+  TRIVY_OS="macOS"
+fi
+
+GO_ARCH="$(go env GOARCH)"
+if [[ "${GO_ARCH}" == "amd" ]]; then
+  TRIVY_ARCH="32bit"
+elif [[ "${GO_ARCH}" == "amd64"* ]]; then
+  TRIVY_ARCH="64bit"
+elif [[ "${GO_ARCH}" == "arm" ]]; then
+  TRIVY_ARCH="ARM"
+elif [[ "${GO_ARCH}" == "arm64" ]]; then
+  TRIVY_ARCH="ARM64"
+fi
+
+TOOL_BIN=hack/tools/bin
+mkdir -p ${TOOL_BIN}
+
+# Downloads trivy scanner
+curl -L -o ${TOOL_BIN}/trivy.tar.gz \
+    https://github.com/aquasecurity/trivy/releases/download/v${TRIVY_VERSION}/trivy_${TRIVY_VERSION}_${TRIVY_OS}-${TRIVY_ARCH}.tar.gz \
+
+tar xfO ${TOOL_BIN}/trivy.tar.gz trivy > ${TOOL_BIN}/trivy
+chmod +x ${TOOL_BIN}/trivy
+rm ${TOOL_BIN}/trivy.tar.gz
+
+# Builds all the container images to be scanned and cleans up changes to ./*manager_image_patch.yaml ./*manager_pull_policy.yaml.
+make REGISTRY=gcr.io/k8s-staging-cluster-api PULL_POLICY=IfNotPresent TAG=dev docker-build
+make clean-release-git
+
+# Scan the images
+${TOOL_BIN}/trivy image -q gcr.io/k8s-staging-cluster-api/clusterctl-${GO_ARCH}:dev
+${TOOL_BIN}/trivy image -q gcr.io/k8s-staging-cluster-api/test-extension-${GO_ARCH}:dev
+${TOOL_BIN}/trivy image -q gcr.io/k8s-staging-cluster-api/kubeadm-control-plane-controller-${GO_ARCH}:dev
+${TOOL_BIN}/trivy image -q gcr.io/k8s-staging-cluster-api/kubeadm-bootstrap-controller-${GO_ARCH}:dev
+${TOOL_BIN}/trivy image -q gcr.io/k8s-staging-cluster-api/cluster-api-controller-${GO_ARCH}:dev
+${TOOL_BIN}/trivy image -q gcr.io/k8s-staging-cluster-api/capd-manager-${GO_ARCH}:dev