forked from karmada-io/karmada
-
Notifications
You must be signed in to change notification settings - Fork 0
67 lines (67 loc) · 2.28 KB
/
ci-image-scanning.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
name: image-scanning
on:
push:
# Exclude branches created by Dependabot to avoid triggering current workflow
# for PRs initiated by Dependabot.
branches-ignore:
- 'dependabot/**'
permissions:
contents: read
jobs:
use-trivy-to-scan-image:
permissions:
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
name: image-scanning
if: ${{ github.repository == 'karmada-io/karmada' }}
runs-on: ubuntu-22.04
strategy:
fail-fast: false
matrix:
target:
- karmada-controller-manager
- karmada-scheduler
- karmada-descheduler
- karmada-webhook
- karmada-agent
- karmada-scheduler-estimator
- karmada-interpreter-webhook-example
- karmada-aggregated-apiserver
- karmada-search
- karmada-operator
- karmada-metrics-adapter
steps:
- name: checkout code
uses: actions/checkout@v4
- name: install Go
uses: actions/setup-go@v5
with:
go-version-file: go.mod
- name: Build an image from Dockerfile
run: |
export VERSION="latest"
export REGISTRY="docker.io/karmada"
make image-${{ matrix.target }}
- name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@0.28.0
env:
ACTIONS_RUNTIME_TOKEN: ${{ secrets.GITHUB_TOKEN }}
TRIVY_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-db,public.ecr.aws/aquasecurity/trivy-db
with:
image-ref: 'docker.io/karmada/${{ matrix.target }}:latest'
format: 'sarif'
ignore-unfixed: true
vuln-type: 'os,library'
output: 'trivy-results.sarif'
- name: display scan results
uses: aquasecurity/trivy-action@0.28.0
env:
TRIVY_SKIP_DB_UPDATE: true # Avoid updating the vulnerability db as it was cached in the previous step.
with:
image-ref: 'docker.io/karmada/${{ matrix.target }}:latest'
format: 'table'
ignore-unfixed: true
vuln-type: 'os,library'
- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: 'trivy-results.sarif'