scan #8
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: scan | |
| on: | |
| workflow_dispatch: | |
| schedule: | |
| - cron: '00 10 * * 3' | |
| permissions: | |
| contents: read | |
| env: | |
| REGISTRY: docker.io | |
| jobs: | |
| get-image-version: | |
| runs-on: ubuntu-latest | |
| permissions: | |
| contents: read | |
| outputs: | |
| sc: ${{ steps.version.outputs.sc }} | |
| kc: ${{ steps.version.outputs.kc }} | |
| hc: ${{ steps.version.outputs.hc }} | |
| nc: ${{ steps.version.outputs.nc }} | |
| irc: ${{ steps.version.outputs.irc }} | |
| iac: ${{ steps.version.outputs.iac }} | |
| flux2: ${{ steps.version.outputs.flux2 }} | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v4 | |
| - name: Get image version | |
| id: version | |
| run: | | |
| ln -s patches-flux-v21 patches-flux | |
| source ./patches-flux/VERSION | |
| if [[ "$FLUX2_SUFFIX_VERSION" =~ ^wa[.][0-9]+$ ]]; then | |
| FLUX2_VERSION=${FLUX2_BASE_VERSION}-${FLUX2_SUFFIX_VERSION} | |
| else | |
| FLUX2_VERSION=${FLUX2_BASE_VERSION}-wa | |
| fi | |
| if [[ "$SOURCE_CONTROLLER_SUFFIX_VERSION" =~ ^wa[.][0-9]+$ ]]; then | |
| SOURCE_CONTROLLER_VERSION=${SOURCE_CONTROLLER_BASE_VERSION}-${SOURCE_CONTROLLER_SUFFIX_VERSION} | |
| else | |
| SOURCE_CONTROLLER_VERSION=${SOURCE_CONTROLLER_BASE_VERSION}-wa | |
| fi | |
| if [[ "$KUSTOMIZE_CONTROLLER_SUFFIX_VERSION" =~ ^wa[.][0-9]+$ ]]; then | |
| KUSTOMIZE_CONTROLLER_VERSION=${KUSTOMIZE_CONTROLLER_BASE_VERSION}-${KUSTOMIZE_CONTROLLER_SUFFIX_VERSION} | |
| else | |
| KUSTOMIZE_CONTROLLER_VERSION=${KUSTOMIZE_CONTROLLER_BASE_VERSION}-wa | |
| fi | |
| if [[ "$HELM_CONTROLLER_SUFFIX_VERSION" =~ ^wa[.][0-9]+$ ]]; then | |
| HELM_CONTROLLER_VERSION=${HELM_CONTROLLER_BASE_VERSION}-${HELM_CONTROLLER_SUFFIX_VERSION} | |
| else | |
| HELM_CONTROLLER_VERSION=${HELM_CONTROLLER_BASE_VERSION}-wa | |
| fi | |
| if [[ "$NOTIFICATION_CONTROLLER_SUFFIX_VERSION" =~ ^wa[.][0-9]+$ ]]; then | |
| NOTIFICATION_CONTROLLER_VERSION=${NOTIFICATION_CONTROLLER_BASE_VERSION}-${NOTIFICATION_CONTROLLER_SUFFIX_VERSION} | |
| else | |
| NOTIFICATION_CONTROLLER_VERSION=${NOTIFICATION_CONTROLLER_BASE_VERSION}-wa | |
| fi | |
| if [[ "$IMAGE_REFLECTOR_CONTROLLER_SUFFIX_VERSION" =~ ^wa[.][0-9]+$ ]]; then | |
| IMAGE_REFLECTOR_CONTROLLER_VERSION=${IMAGE_REFLECTOR_CONTROLLER_BASE_VERSION}-${IMAGE_REFLECTOR_CONTROLLER_SUFFIX_VERSION} | |
| else | |
| IMAGE_REFLECTOR_CONTROLLER_VERSION=${IMAGE_REFLECTOR_CONTROLLER_BASE_VERSION}-wa | |
| fi | |
| if [[ "$IMAGE_AUTOMATION_CONTROLLER_SUFFIX_VERSION" =~ ^wa[.][0-9]+$ ]]; then | |
| IMAGE_AUTOMATION_CONTROLLER_VERSION=${IMAGE_AUTOMATION_CONTROLLER_BASE_VERSION}-${IMAGE_AUTOMATION_CONTROLLER_SUFFIX_VERSION} | |
| else | |
| IMAGE_AUTOMATION_CONTROLLER_VERSION=${IMAGE_AUTOMATION_CONTROLLER_BASE_VERSION}-wa | |
| fi | |
| unlink patches-flux | |
| echo "iac=${IMAGE_AUTOMATION_CONTROLLER_VERSION}" >> $GITHUB_OUTPUT | |
| echo "irc=${IMAGE_REFLECTOR_CONTROLLER_VERSION}" >> $GITHUB_OUTPUT | |
| echo "nc=${NOTIFICATION_CONTROLLER_VERSION}" >> $GITHUB_OUTPUT | |
| echo "hc=${HELM_CONTROLLER_VERSION}" >> $GITHUB_OUTPUT | |
| echo "kc=${KUSTOMIZE_CONTROLLER_VERSION}" >> $GITHUB_OUTPUT | |
| echo "sc=${SOURCE_CONTROLLER_VERSION}" >> $GITHUB_OUTPUT | |
| echo "flux2=${FLUX2_VERSION}" >> $GITHUB_OUTPUT | |
| scan-trivy: | |
| runs-on: ubuntu-latest | |
| needs: get-image-version | |
| steps: | |
| - name: Scan source-controller image | |
| uses: aquasecurity/trivy-action@master | |
| with: | |
| image-ref: 'ghcr.io/weaveworks/source-controller:${{ needs.get-image-version.outputs.sc }}' | |
| format: 'table' | |
| exit-code: '1' | |
| ignore-unfixed: true | |
| vuln-type: 'os,library' | |
| severity: 'CRITICAL,HIGH' | |
| - name: Scan kustomize-controller image | |
| uses: aquasecurity/trivy-action@master | |
| with: | |
| image-ref: 'ghcr.io/weaveworks/kustomize-controller:${{ needs.get-image-version.outputs.kc }}' | |
| format: 'table' | |
| exit-code: '1' | |
| ignore-unfixed: true | |
| vuln-type: 'os,library' | |
| severity: 'CRITICAL,HIGH' | |
| - name: Scan helm-controller image | |
| uses: aquasecurity/trivy-action@master | |
| with: | |
| image-ref: 'ghcr.io/weaveworks/helm-controller:${{ needs.get-image-version.outputs.hc }}' | |
| format: 'table' | |
| exit-code: '1' | |
| ignore-unfixed: true | |
| vuln-type: 'os,library' | |
| severity: 'CRITICAL,HIGH' | |
| - name: Scan notification-controller image | |
| uses: aquasecurity/trivy-action@master | |
| with: | |
| image-ref: 'ghcr.io/weaveworks/notification-controller:${{ needs.get-image-version.outputs.nc }}' | |
| format: 'table' | |
| exit-code: '1' | |
| ignore-unfixed: true | |
| vuln-type: 'os,library' | |
| severity: 'CRITICAL,HIGH' | |
| - name: Scan image-reflector-controller image | |
| uses: aquasecurity/trivy-action@master | |
| with: | |
| image-ref: 'ghcr.io/weaveworks/image-reflector-controller:${{ needs.get-image-version.outputs.irc }}' | |
| format: 'table' | |
| exit-code: '1' | |
| ignore-unfixed: true | |
| vuln-type: 'os,library' | |
| severity: 'CRITICAL,HIGH' | |
| - name: Scan image-automation-controller image | |
| uses: aquasecurity/trivy-action@master | |
| with: | |
| image-ref: 'ghcr.io/weaveworks/image-automation-controller:${{ needs.get-image-version.outputs.iac }}' | |
| format: 'table' | |
| exit-code: '1' | |
| ignore-unfixed: true | |
| vuln-type: 'os,library' | |
| severity: 'CRITICAL,HIGH' | |
| - name: Scan flux2 image Trivy | |
| uses: aquasecurity/trivy-action@master | |
| with: | |
| image-ref: 'ghcr.io/weaveworks/flux-cli:${{ needs.get-image-version.outputs.flux2 }}' | |
| format: 'table' | |
| exit-code: '1' | |
| ignore-unfixed: true | |
| vuln-type: 'os,library' | |
| severity: 'CRITICAL,HIGH' | |
| scan-docker-scout: | |
| runs-on: ubuntu-latest | |
| needs: get-image-version | |
| steps: | |
| - name: Log into registry ${{ env.REGISTRY }} | |
| uses: docker/[email protected] | |
| with: | |
| registry: ${{ env.REGISTRY }} | |
| username: ${{ secrets.DOCKER_USER }} | |
| password: ${{ secrets.DOCKER_PASSWORD }} | |
| - name: Scan source-controller image | |
| uses: docker/scout-action@914f29b95fa18690ce41fdee98cf892d78f8c5c0 # v1.0.8 | |
| with: | |
| command: cves | |
| image: 'ghcr.io/weaveworks/source-controller:${{ needs.get-image-version.outputs.sc }}' | |
| only-severities: critical,high | |
| exit-code: true | |
| - name: Scan kustomize-controller image | |
| uses: docker/scout-action@914f29b95fa18690ce41fdee98cf892d78f8c5c0 # v1.0.8 | |
| with: | |
| command: cves | |
| image: 'ghcr.io/weaveworks/kustomize-controller:${{ needs.get-image-version.outputs.kc }}' | |
| only-severities: critical,high | |
| exit-code: true | |
| - name: Scan helm-controller image | |
| uses: docker/scout-action@914f29b95fa18690ce41fdee98cf892d78f8c5c0 # v1.0.8 | |
| with: | |
| command: cves | |
| image: 'ghcr.io/weaveworks/helm-controller:${{ needs.get-image-version.outputs.hc }}' | |
| only-severities: critical,high | |
| exit-code: true | |
| - name: Scan notification-controller image | |
| uses: docker/scout-action@914f29b95fa18690ce41fdee98cf892d78f8c5c0 # v1.0.8 | |
| with: | |
| command: cves | |
| image: 'ghcr.io/weaveworks/notification-controller:${{ needs.get-image-version.outputs.nc }}' | |
| only-severities: critical,high | |
| exit-code: true | |
| - name: Scan image-reflector-controller image | |
| uses: docker/scout-action@914f29b95fa18690ce41fdee98cf892d78f8c5c0 # v1.0.8 | |
| with: | |
| command: cves | |
| image: 'ghcr.io/weaveworks/image-reflector-controller:${{ needs.get-image-version.outputs.irc }}' | |
| only-severities: critical,high | |
| exit-code: true | |
| - name: Scan image-automation-controller image | |
| uses: docker/scout-action@914f29b95fa18690ce41fdee98cf892d78f8c5c0 # v1.0.8 | |
| with: | |
| command: cves | |
| image: 'ghcr.io/weaveworks/image-automation-controller:${{ needs.get-image-version.outputs.iac }}' | |
| only-severities: critical,high | |
| exit-code: true | |
| - name: Scan flux2 image | |
| uses: docker/scout-action@914f29b95fa18690ce41fdee98cf892d78f8c5c0 # v1.0.8 | |
| with: | |
| command: cves | |
| image: 'ghcr.io/weaveworks/flux-cli:${{ needs.get-image-version.outputs.flux2 }}' | |
| only-severities: critical,high | |
| exit-code: true |