chore(ci): add workflow for scanning unicorn core for CVEs #1274
Conversation
Going to make a few changes here:
So it'll run nightly and also right after a release?

@koesbong correct yeah, that way a scan is never older than 24 hours, but we also have a scan immediately upon release.

Updated, workflow will now run every day + right after a release is published. The format was also updated for the markdown to be more concise and use dropdowns for each image (hiding the full CVE tables by default). Example of that can be viewed on the linked GitHub issue or from the artifact for the most recent job here. I also added a basic task README with an example of how to run this scan job locally.
LGTM
🤖 I have created a release *beep* *boop*

---

## [0.36.0](v0.35.0...v0.36.0) (2025-02-18)

### Features

* introduced a new option CREATE_OPTIONS and skip SBOMs in tests ([#1268](#1268)) ([f944bf1](f944bf1))
* **k3d-slim-dev:** add Istio Proxy resource configuration ([#1270](#1270)) ([fd4fa3c](fd4fa3c))
* **k3d-slim-dev:** add resource configuration for Istiod and Keycloak ([#1279](#1279)) ([07eeea2](07eeea2))
* loki schema config management ([#1224](#1224)) ([e16fdb1](e16fdb1))

### Bug Fixes

* add Keycloak workaround for Kernels 6.12+ ([#1218](#1218)) ([bb634a6](bb634a6))
* added network restriction tests ([#1250](#1250)) ([9ef6c2b](9ef6c2b))
* always upload CVE report ([#1286](#1286)) ([e97b6b9](e97b6b9))
* image name parsing for cve scan ([#1294](#1294)) ([7f3b53b](7f3b53b))
* lint errors on unused caught errors ([#1271](#1271)) ([ccd824e](ccd824e))

### Miscellaneous

* add json schema generation ([#1264](#1264)) ([9eee462](9eee462))
* **ci:** add workflow for scanning unicorn core for CVEs ([#1274](#1274)) ([d7226be](d7226be))
* **deps:** remove keycloak registry1 flavor architecture restriction ([#1267](#1267)) ([c50b081](c50b081))
* **deps:** update grafana ([#1242](#1242)) ([73331d4](73331d4))
* **deps:** update grafana to v8.12.1 ([#1276](#1276)) ([ca60ca5](ca60ca5))
* **deps:** update istio to v1.24.3 ([#1266](#1266)) ([27acb5d](27acb5d))
* **deps:** update keycloak ([#1184](#1184)) ([71fd910](71fd910))
* **deps:** update keycloak to v0.10.1 ([#1298](#1298)) ([e552e24](e552e24))
* **deps:** update keycloak to v26.1.1 ([#1258](#1258)) ([f3a3731](f3a3731))
* **deps:** update keycloak to v26.1.2 ([#1269](#1269)) ([3301bab](3301bab))
* **deps:** update loki ([#1202](#1202)) ([79f8209](79f8209))
* **deps:** update neuvector registry1 scanner and unicorn updater ([#1261](#1261)) ([8b4ed68](8b4ed68))
* **deps:** update neuvector updater image for unicorn flavor to v8.12.1 ([#1284](#1284)) ([8c7bb17](8c7bb17))
* **deps:** update pepr to v0.45.0 ([#1252](#1252)) ([8be12db](8be12db))
* **deps:** update prometheus-stack ([#1255](#1255)) ([1a316a2](1a316a2))
* **deps:** update prometheus-stack to v68.4.4 ([#1244](#1244)) ([8053443](8053443))
* **deps:** update support-deps ([#1251](#1251)) ([30db8f0](30db8f0))
* **deps:** update support-deps ([#1260](#1260)) ([e0e2523](e0e2523))
* **deps:** update support-deps ([#1275](#1275)) ([069a201](069a201))
* **deps:** update uds-identity-config image ([#1278](#1278)) ([3325662](3325662))
* **deps:** update velero to v1.32.2 ([#1277](#1277)) ([02db070](02db070))
* switch to registry1 cni image ([#1256](#1256)) ([2b564e6](2b564e6))

---

This PR was generated with [Release Please](https://github.com/googleapis/release-please). See [documentation](https://github.com/googleapis/release-please#release-please).

Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Description
This adds a new task file for scanning images for CVEs, along with a workflow that runs a nightly scan against the latest unicorn-flavor core release.
The tasks are parameterized so they can scan other packages, versions, and flavors as needed and so the reporting (severity) threshold can be adjusted.
The workflow specifically scans the latest core release (unicorn flavor) and opens a GitHub issue listing every High/Critical CVE for triage and remediation.
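To illustrate the reporting step described above (a severity threshold, one collapsed dropdown per image, full CVE table hidden by default), here is an added, stand-alone Python example; it is not the task code from this PR, and the findings, image names and CVE identifiers it uses are constructed placeholders, with the record shape and severity names assumed rather than taken from any particular scanner.

```python
from collections import defaultdict

# Severity ordering used for the reporting threshold (names assumed; scanners differ).
SEVERITY_RANK = {"negligible": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed sample findings, not real scan output; all identifiers are placeholders.
SAMPLE_FINDINGS = [
    {"image": "registry.example/core/keycloak:0.0.0", "id": "CVE-0000-0001",
     "severity": "Critical", "package": "pkg-a", "installed": "1.0", "fixed": "1.1"},
    {"image": "registry.example/core/keycloak:0.0.0", "id": "CVE-0000-0002",
     "severity": "Medium", "package": "pkg-b", "installed": "2.0", "fixed": ""},
    {"image": "registry.example/core/istiod:0.0.0", "id": "CVE-0000-0003",
     "severity": "High", "package": "pkg-c", "installed": "3.0", "fixed": "3.1"},
    {"image": "registry.example/core/loki:0.0.0", "id": "CVE-0000-0004",
     "severity": "Low", "package": "pkg-d", "installed": "4.0", "fixed": ""},
]


def filter_by_threshold(findings, threshold="High"):
    """Keep findings whose severity is at or above the threshold (case-insensitive)."""
    floor = SEVERITY_RANK[threshold.lower()]
    return [f for f in findings
            if SEVERITY_RANK.get(f["severity"].lower(), 0) >= floor]


def group_by_image(findings):
    """Group findings per image so each image gets its own dropdown."""
    grouped = defaultdict(list)
    for f in findings:
        grouped[f["image"]].append(f)
    return dict(grouped)


def render_report(findings, threshold="High"):
    """Render a markdown issue body: one collapsed <details> block per image,
    with a count in the summary and the full CVE table hidden inside."""
    grouped = group_by_image(filter_by_threshold(findings, threshold))
    lines = [f"## CVE scan report ({threshold}+ findings)", ""]
    if not grouped:
        lines.append(f"No findings at or above {threshold}.")
        return "\n".join(lines)
    for image in sorted(grouped):
        rows = grouped[image]
        lines += [f"<details><summary><code>{image}</code>: {len(rows)} finding(s)</summary>", "",
                  "| CVE | Severity | Package | Installed | Fixed in |",
                  "|-----|----------|---------|-----------|----------|"]
        # Most severe first so triage can start at the top of each table.
        for r in sorted(rows, key=lambda r: -SEVERITY_RANK[r["severity"].lower()]):
            lines.append(f"| {r['id']} | {r['severity']} | {r['package']} | "
                         f"{r['installed']} | {r['fixed'] or 'n/a'} |")
        lines += ["", "</details>", ""]
    return "\n".join(lines)
```

Feeding the rendered string to the issue-creation step gives a report whose images below the threshold simply do not appear, while the remaining tables stay collapsed until a triager expands them.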
Related Issue
Fixes #1273
Closes #1162 - this will replace the need to trigger security-hub's scanning.
Steps to Validate
This workflow was partially tested on my test repo here (run against registry1 flavor due to permissions for private packages):