diff --git a/.github/workflows/vulnerability-scans.yaml b/.github/workflows/vulnerability-scans.yaml
new file mode 100644
index 0000000000..82cc99888c
--- /dev/null
+++ b/.github/workflows/vulnerability-scans.yaml
@@ -0,0 +1,92 @@
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+
+name: Vulnerability Scan
+
+on:
+ workflow_dispatch:
+ release:
+ schedule:
+ - cron: '00 9 * * 1'
+
+permissions:
+ contents: read
+ security-events: write
+
+jobs:
+ version:
+ runs-on: ubuntu-latest
+ outputs:
+ versions: ${{ steps.version.outputs.TAGS }}
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b
+ with:
+ fetch-depth: 0
+
+ - name: Latest Tag
+ id: version
+ shell: bash
+ run: |
+ readarray -t TAGS_ARRAY <<<"$(git tag --list 'controller-v*.*.*' --sort=-version:refname | grep -v 'beta\|alpha')"
+ FULL_TAGS=(${TAGS_ARRAY[0]} ${TAGS_ARRAY[1]} ${TAGS_ARRAY[2]})
+ SHORT_TAGS=()
+ for i in ${FULL_TAGS[@]}
+ do
+ echo "tag: $i"
+ short=$(echo "$i" | cut -d - -f 2)
+ SHORT_TAGS+=($short)
+ done
+ echo "${SHORT_TAGS[0]},${SHORT_TAGS[1]},${SHORT_TAGS[2]}"
+ TAGS_JSON="[\"${SHORT_TAGS[0]}\",\"${SHORT_TAGS[1]}\",\"${SHORT_TAGS[2]}\"]"
+ echo "${TAGS_JSON}"
+ echo "::set-output name=TAGS::${TAGS_JSON}"
+
+ scan:
+ runs-on: ubuntu-latest
+ needs: version
+ strategy:
+ matrix:
+ versions: ${{ fromJSON(needs.version.outputs.versions) }}
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b
+
+ - shell: bash
+ id: test
+ run: echo "Scanning registry.k8s.io/ingress-nginx/controller@${{ matrix.versions }}"
+
+ - name: Scan image with AquaSec/Trivy
+ id: scan
+ uses: aquasecurity/trivy-action@0105373003c89c494a3f436bd5efc57f3ac1ca20 #v0.5.1
+ with:
+ image-ref: registry.k8s.io/ingress-nginx/controller:${{ matrix.versions }}
+ format: 'sarif'
+ output: trivy-results-${{ matrix.versions }}.sarif
+ exit-code: 0
+ vuln-type: 'os,library'
+ severity: 'CRITICAL,HIGH,MEDIUM,LOW,UNKNOWN'
+
+ - name: Output Sarif File
+ shell: bash
+ run: cat ${{ github.workspace }}/trivy-results-${{ matrix.versions }}.sarif
+
+ # This step checks out a copy of your repository.
+ - name: Upload SARIF file
+ uses: github/codeql-action/upload-sarif@0c670bbf0414f39666df6ce8e718ec5662c21e03
+ with:
+ token: ${{ github.token }}
+ # Path to SARIF file relative to the root of the repository
+ sarif_file: ${{ github.workspace }}/trivy-results-${{ matrix.versions }}.sarif
+
+ - name: Vulz Count
+ shell: bash
+ run: |
+ TRIVY_COUNT=$(cat ${{ github.workspace }}/trivy-results-${{ matrix.versions }}.sarif | jq '.runs[0].results | length')
+ echo "TRIVY_COUNT: $TRIVY_COUNT"
+ echo "Image Vulnerability scan output" >> $GITHUB_STEP_SUMMARY
+ echo "Image ID: registry.k8s.io/ingress-nginx/controller@${{ matrix.versions }}" >> $GITHUB_STEP_SUMMARY
+ echo "" >> $GITHUB_STEP_SUMMARY
+ echo "Trivy Count: $TRIVY_COUNT" >> $GITHUB_STEP_SUMMARY
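Review bot: `${{ matrix.versions }}` is interpolated directly into the `run:` scripts of the `test`, `Output Sarif File` and `Vulz Count` steps; the value is derived from repository tag names by the `version` job, so whoever can push a `controller-v*` tag controls text that is spliced into a shell line before bash parses it. The usual hardening is to pass it through the environment instead — `env:` / `VERSION: ${{ matrix.versions }}` on the step and `run: cat "$GITHUB_WORKSPACE/trivy-results-$VERSION.sarif"` — which keeps the value out of the script body (the same applies to the unquoted `$GITHUB_STEP_SUMMARY` redirects). `echo "::set-output name=TAGS::${TAGS_JSON}"` in the `Latest Tag` step uses the deprecated workflow-command form; `echo "TAGS=${TAGS_JSON}" >> "$GITHUB_OUTPUT"` is the supported replacement. The comment `# This step checks out a copy of your repository.` sits above the `Upload SARIF file` step and describes the wrong step; it should read something like `# Upload the Trivy SARIF report to GitHub code scanning`. It also appears that when fewer than three matching tags exist, `TAGS_JSON` carries empty strings and the matrix would try to scan `controller:` with an empty tag, so the loop should only emit non-empty entries.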