From 13639b5ad7fea7c46e67dfd384af6c3c04b03c2c Mon Sep 17 00:00:00 2001 From: James Strong Date: Mon, 1 Aug 2022 09:05:26 -0400 Subject: [PATCH 1/9] add scanning to CI Signed-off-by: James Strong --- .github/workflows/vulnerability-scans.yaml | 82 ++++++++++++++++++++++ 1 file changed, 82 insertions(+) create mode 100644 .github/workflows/vulnerability-scans.yaml diff --git a/.github/workflows/vulnerability-scans.yaml b/.github/workflows/vulnerability-scans.yaml new file mode 100644 index 0000000000..f7130b9805 --- /dev/null +++ b/.github/workflows/vulnerability-scans.yaml 
@@ -0,0 +1,82 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +name: Vulnerability Scan + +on: + workflow_dispatch: + release: + push: + branches: [ "main" ] + pull_request: + # The branches below must be a subset of the branches above + branches: [ "main" ] + schedule: + - cron: '00 9 * * 1' + +permissions: + contents: read + +jobs: + + version: + runs-on: ubuntu-latest + outputs: + versions: ${{ steps.version.outputs.TAGS }} + steps: + - name: Checkout code + uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b + with: + fetch-depth: 0 + + - name: Latest Tag + id: version + shell: bash + run: | + readarray -t TAGS_ARRAY <<<"$(git tag --list 'controller-v*.*.*' --sort=-version:refname | grep -v 'beta\|alpha')" + echo "${TAGS_ARRAY[0]},${TAGS_ARRAY[1]},${TAGS_ARRAY[2]}" + TAGS_JSON="[\"${TAGS_ARRAY[0]}\",\"${TAGS_ARRAY[1]}\",\"${TAGS_ARRAY[2]}\"]" + echo "${TAGS_JSON}" + echo "::set-output name=TAGS::${TAGS_JSON}" + + scan: + runs-on: ubuntu-latest + needs: version + strategy: + matrix: + versions: ${{ fromJSON(needs.version.outputs.versions) }} + steps: + + - shell: bash + id: test + run: echo "Scanning registry.k8s.io/ingress-nginx/controller@${{ matrix.versions }}" + + - name: Scan image with AquaSec/Trivy + id: scan + if: inputs.RUN_TRIVY == 'true' + uses: aquasecurity/trivy-action@0105373003c89c494a3f436bd5efc57f3ac1ca20 #v0.5.1 + with: + image-ref: registry.k8s.io/ingress-nginx/controller@${{ matrix.versions }} + format: 'sarif' + output: trivy-results-${{ matrix.versions }}.sarif + exit-code: 0 + vuln-type: 'os,library' + severity: 'CRITICAL,HIGH,MEDIUM,LOW,UNKNOWN' + + # This step checks out a copy of your repository. 
+ - name: Upload SARIF file + uses: github/codeql-action/upload-sarif@0c670bbf0414f39666df6ce8e718ec5662c21e03 + with: + # Path to SARIF file relative to the root of the repository + sarif_file: trivy-results-${{ matrix.versions }}.sarif + + - name: Image Vulnerability scan output + env: + TRIVY_COUNT: ${{ steps.trivy-scan.outputs.TRIVY_COUNT }} + run: | + echo "Image Vulnerability scan output" >> $GITHUB_STEP_SUMMARY + echo "Image ID: registry.k8s.io/ingress-nginx/controller@${{ matrix.versions }}" >> $GITHUB_STEP_SUMMARY + echo "" >> $GITHUB_STEP_SUMMARY + echo "Trivy Count: $TRIVY_COUNT" >> $GITHUB_STEP_SUMMARY From 069ac3a0d64f44b3206f2a3745c6a518284a1153 Mon Sep 17 00:00:00 2001 From: James Strong Date: Mon, 8 Aug 2022 15:40:06 -0700 Subject: [PATCH 2/9] remove var Signed-off-by: James Strong --- .github/workflows/vulnerability-scans.yaml | 1 - 1 file changed, 1 deletion(-) diff --git a/.github/workflows/vulnerability-scans.yaml b/.github/workflows/vulnerability-scans.yaml index f7130b9805..3bba363daa 100644 --- a/.github/workflows/vulnerability-scans.yaml +++ b/.github/workflows/vulnerability-scans.yaml @@ -55,7 +55,6 @@ jobs: - name: Scan image with AquaSec/Trivy id: scan - if: inputs.RUN_TRIVY == 'true' uses: aquasecurity/trivy-action@0105373003c89c494a3f436bd5efc57f3ac1ca20 #v0.5.1 with: image-ref: registry.k8s.io/ingress-nginx/controller@${{ matrix.versions }} From 932320cf44ee4fba253f041f70083eaca558a9d2 Mon Sep 17 00:00:00 2001 From: James Strong Date: Mon, 8 Aug 2022 16:01:27 -0700 Subject: [PATCH 3/9] need short tags Signed-off-by: James Strong --- .github/workflows/vulnerability-scans.yaml | 14 +++++++++++--- 1 file changed, 11 insertions(+), 3 deletions(-) diff --git a/.github/workflows/vulnerability-scans.yaml b/.github/workflows/vulnerability-scans.yaml index 3bba363daa..ee4a5b1456 100644 --- a/.github/workflows/vulnerability-scans.yaml +++ b/.github/workflows/vulnerability-scans.yaml 
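Review bot: The `version` job pads `TAGS_JSON` with empty strings whenever fewer than three `controller-v*` tags survive the `grep -v` filter, and each empty entry becomes a matrix row that scans `controller@` with no version at all; building the JSON from the entries actually found, e.g. `TAGS_JSON=$(printf '%s\n' "${TAGS_ARRAY[@]:0:3}" | jq -R . | jq -sc .)`, avoids that. The matrix value is also spliced straight into shell via `${{ matrix.versions }}` in the `id: test` step and the summary step; it is derived from the repository's own tags, so only someone able to push tags controls it, but passing it through `env:` and reading `"$VERSION"` is the recommended shape and keeps the scripts free of expression injection. `::set-output` has since been deprecated in favour of `echo "TAGS=${TAGS_JSON}" >> "$GITHUB_OUTPUT"`.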
@@ -36,8 +36,16 @@ jobs: shell: bash run: | readarray -t TAGS_ARRAY <<<"$(git tag --list 'controller-v*.*.*' --sort=-version:refname | grep -v 'beta\|alpha')" - echo "${TAGS_ARRAY[0]},${TAGS_ARRAY[1]},${TAGS_ARRAY[2]}" - TAGS_JSON="[\"${TAGS_ARRAY[0]}\",\"${TAGS_ARRAY[1]}\",\"${TAGS_ARRAY[2]}\"]" + FULL_TAGS=(${TAGS_ARRAY[0]} ${TAGS_ARRAY[1]} ${TAGS_ARRAY[2]}) + SHORT_TAGS=() + for i in ${FULL_TAGS[@]} + do + echo "tag: $i" + short=$(echo "$i" | cut -d - -f 2) + SHORT_TAGS+=($short) + done + echo "${SHORT_TAGS[0]},${SHORT_TAGS[1]},${SHORT_TAGS[2]}" + TAGS_JSON="[\"${SHORT_TAGS[0]}\",\"${SHORT_TAGS[1]}\",\"${SHORT_TAGS[2]}\"]" echo "${TAGS_JSON}" echo "::set-output name=TAGS::${TAGS_JSON}" @@ -57,7 +65,7 @@ jobs: id: scan uses: aquasecurity/trivy-action@0105373003c89c494a3f436bd5efc57f3ac1ca20 #v0.5.1 with: - image-ref: registry.k8s.io/ingress-nginx/controller@${{ matrix.versions }} + image-ref: registry.k8s.io/ingress-nginx/controller:${{ matrix.versions }} format: 'sarif' output: trivy-results-${{ matrix.versions }}.sarif exit-code: 0 From ebb83086540f35c453dd53ee8ac95a00a883df91 Mon Sep 17 00:00:00 2001 From: James Strong Date: Mon, 8 Aug 2022 16:17:24 -0700 Subject: [PATCH 4/9] it seems sarif upload needs git information Signed-off-by: James Strong --- .github/workflows/vulnerability-scans.yaml | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/.github/workflows/vulnerability-scans.yaml b/.github/workflows/vulnerability-scans.yaml index ee4a5b1456..8e588a6d69 100644 --- a/.github/workflows/vulnerability-scans.yaml +++ b/.github/workflows/vulnerability-scans.yaml @@ -72,6 +72,9 @@ jobs: vuln-type: 'os,library' severity: 'CRITICAL,HIGH,MEDIUM,LOW,UNKNOWN' + - name: Checkout code + uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b + # This step checks out a copy of your repository. - name: Upload SARIF file uses: github/codeql-action/upload-sarif@0c670bbf0414f39666df6ce8e718ec5662c21e03 
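Review bot: `cut -d - -f 2` keeps only the text between the first and second dash, so any tag with a further `-suffix` that still matches `controller-v*.*.*` (a release-candidate tag, for instance, which the `beta\|alpha` filter does not exclude) would be truncated to a version that may not exist in the registry; stripping the known prefix with `short=${i#controller-}` preserves the whole version. Building `FULL_TAGS` from the three fixed indices also carries over empty entries when fewer tags exist, whereas `FULL_TAGS=("${TAGS_ARRAY[@]:0:3}")` only takes what is there. The loop should read `for i in "${FULL_TAGS[@]}"`, though with tag names the missing quotes make no practical difference.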
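Review bot: Switching `image-ref` to `controller:${{ matrix.versions }}` is right, since `@` introduces a digest rather than a tag, but the `id: test` echo and the step-summary line still print `controller@…`, so the log now names a reference that was never scanned; change both to `:`. A tag is also mutable, so the uploaded result cannot be tied to one specific image; resolving the tag to a digest first (for example with `docker manifest inspect` or `docker buildx imagetools inspect`) and recording that digest in the summary would make the report reproducible. The `scan` job's step list starts and ends outside this hunk.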
@@ -79,10 +82,11 @@ jobs: # Path to SARIF file relative to the root of the repository sarif_file: trivy-results-${{ matrix.versions }}.sarif - - name: Image Vulnerability scan output - env: - TRIVY_COUNT: ${{ steps.trivy-scan.outputs.TRIVY_COUNT }} + - name: Vulz Count + shell: bash run: | + TRIVY_COUNT=$(cat trivy-results-${{ matrix.versions }}.sarif | jq '.runs[0].results | length') + echo "TRIVY_COUNT: $TRIVY_COUNT" echo "Image Vulnerability scan output" >> $GITHUB_STEP_SUMMARY echo "Image ID: registry.k8s.io/ingress-nginx/controller@${{ matrix.versions }}" >> $GITHUB_STEP_SUMMARY echo "" >> $GITHUB_STEP_SUMMARY From 9162fe0aa82996ca0e4988833c0d3d5626123e03 Mon Sep 17 00:00:00 2001 From: James Strong Date: Mon, 8 Aug 2022 16:39:32 -0700 Subject: [PATCH 5/9] fix permissions Signed-off-by: James Strong --- .github/workflows/vulnerability-scans.yaml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/.github/workflows/vulnerability-scans.yaml b/.github/workflows/vulnerability-scans.yaml index 8e588a6d69..2f3374265d 100644 --- a/.github/workflows/vulnerability-scans.yaml +++ b/.github/workflows/vulnerability-scans.yaml @@ -18,9 +18,9 @@ on: permissions: contents: read + security-events: write jobs: - version: runs-on: ubuntu-latest outputs: @@ -56,7 +56,6 @@ jobs: matrix: versions: ${{ fromJSON(needs.version.outputs.versions) }} steps: - - shell: bash id: test run: echo "Scanning registry.k8s.io/ingress-nginx/controller@${{ matrix.versions }}" From e55a84e8a031fe665e2aecac57ac4668b7debf21 Mon Sep 17 00:00:00 2001 From: James Strong Date: Mon, 8 Aug 2022 16:40:30 -0700 Subject: [PATCH 6/9] testing output of sarif file Signed-off-by: James Strong --- .github/workflows/vulnerability-scans.yaml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/.github/workflows/vulnerability-scans.yaml b/.github/workflows/vulnerability-scans.yaml index 2f3374265d..bcf6921a5b 100644 --- a/.github/workflows/vulnerability-scans.yaml 
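Review bot: `jq '.runs[0].results | length'` counts every finding regardless of severity, and the scan step asks for `CRITICAL,HIGH,MEDIUM,LOW,UNKNOWN`, so the single number in the summary is dominated by low-severity entries and says little on its own; a per-level breakdown such as `jq -r '.runs[0].results | group_by(.level) | map("\(.[0].level): \(length)") | .[]'` is more useful (Trivy appears to map its severities onto the SARIF `error`/`warning`/`note` levels, which is worth confirming against an actual file). The `cat … | jq` pipeline can become `jq … "$SARIF_FILE"` with the path supplied through `env:` rather than interpolated into the script. The `Image ID:` line still prints `controller@…` although the scan now uses `controller:`.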
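Review bot: `security-events: write` is granted at the workflow level, so the `version` job, which only runs `git tag`, receives it as well; moving the grant to the `scan` job keeps the token in `version` read-only. That is a job-level `permissions: {contents: read, security-events: write}` under `scan:`, with the top-level block left at `contents: read`. Note that on `pull_request` runs from forks the token is read-only regardless of this block, so the SARIF upload would be expected to fail there for as long as that trigger remains.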
+++ b/.github/workflows/vulnerability-scans.yaml @@ -71,6 +71,10 @@ jobs: vuln-type: 'os,library' severity: 'CRITICAL,HIGH,MEDIUM,LOW,UNKNOWN' + - name: Output Sarif File + shell: bash + run: cat trivy-results-${{ matrix.versions }}.sarif + - name: Checkout code uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b From 1d2fa93856ac89ffeee621ec0b8228cb49b93396 Mon Sep 17 00:00:00 2001 From: James Strong Date: Mon, 8 Aug 2022 17:04:59 -0700 Subject: [PATCH 7/9] sarif upload issues Signed-off-by: James Strong --- .github/workflows/vulnerability-scans.yaml | 15 ++++++++------- 1 file changed, 8 insertions(+), 7 deletions(-) diff --git a/.github/workflows/vulnerability-scans.yaml b/.github/workflows/vulnerability-scans.yaml index bcf6921a5b..3321e18513 100644 --- a/.github/workflows/vulnerability-scans.yaml +++ b/.github/workflows/vulnerability-scans.yaml @@ -56,6 +56,9 @@ jobs: matrix: versions: ${{ fromJSON(needs.version.outputs.versions) }} steps: + - name: Checkout code + uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b + - shell: bash id: test run: echo "Scanning registry.k8s.io/ingress-nginx/controller@${{ matrix.versions }}" 
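Review bot: `cat` of the whole SARIF file is debugging output that will stay in every scheduled run, and for an OS-plus-library scan of the controller image the file can be large; either drop the step once the upload works or gate it on debug logging with `if: runner.debug == '1'`. Keeping the log to the summary written later in the job also makes a real failure easier to spot.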
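Review bot: `actions/checkout` leaves the job's `GITHUB_TOKEN` in `.git/config` by default (`persist-credentials: true`), and the third-party `trivy-action` that runs right after it is a Docker-based action with the workspace mounted; since nothing in this job performs authenticated git operations, add `with:` / `persist-credentials: false` to the checkout step. With `security-events: write` now on the token, this is the one place a write-capable credential could reach a non-GitHub action. The checkout is only here so that `upload-sarif` finds git metadata, which the shallow default fetch is enough for.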
@@ -66,29 +69,27 @@ jobs: with: image-ref: registry.k8s.io/ingress-nginx/controller:${{ matrix.versions }} format: 'sarif' - output: trivy-results-${{ matrix.versions }}.sarif + output: ${{ github.workspace }}/trivy-results-${{ matrix.versions }}.sarif exit-code: 0 vuln-type: 'os,library' severity: 'CRITICAL,HIGH,MEDIUM,LOW,UNKNOWN' - name: Output Sarif File shell: bash - run: cat trivy-results-${{ matrix.versions }}.sarif - - - name: Checkout code - uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b + run: cat ${{ github.workspace }}/trivy-results-${{ matrix.versions }}.sarif # This step checks out a copy of your repository. - name: Upload SARIF file uses: github/codeql-action/upload-sarif@0c670bbf0414f39666df6ce8e718ec5662c21e03 with: + token: ${{ github.token }} # Path to SARIF file relative to the root of the repository - sarif_file: trivy-results-${{ matrix.versions }}.sarif + sarif_file: ${{ github.workspace }}/trivy-results-${{ matrix.versions }}.sarif - name: Vulz Count shell: bash run: | - TRIVY_COUNT=$(cat trivy-results-${{ matrix.versions }}.sarif | jq '.runs[0].results | length') + TRIVY_COUNT=$(cat ${{ github.workspace }}/trivy-results-${{ matrix.versions }}.sarif | jq '.runs[0].results | length') echo "TRIVY_COUNT: $TRIVY_COUNT" echo "Image Vulnerability scan output" >> $GITHUB_STEP_SUMMARY echo "Image ID: registry.k8s.io/ingress-nginx/controller@${{ matrix.versions }}" >> $GITHUB_STEP_SUMMARY From 0c343c8a7778d7a588bfc07aff62786bb58dd97f Mon Sep 17 00:00:00 2001 From: James Strong Date: Mon, 8 Aug 2022 17:08:21 -0700 Subject: [PATCH 8/9] stesting pathing --- .github/workflows/vulnerability-scans.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/vulnerability-scans.yaml b/.github/workflows/vulnerability-scans.yaml index 3321e18513..811063bb50 100644 --- a/.github/workflows/vulnerability-scans.yaml +++ b/.github/workflows/vulnerability-scans.yaml 
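Review bot: `token: ${{ github.token }}` is the value `upload-sarif` already uses by default, so the line adds nothing and can be dropped; the actual fix in this hunk is the absolute path, which is now spelled out in four places and easy to let drift. The `Image ID:` summary line still prints `controller@…` even though `image-ref` has used `controller:` since the earlier commit, so the summary names a digest-style reference that was never scanned; change it to `controller:${{ matrix.versions }}` or, better, record the resolved digest. The summary step's body runs past the end of this hunk.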
@@ -69,7 +69,7 @@ jobs: with: image-ref: registry.k8s.io/ingress-nginx/controller:${{ matrix.versions }} format: 'sarif' - output: ${{ github.workspace }}/trivy-results-${{ matrix.versions }}.sarif + output: trivy-results-${{ matrix.versions }}.sarif exit-code: 0 vuln-type: 'os,library' severity: 'CRITICAL,HIGH,MEDIUM,LOW,UNKNOWN' From ead3c2bc95c6852b97139d2d80bff1c4a9c565a5 Mon Sep 17 00:00:00 2001 From: James Strong Date: Mon, 8 Aug 2022 17:14:13 -0700 Subject: [PATCH 9/9] remove on pushes Signed-off-by: James Strong --- .github/workflows/vulnerability-scans.yaml | 5 ----- 1 file changed, 5 deletions(-) diff --git a/.github/workflows/vulnerability-scans.yaml b/.github/workflows/vulnerability-scans.yaml index 811063bb50..82cc99888c 100644 --- a/.github/workflows/vulnerability-scans.yaml +++ b/.github/workflows/vulnerability-scans.yaml @@ -8,11 +8,6 @@ name: Vulnerability Scan on: workflow_dispatch: release: - push: - branches: [ "main" ] - pull_request: - # The branches below must be a subset of the branches above - branches: [ "main" ] schedule: - cron: '00 9 * * 1'
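Review bot: `output:` is now relative while the `cat`, `upload-sarif` and `jq` steps that consume the file still use `${{ github.workspace }}/…`; this works only because the Docker-based `trivy-action` runs with the workspace as its working directory, which the next reader has to know. Defining the path once at job level, `env:` / `SARIF_FILE: trivy-results-${{ matrix.versions }}.sarif`, and using `${{ env.SARIF_FILE }}` in `with:` and `"$SARIF_FILE"` in `run:` removes the mismatch and the repeated interpolation.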
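Review bot: The `release:` trigger has no `types:` filter, so the scan fires on every release activity — edited, deleted, unpublished, prereleased — not only when a new release is published, and now that `push` and `pull_request` are gone it is the only event-driven trigger left; `release:` / `types: [published]` limits it to the case that actually corresponds to a new image. The tag list is read from the checked-out repository, so on a `release` event the new tag is picked up only if it already exists at fetch time, which should hold for a published release but is worth confirming on the first run.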