Skip to content

skip: use merge for merging json artefacts #1

skip: use merge for merging json artefacts

skip: use merge for merging json artefacts #1

name: Get images, scan them, and report vulnerabilities
on:
workflow_call:
inputs:
bundle-path:
description: The bundle path on which the vulnerability scan will be executed
required: true
type: string
scans-out-dir:
description: The directory to store all vulnerability reports
required: false
type: string
default: "/tmp/trivy-reports"
jobs:
get-images:
name: Get images
runs-on: ubuntu-22.04
outputs:
images-array: ${{ steps.set-images-array.outputs.images-array }}
steps:
- name: Checkout
uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Run get-all-images.py
run: |
pip3 install -r scripts/requirements.txt
python3 scripts/get-all-images.py releases/${{ inputs.bundle-path }}/bundle.yaml > /tmp/images_list.txt
- name: Generate an array of images
id: set-images-array
run: |
# Output the images as an array that can be used in the matrix strategy for the scan images job
# This array contains all the images from /tmp/image_list.txt
sudo snap install jq
IMAGES=$(cat /tmp/images_list.txt | jq -R -s -c 'split("\n")[:-1]')
echo "images-array=$IMAGES" >> $GITHUB_OUTPUT
scan-images-upload-individual-reports:
name: Run vulnerability scans and upload reports
runs-on: ubuntu-22.04
needs: get-images
outputs:
release-track: ${{ steps.release-track.outputs.release-track }}
strategy:
fail-fast: false
matrix:
image: ${{ fromJSON(needs.get-images.outputs.images-array) }}
steps:
- name: Generate release track
id: release-track
run: |
RELEASE_TRACK=$(echo ${{ inputs.bundle-path }} | sed 's/\//-/g')
echo "release-track=$RELEASE_TRACK" >> $GITHUB_OUTPUT
- name: Generate report path
id: report-path
run: |
FILENAME=$(echo ${{ matrix.image }} | sed 's/:/-/g; s/\//-/g; s/\./-/g')
PATH="${{ steps.release-track.outputs.release-track}}-${FILENAME}.json"
echo "report-path=$PATH" >> $GITHUB_OUTPUT
- name: Run Trivy vulnerability scanner
uses: aquasecurity/[email protected]
# Workaround for https://github.com/aquasecurity/trivy-action/issues/389
env:
TRIVY_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-db:2
TRIVY_JAVA_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-java-db:1
with:
image-ref: ${{ matrix.image }}
scan-type: image
output: '${{ steps.report-path.outputs.report-path }}'
format: 'json'
ignore-unfixed: true
severity: 'CRITICAL,HIGH'
# NOTE: pebble is flagged with a HIGH vuln because of golang.org/x/crypto
# CVE-2021-43565, CVE-2022-27191
skip-files: '/bin/pebble,/usr/bin/pebble,usr/bin/pebble,bin/pebble'
- name: Upload Trivy reports
uses: actions/upload-artifact@v4
with:
name: ${{ steps.report-path.outputs.report-path }}
path: ${{ steps.report-path.outputs.report-path }}
- name: Print vulnerability report
run: cat ${{ steps.report-path.outputs.report-path }}
generate-and-upload-summary:
name: Generate and upload summary of vulnerability reports
runs-on: ubuntu-22.04
needs: scan-images-upload-individual-reports
# This always() is required as we always want to generate and upload summaries even
# if the previous job had one or more failures.
if: always()
strategy:
fail-fast: false
steps:
- name: Make directory to temporarily store scans
run: |
mkdir -p ${{ inputs.scans-out-dir}}-${{ needs.scan-images-upload-individual-reports.outputs.release-track }}/
- name: Download all artefacts
uses: actions/download-artifact@v4
with:
path: ${{ inputs.scans-out-dir}}-${{ needs.scan-images-upload-individual-reports.outputs.release-track }}/
pattern: ${{ needs.scan-images-upload-individual-reports.outputs.release-track }}*.json
merge-multiple: true
- name: Clone canonical/kubeflow-ci
uses: actions/checkout@v4
with:
repository: canonical/kubeflow-ci.git
sparse-checkout: scripts/images/
ref: main
path: kubeflow-ci
- name: Generate summary of reports
run: |
export date=$(date '+%Y-%m-%d-%H-%M-%S')
./kubeflow-ci/scripts/images/get-summary.py --report-path ${{ inputs.scans-out-dir }}-${{ needs.scan-images-upload-individual-reports.outputs.release-track }}/ --print-header > /tmp/scan-summary-${date}-${{ needs.scan-images-upload-individual-reports.outputs.release-track }}.csv
- name: Upload summary report
uses: actions/upload-artifact@v4
with:
name: summary-trivy-report-${{ needs.scan-images-upload-individual-reports.outputs.release-track }}
path: /tmp/scan-summary-*.csv
retention-days: 90
- name: Upload individual reports
uses: actions/upload-artifact/merge@v4
with:
name: ${{ needs.scan-images-upload-individual-reports.outputs.release-track }}-individual-reports
pattern: *.json

Check failure on line 136 in .github/workflows/get-images-and-scan.yaml

View workflow run for this annotation

GitHub Actions / .github/workflows/get-images-and-scan.yaml

Invalid workflow file

You have an error in your yaml syntax on line 136
retention-days: 90