
ci: add re-usable workflow for scans from published img and automatic… #73

Merged

Conversation

DnPlas
Contributor

@DnPlas DnPlas commented Oct 9, 2024

This commit adds get-published-images-scan-and-report.yaml, a re-usable workflow that enables repositories to scan images from a public registry (in the case of the Analytics team it defaults to charmedkubeflow) and reports back the security vulnerabilities as GitHub issues.
This workflow is intended to be used on demand (using a workflow dispatch) and on schedule, as it will be used for continuous testing of the published images a rock repository generates.

Part of #69

For reviewers

This workflow has been tested in this fork, specifically here.

In general, we'd expect rock repositories to have exactly the same workflow for scheduled and on demand scans:

name: Scan images

on:  
  schedule:
    - cron: '00 23 * * *' # <-- run every day at 23:00
  workflow_dispatch: # <-- also allow to run on demand

jobs:

  on-push:
    name: Get rocks modified and build-scan-test-publish them
    uses: canonical/charmed-kubeflow-workflows/.github/workflows/get-published-images-scan-and-report.yaml@main
    strategy:
      matrix:
        branch: [main, track/1.8] # <-- select the branches to scan for this repository
    secrets:
      GH_TOKEN: ${{ secrets.GH_TOKEN }} # <-- required to create and edit GH issues
    with:
      report-vulnerabilities: true # <-- required to enable the automatic reports
      severity: "HIGH,CRITICAL" # <-- the severity of vulnerabilities to report
      branch: ${{ matrix.branch }}
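As an added illustration of the reporting side the description refers to (this is not code from this PR or from the charmed-kubeflow-workflows repository): the caller passes `severity` as a comma-separated list such as "HIGH,CRITICAL", and the workflow needs a token that can both create and edit issues, so a report step has to decide per image whether to open a new issue or update an existing one. The snippet below does that over constructed findings; the finding field names, the issue title format and the de-duplication-by-title rule are assumptions, not the workflow's own format.

```python
"""Filter image scan findings by severity and turn them into issue payloads."""
from collections import defaultdict

# Constructed sample findings (field names are an assumption, not the
# workflow's real scanner output). CVE ids are placeholders.
SAMPLE_FINDINGS = [
    {"image": "charmedkubeflow/notebook:1.8", "id": "CVE-0000-0001",
     "pkg": "libfoo", "severity": "CRITICAL", "fixed": "1.2.3"},
    {"image": "charmedkubeflow/notebook:1.8", "id": "CVE-0000-0002",
     "pkg": "libbar", "severity": "MEDIUM", "fixed": None},
    {"image": "charmedkubeflow/notebook:1.8", "id": "CVE-0000-0003",
     "pkg": "libbaz", "severity": "HIGH", "fixed": None},
    {"image": "charmedkubeflow/pipelines:1.8", "id": "CVE-0000-0004",
     "pkg": "libqux", "severity": "HIGH", "fixed": "4.5.6"},
    {"image": "charmedkubeflow/pipelines:1.8", "id": "CVE-0000-0005",
     "pkg": "libqux", "severity": "LOW", "fixed": None},
]


def parse_severity(spec):
    """Parse the workflow-style input, e.g. 'HIGH,CRITICAL', into a set."""
    return {s.strip().upper() for s in spec.split(",") if s.strip()}


def build_issues(findings, severity_spec, existing_titles):
    """Group findings above the severity threshold per image and decide
    whether each image needs a new issue or an update of an existing one.
    `existing_titles` stands in for the titles of currently open issues."""
    wanted = parse_severity(severity_spec)
    by_image = defaultdict(list)
    for f in findings:
        if f["severity"].upper() in wanted:
            by_image[f["image"]].append(f)

    issues = []
    for image, vulns in sorted(by_image.items()):
        title = f"Vulnerabilities found in {image}"  # assumed title format
        rows = [f"| {v['id']} | {v['pkg']} | {v['severity']} | "
                f"{v['fixed'] or 'no fix available'} |"
                for v in sorted(vulns, key=lambda v: (v["severity"], v["id"]))]
        body = ("| ID | Package | Severity | Fixed in |\n|---|---|---|---|\n"
                + "\n".join(rows))
        action = "update" if title in existing_titles else "create"
        issues.append({"action": action, "title": title,
                       "body": body, "count": len(vulns)})
    return issues
```

Images with no finding at or above the requested severity produce no issue at all, which keeps scheduled runs from opening empty reports.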

Contributor

@orfeas-k orfeas-k left a comment


Good job @DnPlas, left some comments :)

Review comments (now outdated and resolved) on:

* .github/workflows/get-published-image-names.yaml (4 comments)
* .github/workflows/scan-from-dockerhub-report-issue.yaml
* .github/workflows/scan-from-published-image.yaml
@DnPlas DnPlas force-pushed the KF-6331-add-reusable-workflow-for-scan-images branch from b2f1e34 to 075ce4b Compare October 10, 2024 17:05
Contributor

@orfeas-k orfeas-k left a comment


Some last comments, good job with the refactoring

@DnPlas DnPlas merged commit ade2a28 into KF-6331-dev-branch Oct 15, 2024
@DnPlas DnPlas deleted the KF-6331-add-reusable-workflow-for-scan-images branch October 15, 2024 09:16
DnPlas added a commit that referenced this pull request Oct 15, 2024
feat: report vulnerabilities as GH issues and scan images from registry 

This commit adds:

* ci: add re-usable workflow for scans from published img and automatic… (#73)
* ci: add workflow to enable automatic vulnerability reports (#72)
* chore, ci: bump artifact download/upload and checkout actions v3 -> v4 (#71)