add scanning to CI

Signed-off-by: James Strong <strong.james.e@gmail.com>
2022-08-01 09:05:26 -04:00 · 2022-08-01 09:05:26 -04:00 · 13639b5ad7
commit 13639b5ad7
parent 0f61d9d0dc
1 changed files with 82 additions and 0 deletions
--- a/.github/workflows/vulnerability-scans.yaml
+++ b/.github/workflows/vulnerability-scans.yaml
@ -0,0 +1,82 @@
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+
+name: Vulnerability Scan
+
+on:
+  workflow_dispatch:
+  release:
+  push:
+    branches: [ "main" ]
+  pull_request:
+    # The branches below must be a subset of the branches above
+    branches: [ "main" ]
+  schedule:
+    - cron: '00 9 * * 1'
+
+permissions:
+  contents: read
+
+jobs:
+
+  version:
+    runs-on: ubuntu-latest
+    outputs:
+      versions: ${{ steps.version.outputs.TAGS }}
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b
+        with:
+          fetch-depth: 0
+
+      - name: Latest Tag
+        id: version
+        shell: bash
+        run: |
+          readarray -t TAGS_ARRAY <<<"$(git tag --list 'controller-v*.*.*' --sort=-version:refname | grep -v 'beta\|alpha')"
+          echo "${TAGS_ARRAY[0]},${TAGS_ARRAY[1]},${TAGS_ARRAY[2]}"
+          TAGS_JSON="[\"${TAGS_ARRAY[0]}\",\"${TAGS_ARRAY[1]}\",\"${TAGS_ARRAY[2]}\"]"
+          echo "${TAGS_JSON}"
+          echo "::set-output name=TAGS::${TAGS_JSON}"
+
+  scan:
+    runs-on: ubuntu-latest
+    needs:     version
+    strategy:
+      matrix:
+        versions: ${{ fromJSON(needs.version.outputs.versions) }}
+    steps:
+
+    - shell: bash
+      id: test
+      run: echo "Scanning registry.k8s.io/ingress-nginx/controller@${{ matrix.versions }}"
+
+    - name: Scan image with AquaSec/Trivy
+      id: scan
+      if: inputs.RUN_TRIVY == 'true'
+      uses: aquasecurity/trivy-action@0105373003c89c494a3f436bd5efc57f3ac1ca20 #v0.5.1
+      with:
+        image-ref: registry.k8s.io/ingress-nginx/controller@${{ matrix.versions }}
+        format: 'sarif'
+        output: trivy-results-${{ matrix.versions }}.sarif
+        exit-code: 0
+        vuln-type: 'os,library'
+        severity: 'CRITICAL,HIGH,MEDIUM,LOW,UNKNOWN'
+
+    # This step checks out a copy of your repository.
+    - name: Upload SARIF file
+      uses: github/codeql-action/upload-sarif@0c670bbf0414f39666df6ce8e718ec5662c21e03
+      with:
+        # Path to SARIF file relative to the root of the repository
+        sarif_file: trivy-results-${{ matrix.versions }}.sarif
+
+    - name: Image Vulnerability scan output
+      env:
+        TRIVY_COUNT: ${{ steps.trivy-scan.outputs.TRIVY_COUNT }}
+      run: |
+        echo "Image Vulnerability scan output" >> $GITHUB_STEP_SUMMARY
+        echo "Image ID: registry.k8s.io/ingress-nginx/controller@${{ matrix.versions }}" >> $GITHUB_STEP_SUMMARY
+        echo "" >> $GITHUB_STEP_SUMMARY
+        echo "Trivy Count: $TRIVY_COUNT" >> $GITHUB_STEP_SUMMARY