Merge pull request #8776 from strongjz/ci-unit-test

Trivy Image Scanning

.github/workflows/vulnerability-scans.yaml

@@ -0,0 +1,92 @@
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+
+name: Vulnerability Scan
+
+on:
+  workflow_dispatch:
+  release:
+  schedule:
+    - cron: '00 9 * * 1'
+
+permissions:
+  contents: read
+  security-events: write
+
+jobs:
+  version:
+    runs-on: ubuntu-latest
+    outputs:
+      versions: ${{ steps.version.outputs.TAGS }}
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b
+        with:
+          fetch-depth: 0
+
+      - name: Latest Tag
+        id: version
+        shell: bash
+        run: |
+          readarray -t TAGS_ARRAY <<<"$(git tag --list 'controller-v*.*.*' --sort=-version:refname | grep -v 'beta\|alpha')"
+          FULL_TAGS=(${TAGS_ARRAY[0]} ${TAGS_ARRAY[1]} ${TAGS_ARRAY[2]})
+          SHORT_TAGS=()
+          for i in ${FULL_TAGS[@]}
+          do
+            echo "tag: $i"
+            short=$(echo "$i" | cut -d - -f 2)
+            SHORT_TAGS+=($short)
+          done
+          echo "${SHORT_TAGS[0]},${SHORT_TAGS[1]},${SHORT_TAGS[2]}"
+          TAGS_JSON="[\"${SHORT_TAGS[0]}\",\"${SHORT_TAGS[1]}\",\"${SHORT_TAGS[2]}\"]"
+          echo "${TAGS_JSON}"
+          echo "::set-output name=TAGS::${TAGS_JSON}"
+
+  scan:
+    runs-on: ubuntu-latest
+    needs:     version
+    strategy:
+      matrix:
+        versions: ${{ fromJSON(needs.version.outputs.versions) }}
+    steps:
+    - name: Checkout code
+      uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b
+
+    - shell: bash
+      id: test
+      run: echo "Scanning registry.k8s.io/ingress-nginx/controller@${{ matrix.versions }}"
+
+    - name: Scan image with AquaSec/Trivy
+      id: scan
+      uses: aquasecurity/trivy-action@0105373003c89c494a3f436bd5efc57f3ac1ca20 #v0.5.1
+      with:
+        image-ref: registry.k8s.io/ingress-nginx/controller:${{ matrix.versions }}
+        format: 'sarif'
+        output: trivy-results-${{ matrix.versions }}.sarif
+        exit-code: 0
+        vuln-type: 'os,library'
+        severity: 'CRITICAL,HIGH,MEDIUM,LOW,UNKNOWN'
+
+    - name: Output Sarif File
+      shell: bash
+      run: cat ${{ github.workspace }}/trivy-results-${{ matrix.versions }}.sarif
+
+    # This step checks out a copy of your repository.
+    - name: Upload SARIF file
+      uses: github/codeql-action/upload-sarif@0c670bbf0414f39666df6ce8e718ec5662c21e03
+      with:
+        token: ${{ github.token }}
+        # Path to SARIF file relative to the root of the repository
+        sarif_file: ${{ github.workspace }}/trivy-results-${{ matrix.versions }}.sarif
+
+    - name: Vulz Count
+      shell: bash
+      run: |
+        TRIVY_COUNT=$(cat ${{ github.workspace }}/trivy-results-${{ matrix.versions }}.sarif | jq '.runs[0].results | length')
+        echo "TRIVY_COUNT: $TRIVY_COUNT"
+        echo "Image Vulnerability scan output" >> $GITHUB_STEP_SUMMARY
+        echo "Image ID: registry.k8s.io/ingress-nginx/controller@${{ matrix.versions }}" >> $GITHUB_STEP_SUMMARY
+        echo "" >> $GITHUB_STEP_SUMMARY
+        echo "Trivy Count: $TRIVY_COUNT" >> $GITHUB_STEP_SUMMARY