Refactor scanning

Signed-off-by: Stefan Prodan <[email protected]>
controlplaneio-fluxcd · Feb 3, 2024 · 5c4bdc4 · 5c4bdc4
1 parent ab118bb
commit 5c4bdc4
Show file tree

Hide file tree

Showing 5 changed files with 39 additions and 21 deletions.
diff --git a/.github/workflows/e2e-fips.yaml b/.github/workflows/e2e-fips.yaml
@@ -2,7 +2,7 @@ name: FIPS conformance tests
 on:
   workflow_dispatch:
   schedule:
-    - cron: '00 5 * * 1-5'
+    - cron: '00 6 * * 1-5'
 
 permissions:
   contents: read

diff --git a/.github/workflows/scan-fips.yaml b/.github/workflows/scan-fips.yaml
@@ -3,7 +3,7 @@ name: FIPS vulnerability scan
 on:
   workflow_dispatch:
   schedule:
-    - cron: '00 4 * * 1-5'
+    - cron: '00 5 * * 1-5'
 
 permissions:
   contents: read

diff --git a/.github/workflows/scan-upstream.yaml b/.github/workflows/scan-upstream.yaml
@@ -53,6 +53,7 @@ jobs:
       packages: read
     uses: ./.github/workflows/x-scan-controllers.yaml
     with:
+      check-scan-error: false
       sc: ${{ needs.get-controllers.outputs.sc }}
       kc: ${{ needs.get-controllers.outputs.kc }}
       hc: ${{ needs.get-controllers.outputs.hc }}

diff --git a/.github/workflows/x-release.yaml b/.github/workflows/x-release.yaml
@@ -1,4 +1,4 @@
-name: release
+name: x-release
 on:
   push:
     tags: [ 'v*' ]
@@ -64,6 +64,7 @@ jobs:
         run: |
           cosign sign --yes ${{ steps.push.outputs.img_repository }}@${{ steps.push.outputs.img_digest }}
       - name: Create release
+        shell: bash
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         run: |

diff --git a/.github/workflows/x-scan-controllers.yaml b/.github/workflows/x-scan-controllers.yaml
@@ -1,4 +1,4 @@
-name: scan-controllers
+name: x-scan-controllers
 
 on:
   workflow_call:
@@ -27,8 +27,13 @@ on:
         description: 'image-automation-controller image'
         required: true
         type: string
-      continue-on-error:
-        description: 'continue on error'
+      severity:
+        description: 'vulnerability severity'
+        required: false
+        type: string
+        default: 'CRITICAL,HIGH,MEDIUM'
+      check-scan-error:
+        description: 'check for scan errors'
         required: false
         type: boolean
         default: true
@@ -54,96 +59,107 @@ jobs:
           password: ${{ secrets.pull-token }}
       - name: Scan source-controller
         id: sc
-        continue-on-error: ${{ inputs.continue-on-error }}
+        continue-on-error: true
         uses: aquasecurity/trivy-action@d43c1f16c00cfd3978dde6c07f4bbcf9eb6993ca # v0.16.1
         with:
           image-ref: ${{ inputs.sc }}
           format: 'table'
           exit-code: '1'
           ignore-unfixed: true
           vuln-type: 'os,library'
-          severity: 'CRITICAL,HIGH'
+          severity: ${{ inputs.severity }}
         env:
           TRIVY_USERNAME: ${{ github.actor }}
           TRIVY_PASSWORD: ${{ secrets.pull-token }}
       - name: Scan kustomize-controller
         id: kc
-        continue-on-error: ${{ inputs.continue-on-error }}
+        continue-on-error: true
         uses: aquasecurity/trivy-action@d43c1f16c00cfd3978dde6c07f4bbcf9eb6993ca # v0.16.1
         with:
           image-ref: ${{ inputs.kc }}
           format: 'table'
           exit-code: '1'
           ignore-unfixed: true
           vuln-type: 'os,library'
-          severity: 'CRITICAL,HIGH'
+          severity: ${{ inputs.severity }}
         env:
           TRIVY_USERNAME: ${{ github.actor }}
           TRIVY_PASSWORD: ${{ secrets.pull-token }}
       - name: Scan helm-controller
         id: hc
-        continue-on-error: ${{ inputs.continue-on-error }}
+        continue-on-error: true
         uses: aquasecurity/trivy-action@d43c1f16c00cfd3978dde6c07f4bbcf9eb6993ca # v0.16.1
         with:
           image-ref: ${{ inputs.hc }}
           format: 'table'
           exit-code: '1'
           ignore-unfixed: true
           vuln-type: 'os,library'
-          severity: 'CRITICAL,HIGH'
+          severity: ${{ inputs.severity }}
         env:
           TRIVY_USERNAME: ${{ github.actor }}
           TRIVY_PASSWORD: ${{ secrets.pull-token }}
       - name: Scan notification-controller
         id: nc
-        continue-on-error: ${{ inputs.continue-on-error }}
+        continue-on-error: true
         uses: aquasecurity/trivy-action@d43c1f16c00cfd3978dde6c07f4bbcf9eb6993ca # v0.16.1
         with:
           image-ref: ${{ inputs.nc }}
           format: 'table'
           exit-code: '1'
           ignore-unfixed: true
           vuln-type: 'os,library'
-          severity: 'CRITICAL,HIGH'
+          severity: ${{ inputs.severity }}
         env:
           TRIVY_USERNAME: ${{ github.actor }}
           TRIVY_PASSWORD: ${{ secrets.pull-token }}
       - name: Scan image-reflector-controller
         id: irc
-        continue-on-error: ${{ inputs.continue-on-error }}
+        continue-on-error: true
         uses: aquasecurity/trivy-action@d43c1f16c00cfd3978dde6c07f4bbcf9eb6993ca # v0.16.1
         with:
           image-ref: ${{ inputs.irc }}
           format: 'table'
           exit-code: '1'
           ignore-unfixed: true
           vuln-type: 'os,library'
-          severity: 'CRITICAL,HIGH'
+          severity: ${{ inputs.severity }}
         env:
           TRIVY_USERNAME: ${{ github.actor }}
           TRIVY_PASSWORD: ${{ secrets.pull-token }}
       - name: Scan image-automation-controller
         id: iac
-        continue-on-error: ${{ inputs.continue-on-error }}
+        continue-on-error: true
         uses: aquasecurity/trivy-action@d43c1f16c00cfd3978dde6c07f4bbcf9eb6993ca # v0.16.1
         with:
           image-ref: ${{ inputs.iac }}
           format: 'table'
           exit-code: '1'
           ignore-unfixed: true
           vuln-type: 'os,library'
-          severity: 'CRITICAL,HIGH'
+          severity: ${{ inputs.severity }}
         env:
           TRIVY_USERNAME: ${{ github.actor }}
           TRIVY_PASSWORD: ${{ secrets.pull-token }}
       - name: Scan result
-        if : steps.sc.outcome == 'failure' || steps.kc.outcome == 'failure' || steps.hc.outcome == 'failure' || steps.nc.outcome == 'failure' || steps.irc.outcome == 'failure' || steps.iac.outcome == 'failure'
         run: |
-          echo "One or more controllers have vulnerabilities"
           echo "source-controller: ${{ steps.sc.outcome }}"
+          echo "image: ${{ inputs.sc }}"
           echo "kustomize-controller: ${{ steps.kc.outcome }}"
+          echo "image: ${{ inputs.kc }}"
           echo "helm-controller: ${{ steps.hc.outcome }}"
+          echo "image: ${{ inputs.hc }}"
           echo "notification-controller: ${{ steps.nc.outcome }}"
+          echo "image: ${{ inputs.nc }}"
           echo "image-reflector-controller: ${{ steps.irc.outcome }}"
+          echo "image: ${{ inputs.irc }}"
           echo "image-automation-controller: ${{ steps.iac.outcome }}"
-          exit 1
+          echo "image: ${{ inputs.iac }}"
+      - name: Check result
+        shell: bash
+        if : steps.sc.outcome == 'failure' || steps.kc.outcome == 'failure' || steps.hc.outcome == 'failure' || steps.nc.outcome == 'failure' || steps.irc.outcome == 'failure' || steps.iac.outcome == 'failure'
+        run: |
+          echo "One or more controllers have vulnerabilities"
+          if [ "${{ inputs.check-scan-error }}" = "true" ]; then
+            exit 1
+          fi