From 5c4bdc4cca0673aec120996a2fc52f6669b181d8 Mon Sep 17 00:00:00 2001
From: Stefan Prodan
Date: Sat, 3 Feb 2024 12:12:35 +0200
Subject: [PATCH] Refactor scanning
Signed-off-by: Stefan Prodan
---
 .github/workflows/e2e-fips.yaml | 2 +-
 .github/workflows/scan-fips.yaml | 2 +-
 .github/workflows/scan-upstream.yaml | 1 +
 .github/workflows/x-release.yaml | 3 +-
 .github/workflows/x-scan-controllers.yaml | 52 +++++++++++++++--------
 5 files changed, 39 insertions(+), 21 deletions(-)
diff --git a/.github/workflows/e2e-fips.yaml b/.github/workflows/e2e-fips.yaml
index 14e5664..7bafa79 100644
--- a/.github/workflows/e2e-fips.yaml
+++ b/.github/workflows/e2e-fips.yaml
@@ -2,7 +2,7 @@ name: FIPS conformance tests
 on:
 workflow_dispatch:
 schedule:
- - cron: '00 5 * * 1-5'
+ - cron: '00 6 * * 1-5'
 permissions:
 contents: read
diff --git a/.github/workflows/scan-fips.yaml b/.github/workflows/scan-fips.yaml
index 1986469..28e7784 100644
--- a/.github/workflows/scan-fips.yaml
+++ b/.github/workflows/scan-fips.yaml
@@ -3,7 +3,7 @@ name: FIPS vulnerability scan
 on:
 workflow_dispatch:
 schedule:
- - cron: '00 4 * * 1-5'
+ - cron: '00 5 * * 1-5'
 permissions:
 contents: read
diff --git a/.github/workflows/scan-upstream.yaml b/.github/workflows/scan-upstream.yaml
index 34484e7..6377a16 100644
--- a/.github/workflows/scan-upstream.yaml
+++ b/.github/workflows/scan-upstream.yaml
@@ -53,6 +53,7 @@ jobs:
 packages: read
 uses: ./.github/workflows/x-scan-controllers.yaml
 with:
+ check-scan-error: false
 sc: ${{ needs.get-controllers.outputs.sc }}
 kc: ${{ needs.get-controllers.outputs.kc }}
 hc: ${{ needs.get-controllers.outputs.hc }}
diff --git a/.github/workflows/x-release.yaml b/.github/workflows/x-release.yaml
index daf1d84..6df783c 100644
--- a/.github/workflows/x-release.yaml
+++ b/.github/workflows/x-release.yaml
@@ -1,4 +1,4 @@
-name: release
+name: x-release
 on:
 push:
 tags: [ 'v*' ]
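Review bot: The new `check-scan-error: false` on the upstream scan call means a `failure` outcome from any Trivy step in the called workflow no longer fails this run, so findings — and, because the called steps use `exit-code: '1'`, presumably also scans that could not run at all (image pull, database download) — are visible only in the log of a scheduled job that nobody is necessarily watching. If that is deliberate because the upstream images are not this repository's to fix, record it next to the input: `# informational only: findings in upstream images are logged but do not fail the scheduled run`. Without the comment the next reader cannot tell whether the silent outcome is a policy or an oversight.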
@@ -64,6 +64,7 @@ jobs:
 run: |
 cosign sign --yes ${{ steps.push.outputs.img_repository }}@${{ steps.push.outputs.img_digest }}
 - name: Create release
+ shell: bash
 env:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 run: |
diff --git a/.github/workflows/x-scan-controllers.yaml b/.github/workflows/x-scan-controllers.yaml
index f997644..dc5a174 100644
--- a/.github/workflows/x-scan-controllers.yaml
+++ b/.github/workflows/x-scan-controllers.yaml
@@ -1,4 +1,4 @@
-name: scan-controllers
+name: x-scan-controllers
 on:
 workflow_call:
@@ -27,8 +27,13 @@ on:
 description: 'image-automation-controller image'
 required: true
 type: string
- continue-on-error:
- description: 'continue on error'
+ severity:
+ description: 'vulnerability severity'
+ required: false
+ type: string
+ default: 'CRITICAL,HIGH,MEDIUM'
+ check-scan-error:
+ description: 'check for scan errors'
 required: false
 type: boolean
 default: true
@@ -54,7 +59,7 @@ jobs:
 password: ${{ secrets.pull-token }}
 - name: Scan source-controller
 id: sc
- continue-on-error: ${{ inputs.continue-on-error }}
+ continue-on-error: true
 uses: aquasecurity/trivy-action@d43c1f16c00cfd3978dde6c07f4bbcf9eb6993ca # v0.16.1
 with:
 image-ref: ${{ inputs.sc }}
@@ -62,13 +67,13 @@ jobs:
 exit-code: '1'
 ignore-unfixed: true
 vuln-type: 'os,library'
- severity: 'CRITICAL,HIGH'
+ severity: ${{ inputs.severity }}
 env:
 TRIVY_USERNAME: ${{ github.actor }}
 TRIVY_PASSWORD: ${{ secrets.pull-token }}
 - name: Scan kustomize-controller
 id: kc
- continue-on-error: ${{ inputs.continue-on-error }}
+ continue-on-error: true
 uses: aquasecurity/trivy-action@d43c1f16c00cfd3978dde6c07f4bbcf9eb6993ca # v0.16.1
 with:
 image-ref: ${{ inputs.kc }}
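Review bot: The description `'check for scan errors'` on the new `check-scan-error` input does not match what it controls: every Trivy step runs with `exit-code: '1'`, so a step outcome of `failure` is produced by reported vulnerabilities as well as by a scan that could not run, and this input only decides whether that outcome fails the workflow at the end. Suggest `description: 'fail the workflow when any controller scan reports findings or errors'` so that callers which set it to false (scan-upstream does) know they are also muting operational failures. The new `severity` input is forwarded to Trivy as a free-form string with no validation, so a caller can lower the gate (for example to `'CRITICAL'`) without any trace in this workflow; at minimum its description should list the accepted Trivy severity tokens and state the `CRITICAL,HIGH,MEDIUM` default.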
@@ -76,13 +81,13 @@ jobs:
 exit-code: '1'
 ignore-unfixed: true
 vuln-type: 'os,library'
- severity: 'CRITICAL,HIGH'
+ severity: ${{ inputs.severity }}
 env:
 TRIVY_USERNAME: ${{ github.actor }}
 TRIVY_PASSWORD: ${{ secrets.pull-token }}
 - name: Scan helm-controller
 id: hc
- continue-on-error: ${{ inputs.continue-on-error }}
+ continue-on-error: true
 uses: aquasecurity/trivy-action@d43c1f16c00cfd3978dde6c07f4bbcf9eb6993ca # v0.16.1
 with:
 image-ref: ${{ inputs.hc }}
@@ -90,13 +95,13 @@ jobs:
 exit-code: '1'
 ignore-unfixed: true
 vuln-type: 'os,library'
- severity: 'CRITICAL,HIGH'
+ severity: ${{ inputs.severity }}
 env:
 TRIVY_USERNAME: ${{ github.actor }}
 TRIVY_PASSWORD: ${{ secrets.pull-token }}
 - name: Scan notification-controller
 id: nc
- continue-on-error: ${{ inputs.continue-on-error }}
+ continue-on-error: true
 uses: aquasecurity/trivy-action@d43c1f16c00cfd3978dde6c07f4bbcf9eb6993ca # v0.16.1
 with:
 image-ref: ${{ inputs.nc }}
@@ -104,13 +109,13 @@ jobs:
 exit-code: '1'
 ignore-unfixed: true
 vuln-type: 'os,library'
- severity: 'CRITICAL,HIGH'
+ severity: ${{ inputs.severity }}
 env:
 TRIVY_USERNAME: ${{ github.actor }}
 TRIVY_PASSWORD: ${{ secrets.pull-token }}
 - name: Scan image-reflector-controller
 id: irc
- continue-on-error: ${{ inputs.continue-on-error }}
+ continue-on-error: true
 uses: aquasecurity/trivy-action@d43c1f16c00cfd3978dde6c07f4bbcf9eb6993ca # v0.16.1
 with:
 image-ref: ${{ inputs.irc }}
@@ -118,13 +123,13 @@ jobs:
 exit-code: '1'
 ignore-unfixed: true
 vuln-type: 'os,library'
- severity: 'CRITICAL,HIGH'
+ severity: ${{ inputs.severity }}
 env:
 TRIVY_USERNAME: ${{ github.actor }}
 TRIVY_PASSWORD: ${{ secrets.pull-token }}
 - name: Scan image-automation-controller
 id: iac
- continue-on-error: ${{ inputs.continue-on-error }}
+ continue-on-error: true
 uses: aquasecurity/trivy-action@d43c1f16c00cfd3978dde6c07f4bbcf9eb6993ca # v0.16.1
 with:
 image-ref: ${{ inputs.iac }}
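Review bot: The `severity: ${{ inputs.severity }}` and `continue-on-error: true` edits are applied to four identical copies of the Trivy step here (helm, notification, image-reflector, image-automation) plus two in the preceding hunks, differing only in `id` and `image-ref`, so the next scan option will again need six coordinated edits and a missed one silently weakens a single controller's gate. A `strategy.matrix` over the six controller inputs with one scan step would remove the duplication, though the aggregation in the final `Check result` step would then have to move from `steps.<id>.outcome` to job-level `needs.<job>.result`, so this reads as a follow-up rather than a blocker. If the copies are kept, a comment above the first scan step would at least make the coupling explicit: `# the six scan steps must stay identical apart from id/image-ref; the result steps key on steps.<id>.outcome`.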
@@ -132,18 +137,29 @@ jobs:
 exit-code: '1'
 ignore-unfixed: true
 vuln-type: 'os,library'
- severity: 'CRITICAL,HIGH'
+ severity: ${{ inputs.severity }}
 env:
 TRIVY_USERNAME: ${{ github.actor }}
 TRIVY_PASSWORD: ${{ secrets.pull-token }}
 - name: Scan result
- if : steps.sc.outcome == 'failure' || steps.kc.outcome == 'failure' || steps.hc.outcome == 'failure' || steps.nc.outcome == 'failure' || steps.irc.outcome == 'failure' || steps.iac.outcome == 'failure'
 run: |
- echo "One or more controllers have vulnerabilities"
 echo "source-controller: ${{ steps.sc.outcome }}"
+ echo "image: ${{ inputs.sc }}"
 echo "kustomize-controller: ${{ steps.kc.outcome }}"
+ echo "image: ${{ inputs.kc }}"
 echo "helm-controller: ${{ steps.hc.outcome }}"
+ echo "image: ${{ inputs.hc }}"
 echo "notification-controller: ${{ steps.nc.outcome }}"
+ echo "image: ${{ inputs.nc }}"
 echo "image-reflector-controller: ${{ steps.irc.outcome }}"
+ echo "image: ${{ inputs.irc }}"
 echo "image-automation-controller: ${{ steps.iac.outcome }}"
- exit 1
+ echo "image: ${{ inputs.iac }}"
+ - name: Check result
+ shell: bash
+ if : steps.sc.outcome == 'failure' || steps.kc.outcome == 'failure' || steps.hc.outcome == 'failure' || steps.nc.outcome == 'failure' || steps.irc.outcome == 'failure' || steps.iac.outcome == 'failure'
+ run: |
+ echo "One or more controllers have vulnerabilities"
+ if [ "${{ inputs.check-scan-error }}" = "true" ]; then
+ exit 1
+ fi
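Review bot: The added `echo "image: ${{ inputs.sc }}"` lines (and the five that follow) expand workflow_call inputs directly into the `run:` script, so whatever a caller passes as an image reference is interpolated into shell source before the step executes; in scan-upstream these values come from `needs.get-controllers.outputs.*`, and if those are derived from fetched upstream content a crafted reference could inject commands into this job, which holds `secrets.pull-token`. Pass the inputs through `env:` and reference the variables from the script, as below; `steps.<id>.outcome` can stay inline since it is a fixed enum. Separately, because every scan runs with `exit-code: '1'` and `continue-on-error: true`, the new `Check result` step cannot distinguish a controller with findings from a scan that presumably never ran (registry auth, DB download), and with `check-scan-error: false` both pass silently; consider reporting them as two distinct messages, and move the gate into the expression as `if: (steps.sc.outcome == 'failure' || …) && inputs.check-scan-error` instead of testing the rendered boolean in bash. The shell test `[ "${{ inputs.check-scan-error }}" = "true" ]` is safe only because the input is typed `boolean`; that dependency deserves a comment if the shell form is kept.
```yaml
      - name: Scan result
        env:
          SC_IMAGE: ${{ inputs.sc }}
          KC_IMAGE: ${{ inputs.kc }}
          HC_IMAGE: ${{ inputs.hc }}
          NC_IMAGE: ${{ inputs.nc }}
          IRC_IMAGE: ${{ inputs.irc }}
          IAC_IMAGE: ${{ inputs.iac }}
        run: |
          echo "source-controller: ${{ steps.sc.outcome }}"
          echo "image: $SC_IMAGE"
          # … unchanged: the remaining five outcome/image pairs, each echoing its env var …
```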