e2e: Scan upstream images

Signed-off-by: Stefan Prodan <[email protected]>
controlplaneio-fluxcd · Feb 2, 2024 · f6eae81 · f6eae81
1 parent e5ace42
commit f6eae81
Show file tree

Hide file tree

Showing 2 changed files with 157 additions and 0 deletions.
diff --git a/.github/workflows/scan-controllers.yaml b/.github/workflows/scan-controllers.yaml
@@ -0,0 +1,99 @@
+name: scan-controllers
+
+on:
+  workflow_call:
+    inputs:
+      sc:
+        description: 'source-controller image'
+        required: true
+        type: string
+      kc:
+        description: 'kustomize-controller image'
+        required: true
+        type: string
+      hc:
+        description: 'helm-controller image'
+        required: true
+        type: string
+      nc:
+        description: 'notification-controller image'
+        required: true
+        type: string
+      irc:
+        description: 'image-reflector-controller image'
+        required: true
+        type: string
+      iac:
+        description: 'image-automation-controller image'
+        required: true
+        type: string
+      continue-on-error:
+        description: 'continue on error'
+        required: false
+        type: boolean
+        default: false
+
+jobs:
+  trivy:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Scan source-controller
+        continue-on-error: ${{ inputs.continue-on-error }}
+        uses: aquasecurity/trivy-action@d43c1f16c00cfd3978dde6c07f4bbcf9eb6993ca # v0.16.1
+        with:
+          image-ref: ${{ inputs.sc }}
+          format: 'table'
+          exit-code: '1'
+          ignore-unfixed: true
+          vuln-type: 'os,library'
+          severity: 'CRITICAL,HIGH'
+      - name: Scan kustomize-controller
+        continue-on-error: ${{ inputs.continue-on-error }}
+        uses: aquasecurity/trivy-action@d43c1f16c00cfd3978dde6c07f4bbcf9eb6993ca # v0.16.1
+        with:
+          image-ref: ${{ inputs.kc }}
+          format: 'table'
+          exit-code: '1'
+          ignore-unfixed: true
+          vuln-type: 'os,library'
+          severity: 'CRITICAL,HIGH'
+      - name: Scan helm-controller
+        continue-on-error: ${{ inputs.continue-on-error }}
+        uses: aquasecurity/trivy-action@d43c1f16c00cfd3978dde6c07f4bbcf9eb6993ca # v0.16.1
+        with:
+          image-ref: ${{ inputs.hc }}
+          format: 'table'
+          exit-code: '1'
+          ignore-unfixed: true
+          vuln-type: 'os,library'
+          severity: 'CRITICAL,HIGH'
+      - name: Scan notification-controller
+        continue-on-error: ${{ inputs.continue-on-error }}
+        uses: aquasecurity/trivy-action@d43c1f16c00cfd3978dde6c07f4bbcf9eb6993ca # v0.16.1
+        with:
+          image-ref: ${{ inputs.nc }}
+          format: 'table'
+          exit-code: '1'
+          ignore-unfixed: true
+          vuln-type: 'os,library'
+          severity: 'CRITICAL,HIGH'
+      - name: Scan image-reflector-controller
+        continue-on-error: ${{ inputs.continue-on-error }}
+        uses: aquasecurity/trivy-action@d43c1f16c00cfd3978dde6c07f4bbcf9eb6993ca # v0.16.1
+        with:
+          image-ref: ${{ inputs.irc }}
+          format: 'table'
+          exit-code: '1'
+          ignore-unfixed: true
+          vuln-type: 'os,library'
+          severity: 'CRITICAL,HIGH'
+      - name: Scan image-automation-controller
+        continue-on-error: ${{ inputs.continue-on-error }}
+        uses: aquasecurity/trivy-action@d43c1f16c00cfd3978dde6c07f4bbcf9eb6993ca # v0.16.1
+        with:
+          image-ref: ${{ inputs.iac }}
+          format: 'table'
+          exit-code: '1'
+          ignore-unfixed: true
+          vuln-type: 'os,library'
+          severity: 'CRITICAL,HIGH'
diff --git a/.github/workflows/scan-upstream.yaml b/.github/workflows/scan-upstream.yaml
@@ -0,0 +1,58 @@
+name: scan-upstream
+
+on:
+  workflow_dispatch:
+
+permissions:
+  contents: read
+
+jobs:
+  get-controllers:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+    outputs:
+      sc: ${{ steps.version.outputs.sc }}
+      kc: ${{ steps.version.outputs.kc }}
+      hc: ${{ steps.version.outputs.hc }}
+      nc: ${{ steps.version.outputs.nc }}
+      irc: ${{ steps.version.outputs.irc }}
+      iac: ${{ steps.version.outputs.iac }}
+    steps:
+      - name: Setup Flux
+        uses: fluxcd/flux2/action@5c5c15ea212b8f029a110f9975851d25c8272695 #v2.2.2
+      - name: Export controllers version
+        shell: bash
+        id: version
+        run: |
+          FLUX_IMAGES="flux-images-$(flux -v | awk '{print $3}').txt"
+          
+          flux install \
+          --components-extra=image-reflector-controller,image-automation-controller \
+          --export | grep 'ghcr.io/' | awk '{print $2}' > "${FLUX_IMAGES}"
+          
+          sc=$(awk 'NR==1{print $1}' "${FLUX_IMAGES}")
+          kc=$(awk 'NR==2{print $1}' "${FLUX_IMAGES}")
+          hc=$(awk 'NR==3{print $1}' "${FLUX_IMAGES}")
+          nc=$(awk 'NR==4{print $1}' "${FLUX_IMAGES}")
+          irc=$(awk 'NR==5{print $1}' "${FLUX_IMAGES}")
+          iac=$(awk 'NR==6{print $1}' "${FLUX_IMAGES}")
+          
+          echo "sc=${sc}" >> $GITHUB_OUTPUT
+          echo "kc=${kc}" >> $GITHUB_OUTPUT
+          echo "hc=${hc}" >> $GITHUB_OUTPUT
+          echo "nc=${nc}" >> $GITHUB_OUTPUT
+          echo "irc=${irc}" >> $GITHUB_OUTPUT
+          echo "iac=${iac}" >> $GITHUB_OUTPUT
+  scan-controllers:
+    needs: [get-controllers]
+    permissions:
+      contents: read
+    uses: ./.github/workflows/scan-controllers.yaml
+    with:
+      sc: ${{ needs.get-controllers.outputs.sc }}
+      kc: ${{ needs.get-controllers.outputs.kc }}
+      hc: ${{ needs.get-controllers.outputs.hc }}
+      nc: ${{ needs.get-controllers.outputs.nc }}
+      irc: ${{ needs.get-controllers.outputs.irc }}
+      iac: ${{ needs.get-controllers.outputs.iac }}