CSPL-2710: replace clair with trivy for security scanning (#1341)

* adding support for trivy

Signed-off-by: Vivek Reddy <[email protected]>

* commenting unittest

Signed-off-by: Vivek Reddy <[email protected]>

* remove coverage file

Signed-off-by: Vivek Reddy <[email protected]>

* disable code coverage

Signed-off-by: Vivek Reddy <[email protected]>

* disable code coverage

Signed-off-by: Vivek Reddy <[email protected]>

* testing with 2.5.2

Signed-off-by: Vivek Reddy <[email protected]>

* testing with double quotes

Signed-off-by: Vivek Reddy <[email protected]>

* adding new section

Signed-off-by: Vivek Reddy <[email protected]>

* chaging to use github sha

Signed-off-by: Vivek Reddy <[email protected]>

* added image pull

Signed-off-by: Vivek Reddy <[email protected]>

* adding report

Signed-off-by: Vivek Reddy <[email protected]>

* adding aws credentials

Signed-off-by: Vivek Reddy <[email protected]>

* changed report to table

Signed-off-by: Vivek Reddy <[email protected]>

* changed to sarif

Signed-off-by: Vivek Reddy <[email protected]>

* updated go mod

* updated to use fs type

* updated to use sarif with template

* adding go mod changes

Signed-off-by: Vivek Reddy <[email protected]>

* adding permissions

Signed-off-by: Vivek Reddy <[email protected]>

* adding trivy and removed clair

Signed-off-by: Vivek Reddy <[email protected]>

* uncommented test

Signed-off-by: Vivek Reddy <[email protected]>

* uncommented test

Signed-off-by: Vivek Reddy <[email protected]>

* adding latest sarif

Signed-off-by: Vivek Reddy <[email protected]>

* remove old net and crypto version

Signed-off-by: Vivek Reddy <[email protected]>

---------

Signed-off-by: Vivek Reddy <[email protected]>

.github/workflows/build-test-push-workflow.yml

@@ -90,15 +90,20 @@ jobs:
     - name: Push Splunk Operator Image to ECR
       run: |
         echo "Uploading Image to ECR:: ${{ env.SPLUNK_OPERATOR_IMAGE_NAME }}:$GITHUB_SHA"
-        make docker-push IMG=${{ secrets.ECR_REPOSITORY }}/${{ env.SPLUNK_OPERATOR_IMAGE_NAME }}:$GITHUB_SHA
+        make docker-push IMG=${{ secrets.ECR_REPOSITORY }}/${{ env.SPLUNK_OPERATOR_IMAGE_NAME }}:${{ github.sha }}
   vulnerability-scan:
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
     runs-on: ubuntu-latest
     needs: build-operator-image
     env:
       SPLUNK_ENTERPRISE_IMAGE: ${{ secrets.SPLUNK_ENTERPRISE_IMAGE }}
       SPLUNK_OPERATOR_IMAGE_NAME: splunk/splunk-operator
       ECR_REPOSITORY: ${{ secrets.ECR_REPOSITORY }}
       S3_REGION: ${{ secrets.AWS_DEFAULT_REGION }}
+      IMAGE_NAME: ${{ secrets.ECR_REPOSITORY }}/splunk/splunk-operator:${{ github.sha }}
     steps:
     - uses: actions/checkout@v2
     - name: Dotenv Action
@@ -116,18 +121,20 @@ jobs:
       uses: aws-actions/amazon-ecr-login@v1
     - name: Pull Splunk Operator Image Locally
       run: |
-        docker pull ${{ secrets.ECR_REPOSITORY }}/${{ env.SPLUNK_OPERATOR_IMAGE_NAME }}:$GITHUB_SHA
-    - name: Setup clair scanner
-      run: make setup_clair_scanner
-    - name: Scan container image
-      run: make run_clair_scan IMG=${{ secrets.ECR_REPOSITORY }}/${{ env.SPLUNK_OPERATOR_IMAGE_NAME }}:$GITHUB_SHA
-    - name: Stop clair scanner
-      run: make stop_clair_scanner
-    - name: Save scan results as artifacts
-      uses: actions/upload-artifact@82c141cc518b40d92cc801eee768e7aafc9c2fa2
+        docker pull ${{ env.IMAGE_NAME }}
+    - name: Run Trivy vulnerability scanner
+      uses: aquasecurity/trivy-action@master
+      with:
+        image-ref: '${{ env.IMAGE_NAME }}'
+        format: sarif
+        #exit-code: 1
+        severity: 'CRITICAL'
+        ignore-unfixed: true
+        output: 'trivy-results.sarif'
+    - name: Upload Trivy scan results to GitHub Security tab
+      uses: github/codeql-action/upload-sarif@v3
       with:
-        name: clair-scanner-logs
-        path: clair-scanner-logs
+        sarif_file: 'trivy-results.sarif'
   smoke-tests:
     needs: vulnerability-scan
     strategy:

go.mod

@@ -7,8 +7,8 @@ require (
 	github.com/go-logr/logr v1.4.1
 	github.com/google/go-cmp v0.6.0
 	github.com/minio/minio-go/v7 v7.0.16
-	github.com/onsi/ginkgo/v2 v2.17.2
-	github.com/onsi/gomega v1.33.0
+	github.com/onsi/ginkgo/v2 v2.19.0
+	github.com/onsi/gomega v1.33.1
 	github.com/pkg/errors v0.9.1
 	github.com/prometheus/client_golang v1.14.0
 	github.com/stretchr/testify v1.8.4
@@ -37,7 +37,6 @@ require (
 	github.com/go-openapi/jsonpointer v0.19.5 // indirect
 	github.com/go-openapi/jsonreference v0.20.0 // indirect
 	github.com/go-openapi/swag v0.19.14 // indirect
-	github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572 // indirect
 	github.com/go-task/slim-sprig/v3 v3.0.0 // indirect
 	github.com/gogo/protobuf v1.3.2 // indirect
 	github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
@@ -70,14 +69,14 @@ require (
 	github.com/spf13/pflag v1.0.5 // indirect
 	go.uber.org/atomic v1.7.0 // indirect
 	go.uber.org/multierr v1.6.0 // indirect
-	golang.org/x/crypto v0.1.0 // indirect
-	golang.org/x/net v0.24.0 // indirect
+	golang.org/x/crypto v0.23.0 // indirect
+	golang.org/x/net v0.25.0 // indirect
 	golang.org/x/oauth2 v0.0.0-20220223155221-ee480838109b // indirect
-	golang.org/x/sys v0.19.0 // indirect
-	golang.org/x/term v0.5.0 // indirect
-	golang.org/x/text v0.14.0 // indirect
+	golang.org/x/sys v0.20.0 // indirect
+	golang.org/x/term v0.20.0 // indirect
+	golang.org/x/text v0.15.0 // indirect
 	golang.org/x/time v0.3.0 // indirect
-	golang.org/x/tools v0.20.0 // indirect
+	golang.org/x/tools v0.21.0 // indirect
 	gomodules.xyz/jsonpatch/v2 v2.2.0 // indirect
 	google.golang.org/appengine v1.6.7 // indirect
 	google.golang.org/protobuf v1.33.0 // indirect
@@ -92,9 +91,4 @@ require (
 	sigs.k8s.io/json v0.0.0-20220713155537-f223a00ba0e2 // indirect
 	sigs.k8s.io/structured-merge-diff/v4 v4.2.3 // indirect
 	sigs.k8s.io/yaml v1.3.0 // indirect
-)
-
-replace (
-	golang.org/x/crypto => golang.org/x/crypto v0.1.0
-	golang.org/x/net => golang.org/x/net v0.7.0
-)
+)