Add image scanner action, but only run it on-demand (#1062)

The images we can here come from outside sources and are not under our control. We can report on them, but to run this automatically would add lots of noise for work that we cannot control. Signed-off-by: Pete Wall <[email protected]>
grafana · Jan 10, 2025 · a37e6de · a37e6de
1 parent 625ff0c
commit a37e6de
Show file tree

Hide file tree

Showing 2 changed files with 70 additions and 7 deletions.
diff --git a/.github/workflows/scan-chart-images.yaml b/.github/workflows/scan-chart-images.yaml
@@ -0,0 +1,69 @@
+---
+name: Scan Chart Images
+
+on:
+  workflow_dispatch:
+# Disabling auto-checking.
+# There are often many vulnerabilities in these images, but we don't own them.
+# It just adds to noise if this is failing all the time.
+#
+#  push:
+#    branches: ["main"]
+#    paths:
+#      - '.github/workflows/scan-chart-images.yaml'
+#      - 'charts/k8s-monitoring/docs/examples/**'
+#  pull_request:
+#    paths:
+#      - '.github/workflows/scan-chart-images.yaml'
+#      - 'charts/k8s-monitoring/docs/examples/**'
+
+jobs:
+  list-container-images:
+    name: List Container Images
+    runs-on: ubuntu-latest
+    outputs:
+      images: ${{ steps.list_images.outputs.images }}
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Install yq
+        uses: dcarbone/[email protected]
+
+      - name: List Container Images
+        id: list_images
+        working-directory: charts/k8s-monitoring
+        run: |
+          files=$(find docs/examples -name output.yaml)
+          touch images.txt
+          for file in $files; do
+            if [ "${file}" == "docs/examples/private-image-registries/output.yaml" ]; then
+              continue
+            fi
+            {
+              yq -r -o json '. | select(.kind=="DaemonSet") | .spec.template.spec.containers[].image' "${file}"
+              yq -r -o json '. | select(.kind=="Deployment") | .spec.template.spec.containers[].image' "${file}"
+              yq -r -o json '. | select(.kind=="Job") | .spec.template.spec.containers[].image' "${file}"
+              yq -r -o json '. | select(.kind=="Pod") | .spec.containers[].image' "${file}"
+              yq -r -o json '. | select(.kind=="StatefulSet") | .spec.template.spec.containers[].image' "${file}"
+            } >> images.txt
+          done
+          echo "images=$(sort --unique < images.txt | jq --raw-input --slurp --compact-output 'split("\n") | map(select(. != ""))')" >> "${GITHUB_OUTPUT}"
+
+  scan-container-images:
+    name: Scan Container Images
+    needs: list-container-images
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        image: ${{ fromJson(needs.list-container-images.outputs.images) }}
+      fail-fast: false
+    steps:
+      - name: Run Trivy
+        uses: aquasecurity/[email protected]
+        with:
+          image-ref: ${{ matrix.image }}
+          format: 'table'
+          exit-code: '1'
+          ignore-unfixed: false
+          severity: 'CRITICAL,HIGH'
diff --git a/.github/workflows/test-v1.yml b/.github/workflows/test-v1.yml
@@ -80,17 +80,11 @@ jobs:
       - name: Install Helm
         uses: azure/setup-helm@v4
 
-      - name: Set up Python
-        uses: actions/setup-python@v5
-        with:
-          python-version: '3.9'
-          check-latest: true
-
       - name: Set up chart-testing
         uses: helm/chart-testing-action@v2
 
       - name: Install yq
-        run: pip install yq
+        uses: dcarbone/install[email protected]
 
       - name: Install ShellSpec
         run: |