From a37e6de6a5884fca94147ac913b33f97cd43decf Mon Sep 17 00:00:00 2001
From: Pete Wall
Date: Fri, 10 Jan 2025 09:05:40 -0600
Subject: [PATCH] Add image scanner action, but only run it on-demand (#1062)

The images we can here come from outside sources and are not under our control. We can report on them, but to run this automatically would add lots of noise for work that we cannot control.

Signed-off-by: Pete Wall
---
 .github/workflows/scan-chart-images.yaml | 69 ++++++++++++++++++++++++
 .github/workflows/test-v1.yml | 8 +--
 2 files changed, 70 insertions(+), 7 deletions(-)
 create mode 100644 .github/workflows/scan-chart-images.yaml

diff --git a/.github/workflows/scan-chart-images.yaml b/.github/workflows/scan-chart-images.yaml
new file mode 100644
index 000000000..75e4982c8
--- /dev/null
+++ b/.github/workflows/scan-chart-images.yaml
@@ -0,0 +1,69 @@
+---
+name: Scan Chart Images
+
+on:
+ workflow_dispatch:
+# Disabling auto-checking.
+# There are often many vulnerabilities in these images, but we don't own them.
+# It just adds to noise if this is failing all the time.
+#
+# push:
+# branches: ["main"]
+# paths:
+# - '.github/workflows/scan-chart-images.yaml'
+# - 'charts/k8s-monitoring/docs/examples/**'
+# pull_request:
+# paths:
+# - '.github/workflows/scan-chart-images.yaml'
+# - 'charts/k8s-monitoring/docs/examples/**'
+
+jobs:
+ list-container-images:
+ name: List Container Images
+ runs-on: ubuntu-latest
+ outputs:
+ images: ${{ steps.list_images.outputs.images }}
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v4
+
+ - name: Install yq
+ uses: dcarbone/install-yq-action@v1.1.1
+
+ - name: List Container Images
+ id: list_images
+ working-directory: charts/k8s-monitoring
+ run: |
+ files=$(find docs/examples -name output.yaml)
+ touch images.txt
+ for file in $files; do
+ if [ "${file}" == "docs/examples/private-image-registries/output.yaml" ]; then
+ continue
+ fi
+ {
+ yq -r -o json '. | select(.kind=="DaemonSet") | .spec.template.spec.containers[].image' "${file}"
+ yq -r -o json '. | select(.kind=="Deployment") | .spec.template.spec.containers[].image' "${file}"
+ yq -r -o json '. | select(.kind=="Job") | .spec.template.spec.containers[].image' "${file}"
+ yq -r -o json '. | select(.kind=="Pod") | .spec.containers[].image' "${file}"
+ yq -r -o json '. | select(.kind=="StatefulSet") | .spec.template.spec.containers[].image' "${file}"
+ } >> images.txt
+ done
+ echo "images=$(sort --unique < images.txt | jq --raw-input --slurp --compact-output 'split("\n") | map(select(. 
!= ""))')" >> "${GITHUB_OUTPUT}"
+
+ scan-container-images:
+ name: Scan Container Images
+ needs: list-container-images
+ runs-on: ubuntu-latest
+ strategy:
+ matrix:
+ image: ${{ fromJson(needs.list-container-images.outputs.images) }}
+ fail-fast: false
+ steps:
+ - name: Run Trivy
+ uses: aquasecurity/trivy-action@0.28.0
+ with:
+ image-ref: ${{ matrix.image }}
+ format: 'table'
+ exit-code: '1'
+ ignore-unfixed: false
+ severity: 'CRITICAL,HIGH'
diff --git a/.github/workflows/test-v1.yml b/.github/workflows/test-v1.yml
index 232555e2d..c72160a60 100644
--- a/.github/workflows/test-v1.yml
+++ b/.github/workflows/test-v1.yml
@@ -80,17 +80,11 @@ jobs:
 - name: Install Helm
 uses: azure/setup-helm@v4

- - name: Set up Python
- uses: actions/setup-python@v5
- with:
- python-version: '3.9'
- check-latest: true
-
 - name: Set up chart-testing
 uses: helm/chart-testing-action@v2

 - name: Install yq
- run: pip install yq
+ uses: dcarbone/install-yq-action@v1.1.1

 - name: Install ShellSpec
 run: |
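Review bot: The image list only collects `.containers[].image`, so init containers in the DaemonSet, Deployment, Job, StatefulSet and Pod manifests are never handed to Trivy, which is a gap in exactly the coverage this workflow exists to provide (the five `yq` lines of the `List Container Images` step; a `CronJob`, if any example renders one, is skipped for the same reason). The per-kind filters can be folded into one loop that also reads `initContainers`, defaulting to an empty list so manifests without that key still produce output — this assumes the action installs mikefarah yq v4, which the existing `-o json` flag already suggests. Separately, the workflow declares no `permissions:` block and pins `actions/checkout`, `dcarbone/install-yq-action` and `aquasecurity/trivy-action` by mutable tag; adding a top-level `permissions:` with `contents: read` and pinning each action to a full commit SHA, e.g. `uses: aquasecurity/trivy-action@<commit-sha>  # 0.28.0`, limits what a retagged or compromised action can do with the job token, and the same applies to the `dcarbone/install-yq-action@v1.1.1` line this commit adds to test-v1.yml.
```yaml
        run: |
          # … unchanged: files=$(find …), touch images.txt …
          for file in $files; do
            # … unchanged: skip of docs/examples/private-image-registries/output.yaml …
            for kind in DaemonSet Deployment Job StatefulSet; do
              # Main and init containers of workloads that embed a pod template.
              yq -r -o json "select(.kind == \"${kind}\") | .spec.template.spec | .containers[].image, (.initContainers // [] | .[] | .image)" "${file}" >> images.txt
            done
            # Bare Pods keep their containers directly under .spec.
            yq -r -o json 'select(.kind == "Pod") | .spec | .containers[].image, (.initContainers // [] | .[] | .image)' "${file}" >> images.txt
          done
          # … unchanged: echo "images=…" >> "${GITHUB_OUTPUT}" …
```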
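Review bot: The new `uses: dcarbone/install-yq-action@v1.1.1` step changes which yq is installed, not just how: PyPI `yq` (the removed `pip install yq`) is the Python wrapper that takes jq-style filters, while this action appears to install the Go yq with its own expression language, so any later `yq` invocation in test-v1.yml written against the old syntax needs to be checked against the new tool. None is visible in this hunk, and the job body continues outside it, so this may already be accounted for; a one-line comment on the step such as `# mikefarah yq (Go); not the jq-wrapper previously installed from PyPI` would make the switch explicit for the next reader.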