feat: monitor OS vulnerability in Skaffold LTS images.

[ChrisGe4]

Add a Cloud Build job to monitor the vulnerabilities that are found in the LTS images.

Reference: go/cd-lts-image-security.

[codecov]

Codecov Report

Merging #6964 (82424d1) into main (290280e) will decrease coverage by 1.71%.
The diff coverage is 56.70%.

@@            Coverage Diff             @@
##             main    #6964      +/-   ##
==========================================
- Coverage   70.48%   68.77%   -1.72%     
==========================================
  Files         515      551      +36     
  Lines       23150    25370    +2220     
==========================================
+ Hits        16317    17447    +1130     
- Misses       5776     6740     +964     
- Partials     1057     1183     +126     

Impacted Files	Coverage Δ
cmd/skaffold/app/cmd/deploy.go	52.00% <ø> (-1.85%)	⬇️
cmd/skaffold/app/cmd/dev.go	84.61% <0.00%> (ø)
cmd/skaffold/app/cmd/render.go	36.66% <0.00%> (-4.72%)	⬇️
cmd/skaffold/skaffold.go	0.00% <0.00%> (ø)
cmd/skaffold/app/cmd/inspect_tests.go	62.50% <14.28%> (-1.14%)	⬇️
cmd/skaffold/app/cmd/lsp.go	28.12% <28.12%> (ø)
cmd/skaffold/app/cmd/fix.go	68.85% <40.00%> (-7.62%)	⬇️
cmd/skaffold/app/cmd/lint.go	42.85% <42.85%> (ø)
cmd/skaffold/app/cmd/find_configs.go	48.88% <50.00%> (+0.24%)	⬆️
cmd/skaffold/app/skaffold.go	76.19% <70.00%> (-8.43%)	⬇️
... and 175 more

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 248b74e...82424d1. Read the comment docs.

[briandealwis]

Should use /bin/bash to be consistent with line 8

[ChrisGe4]

Done.

[briandealwis]

What if there are new, more severe, vulnerabilities reported?

[ChrisGe4]

The github issue only serves as a reminder for skaffold team to look up the vulnerabilities in the report that is created by container analysis.

[briandealwis]

Except that you're listing the images with vulnerabilities, and a new vulnerability could have been discovered in a different image.

[ChrisGe4]

I added the code to update the existing issue.

[briandealwis]

Feels like there should be a blank line to separate the unrelated variables from this function

[ChrisGe4]

Done.

[briandealwis]

Note that these substitutions must be explicitly propagated into the environment with an env: section on a step in the cloudbuild.yaml

[ChrisGe4]

ah, I only tested with default values before. Added the substitutions section.

[tejal29]

Thanks. This is looking pretty solid.

1. Can you fix the CLA bot issue. https://github.com/GoogleContainerTools/skaffold/pull/6964/checks?check_run_id=4525719034

2. Can you link a sample build job?

[ChrisGe4]

Thanks. This is looking pretty solid.

1. Can you fix the CLA bot issue. https://github.com/GoogleContainerTools/skaffold/pull/6964/checks?check_run_id=4525719034
2. Can you link a sample build job?

1. Resolved.
2. A job triggered from my test project with the code in this repo:https://pantheon.corp.google.com/cloud-build/builds;region=global/fe415473-1bb1-4b01-bf83-f0b317ef6262?project=cd-demo-01 Log: https://paste.googleplex.com/6644379658747904

[tejal29]

2. A job triggered from my test project with the code in this repo:https://pantheon.corp.google.com/cloud-build/builds;region=global/fe415473-1bb1-4b01-bf83-f0b317ef6262?project=cd-demo-01

Can you copy the logs and share a gpaste/ link?
I don't have access to see the build log.

[ChrisGe4]

2. A job triggered from my test project with the code in this repo:https://pantheon.corp.google.com/cloud-build/builds;region=global/fe415473-1bb1-4b01-bf83-f0b317ef6262?project=cd-demo-01

Can you copy the logs and share a gpaste/ link? I don't have access to see the build log.

I have added the gpaste link.

[tejal29]

Nice! looks like issues are getting created here https://github.com/ChrisGe4/cd-lts-test/issues

[tejal29]

Address google cloud API warning and then LGTM!.

Thank you for your patience.

Step #1 - "Check vulnerability report.": WARNING: --filter : operator evaluation is changing for consistency across Google APIs.  tags:v*lts currently matches but will not match in the near future.  Run `gcloud topic filters` for details.