Scan Antrea Docker image for vulnerabilities every day #454
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Scan Antrea Docker image for vulnerabilities every day | |
| on: | |
| schedule: | |
| # every day at 10am | |
| - cron: '0 10 * * *' | |
| workflow_dispatch: | |
| inputs: | |
| # This is useful for testing an arbitrary released version of Antrea. | |
| # If left unset, we will use the latest release (obtained using the Github API). | |
| antrea-version: | |
| description: 'The released Antrea version to scan' | |
| type: string | |
| required: false | |
| jobs: | |
| build: | |
| if: github.repository == 'antrea-io/antrea' | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Find greatest Antrea version | |
| id: find-antrea-greatest-version | |
| env: | |
| GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| run: | | |
| VERSION=${{ github.event.inputs.antrea-version }} | |
| if [ -z "$VERSION" ]; then | |
| VERSION=$(gh api /repos/antrea-io/antrea/releases/latest --jq '.tag_name') | |
| fi | |
| echo "antrea_version=$VERSION" >> $GITHUB_OUTPUT | |
| - name: Pull Antrea Docker images | |
| id: pull | |
| run: | | |
| docker pull antrea/antrea-ubuntu:latest | |
| docker pull antrea/antrea-ubuntu:${{ steps.find-antrea-greatest-version.outputs.antrea_version }} | |
| - name: Run Trivy vulnerability scanner on latest Antrea Docker image | |
| if: ${{ always() && steps.pull.conclusion == 'success' }} | |
| uses: aquasecurity/trivy-action@0.15.0 | |
| # we cannot use .trivy.yml as we need to override some config parameters | |
| # and that is not supported by aquasecurity/trivy-action | |
| with: | |
| scan-type: 'image' | |
| image-ref: 'antrea/antrea-ubuntu:latest' | |
| exit-code: '1' | |
| ignore-unfixed: true | |
| severity: 'CRITICAL,HIGH' | |
| # whereabouts project doesn't upgrade dependencies frequently | |
| skip-files: '/opt/cni/bin/whereabouts' | |
| format: 'table' | |
| output: 'trivy.latest.txt' | |
| - name: Run Trivy vulnerability scanner on Antrea Docker image for latest released version | |
| if: ${{ always() && steps.pull.conclusion == 'success' }} | |
| uses: aquasecurity/trivy-action@0.15.0 | |
| with: | |
| scan-type: 'image' | |
| image-ref: 'antrea/antrea-ubuntu:${{ steps.find-antrea-greatest-version.outputs.antrea_version }}' | |
| exit-code: '1' | |
| ignore-unfixed: true | |
| severity: 'CRITICAL,HIGH' | |
| skip-files: '/opt/cni/bin/whereabouts' | |
| format: 'table' | |
| output: 'trivy.${{ steps.find-antrea-greatest-version.outputs.antrea_version }}.txt' | |
| - name: Upload Trivy scan reports | |
| if: ${{ always() && steps.pull.conclusion == 'success' }} | |
| uses: actions/upload-artifact@v3 | |
| with: | |
| name: trivy-scan-reports | |
| path: trivy.*.txt | |
| retention-days: 90 # max value | |
| skip: | |
| if: github.repository != 'antrea-io/antrea' | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Skip | |
| run: | | |
| echo "Skipping image scan because workflow cannot be run from fork" |