ci: add vulnerability scan as part of GitHub Actions (#1817)

Signed-off-by: Ernest Wong <chuwon@microsoft.com> Co-authored-by: Rita Zhang <rita.z.zhang@gmail.com>
open-policy-agent · Feb 3, 2022 · 9a02fe8 · 9a02fe8
1 parent 36fdd72
commit 9a02fe8
Showing 1 changed file with 32 additions and 2 deletions.
diff --git a/.github/workflows/workflow.yaml b/.github/workflows/workflow.yaml
@@ -234,11 +234,41 @@ jobs:
           path: |
             logs-*.json
 
+  scan_vulnerabilities:
+    name: "[Trivy] Scan for vulnerabilities"
+    runs-on: ubuntu-latest
+    timeout-minutes: 15
+    permissions:
+      contents: read
+    steps:
+      - name: Check out code into the Go module directory
+        uses: actions/checkout@v2
+
+      - name: Download trivy
+        run: |
+          pushd $(mktemp -d)
+          wget https://github.com/aquasecurity/trivy/releases/download/v${{ env.TRIVY_VERSION }}/trivy_${{ env.TRIVY_VERSION }}_Linux-64bit.tar.gz
+          tar zxvf trivy_${{ env.TRIVY_VERSION }}_Linux-64bit.tar.gz
+          echo "$(pwd)" >> $GITHUB_PATH
+        env:
+          TRIVY_VERSION: "0.22.0"
+
+      - name: Build docker images
+        run: make docker-build
+
+      - name: Run trivy
+        run: |
+          for img in "openpolicyagent/gatekeeper:latest" "openpolicyagent/gatekeeper-crds:latest"; do
+            for vuln_type in "os" "library"; do
+              trivy image --ignore-unfixed --exit-code=1 --vuln-type="${vuln_type}" "${img}"
+            done
+          done
+
   pre-release:
     name: "Pre Release"
     runs-on: "ubuntu-latest"
     if: (github.ref == 'refs/heads/master' || startsWith(github.ref, 'refs/heads/release-')) && github.event_name == 'push' && github.repository == 'open-policy-agent/gatekeeper'
-    needs: [lint, test, build_test, helm_build_test]
+    needs: [lint, test, build_test, helm_build_test, scan_vulnerabilities]
     timeout-minutes: 30
     permissions:
       contents: read
@@ -278,7 +308,7 @@ jobs:
     permissions:
       contents: write
     if: startsWith(github.ref, 'refs/tags/v') && github.repository == 'open-policy-agent/gatekeeper'
-    needs: [lint, test, build_test, helm_build_test]
+    needs: [lint, test, build_test, helm_build_test, scan_vulnerabilities]
     timeout-minutes: 30
     steps:
       - name: Check out code into the Go module directory