Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add image scanner action #1062

Merged
merged 1 commit into from
Jan 10, 2025
Merged

Add image scanner action #1062

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
69 changes: 69 additions & 0 deletions .github/workflows/scan-chart-images.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,69 @@
---
name: Scan Chart Images

on:

Check failure on line 4 in .github/workflows/scan-chart-images.yaml

View workflow job for this annotation

GitHub Actions / runner / yamllint 

[yamllint] reported by reviewdog 🐶
[warning] truthy value should be one of [false, true] (truthy)

Raw Output:
./.github/workflows/scan-chart-images.yaml:4:1: [warning] truthy value should be one of [false, true] (truthy)
workflow_dispatch:
# Disabling auto-checking.
# There are often many vulnerabilities in these images, but we don't own them.
# It just adds to noise if this is failing all the time.
#
# push:
# branches: ["main"]
# paths:
# - '.github/workflows/scan-chart-images.yaml'
# - 'charts/k8s-monitoring/docs/examples/**'
# pull_request:
# paths:
# - '.github/workflows/scan-chart-images.yaml'
# - 'charts/k8s-monitoring/docs/examples/**'

jobs:
list-container-images:
name: List Container Images
runs-on: ubuntu-latest
outputs:
images: ${{ steps.list_images.outputs.images }}
steps:
- name: Checkout
uses: actions/checkout@v4

- name: Install yq
uses: dcarbone/[email protected]

- name: List Container Images
id: list_images
working-directory: charts/k8s-monitoring
run: |
files=$(find docs/examples -name output.yaml)
touch images.txt
for file in $files; do
if [ "${file}" == "docs/examples/private-image-registries/output.yaml" ]; then
continue
fi
{
yq -r -o json '. | select(.kind=="DaemonSet") | .spec.template.spec.containers[].image' "${file}"
yq -r -o json '. | select(.kind=="Deployment") | .spec.template.spec.containers[].image' "${file}"
yq -r -o json '. | select(.kind=="Job") | .spec.template.spec.containers[].image' "${file}"
yq -r -o json '. | select(.kind=="Pod") | .spec.containers[].image' "${file}"
yq -r -o json '. | select(.kind=="StatefulSet") | .spec.template.spec.containers[].image' "${file}"
} >> images.txt
done
echo "images=$(sort --unique < images.txt | jq --raw-input --slurp --compact-output 'split("\n") | map(select(. != ""))')" >> "${GITHUB_OUTPUT}"

scan-container-images:
name: Scan Container Images
needs: list-container-images
runs-on: ubuntu-latest
strategy:
matrix:
image: ${{ fromJson(needs.list-container-images.outputs.images) }}
fail-fast: false
steps:
- name: Run Trivy
uses: aquasecurity/[email protected]
with:
image-ref: ${{ matrix.image }}
format: 'table'
exit-code: '1'
ignore-unfixed: false
severity: 'CRITICAL,HIGH'
8 changes: 1 addition & 7 deletions .github/workflows/test-v1.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -80,17 +80,11 @@ jobs:
- name: Install Helm
uses: azure/setup-helm@v4

- name: Set up Python
uses: actions/setup-python@v5
with:
python-version: '3.9'
check-latest: true

- name: Set up chart-testing
uses: helm/chart-testing-action@v2

- name: Install yq
run: pip install yq
uses: dcarbone/install[email protected]

- name: Install ShellSpec
run: |
Expand Down
Loading