Add scheduled job and revert pr scan changes
illegalnumbers committed May 16, 2024
1 parent a9bb693 commit 834ef56
Showing 2 changed files with 171 additions and 47 deletions.
52 changes: 5 additions & 47 deletions .github/workflows/trivy.yml
Expand Up @@ -15,12 +15,6 @@ on:
permissions:
pull-requests: write
issues: write
# For Trivy uploads to Github Security tab
# required for all workflows
security-events: write
# only required for workflows in private repositories
actions: read
contents: read

jobs:
build:
Expand Down Expand Up @@ -100,65 +94,29 @@ jobs:
uses: aquasecurity/trivy-action@master
with:
image-ref: 'pulsar-functions-go-runner:latest'
format: 'template'
template: '@/contrib/sarif.tpl'
output: 'trivy-results-go.sarif'
severity: 'LOW,MEDIUM,HIGH,CRITICAL'
format: 'table'
exit-code: '0'

- name: Run Trivy vulnerability scanner for java with pulsarctl
id: scan-java-pulsarctl-runner
uses: aquasecurity/trivy-action@master
with:
image-ref: 'pulsar-functions-pulsarctl-java-runner:latest'
format: 'template'
template: '@/contrib/sarif.tpl'
output: 'trivy-results.sarif'
severity: 'LOW,MEDIUM,HIGH,CRITICAL'
format: 'table'
exit-code: '0'

- name: Run Trivy vulnerability scanner for python with pulsarctl
id: scan-python-pulsarctl-runner
uses: aquasecurity/trivy-action@master
with:
image-ref: 'pulsar-functions-pulsarctl-python-runner:latest'
format: 'template'
template: '@/contrib/sarif.tpl'
output: 'trivy-results-python.sarif'
severity: 'LOW,MEDIUM,HIGH,CRITICAL'
format: 'table'
exit-code: '0'

- name: Run Trivy vulnerability scanner for go with pulsarctl
id: scan-go-pulsarctl-runner
uses: aquasecurity/trivy-action@master
with:
image-ref: 'pulsar-functions-pulsarctl-go-runner:latest'
format: 'template'
exit-code: '0'
template: '@/contrib/sarif.tpl'
output: 'trivy-results-pulsarctl.sarif'
severity: 'LOW,MEDIUM,HIGH,CRITICAL'

- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: 'trivy-results.sarif'
category: 'Default'

- name: Upload Trivy go scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: 'trivy-results-go.sarif'
category: 'Golang'

- name: Upload Trivy pulsarctl scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: 'trivy-results-pulsarctl.sarif'
category: 'Pulsarctl'

- name: Upload Trivy python scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: 'trivy-results-python.sarif'
category: 'Python'
format: 'table'
exit-code: '0'
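Review bot: With `format: 'table'` and `exit-code: '0'` now set on every runner-image scan and the four `upload-sarif` steps removed, a finding in any runner image neither fails the PR nor reaches the Security tab — it only appears in the job log, where nobody is paged for it. If PR scans are meant to be informational, say so on the step, e.g. `# informational only: results are logged, not uploaded or gated; the scheduled master scan is authoritative`; otherwise keep a gate with `severity: 'HIGH,CRITICAL'`, `exit-code: '1'` and optionally `ignore-unfixed: true`. The first hunk drops `security-events: write` but leaves `pull-requests: write` and `issues: write` at workflow level although no visible step comments on PRs or opens issues; if the rest of the file (not shown here) has no such step, reduce the block to `contents: read`. The remaining steps still reference `aquasecurity/trivy-action@master`, a mutable ref that predates this commit; pinning to a release tag or commit SHA would close that supply-chain gap.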
166 changes: 166 additions & 0 deletions .github/workflows/trivy_scheduled_master.yml
@@ -0,0 +1,166 @@
name: Scheduled master branch scan security vulnerabilities
on:
pull_request:
branches:
- 'master'
paths-ignore:
- 'docs/**'
- 'README.md'
- 'CHANGELOG.md'
- 'PROJECT'
- 'LICENSE'
- 'mesh-worker-service/README.md'
- 'tools/README.md'
schedule:
- cron: '0 0 * * *'

permissions:
pull-requests: write
issues: write
# For Trivy uploads to Github Security tab
# required for all workflows
security-events: write
# only required for workflows in private repositories
actions: read
contents: read

jobs:
build:
name: Scan
permissions:
pull-requests: write
issues: write
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v3
with:
fetch-depth: 0
repository: ${{github.event.pull_request.head.repo.full_name}}
ref: ${{ github.event.pull_request.head.sha }}

- name: Set up GO 1.22.3
uses: actions/setup-go@v1
with:
go-version: 1.22.3
id: go

- name: InstallKubebuilder
run: |
curl -L https://github.com/kubernetes-sigs/kubebuilder/releases/download/v2.3.1/kubebuilder_2.3.1_linux_amd64.tar.gz | tar -xz -C /tmp/
sudo mv /tmp/kubebuilder_2.3.1_linux_amd64 /usr/local/kubebuilder
export PATH=$PATH:/usr/local/kubebuilder/bin
- name: Install operator-sdk
run: |
RELEASE_VERSION=v1.14.0
curl -LO "https://github.com/operator-framework/operator-sdk/releases/download/${RELEASE_VERSION}/operator-sdk_linux_amd64"
chmod +x operator-sdk_linux_amd64 && sudo mkdir -p /usr/local/bin/ && sudo mv operator-sdk_linux_amd64 /usr/local/bin/operator-sdk
- name: Set up yq
run: |
sudo wget https://github.com/mikefarah/yq/releases/download/v4.30.4/yq_linux_amd64 -O /usr/bin/yq
sudo chmod +x /usr/bin/yq
yq --help
- name: Build operator image
run: |
make generate
make helm-crds
image="function-mesh-operator:latest"
IMG=${image} make docker-build-skip-test
- name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@master
with:
image-ref: 'function-mesh-operator:latest'
format: 'table'
exit-code: '1'

- name: Build runner images
run: |
PULSAR_IMAGE_TAG=3.2.2.6 PULSAR_IMAGE=streamnative/sn-platform KIND_PUSH=false images/build.sh
- name: Run Trivy vulnerability scanner for java
id: scan-java-runner
uses: aquasecurity/trivy-action@master
with:
image-ref: 'pulsar-functions-java-runner:latest'
format: 'table'
exit-code: '0'

- name: Run Trivy vulnerability scanner for python
id: scan-python-runner
uses: aquasecurity/trivy-action@master
with:
image-ref: 'pulsar-functions-python-runner:latest'
format: 'table'
exit-code: '0'

- name: Run Trivy vulnerability scanner for go
id: scan-go-runner
uses: aquasecurity/trivy-action@master
with:
image-ref: 'pulsar-functions-go-runner:latest'
format: 'template'
template: '@/contrib/sarif.tpl'
output: 'trivy-results-go.sarif'
severity: 'LOW,MEDIUM,HIGH,CRITICAL'
exit-code: '0'

- name: Run Trivy vulnerability scanner for java with pulsarctl
id: scan-java-pulsarctl-runner
uses: aquasecurity/trivy-action@master
with:
image-ref: 'pulsar-functions-pulsarctl-java-runner:latest'
format: 'template'
template: '@/contrib/sarif.tpl'
output: 'trivy-results.sarif'
severity: 'LOW,MEDIUM,HIGH,CRITICAL'
exit-code: '0'

- name: Run Trivy vulnerability scanner for python with pulsarctl
id: scan-python-pulsarctl-runner
uses: aquasecurity/trivy-action@master
with:
image-ref: 'pulsar-functions-pulsarctl-python-runner:latest'
format: 'template'
template: '@/contrib/sarif.tpl'
output: 'trivy-results-python.sarif'
severity: 'LOW,MEDIUM,HIGH,CRITICAL'
exit-code: '0'

- name: Run Trivy vulnerability scanner for go with pulsarctl
id: scan-go-pulsarctl-runner
uses: aquasecurity/trivy-action@master
with:
image-ref: 'pulsar-functions-pulsarctl-go-runner:latest'
format: 'template'
exit-code: '0'
template: '@/contrib/sarif.tpl'
output: 'trivy-results-pulsarctl.sarif'
severity: 'LOW,MEDIUM,HIGH,CRITICAL'

- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: 'trivy-results.sarif'
category: 'Default'

- name: Upload Trivy go scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: 'trivy-results-go.sarif'
category: 'Golang'

- name: Upload Trivy pulsarctl scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: 'trivy-results-pulsarctl.sarif'
category: 'Pulsarctl'

- name: Upload Trivy python scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: 'trivy-results-python.sarif'
category: 'Python'
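Review bot: The job-level `permissions:` under `build` (only `pull-requests: write` and `issues: write`) replaces the workflow-level block, so this job is never granted `security-events: write` and the four `upload-sarif` steps at the end should fail with a permission error even on the scheduled run; either delete the job-level block or list `security-events: write` there, and since no visible step comments on PRs or opens issues, the job only needs `contents: read` and `security-events: write`. The `on: pull_request` trigger, together with the checkout of `${{github.event.pull_request.head.repo.full_name}}` at the head SHA, also contradicts the workflow's name: every PR would build and gate the contributor's code with `exit-code: '1'` on the operator image and then attempt a SARIF upload, which fork PRs typically cannot do — presumably the reason the uploads are being removed from trivy.yml in this same commit — so keep only `schedule` (plus `workflow_dispatch` for manual runs). On the schedule path those two `with:` inputs appear to expand to empty strings, which actions/checkout should treat as the current repository and default ref; that fallback deserves a comment such as `# pull_request fields are empty on schedule; checkout then falls back to the repo's default branch`. Kubebuilder, operator-sdk and yq are fetched with curl/wget and executed without any checksum check before `make generate` and the image builds run; verify a pinned sha256 for each artifact. `aquasecurity/trivy-action@master` is a mutable ref and `actions/setup-go@v1` is long superseded; pin the action to a release SHA and move to a current setup-go major.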
