From 834ef5658bbfb26e6b45c35b8075e50c30595e02 Mon Sep 17 00:00:00 2001
From: Benjamin Nelson
Date: Thu, 16 May 2024 14:13:50 -0500
Subject: [PATCH] Add scheduled job and revert pr scan changes
---
.github/workflows/trivy.yml | 52 +-----
.github/workflows/trivy_scheduled_master.yml | 166 +++++++++++++++++++
2 files changed, 171 insertions(+), 47 deletions(-)
create mode 100644 .github/workflows/trivy_scheduled_master.yml
diff --git a/.github/workflows/trivy.yml b/.github/workflows/trivy.yml
index beed741f..91aba468 100644
--- a/.github/workflows/trivy.yml
+++ b/.github/workflows/trivy.yml
@@ -15,12 +15,6 @@ on: permissions: pull-requests: write issues: write - # For Trivy uploads to Github Security tab - # required for all workflows - security-events: write - # only required for workflows in private repositories - actions: read - contents: read jobs: build:
@@ -100,10 +94,7 @@ jobs: uses: aquasecurity/trivy-action@master with: image-ref: 'pulsar-functions-go-runner:latest' - format: 'template' - template: '@/contrib/sarif.tpl' - output: 'trivy-results-go.sarif' - severity: 'LOW,MEDIUM,HIGH,CRITICAL' + format: 'table' exit-code: '0' - name: Run Trivy vulnerability scanner for java with pulsarctl
@@ -111,10 +102,7 @@ jobs: uses: aquasecurity/trivy-action@master with: image-ref: 'pulsar-functions-pulsarctl-java-runner:latest' - format: 'template' - template: '@/contrib/sarif.tpl' - output: 'trivy-results.sarif' - severity: 'LOW,MEDIUM,HIGH,CRITICAL' + format: 'table' exit-code: '0' - name: Run Trivy vulnerability scanner for python with pulsarctl
@@ -122,10 +110,7 @@ jobs: uses: aquasecurity/trivy-action@master with: image-ref: 'pulsar-functions-pulsarctl-python-runner:latest' - format: 'template' - template: '@/contrib/sarif.tpl' - output: 'trivy-results-python.sarif' - severity: 'LOW,MEDIUM,HIGH,CRITICAL' + format: 'table' exit-code: '0' - name: Run Trivy vulnerability scanner for go with pulsarctl
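Review bot: The first hunk drops `contents: read` (together with `actions: read` and `security-events: write`) from the workflow-level `permissions:` block, and because any scope not listed in a `permissions:` block becomes `none`, whether `actions/checkout` in the `build` job still receives a token that can read the repository now depends on the job-level block, which lies outside this hunk. If that block does not grant it, keep `contents: read` next to `pull-requests: write` and `issues: write` here. Dropping `security-events: write` is consistent with the SARIF upload steps being removed in the last hunk of this file. The other three hunks only switch the runner scans to `format: 'table'` while `exit-code: '0'` stays, so their findings land in the job log and cannot fail the PR check, which appears to be the intent of the revert.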
@@ -133,32 +118,5 @@ jobs: uses: aquasecurity/trivy-action@master with: image-ref: 'pulsar-functions-pulsarctl-go-runner:latest' - format: 'template' - exit-code: '0' - template: '@/contrib/sarif.tpl' - output: 'trivy-results-pulsarctl.sarif' - severity: 'LOW,MEDIUM,HIGH,CRITICAL' - - - name: Upload Trivy scan results to GitHub Security tab - uses: github/codeql-action/upload-sarif@v2 - with: - sarif_file: 'trivy-results.sarif' - category: 'Default' - - - name: Upload Trivy go scan results to GitHub Security tab - uses: github/codeql-action/upload-sarif@v2 - with: - sarif_file: 'trivy-results-go.sarif' - category: 'Golang' - - - name: Upload Trivy pulsarctl scan results to GitHub Security tab - uses: github/codeql-action/upload-sarif@v2 - with: - sarif_file: 'trivy-results-pulsarctl.sarif' - category: 'Pulsarctl' - - - name: Upload Trivy python scan results to GitHub Security tab - uses: github/codeql-action/upload-sarif@v2 - with: - sarif_file: 'trivy-results-python.sarif' - category: 'Python'
\ No newline at end of file
+ format: 'table'
+ exit-code: '0'
\ No newline at end of file
diff --git a/.github/workflows/trivy_scheduled_master.yml b/.github/workflows/trivy_scheduled_master.yml
new file mode 100644
index 00000000..284e23a4
--- /dev/null
+++ b/.github/workflows/trivy_scheduled_master.yml
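Review bot: The new last line of trivy.yml, `exit-code: '0'`, is still written without a trailing newline (the `\ No newline at end of file` marker follows the added line), which yamllint reports as `new-line-at-end-of-file`. The old side had the same defect, but since this hunk rewrites that final line it is the natural place to terminate the file with a newline. With the four `upload-sarif` steps gone, PR scans of the pulsarctl go runner no longer reach the Security tab; that appears to be deliberately delegated to the new scheduled workflow.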
@@ -0,0 +1,166 @@ +name: Scheduled master branch scan security vulnerabilities +on: + pull_request: + branches: + - 'master' + paths-ignore: + - 'docs/**' + - 'README.md' + - 'CHANGELOG.md' + - 'PROJECT' + - 'LICENSE' + - 'mesh-worker-service/README.md' + - 'tools/README.md' + schedule: + - cron: '0 0 * * *' + +permissions: + pull-requests: write + issues: write + # For Trivy uploads to Github Security tab + # required for all workflows + security-events: write + # only required for workflows in private repositories + actions: read + contents: read + +jobs: + build: + name: Scan + permissions: + pull-requests: write + issues: write + runs-on: ubuntu-latest + steps: + - name: Checkout + uses: actions/checkout@v3 + with: + fetch-depth: 0 + repository: ${{github.event.pull_request.head.repo.full_name}} + ref: ${{ github.event.pull_request.head.sha }} + + - name: Set up GO 1.22.3 + uses: actions/setup-go@v1 + with: + go-version: 1.22.3 + id: go + + - name: InstallKubebuilder + run: | + curl -L https://github.com/kubernetes-sigs/kubebuilder/releases/download/v2.3.1/kubebuilder_2.3.1_linux_amd64.tar.gz | tar -xz -C /tmp/ + sudo mv /tmp/kubebuilder_2.3.1_linux_amd64 /usr/local/kubebuilder + export PATH=$PATH:/usr/local/kubebuilder/bin + + - name: Install operator-sdk + run: | + RELEASE_VERSION=v1.14.0 + curl -LO "https://github.com/operator-framework/operator-sdk/releases/download/${RELEASE_VERSION}/operator-sdk_linux_amd64" + chmod +x operator-sdk_linux_amd64 && sudo mkdir -p /usr/local/bin/ && sudo mv operator-sdk_linux_amd64 /usr/local/bin/operator-sdk + + - name: Set up yq + run: | + sudo wget https://github.com/mikefarah/yq/releases/download/v4.30.4/yq_linux_amd64 -O /usr/bin/yq + sudo chmod +x /usr/bin/yq + yq --help + + - name: Build operator image + run: | + make generate + make helm-crds + image="function-mesh-operator:latest" + IMG=${image} make docker-build-skip-test + + - name: Run Trivy vulnerability scanner + uses: aquasecurity/trivy-action@master + with: + 
image-ref: 'function-mesh-operator:latest' + format: 'table' + exit-code: '1' + + - name: Build runner images + run: | + PULSAR_IMAGE_TAG=3.2.2.6 PULSAR_IMAGE=streamnative/sn-platform KIND_PUSH=false images/build.sh + + - name: Run Trivy vulnerability scanner for java + id: scan-java-runner + uses: aquasecurity/trivy-action@master + with: + image-ref: 'pulsar-functions-java-runner:latest' + format: 'table' + exit-code: '0' + + - name: Run Trivy vulnerability scanner for python + id: scan-python-runner + uses: aquasecurity/trivy-action@master + with: + image-ref: 'pulsar-functions-python-runner:latest' + format: 'table' + exit-code: '0' + + - name: Run Trivy vulnerability scanner for go + id: scan-go-runner + uses: aquasecurity/trivy-action@master + with: + image-ref: 'pulsar-functions-go-runner:latest' + format: 'template' + template: '@/contrib/sarif.tpl' + output: 'trivy-results-go.sarif' + severity: 'LOW,MEDIUM,HIGH,CRITICAL' + exit-code: '0' + + - name: Run Trivy vulnerability scanner for java with pulsarctl + id: scan-java-pulsarctl-runner + uses: aquasecurity/trivy-action@master + with: + image-ref: 'pulsar-functions-pulsarctl-java-runner:latest' + format: 'template' + template: '@/contrib/sarif.tpl' + output: 'trivy-results.sarif' + severity: 'LOW,MEDIUM,HIGH,CRITICAL' + exit-code: '0' + + - name: Run Trivy vulnerability scanner for python with pulsarctl + id: scan-python-pulsarctl-runner + uses: aquasecurity/trivy-action@master + with: + image-ref: 'pulsar-functions-pulsarctl-python-runner:latest' + format: 'template' + template: '@/contrib/sarif.tpl' + output: 'trivy-results-python.sarif' + severity: 'LOW,MEDIUM,HIGH,CRITICAL' + exit-code: '0' + + - name: Run Trivy vulnerability scanner for go with pulsarctl + id: scan-go-pulsarctl-runner + uses: aquasecurity/trivy-action@master + with: + image-ref: 'pulsar-functions-pulsarctl-go-runner:latest' + format: 'template' + exit-code: '0' + template: '@/contrib/sarif.tpl' + output: 'trivy-results-pulsarctl.sarif' 
+ severity: 'LOW,MEDIUM,HIGH,CRITICAL' + + - name: Upload Trivy scan results to GitHub Security tab + uses: github/codeql-action/upload-sarif@v2 + with: + sarif_file: 'trivy-results.sarif' + category: 'Default' + + - name: Upload Trivy go scan results to GitHub Security tab + uses: github/codeql-action/upload-sarif@v2 + with: + sarif_file: 'trivy-results-go.sarif' + category: 'Golang' + + - name: Upload Trivy pulsarctl scan results to GitHub Security tab + uses: github/codeql-action/upload-sarif@v2 + with: + sarif_file: 'trivy-results-pulsarctl.sarif' + category: 'Pulsarctl' + + - name: Upload Trivy python scan results to GitHub Security tab + uses: github/codeql-action/upload-sarif@v2 + with: + sarif_file: 'trivy-results-python.sarif' + category: 'Python' \ No newline at end of file
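Review bot: The job-level `permissions:` block under `build` (`pull-requests: write`, `issues: write`) replaces the workflow-level block rather than adding to it, so the `security-events: write`, `actions: read` and `contents: read` granted at the top of the file are not in effect for this job, and the four `github/codeql-action/upload-sarif@v2` steps at the end of the hunk, which need `security-events: write`, would be rejected with the token as granted. Either delete the job-level block or extend it, e.g. add `security-events: write` and `contents: read` under the job's `permissions:`. The file also keeps a `pull_request:` trigger although it is named as a scheduled master scan; on a `schedule` run `${{github.event.pull_request.head.repo.full_name}}` and `${{ github.event.pull_request.head.sha }}` in the `Checkout` step evaluate to empty strings, which actions/checkout presumably treats as its defaults but which is worth confirming or guarding on `github.event_name`. On the supply-chain side, `aquasecurity/trivy-action@master` tracks a mutable branch and the kubebuilder, operator-sdk and yq steps download and execute binaries without any checksum verification; pinning the action to a release tag or commit SHA and checking a known digest before `chmod +x` would make the scanning job itself reproducible.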