Skip to content

add image scanning on pull_request #1

add image scanning on pull_request

add image scanning on pull_request #1

name: image-scanning-on-pull-request
on:
pull_request:
jobs:
use-trivy-to-scan-image:
name: image scannning
# prevent job running from forked repository
if: ${{ github.repository == 'karmada-io/karmada' }}
runs-on: ubuntu-22.04
steps:
- name: checkout code
uses: actions/checkout@v3
- name: install Go
uses: actions/setup-go@v3
with:
go-version: 1.20.11
- name: Build images from Dockerfile
run: |
export VERSION="latest"
export REGISTRY="docker.io/karmada"
make images GOOS="linux" --directory=.
- name: download Trivy vulnerability scanner
run: |
curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin v0.48.1
- name: Image scan
run: |
IMAGE_ARRAR=(
karmada-controller-manager
karmada-scheduler
karmada-descheduler
karmada-webhook
karmada-agent
karmada-scheduler-estimator
karmada-interpreter-webhook-example
karmada-aggregated-apiserver
karmada-search
karmada-operator
karmada-metrics-adapter
)
for image in ${IMAGE_ARRAR[@]}
do
echo "========== Scan results of image $image =========="
imageRef="$REGISTRY/$image:$VERSION"
trivy image --format table --ignore-unfixed --vuln-type os,library -q --severity UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL $imageRef)
done