add image scanning on pull_request

Signed-off-by: zhzhuang-zju <m17799853869@163.com>
karmada-io · Jan 4, 2024 · bcf2824 · bcf2824
1 parent 6128367
commit bcf2824
Showing 1 changed file with 45 additions and 0 deletions.
diff --git a/.github/workflows/ci-image-scanning-on-pull-request.yaml b/.github/workflows/ci-image-scanning-on-pull-request.yaml
@@ -0,0 +1,45 @@
+name: image-scanning-on-pull-request
+on:
+  pull_request:
+jobs:
+  use-trivy-to-scan-image:
+    name: image scannning
+    # prevent job running from forked repository
+    if: ${{ github.repository == 'karmada-io/karmada' }}
+    runs-on: ubuntu-22.04
+    steps:
+      - name: checkout code
+        uses: actions/checkout@v3
+      - name: install Go
+        uses: actions/setup-go@v3
+        with:
+          go-version: 1.20.11
+      - name: Build images from Dockerfile
+        run: |
+          export VERSION="latest"
+          export REGISTRY="docker.io/karmada"
+          make images GOOS="linux" --directory=.
+      - name: download Trivy vulnerability scanner
+        run: |
+          curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin v0.48.1
+      - name: Image scan
+        run: |
+          IMAGE_ARRAR=(
+            karmada-controller-manager
+            karmada-scheduler
+            karmada-descheduler
+            karmada-webhook
+            karmada-agent
+            karmada-scheduler-estimator
+            karmada-interpreter-webhook-example
+            karmada-aggregated-apiserver
+            karmada-search
+            karmada-operator
+            karmada-metrics-adapter
+          )
+          for image in ${IMAGE_ARRAR[@]}
+          do
+            echo "========== Scan results of image $image =========="
+            imageRef="$REGISTRY/$image:$VERSION"
+            trivy image --format table --ignore-unfixed --vuln-type os,library -q --severity  UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL $imageRef)
+          done