Skip to content

Scan Antrea Docker image for vulnerabilities every day #637

Scan Antrea Docker image for vulnerabilities every day

Scan Antrea Docker image for vulnerabilities every day #637

Workflow file for this run

name: Scan Antrea Docker image for vulnerabilities every day
on:
schedule:
# every day at 10am
- cron: '0 10 * * *'
workflow_dispatch:
inputs:
# This is useful for testing an arbitrary released version of Antrea.
# If left unset, we will use the latest release (obtained using the Github API).
antrea-version:
description: 'The released Antrea version to scan'
type: string
required: false
jobs:
build:
if: github.repository == 'antrea-io/antrea'
runs-on: ubuntu-latest
steps:
- name: Find greatest Antrea version
id: find-antrea-greatest-version
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
VERSION=${{ inputs.antrea-version }}
if [ -z "$VERSION" ]; then
VERSION=$(gh api /repos/antrea-io/antrea/releases/latest --jq '.tag_name')
fi
echo "antrea_version=$VERSION" >> $GITHUB_OUTPUT
- name: Pull Antrea Docker images
id: pull
run: |
docker pull antrea/antrea-agent-ubuntu:latest
docker pull antrea/antrea-agent-ubuntu:${{ steps.find-antrea-greatest-version.outputs.antrea_version }}
docker pull antrea/antrea-controller-ubuntu:latest
docker pull antrea/antrea-controller-ubuntu:${{ steps.find-antrea-greatest-version.outputs.antrea_version }}
- name: Run Trivy vulnerability scanner on latest antrea-agent Docker image
if: ${{ always() && steps.pull.conclusion == 'success' }}
uses: aquasecurity/trivy-action@0.28.0
# we cannot use .trivy.yml as we need to override some config parameters
# and that is not supported by aquasecurity/trivy-action
with:
scan-type: 'image'
image-ref: 'antrea/antrea-agent-ubuntu:latest'
exit-code: '1'
ignore-unfixed: true
severity: 'CRITICAL,HIGH'
format: 'table'
output: 'trivy.agent.latest.txt'
- name: Run Trivy vulnerability scanner on latest antrea-controller Docker image
if: ${{ always() && steps.pull.conclusion == 'success' }}
uses: aquasecurity/trivy-action@0.28.0
# we cannot use .trivy.yml as we need to override some config parameters
# and that is not supported by aquasecurity/trivy-action
with:
scan-type: 'image'
image-ref: 'antrea/antrea-controller-ubuntu:latest'
exit-code: '1'
ignore-unfixed: true
severity: 'CRITICAL,HIGH'
format: 'table'
output: 'trivy.controller.latest.txt'
- name: Run Trivy vulnerability scanner on antrea-agent Docker image for latest released version
if: ${{ always() && steps.pull.conclusion == 'success' }}
uses: aquasecurity/trivy-action@0.28.0
with:
scan-type: 'image'
image-ref: 'antrea/antrea-agent-ubuntu:${{ steps.find-antrea-greatest-version.outputs.antrea_version }}'
exit-code: '1'
ignore-unfixed: true
severity: 'CRITICAL,HIGH'
format: 'table'
output: 'trivy.agent.${{ steps.find-antrea-greatest-version.outputs.antrea_version }}.txt'
- name: Run Trivy vulnerability scanner on antrea-controller Docker image for latest released version
if: ${{ always() && steps.pull.conclusion == 'success' }}
uses: aquasecurity/trivy-action@0.28.0
with:
scan-type: 'image'
image-ref: 'antrea/antrea-controller-ubuntu:${{ steps.find-antrea-greatest-version.outputs.antrea_version }}'
exit-code: '1'
ignore-unfixed: true
severity: 'CRITICAL,HIGH'
format: 'table'
output: 'trivy.controller.${{ steps.find-antrea-greatest-version.outputs.antrea_version }}.txt'
- name: Upload Trivy scan reports
if: ${{ always() && steps.pull.conclusion == 'success' }}
uses: actions/upload-artifact@v4
with:
name: trivy-scan-reports
path: trivy.*.txt
retention-days: 90 # max value
skip:
if: github.repository != 'antrea-io/antrea'
runs-on: ubuntu-latest
steps:
- name: Skip
run: |
echo "Skipping image scan because workflow cannot be run from fork"