scan #32

Workflow file for this run

	name: scan

	on:
	workflow_dispatch:
	schedule:
	- cron: '00 3 * * 1-5' # every weekday at 3am UTC

	permissions:
	contents: read

	env:
	REGISTRY: docker.io

	jobs:
	get-image-version:
	runs-on: ubuntu-latest
	permissions:
	contents: read
	outputs:
	sc: ${{ steps.version.outputs.sc }}
	kc: ${{ steps.version.outputs.kc }}
	hc: ${{ steps.version.outputs.hc }}
	nc: ${{ steps.version.outputs.nc }}
	irc: ${{ steps.version.outputs.irc }}
	iac: ${{ steps.version.outputs.iac }}
	flux2: ${{ steps.version.outputs.flux2 }}
	steps:
	- name: Checkout
	uses: actions/checkout@v4
	- name: Get image version
	id: version
	run: \|
	LATEST=$(curl -fsSL -H "Authorization: token ${{ secrets.WEAVE_ASSURED_GHCR_BOT_TOKEN }}" https://api.github.com/repos/weaveworks/weave-assured-flux/releases/latest \| grep tag_name \| cut -d '"' -f 4)
	if [[ -z "$LATEST" ]]; then
	echo "Unable to determine Weave Assured Flux version"
	exit 1
	fi

	oras pull ghcr.io/weaveworks/flux-images-digests:$LATEST
	source image_digests
	echo "sc=${SOURCE_CONTROLLER_IMAGE_DIGEST}" >> $GITHUB_OUTPUT
	echo "kc=${KUSTOMIZE_CONTROLLER_IMAGE_DIGEST}" >> $GITHUB_OUTPUT
	echo "hc=${HELM_CONTROLLER_IMAGE_DIGEST}" >> $GITHUB_OUTPUT
	echo "nc=${NOTIFICATION_CONTROLLER_IMAGE_DIGEST}" >> $GITHUB_OUTPUT
	echo "irc=${IMAGE_REFLECTOR_CONTROLLER_IMAGE_DIGEST}" >> $GITHUB_OUTPUT
	echo "iac=${IMAGE_AUTOMATION_CONTROLLER_IMAGE_DIGEST}" >> $GITHUB_OUTPUT
	echo "flux2=${FLUX_CLI_IMAGE_DIGEST}" >> $GITHUB_OUTPUT

	scan-trivy:
	runs-on: ubuntu-latest
	needs: get-image-version
	steps:
	- name: Scan source-controller image
	uses: aquasecurity/trivy-action@master
	with:
	image-ref: 'ghcr.io/weaveworks/source-controller@${{ needs.get-image-version.outputs.sc }}'
	format: 'table'
	exit-code: '1'
	ignore-unfixed: true
	vuln-type: 'os,library'
	severity: 'CRITICAL,HIGH'
	- name: Scan kustomize-controller image
	uses: aquasecurity/trivy-action@master
	with:
	image-ref: 'ghcr.io/weaveworks/kustomize-controller@${{ needs.get-image-version.outputs.kc }}'
	format: 'table'
	exit-code: '1'
	ignore-unfixed: true
	vuln-type: 'os,library'
	severity: 'CRITICAL,HIGH'
	- name: Scan helm-controller image
	uses: aquasecurity/trivy-action@master
	with:
	image-ref: 'ghcr.io/weaveworks/helm-controller@${{ needs.get-image-version.outputs.hc }}'
	format: 'table'
	exit-code: '1'
	ignore-unfixed: true
	vuln-type: 'os,library'
	severity: 'CRITICAL,HIGH'
	- name: Scan notification-controller image
	uses: aquasecurity/trivy-action@master
	with:
	image-ref: 'ghcr.io/weaveworks/notification-controller@${{ needs.get-image-version.outputs.nc }}'
	format: 'table'
	exit-code: '1'
	ignore-unfixed: true
	vuln-type: 'os,library'
	severity: 'CRITICAL,HIGH'
	- name: Scan image-reflector-controller image
	uses: aquasecurity/trivy-action@master
	with:
	image-ref: 'ghcr.io/weaveworks/image-reflector-controller@${{ needs.get-image-version.outputs.irc }}'
	format: 'table'
	exit-code: '1'
	ignore-unfixed: true
	vuln-type: 'os,library'
	severity: 'CRITICAL,HIGH'
	- name: Scan image-automation-controller image
	uses: aquasecurity/trivy-action@master
	with:
	image-ref: 'ghcr.io/weaveworks/image-automation-controller@${{ needs.get-image-version.outputs.iac }}'
	format: 'table'
	exit-code: '1'
	ignore-unfixed: true
	vuln-type: 'os,library'
	severity: 'CRITICAL,HIGH'
	- name: Scan flux2 image Trivy
	uses: aquasecurity/trivy-action@master
	with:
	image-ref: 'ghcr.io/weaveworks/flux-cli@${{ needs.get-image-version.outputs.flux2 }}'
	format: 'table'
	exit-code: '1'
	ignore-unfixed: true
	vuln-type: 'os,library'
	severity: 'CRITICAL,HIGH'

	scan-docker-scout:
	runs-on: ubuntu-latest
	needs: get-image-version
	steps:
	- name: Log into registry ${{ env.REGISTRY }}
	uses: docker/login-action@v2.1.0
	with:
	registry: ${{ env.REGISTRY }}
	username: ${{ secrets.DOCKER_USER }}
	password: ${{ secrets.DOCKER_PASSWORD }}
	- name: Scan source-controller image
	uses: docker/scout-action@4e9ac4df44fb56797da111fce8185f7fbffd5a09 # v1.0.9
	with:
	command: cves
	image: 'ghcr.io/weaveworks/source-controller@${{ needs.get-image-version.outputs.sc }}'
	only-severities: critical,high
	exit-code: true
	- name: Scan kustomize-controller image
	uses: docker/scout-action@4e9ac4df44fb56797da111fce8185f7fbffd5a09 # v1.0.9
	with:
	command: cves
	image: 'ghcr.io/weaveworks/kustomize-controller@${{ needs.get-image-version.outputs.kc }}'
	only-severities: critical,high
	exit-code: true
	- name: Scan helm-controller image
	uses: docker/scout-action@4e9ac4df44fb56797da111fce8185f7fbffd5a09 # v1.0.9
	with:
	command: cves
	image: 'ghcr.io/weaveworks/helm-controller@${{ needs.get-image-version.outputs.hc }}'
	only-severities: critical,high
	exit-code: true
	- name: Scan notification-controller image
	uses: docker/scout-action@4e9ac4df44fb56797da111fce8185f7fbffd5a09 # v1.0.9
	with:
	command: cves
	image: 'ghcr.io/weaveworks/notification-controller@${{ needs.get-image-version.outputs.nc }}'
	only-severities: critical,high
	exit-code: true
	- name: Scan image-reflector-controller image
	uses: docker/scout-action@4e9ac4df44fb56797da111fce8185f7fbffd5a09 # v1.0.9
	with:
	command: cves
	image: 'ghcr.io/weaveworks/image-reflector-controller@${{ needs.get-image-version.outputs.irc }}'
	only-severities: critical,high
	exit-code: true
	- name: Scan image-automation-controller image
	uses: docker/scout-action@4e9ac4df44fb56797da111fce8185f7fbffd5a09 # v1.0.9
	with:
	command: cves
	image: 'ghcr.io/weaveworks/image-automation-controller@${{ needs.get-image-version.outputs.iac }}'
	only-severities: critical,high
	exit-code: true
	- name: Scan flux2 image
	uses: docker/scout-action@4e9ac4df44fb56797da111fce8185f7fbffd5a09 # v1.0.9
	with:
	command: cves
	image: 'ghcr.io/weaveworks/flux-cli@${{ needs.get-image-version.outputs.flux2 }}'
	only-severities: critical,high
	exit-code: true

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

scan #32

Workflow file

scan #32

Jobs

Run details

Workflow file for this run