scan #142
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: scan | |
| on: | |
| workflow_dispatch: | |
| schedule: | |
| - cron: '00 3 * * 1-5' # every weekday at 3am UTC | |
| permissions: | |
| contents: read | |
| env: | |
| REGISTRY: docker.io | |
| jobs: | |
| get-image-version: | |
| runs-on: ubuntu-latest | |
| permissions: | |
| contents: read | |
| outputs: | |
| sc: ${{ steps.version.outputs.sc }} | |
| kc: ${{ steps.version.outputs.kc }} | |
| hc: ${{ steps.version.outputs.hc }} | |
| nc: ${{ steps.version.outputs.nc }} | |
| irc: ${{ steps.version.outputs.irc }} | |
| iac: ${{ steps.version.outputs.iac }} | |
| flux2: ${{ steps.version.outputs.flux2 }} | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v4 | |
| - name: Get image version | |
| id: version | |
| run: | | |
| LATEST=$(curl -fsSL -H "Authorization: token ${{ secrets.WEAVE_ASSURED_GHCR_BOT_TOKEN }}" https://api.github.com/repos/weaveworks/weave-assured-flux/releases/latest | grep tag_name | cut -d '"' -f 4) | |
| if [[ -z "$LATEST" ]]; then | |
| echo "Unable to determine Weave Assured Flux version" | |
| exit 1 | |
| fi | |
| oras pull ghcr.io/weaveworks/flux-images-digests:$LATEST | |
| source ./ghcr.io/flux-system/image_digests | |
| echo "sc=${SOURCE_CONTROLLER_IMAGE_DIGEST}" >> $GITHUB_OUTPUT | |
| echo "kc=${KUSTOMIZE_CONTROLLER_IMAGE_DIGEST}" >> $GITHUB_OUTPUT | |
| echo "hc=${HELM_CONTROLLER_IMAGE_DIGEST}" >> $GITHUB_OUTPUT | |
| echo "nc=${NOTIFICATION_CONTROLLER_IMAGE_DIGEST}" >> $GITHUB_OUTPUT | |
| echo "irc=${IMAGE_REFLECTOR_CONTROLLER_IMAGE_DIGEST}" >> $GITHUB_OUTPUT | |
| echo "iac=${IMAGE_AUTOMATION_CONTROLLER_IMAGE_DIGEST}" >> $GITHUB_OUTPUT | |
| echo "flux2=${FLUX_CLI_IMAGE_DIGEST}" >> $GITHUB_OUTPUT | |
| scan-trivy: | |
| runs-on: ubuntu-latest | |
| needs: get-image-version | |
| steps: | |
| - name: Scan source-controller image | |
| uses: aquasecurity/trivy-action@master | |
| with: | |
| image-ref: 'ghcr.io/weaveworks/source-controller@${{ needs.get-image-version.outputs.sc }}' | |
| format: 'table' | |
| exit-code: '1' | |
| ignore-unfixed: true | |
| vuln-type: 'os,library' | |
| severity: 'CRITICAL,HIGH' | |
| - name: Scan kustomize-controller image | |
| uses: aquasecurity/trivy-action@master | |
| with: | |
| image-ref: 'ghcr.io/weaveworks/kustomize-controller@${{ needs.get-image-version.outputs.kc }}' | |
| format: 'table' | |
| exit-code: '1' | |
| ignore-unfixed: true | |
| vuln-type: 'os,library' | |
| severity: 'CRITICAL,HIGH' | |
| - name: Scan helm-controller image | |
| uses: aquasecurity/trivy-action@master | |
| with: | |
| image-ref: 'ghcr.io/weaveworks/helm-controller@${{ needs.get-image-version.outputs.hc }}' | |
| format: 'table' | |
| exit-code: '1' | |
| ignore-unfixed: true | |
| vuln-type: 'os,library' | |
| severity: 'CRITICAL,HIGH' | |
| - name: Scan notification-controller image | |
| uses: aquasecurity/trivy-action@master | |
| with: | |
| image-ref: 'ghcr.io/weaveworks/notification-controller@${{ needs.get-image-version.outputs.nc }}' | |
| format: 'table' | |
| exit-code: '1' | |
| ignore-unfixed: true | |
| vuln-type: 'os,library' | |
| severity: 'CRITICAL,HIGH' | |
| - name: Scan image-reflector-controller image | |
| uses: aquasecurity/trivy-action@master | |
| with: | |
| image-ref: 'ghcr.io/weaveworks/image-reflector-controller@${{ needs.get-image-version.outputs.irc }}' | |
| format: 'table' | |
| exit-code: '1' | |
| ignore-unfixed: true | |
| vuln-type: 'os,library' | |
| severity: 'CRITICAL,HIGH' | |
| - name: Scan image-automation-controller image | |
| uses: aquasecurity/trivy-action@master | |
| with: | |
| image-ref: 'ghcr.io/weaveworks/image-automation-controller@${{ needs.get-image-version.outputs.iac }}' | |
| format: 'table' | |
| exit-code: '1' | |
| ignore-unfixed: true | |
| vuln-type: 'os,library' | |
| severity: 'CRITICAL,HIGH' | |
| - name: Scan flux2 image Trivy | |
| uses: aquasecurity/trivy-action@master | |
| with: | |
| image-ref: 'ghcr.io/weaveworks/flux-cli@${{ needs.get-image-version.outputs.flux2 }}' | |
| format: 'table' | |
| exit-code: '1' | |
| ignore-unfixed: true | |
| vuln-type: 'os,library' | |
| severity: 'CRITICAL,HIGH' | |
| scan-docker-scout: | |
| runs-on: ubuntu-latest | |
| needs: get-image-version | |
| steps: | |
| - name: Log into registry ${{ env.REGISTRY }} | |
| uses: docker/login-action@v2.1.0 | |
| with: | |
| registry: ${{ env.REGISTRY }} | |
| username: ${{ secrets.DOCKER_USER }} | |
| password: ${{ secrets.DOCKER_PASSWORD }} | |
| - name: Scan source-controller image | |
| uses: docker/scout-action@b7413c99043c2a9131c0fa39cedaece80f285788 # v1.2.2 | |
| with: | |
| command: cves | |
| image: 'ghcr.io/weaveworks/source-controller@${{ needs.get-image-version.outputs.sc }}' | |
| only-severities: critical,high | |
| exit-code: true | |
| - name: Scan kustomize-controller image | |
| uses: docker/scout-action@b7413c99043c2a9131c0fa39cedaece80f285788 # v1.2.2 | |
| with: | |
| command: cves | |
| image: 'ghcr.io/weaveworks/kustomize-controller@${{ needs.get-image-version.outputs.kc }}' | |
| only-severities: critical,high | |
| exit-code: true | |
| - name: Scan helm-controller image | |
| uses: docker/scout-action@b7413c99043c2a9131c0fa39cedaece80f285788 # v1.2.2 | |
| with: | |
| command: cves | |
| image: 'ghcr.io/weaveworks/helm-controller@${{ needs.get-image-version.outputs.hc }}' | |
| only-severities: critical,high | |
| exit-code: true | |
| - name: Scan notification-controller image | |
| uses: docker/scout-action@b7413c99043c2a9131c0fa39cedaece80f285788 # v1.2.2 | |
| with: | |
| command: cves | |
| image: 'ghcr.io/weaveworks/notification-controller@${{ needs.get-image-version.outputs.nc }}' | |
| only-severities: critical,high | |
| exit-code: true | |
| - name: Scan image-reflector-controller image | |
| uses: docker/scout-action@b7413c99043c2a9131c0fa39cedaece80f285788 # v1.2.2 | |
| with: | |
| command: cves | |
| image: 'ghcr.io/weaveworks/image-reflector-controller@${{ needs.get-image-version.outputs.irc }}' | |
| only-severities: critical,high | |
| exit-code: true | |
| - name: Scan image-automation-controller image | |
| uses: docker/scout-action@b7413c99043c2a9131c0fa39cedaece80f285788 # v1.2.2 | |
| with: | |
| command: cves | |
| image: 'ghcr.io/weaveworks/image-automation-controller@${{ needs.get-image-version.outputs.iac }}' | |
| only-severities: critical,high | |
| exit-code: true | |
| - name: Scan flux2 image | |
| uses: docker/scout-action@b7413c99043c2a9131c0fa39cedaece80f285788 # v1.2.2 | |
| with: | |
| command: cves | |
| image: 'ghcr.io/weaveworks/flux-cli@${{ needs.get-image-version.outputs.flux2 }}' | |
| only-severities: critical,high | |
| exit-code: true |