Skip to content

scan

scan #143

Workflow file for this run

name: scan
on:
workflow_dispatch:
schedule:
- cron: '00 3 * * 1-5' # every weekday at 3am UTC
permissions:
contents: read
env:
REGISTRY: docker.io
jobs:
get-image-version:
runs-on: ubuntu-latest
permissions:
contents: read
outputs:
sc: ${{ steps.version.outputs.sc }}
kc: ${{ steps.version.outputs.kc }}
hc: ${{ steps.version.outputs.hc }}
nc: ${{ steps.version.outputs.nc }}
irc: ${{ steps.version.outputs.irc }}
iac: ${{ steps.version.outputs.iac }}
flux2: ${{ steps.version.outputs.flux2 }}
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Get image version
id: version
run: |
LATEST=$(curl -fsSL -H "Authorization: token ${{ secrets.WEAVE_ASSURED_GHCR_BOT_TOKEN }}" https://api.github.com/repos/weaveworks/weave-assured-flux/releases/latest | grep tag_name | cut -d '"' -f 4)
if [[ -z "$LATEST" ]]; then
echo "Unable to determine Weave Assured Flux version"
exit 1
fi
oras pull ghcr.io/weaveworks/flux-images-digests:$LATEST
source ./ghcr.io/flux-system/image_digests
echo "sc=${SOURCE_CONTROLLER_IMAGE_DIGEST}" >> $GITHUB_OUTPUT
echo "kc=${KUSTOMIZE_CONTROLLER_IMAGE_DIGEST}" >> $GITHUB_OUTPUT
echo "hc=${HELM_CONTROLLER_IMAGE_DIGEST}" >> $GITHUB_OUTPUT
echo "nc=${NOTIFICATION_CONTROLLER_IMAGE_DIGEST}" >> $GITHUB_OUTPUT
echo "irc=${IMAGE_REFLECTOR_CONTROLLER_IMAGE_DIGEST}" >> $GITHUB_OUTPUT
echo "iac=${IMAGE_AUTOMATION_CONTROLLER_IMAGE_DIGEST}" >> $GITHUB_OUTPUT
echo "flux2=${FLUX_CLI_IMAGE_DIGEST}" >> $GITHUB_OUTPUT
scan-trivy:
runs-on: ubuntu-latest
needs: get-image-version
steps:
- name: Scan source-controller image
uses: aquasecurity/trivy-action@master
with:
image-ref: 'ghcr.io/weaveworks/source-controller@${{ needs.get-image-version.outputs.sc }}'
format: 'table'
exit-code: '1'
ignore-unfixed: true
vuln-type: 'os,library'
severity: 'CRITICAL,HIGH'
- name: Scan kustomize-controller image
uses: aquasecurity/trivy-action@master
with:
image-ref: 'ghcr.io/weaveworks/kustomize-controller@${{ needs.get-image-version.outputs.kc }}'
format: 'table'
exit-code: '1'
ignore-unfixed: true
vuln-type: 'os,library'
severity: 'CRITICAL,HIGH'
- name: Scan helm-controller image
uses: aquasecurity/trivy-action@master
with:
image-ref: 'ghcr.io/weaveworks/helm-controller@${{ needs.get-image-version.outputs.hc }}'
format: 'table'
exit-code: '1'
ignore-unfixed: true
vuln-type: 'os,library'
severity: 'CRITICAL,HIGH'
- name: Scan notification-controller image
uses: aquasecurity/trivy-action@master
with:
image-ref: 'ghcr.io/weaveworks/notification-controller@${{ needs.get-image-version.outputs.nc }}'
format: 'table'
exit-code: '1'
ignore-unfixed: true
vuln-type: 'os,library'
severity: 'CRITICAL,HIGH'
- name: Scan image-reflector-controller image
uses: aquasecurity/trivy-action@master
with:
image-ref: 'ghcr.io/weaveworks/image-reflector-controller@${{ needs.get-image-version.outputs.irc }}'
format: 'table'
exit-code: '1'
ignore-unfixed: true
vuln-type: 'os,library'
severity: 'CRITICAL,HIGH'
- name: Scan image-automation-controller image
uses: aquasecurity/trivy-action@master
with:
image-ref: 'ghcr.io/weaveworks/image-automation-controller@${{ needs.get-image-version.outputs.iac }}'
format: 'table'
exit-code: '1'
ignore-unfixed: true
vuln-type: 'os,library'
severity: 'CRITICAL,HIGH'
- name: Scan flux2 image Trivy
uses: aquasecurity/trivy-action@master
with:
image-ref: 'ghcr.io/weaveworks/flux-cli@${{ needs.get-image-version.outputs.flux2 }}'
format: 'table'
exit-code: '1'
ignore-unfixed: true
vuln-type: 'os,library'
severity: 'CRITICAL,HIGH'
scan-docker-scout:
runs-on: ubuntu-latest
needs: get-image-version
steps:
- name: Log into registry ${{ env.REGISTRY }}
uses: docker/login-action@v2.1.0
with:
registry: ${{ env.REGISTRY }}
username: ${{ secrets.DOCKER_USER }}
password: ${{ secrets.DOCKER_PASSWORD }}
- name: Scan source-controller image
uses: docker/scout-action@b7413c99043c2a9131c0fa39cedaece80f285788 # v1.2.2
with:
command: cves
image: 'ghcr.io/weaveworks/source-controller@${{ needs.get-image-version.outputs.sc }}'
only-severities: critical,high
exit-code: true
- name: Scan kustomize-controller image
uses: docker/scout-action@b7413c99043c2a9131c0fa39cedaece80f285788 # v1.2.2
with:
command: cves
image: 'ghcr.io/weaveworks/kustomize-controller@${{ needs.get-image-version.outputs.kc }}'
only-severities: critical,high
exit-code: true
- name: Scan helm-controller image
uses: docker/scout-action@b7413c99043c2a9131c0fa39cedaece80f285788 # v1.2.2
with:
command: cves
image: 'ghcr.io/weaveworks/helm-controller@${{ needs.get-image-version.outputs.hc }}'
only-severities: critical,high
exit-code: true
- name: Scan notification-controller image
uses: docker/scout-action@b7413c99043c2a9131c0fa39cedaece80f285788 # v1.2.2
with:
command: cves
image: 'ghcr.io/weaveworks/notification-controller@${{ needs.get-image-version.outputs.nc }}'
only-severities: critical,high
exit-code: true
- name: Scan image-reflector-controller image
uses: docker/scout-action@b7413c99043c2a9131c0fa39cedaece80f285788 # v1.2.2
with:
command: cves
image: 'ghcr.io/weaveworks/image-reflector-controller@${{ needs.get-image-version.outputs.irc }}'
only-severities: critical,high
exit-code: true
- name: Scan image-automation-controller image
uses: docker/scout-action@b7413c99043c2a9131c0fa39cedaece80f285788 # v1.2.2
with:
command: cves
image: 'ghcr.io/weaveworks/image-automation-controller@${{ needs.get-image-version.outputs.iac }}'
only-severities: critical,high
exit-code: true
- name: Scan flux2 image
uses: docker/scout-action@b7413c99043c2a9131c0fa39cedaece80f285788 # v1.2.2
with:
command: cves
image: 'ghcr.io/weaveworks/flux-cli@${{ needs.get-image-version.outputs.flux2 }}'
only-severities: critical,high
exit-code: true