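---
# Reusable workflow: scans the published kuberpult service images with trivy.
# Invoked via `workflow_call`; the `trigger` input selects which image tag
# (pr-<version> or main-<version>) is checked for and scanned.
name: "Kuberpult Vulnerability Scanning"

on:
  workflow_call:
    inputs:
      trigger:
        required: true
        type: string
        description: 'The trigger which calls the workflow, one of [pull-request, main, tag]'

# Least privilege: nothing below writes to the repository, so cap the token
# at read. A caller can only grant this workflow fewer permissions, never more.
permissions:
  contents: read

jobs:
  trivy:
    runs-on: ubuntu-latest
    env:
      IMAGE_REGISTRY: europe-west3-docker.pkg.dev/fdc-public-docker-registry/kuberpult
      # Pass the input to the shell through the environment rather than
      # interpolating `${{ inputs.trigger }}` into `run:` text: the value is
      # then data to bash instead of script source, and it stays quotable.
      TRIGGER: ${{ inputs.trigger }}
    steps:
      - name: Checkout repository
        # NOTE(review): actions are pinned to moving tags (@v4, @v1). Pinning to
        # a full commit SHA with the tag as a trailing comment makes the step
        # immutable against a re-pointed tag; SHAs intentionally not invented here.
        uses: actions/checkout@v4
        with:
          # Full history is presumably required by `make version` below —
          # confirm against the Makefile before reducing it.
          fetch-depth: 0
      - name: Install earthly
        uses: earthly/actions-setup@v1
        with:
          version: v0.8.13
      - name: Setup Image tag
        if: inputs.trigger == 'pull-request' || inputs.trigger == 'main'
        # Exports IMAGE_TAG_KUBERPULT for the later steps. The `if:` above
        # already restricts the trigger, so no default branch is needed.
        run: |
          set -euo pipefail
          case "$TRIGGER" in
            pull-request) echo "IMAGE_TAG_KUBERPULT=pr-$(make version)" >> "$GITHUB_ENV" ;;
            main)         echo "IMAGE_TAG_KUBERPULT=main-$(make version)" >> "$GITHUB_ENV" ;;
          esac
      - name: Check if tag exists
        if: inputs.trigger == 'pull-request' || inputs.trigger == 'main'
        # Fail fast when any of the three service images is missing for the
        # computed tag, so the scan does not run against a partial set.
        run: |
          set -euo pipefail
          # $1: image name infix (kuberpult-$1-service), $2: label used in the message
          check_image() {
            if ! docker manifest inspect "${IMAGE_REGISTRY}/kuberpult-$1-service:${IMAGE_TAG_KUBERPULT}" > /dev/null; then
              echo "No valid images found in the registry for the $2 service"
              exit 1
            fi
          }
          check_image cd backend
          check_image frontend frontend
          check_image rollout rollout
      - name: Run trivy scan
        # For the `tag` trigger IMAGE_TAG_KUBERPULT is never set here, so the
        # version argument is passed empty — presumably the earthly target
        # derives the tag itself in that case; confirm in trivy/Earthfile.
        run: |
          set -euo pipefail
          cd trivy
          earthly +scan-all --kuberpult_version="${IMAGE_TAG_KUBERPULT:-}" --trigger="$TRIGGER"
      - name: Archive reports
        uses: actions/upload-artifact@v4
        with:
          name: vulnerability-report
          path: trivy/kuberpult*.tar.gz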