Scan Antrea Docker image for vulnerabilities every day #578
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Scan Antrea Docker image for vulnerabilities every day | |
on: | |
schedule: | |
# every day at 10am | |
- cron: '0 10 * * *' | |
workflow_dispatch: | |
inputs: | |
# This is useful for testing an arbitrary released version of Antrea. | |
# If left unset, we will use the latest release (obtained using the Github API). | |
antrea-version: | |
description: 'The released Antrea version to scan' | |
type: string | |
required: false | |
no-cache: | |
description: 'Do not use a cached Trivy DB' | |
type: boolean | |
default: false | |
jobs: | |
build: | |
if: github.repository == 'antrea-io/antrea' | |
runs-on: ubuntu-latest | |
steps: | |
- name: Find greatest Antrea version | |
id: find-antrea-greatest-version | |
env: | |
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
run: | | |
VERSION=${{ inputs.antrea-version }} | |
if [ -z "$VERSION" ]; then | |
VERSION=$(gh api /repos/antrea-io/antrea/releases/latest --jq '.tag_name') | |
fi | |
echo "antrea_version=$VERSION" >> $GITHUB_OUTPUT | |
- name: Pull Antrea Docker images | |
id: pull | |
run: | | |
docker pull antrea/antrea-agent-ubuntu:latest | |
docker pull antrea/antrea-agent-ubuntu:${{ steps.find-antrea-greatest-version.outputs.antrea_version }} | |
docker pull antrea/antrea-controller-ubuntu:latest | |
docker pull antrea/antrea-controller-ubuntu:${{ steps.find-antrea-greatest-version.outputs.antrea_version }} | |
- name: Install Trivy | |
uses: aquasecurity/setup-trivy@v0.2.2 | |
- name: Get current UTC date | |
id: date | |
run: echo "date=$(date -u +'%Y-%m-%d')" >> $GITHUB_OUTPUT | |
- name: Restore Trivy DB cache | |
if: ${{ !inputs.no-cache }} | |
id: restore-db-cache | |
uses: actions/cache/restore@v4 | |
with: | |
path: ${{ github.workspace }}/.cache/trivy | |
key: cache-trivy-db-${{ steps.date.outputs.date }} | |
restore-keys: cache-trivy-db- | |
- name: Download Trivy DB | |
# We download the DB at most once a day, when there is no cache hit. | |
if: ${{ inputs.no-cache || steps.restore-db-cache.outputs.cache-hit != 'true' }} | |
# Try downloading the vulnerability DB up to 5 times, to account for TOOMANYREQUESTS errors. | |
# Need to specify the correct location for the download (using --cache-dir), so that | |
# aquasecurity/trivy-action can find it. | |
run: | | |
for i in {1..5}; do trivy image --download-db-only --cache-dir $GITHUB_WORKSPACE/.cache/trivy && break || sleep 1; done | |
- name: Save Trivy DB cache | |
if: ${{ !inputs.no-cache && steps.restore-db-cache.outputs.cache-hit != 'true' }} | |
uses: actions/cache/save@v4 | |
with: | |
path: ${{ github.workspace }}/.cache/trivy | |
key: ${{ steps.restore-db-cache.outputs.cache-primary-key }} | |
- name: Run Trivy vulnerability scanner on latest antrea-agent Docker image | |
if: ${{ always() && steps.pull.conclusion == 'success' }} | |
uses: aquasecurity/trivy-action@0.29.0 | |
# we cannot use .trivy.yml as we need to override some config parameters | |
# and that is not supported by aquasecurity/trivy-action | |
with: | |
scan-type: 'image' | |
image-ref: 'antrea/antrea-agent-ubuntu:latest' | |
exit-code: '1' | |
ignore-unfixed: true | |
severity: 'CRITICAL,HIGH' | |
format: 'table' | |
output: 'trivy.agent.latest.txt' | |
skip-setup-trivy: true | |
# Skip caching, as we do it manually when we download the DB in the previous step. | |
cache: 'false' | |
env: | |
TRIVY_SKIP_DB_UPDATE: true | |
TRIVY_SKIP_JAVA_DB_UPDATE: true | |
- name: Run Trivy vulnerability scanner on latest antrea-controller Docker image | |
if: ${{ always() && steps.pull.conclusion == 'success' }} | |
uses: aquasecurity/trivy-action@0.29.0 | |
# we cannot use .trivy.yml as we need to override some config parameters | |
# and that is not supported by aquasecurity/trivy-action | |
with: | |
scan-type: 'image' | |
image-ref: 'antrea/antrea-controller-ubuntu:latest' | |
exit-code: '1' | |
ignore-unfixed: true | |
severity: 'CRITICAL,HIGH' | |
format: 'table' | |
output: 'trivy.controller.latest.txt' | |
skip-setup-trivy: true | |
cache: 'false' | |
env: | |
TRIVY_SKIP_DB_UPDATE: true | |
TRIVY_SKIP_JAVA_DB_UPDATE: true | |
- name: Run Trivy vulnerability scanner on antrea-agent Docker image for latest released version | |
if: ${{ always() && steps.pull.conclusion == 'success' }} | |
uses: aquasecurity/trivy-action@0.29.0 | |
with: | |
scan-type: 'image' | |
image-ref: 'antrea/antrea-agent-ubuntu:${{ steps.find-antrea-greatest-version.outputs.antrea_version }}' | |
exit-code: '1' | |
ignore-unfixed: true | |
severity: 'CRITICAL,HIGH' | |
format: 'table' | |
output: 'trivy.agent.${{ steps.find-antrea-greatest-version.outputs.antrea_version }}.txt' | |
skip-setup-trivy: true | |
cache: 'false' | |
env: | |
TRIVY_SKIP_DB_UPDATE: true | |
TRIVY_SKIP_JAVA_DB_UPDATE: true | |
- name: Run Trivy vulnerability scanner on antrea-controller Docker image for latest released version | |
if: ${{ always() && steps.pull.conclusion == 'success' }} | |
uses: aquasecurity/trivy-action@0.29.0 | |
with: | |
scan-type: 'image' | |
image-ref: 'antrea/antrea-controller-ubuntu:${{ steps.find-antrea-greatest-version.outputs.antrea_version }}' | |
exit-code: '1' | |
ignore-unfixed: true | |
severity: 'CRITICAL,HIGH' | |
format: 'table' | |
output: 'trivy.controller.${{ steps.find-antrea-greatest-version.outputs.antrea_version }}.txt' | |
skip-setup-trivy: true | |
cache: 'false' | |
env: | |
TRIVY_SKIP_DB_UPDATE: true | |
TRIVY_SKIP_JAVA_DB_UPDATE: true | |
- name: Upload Trivy scan reports | |
if: ${{ always() && steps.pull.conclusion == 'success' }} | |
uses: actions/upload-artifact@v4 | |
with: | |
name: trivy-scan-reports | |
path: trivy.*.txt | |
retention-days: 90 # max value | |
skip: | |
if: github.repository != 'antrea-io/antrea' | |
runs-on: ubuntu-latest | |
steps: | |
- name: Skip | |
run: | | |
echo "Skipping image scan because workflow cannot be run from fork" |