Skip to content

Scan Antrea Docker image for vulnerabilities every day #578

Scan Antrea Docker image for vulnerabilities every day

Scan Antrea Docker image for vulnerabilities every day #578

Workflow file for this run

name: Scan Antrea Docker image for vulnerabilities every day
on:
schedule:
# every day at 10am
- cron: '0 10 * * *'
workflow_dispatch:
inputs:
# This is useful for testing an arbitrary released version of Antrea.
# If left unset, we will use the latest release (obtained using the Github API).
antrea-version:
description: 'The released Antrea version to scan'
type: string
required: false
no-cache:
description: 'Do not use a cached Trivy DB'
type: boolean
default: false
jobs:
build:
if: github.repository == 'antrea-io/antrea'
runs-on: ubuntu-latest
steps:
- name: Find greatest Antrea version
id: find-antrea-greatest-version
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
VERSION=${{ inputs.antrea-version }}
if [ -z "$VERSION" ]; then
VERSION=$(gh api /repos/antrea-io/antrea/releases/latest --jq '.tag_name')
fi
echo "antrea_version=$VERSION" >> $GITHUB_OUTPUT
- name: Pull Antrea Docker images
id: pull
run: |
docker pull antrea/antrea-agent-ubuntu:latest
docker pull antrea/antrea-agent-ubuntu:${{ steps.find-antrea-greatest-version.outputs.antrea_version }}
docker pull antrea/antrea-controller-ubuntu:latest
docker pull antrea/antrea-controller-ubuntu:${{ steps.find-antrea-greatest-version.outputs.antrea_version }}
- name: Install Trivy
uses: aquasecurity/setup-trivy@v0.2.2
- name: Get current UTC date
id: date
run: echo "date=$(date -u +'%Y-%m-%d')" >> $GITHUB_OUTPUT
- name: Restore Trivy DB cache
if: ${{ !inputs.no-cache }}
id: restore-db-cache
uses: actions/cache/restore@v4
with:
path: ${{ github.workspace }}/.cache/trivy
key: cache-trivy-db-${{ steps.date.outputs.date }}
restore-keys: cache-trivy-db-
- name: Download Trivy DB
# We download the DB at most once a day, when there is no cache hit.
if: ${{ inputs.no-cache || steps.restore-db-cache.outputs.cache-hit != 'true' }}
# Try downloading the vulnerability DB up to 5 times, to account for TOOMANYREQUESTS errors.
# Need to specify the correct location for the download (using --cache-dir), so that
# aquasecurity/trivy-action can find it.
run: |
for i in {1..5}; do trivy image --download-db-only --cache-dir $GITHUB_WORKSPACE/.cache/trivy && break || sleep 1; done
- name: Save Trivy DB cache
if: ${{ !inputs.no-cache && steps.restore-db-cache.outputs.cache-hit != 'true' }}
uses: actions/cache/save@v4
with:
path: ${{ github.workspace }}/.cache/trivy
key: ${{ steps.restore-db-cache.outputs.cache-primary-key }}
- name: Run Trivy vulnerability scanner on latest antrea-agent Docker image
if: ${{ always() && steps.pull.conclusion == 'success' }}
uses: aquasecurity/trivy-action@0.29.0
# we cannot use .trivy.yml as we need to override some config parameters
# and that is not supported by aquasecurity/trivy-action
with:
scan-type: 'image'
image-ref: 'antrea/antrea-agent-ubuntu:latest'
exit-code: '1'
ignore-unfixed: true
severity: 'CRITICAL,HIGH'
format: 'table'
output: 'trivy.agent.latest.txt'
skip-setup-trivy: true
# Skip caching, as we do it manually when we download the DB in the previous step.
cache: 'false'
env:
TRIVY_SKIP_DB_UPDATE: true
TRIVY_SKIP_JAVA_DB_UPDATE: true
- name: Run Trivy vulnerability scanner on latest antrea-controller Docker image
if: ${{ always() && steps.pull.conclusion == 'success' }}
uses: aquasecurity/trivy-action@0.29.0
# we cannot use .trivy.yml as we need to override some config parameters
# and that is not supported by aquasecurity/trivy-action
with:
scan-type: 'image'
image-ref: 'antrea/antrea-controller-ubuntu:latest'
exit-code: '1'
ignore-unfixed: true
severity: 'CRITICAL,HIGH'
format: 'table'
output: 'trivy.controller.latest.txt'
skip-setup-trivy: true
cache: 'false'
env:
TRIVY_SKIP_DB_UPDATE: true
TRIVY_SKIP_JAVA_DB_UPDATE: true
- name: Run Trivy vulnerability scanner on antrea-agent Docker image for latest released version
if: ${{ always() && steps.pull.conclusion == 'success' }}
uses: aquasecurity/trivy-action@0.29.0
with:
scan-type: 'image'
image-ref: 'antrea/antrea-agent-ubuntu:${{ steps.find-antrea-greatest-version.outputs.antrea_version }}'
exit-code: '1'
ignore-unfixed: true
severity: 'CRITICAL,HIGH'
format: 'table'
output: 'trivy.agent.${{ steps.find-antrea-greatest-version.outputs.antrea_version }}.txt'
skip-setup-trivy: true
cache: 'false'
env:
TRIVY_SKIP_DB_UPDATE: true
TRIVY_SKIP_JAVA_DB_UPDATE: true
- name: Run Trivy vulnerability scanner on antrea-controller Docker image for latest released version
if: ${{ always() && steps.pull.conclusion == 'success' }}
uses: aquasecurity/trivy-action@0.29.0
with:
scan-type: 'image'
image-ref: 'antrea/antrea-controller-ubuntu:${{ steps.find-antrea-greatest-version.outputs.antrea_version }}'
exit-code: '1'
ignore-unfixed: true
severity: 'CRITICAL,HIGH'
format: 'table'
output: 'trivy.controller.${{ steps.find-antrea-greatest-version.outputs.antrea_version }}.txt'
skip-setup-trivy: true
cache: 'false'
env:
TRIVY_SKIP_DB_UPDATE: true
TRIVY_SKIP_JAVA_DB_UPDATE: true
- name: Upload Trivy scan reports
if: ${{ always() && steps.pull.conclusion == 'success' }}
uses: actions/upload-artifact@v4
with:
name: trivy-scan-reports
path: trivy.*.txt
retention-days: 90 # max value
skip:
if: github.repository != 'antrea-io/antrea'
runs-on: ubuntu-latest
steps:
- name: Skip
run: |
echo "Skipping image scan because workflow cannot be run from fork"