Merge pull request #1908 from k8s-infra-cherrypick-robot/cherry-pick-…

…1901-to-release-1.6 🌱 [release-1.6] add periodic Github job for trivy scanning
kubernetes-sigs · Jul 11, 2023 · d68fdbd · d68fdbd
2 parents 18f9738 + 64d72a6
commit d68fdbd
Show file tree

Hide file tree

Showing 3 changed files with 113 additions and 1 deletion.
diff --git a/.github/workflows/scan.yaml b/.github/workflows/scan.yaml
@@ -0,0 +1,32 @@
+name: scan-images
+
+on:
+  schedule:
+    # Cron for every Monday at 12:00 UTC.
+    - cron: "0 12 * * 1"
+
+# Remove all permissions from GITHUB_TOKEN except metadata.
+permissions: {}
+
+jobs:
+  scan:
+    strategy:
+      fail-fast: false
+      matrix:
+        branch: [ main, release-1.6, release-1.5 ]
+    name: Trivy
+    runs-on: ubuntu-latest
+    steps:
+      - name: Check out code
+        uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # tag=v3.5.2
+        with:
+          ref: ${{ matrix.branch }}
+      - name: Calculate go version
+        id: vars
+        run: echo "go_version=$(make go-version)" >> $GITHUB_OUTPUT
+      - name: Set up Go
+        uses: actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568 # tag=v3.5.0
+        with:
+          go-version: ${{ steps.vars.outputs.go_version }}
+      - name: Run verify container script
+        run: make verify-container-images
diff --git a/Makefile b/Makefile
@@ -22,6 +22,7 @@ SHELL := /usr/bin/env bash
 
 VERSION ?= $(shell cat clusterctl-settings.json | jq .config.nextVersion -r)
 
+GO_VERSION ?=1.19.3
 # Use GOPROXY environment variable if set
 GOPROXY := $(shell go env GOPROXY)
 ifeq (,$(strip $(GOPROXY)))
@@ -422,6 +423,10 @@ verify-modules: modules  ## Verify go modules are up to date
 verify-conversions: $(CONVERSION_VERIFIER)  ## Verifies expected API conversion are in place
 	$(CONVERSION_VERIFIER)
 
+.PHONY: verify-container-images
+verify-container-images: ## Verify container images
+	TRACE=$(TRACE) ./hack/verify-container-images.sh
+
 .PHONY: release-flavors ## Create release flavor manifests
 release-flavors: release-version-check
 	$(MAKE) generate-flavors FLAVOR_DIR=$(RELEASE_DIR)
@@ -485,7 +490,7 @@ check: ## Verify and lint the project
 .PHONY: docker-build
 docker-build: ## Build the docker image for controller-manager
 	docker buildx build --platform linux/$(ARCH) --output=type=docker \
-		--pull --build-arg ldflags="$(LDFLAGS)" \
+		--pull --build-arg ldflags="$(LDFLAGS)" --build-arg GOLANG_VERSION=golang:$(GO_VERSION) \
 		-t $(DEV_CONTROLLER_IMG):$(DEV_TAG) .
 
 .PHONY: docker-push
@@ -495,3 +500,6 @@ docker-push: ## Push the docker image
 		--pull --build-arg ldflags="$(LDFLAGS)" \
 		-t $(DEV_CONTROLLER_IMG):$(DEV_TAG) .
 	docker buildx rm capv
+
+go-version: ## Print the go version we use to compile our binaries and images
+	@echo $(GO_VERSION)
diff --git a/hack/verify-container-images.sh b/hack/verify-container-images.sh
@@ -0,0 +1,72 @@
+#!/bin/bash
+
+# Copyright 2023 The Kubernetes Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -o errexit
+set -o nounset
+set -o pipefail
+
+if [[ "${TRACE-0}" == "1" ]]; then
+    set -o xtrace
+fi
+
+TRIVY_VERSION=0.34.0
+
+GO_OS="$(go env GOOS)"
+if [[ "${GO_OS}" == "linux" ]]; then
+  TRIVY_OS="Linux"
+elif [[ "${GO_OS}" == "darwin"* ]]; then
+  TRIVY_OS="macOS"
+fi
+
+GO_ARCH="$(go env GOARCH)"
+if [[ "${GO_ARCH}" == "amd" ]]; then
+  TRIVY_ARCH="32bit"
+elif [[ "${GO_ARCH}" == "amd64"* ]]; then
+  TRIVY_ARCH="64bit"
+elif [[ "${GO_ARCH}" == "arm" ]]; then
+  TRIVY_ARCH="ARM"
+elif [[ "${GO_ARCH}" == "arm64" ]]; then
+  TRIVY_ARCH="ARM64"
+fi
+
+TOOL_BIN=hack/tools/bin
+mkdir -p ${TOOL_BIN}
+
+# Downloads trivy scanner
+curl -L -o ${TOOL_BIN}/trivy.tar.gz "https://github.com/aquasecurity/trivy/releases/download/v${TRIVY_VERSION}/trivy_${TRIVY_VERSION}_${TRIVY_OS}-${TRIVY_ARCH}.tar.gz"
+
+tar -xf "${TOOL_BIN}/trivy.tar.gz" -C "${TOOL_BIN}" trivy
+chmod +x ${TOOL_BIN}/trivy
+rm ${TOOL_BIN}/trivy.tar.gz
+
+# Builds all the container images to be scanned
+make DEV_REGISTRY="gcr.io/cluster-api-provider-vsphere" PULL_POLICY=IfNotPresent DEV_TAG="dev" docker-build
+
+# Scan the images
+${TOOL_BIN}/trivy image -q --exit-code 1 --ignore-unfixed --severity MEDIUM,HIGH,CRITICAL gcr.io/cluster-api-provider-vsphere/vsphere-manager:dev && R1=$? || R1=$?
+
+echo ""
+BRed='\033[1;31m'
+BGreen='\033[1;32m'
+NC='\033[0m' # No
+
+if [ "$R1" -ne "0" ]
+then
+  echo -e "${BRed}Check container images failed! There are vulnerability to be fixed${NC}"
+  exit 1
+fi
+
+echo -e "${BGreen}Check container images passed! No vulnerability found${NC}"