Skip to content

Scan Antrea Docker image for vulnerabilities every day #329

Scan Antrea Docker image for vulnerabilities every day

Scan Antrea Docker image for vulnerabilities every day #329

Workflow file for this run

name: Scan Antrea Docker image for vulnerabilities every day
on:
schedule:
# every day at 10am
- cron: '0 10 * * *'
workflow_dispatch:
inputs:
# This is useful for testing an arbitrary released version of Antrea.
# If left unset, we will use the latest release (obtained using the Github API).
antrea-version:
description: 'The released Antrea version to scan'
type: string
required: false
jobs:
build:
if: github.repository == 'antrea-io/antrea'
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Find greatest Antrea version
id: find-antrea-greatest-version
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
VERSION=${{ inputs.antrea-version }}
if [ -z "$VERSION" ]; then
VERSION=$(gh api /repos/antrea-io/antrea/releases/latest --jq '.tag_name')
fi
echo "antrea_version=$VERSION" >> $GITHUB_OUTPUT
- name: Pull Antrea Docker images
id: pull
run: |
docker pull antrea/antrea-ubuntu:latest
docker pull antrea/antrea-ubuntu:${{ steps.find-antrea-greatest-version.outputs.antrea_version }}
- name: Run Trivy vulnerability scanner on latest Antrea Docker image
if: ${{ always() && steps.pull.conclusion == 'success' }}
uses: aquasecurity/[email protected]
# we cannot use .trivy.yml as we need to override some config parameters
# and that is not supported by aquasecurity/trivy-action
with:
scan-type: 'image'
image-ref: 'antrea/antrea-ubuntu:latest'
exit-code: '1'
ignore-unfixed: true
severity: 'CRITICAL,HIGH'
# whereabouts project doesn't upgrade dependencies frequently
skip-files: '/opt/cni/bin/whereabouts'
format: 'table'
output: 'trivy.latest.txt'
- name: Run Trivy vulnerability scanner on Antrea Docker image for latest released version
if: ${{ always() && steps.pull.conclusion == 'success' }}
uses: aquasecurity/[email protected]
with:
scan-type: 'image'
image-ref: 'antrea/antrea-ubuntu:${{ steps.find-antrea-greatest-version.outputs.antrea_version }}'
exit-code: '1'
ignore-unfixed: true
severity: 'CRITICAL,HIGH'
skip-files: '/opt/cni/bin/whereabouts'
format: 'table'
output: 'trivy.${{ steps.find-antrea-greatest-version.outputs.antrea_version }}.txt'
- name: Upload Trivy scan reports
if: ${{ always() && steps.pull.conclusion == 'success' }}
uses: actions/upload-artifact@v4
with:
name: trivy-scan-reports
path: trivy.*.txt
retention-days: 90 # max value
skip:
if: github.repository != 'antrea-io/antrea'
runs-on: ubuntu-latest
steps:
- name: Skip
run: |
echo "Skipping image scan because workflow cannot be run from fork"