From bcf28244429782cdceccfb7d265a9e5e10212d03 Mon Sep 17 00:00:00 2001
From: zhzhuang-zju
Date: Thu, 4 Jan 2024 19:40:08 +0800
Subject: [PATCH] add image scanning on pull_request
Signed-off-by: zhzhuang-zju
---
 .../ci-image-scanning-on-pull-request.yaml | 45 +++++++++++++++++++
 1 file changed, 45 insertions(+)
 create mode 100644 .github/workflows/ci-image-scanning-on-pull-request.yaml
diff --git a/.github/workflows/ci-image-scanning-on-pull-request.yaml b/.github/workflows/ci-image-scanning-on-pull-request.yaml
new file mode 100644
index 000000000000..c2b67a241f52
--- /dev/null
+++ b/.github/workflows/ci-image-scanning-on-pull-request.yaml
@@ -0,0 +1,45 @@
+name: image-scanning-on-pull-request
+on:
+ pull_request:
+jobs:
+ use-trivy-to-scan-image:
+ name: image scannning
+ # prevent job running from forked repository
+ if: ${{ github.repository == 'karmada-io/karmada' }}
+ runs-on: ubuntu-22.04
+ steps:
+ - name: checkout code
+ uses: actions/checkout@v3
+ - name: install Go
+ uses: actions/setup-go@v3
+ with:
+ go-version: 1.20.11
+ - name: Build images from Dockerfile
+ run: |
+ export VERSION="latest"
+ export REGISTRY="docker.io/karmada"
+ make images GOOS="linux" --directory=.
+ - name: download Trivy vulnerability scanner
+ run: |
+ curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin v0.48.1
+ - name: Image scan
+ run: |
+ IMAGE_ARRAR=(
+ karmada-controller-manager
+ karmada-scheduler
+ karmada-descheduler
+ karmada-webhook
+ karmada-agent
+ karmada-scheduler-estimator
+ karmada-interpreter-webhook-example
+ karmada-aggregated-apiserver
+ karmada-search
+ karmada-operator
+ karmada-metrics-adapter
+ )
+ for image in ${IMAGE_ARRAR[@]}
+ do
+ echo "========== Scan results of image $image =========="
+ imageRef="$REGISTRY/$image:$VERSION"
+ trivy image --format table --ignore-unfixed --vuln-type os,library -q --severity UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL $imageRef)
+ done
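Review bot: The `export VERSION="latest"` and `export REGISTRY="docker.io/karmada"` lines in the "Build images from Dockerfile" step are not visible to the later "Image scan" step, because each `run:` block is a separate shell, so `imageRef="$REGISTRY/$image:$VERSION"` expands to `/karmada-…:` and trivy has no valid image reference; move both values into a job-level `env:` block (or append them to `$GITHUB_ENV`) so the build and scan steps agree. The trivy invocation in the same loop ends with a stray `)` after `$imageRef`, which bash rejects as a syntax error if that character is really in the file rather than an artefact of this rendering. The installer is fetched from the `main` branch of the trivy repository and piped into `sh` with write access to `/usr/local/bin`, so the script is unpinned even though the binary version `v0.48.1` is; fetching it from the matching release ref, `https://raw.githubusercontent.com/aquasecurity/trivy/v0.48.1/contrib/install.sh`, ties both to one tag. Without an `--exit-code` option the scan only prints a table and never fails the check, so as a pull_request gate it is informational only — worth either saying so in the step name or choosing a severity set that fails the job.
```yaml
  use-trivy-to-scan-image:
    # … unchanged: name / if / runs-on …
    env:
      VERSION: latest
      REGISTRY: docker.io/karmada
    steps:
      # … unchanged: checkout and setup-go steps; the build step keeps only the make line …
      - name: download Trivy vulnerability scanner
        run: |
          curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/v0.48.1/contrib/install.sh | sh -s -- -b /usr/local/bin v0.48.1
      # … unchanged: IMAGE_ARRAR definition, loop head and echo …
          imageRef="$REGISTRY/$image:$VERSION"
          trivy image --format table --ignore-unfixed --vuln-type os,library -q --severity UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL "$imageRef"
```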