Use trivy to scan the container images (#41)

* Use trivy to scan the container images * Use alpine:3.11 instead of the latest one
kubesphere · Dec 24, 2021 · 846f222 · 846f222
1 parent 8a45b10
commit 846f222
Show file tree

Hide file tree

Showing 2 changed files with 33 additions and 11 deletions.
diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
@@ -27,9 +27,7 @@ jobs:
           type=schedule
           type=ref,event=branch
           type=ref,event=pr
-          type=semver,pattern=v{{version}}
-          type=semver,pattern=v{{major}}.{{minor}}
-          type=semver,pattern=v{{major}}
+          type=semver,pattern={{raw}}
           type=sha
     - name: Docker meta for Contributors
       id: metaContributors
@@ -42,9 +40,7 @@ jobs:
           type=schedule
           type=ref,event=branch
           type=ref,event=pr
-          type=semver,pattern=v{{version}}
-          type=semver,pattern=v{{major}}.{{minor}}
-          type=semver,pattern=v{{major}}
+          type=semver,pattern={{raw}}
           type=sha
     - name: Set up QEMU
       uses: docker/setup-qemu-action@v1
@@ -63,23 +59,49 @@ jobs:
         registry: ghcr.io
         username: ${{ github.repository_owner }}
         password: ${{ secrets.GHCR_TOKEN }}
+    - name: Build env
+      id: build_env
+      run: |
+        if [ "${{ github.event_name }}" == "pull_request" ]
+        then
+            echo "::set-output name=platforms::linux/amd64"
+            echo "::set-output name=push::false"
+            echo "::set-output name=load::true"
+        else
+            echo "::set-output name=platforms::linux/amd64,linux/arm64"
+            echo "::set-output name=push::true"
+            echo "::set-output name=load::false"
+        fi
+        echo "::set-output name=short_sha::${GITHUB_SHA::7}"
     - name: Build and push Docker images
       uses: docker/build-push-action@v2.4.0
       if: github.repository_owner == 'kubesphere'
       with:
         context: .
         file: Dockerfile
         tags: ${{ steps.meta.outputs.tags }}
-        push: ${{ github.event_name != 'pull_request' }}
+        push: ${{ steps.build_env.outputs.push }}
+        load: ${{ steps.build_env.outputs.load }}
         labels: ${{ steps.meta.outputs.labels }}
-        platforms: linux/amd64,linux/arm64
+        platforms: ${{ steps.build_env.outputs.platforms }}
     - name: Build and push Docker images for Contributors
       uses: docker/build-push-action@v2.4.0
       if: github.repository_owner != 'kubesphere'
       with:
         context: .
         file: Dockerfile
         tags: ${{ steps.metaContributors.outputs.tags }}
-        push: ${{ github.event_name != 'pull_request' }}
+        push: ${{ steps.build_env.outputs.push }}
+        load: ${{ steps.build_env.outputs.load }}
         labels: ${{ steps.metaContributors.outputs.labels }}
-        platforms: linux/amd64,linux/arm64
+        platforms: ${{ steps.build_env.outputs.platforms }}
+    - name: Run Trivy vulnerability scanner
+      uses: aquasecurity/trivy-action@0.2.0
+      if: github.event_name == 'pull_request'
+      with:
+        image-ref: 'ghcr.io/${{ github.repository_owner }}/s2irun:sha-${{ steps.build_env.outputs.short_sha }}'
+        format: 'table'
+        exit-code: '1'
+        ignore-unfixed: true
+        vuln-type: 'os,library'
+        severity: 'CRITICAL,HIGH'
diff --git a/Dockerfile b/Dockerfile
@@ -8,7 +8,7 @@ COPY vendor/ vendor/
 # Build
 RUN CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build -a -o builder github.com/kubesphere/s2irun/cmd
 
-FROM alpine:latest
+FROM alpine:3.11
 
 WORKDIR /root/