From 846f2220a96fb807844008753472896cda07571f Mon Sep 17 00:00:00 2001
From: Rick <1450685+LinuxSuRen@users.noreply.github.com>
Date: Fri, 24 Dec 2021 11:37:19 +0800
Subject: [PATCH] Use trivy to scan the container images (#41)
* Use trivy to scan the container images
* Use alpine:3.11 instead of the latest one
---
 .github/workflows/build.yaml | 42 +++++++++++++++++++++++++++---------
 Dockerfile | 2 +-
 2 files changed, 33 insertions(+), 11 deletions(-)
diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
index 0d7e71d7..e68c1f8a 100644
--- a/.github/workflows/build.yaml
+++ b/.github/workflows/build.yaml
@@ -27,9 +27,7 @@ jobs:
 type=schedule
 type=ref,event=branch
 type=ref,event=pr
- type=semver,pattern=v{{version}}
- type=semver,pattern=v{{major}}.{{minor}}
- type=semver,pattern=v{{major}}
+ type=semver,pattern={{raw}}
 type=sha
 - name: Docker meta for Contributors
 id: metaContributors
@@ -42,9 +40,7 @@ jobs:
 type=schedule
 type=ref,event=branch
 type=ref,event=pr
- type=semver,pattern=v{{version}}
- type=semver,pattern=v{{major}}.{{minor}}
- type=semver,pattern=v{{major}}
+ type=semver,pattern={{raw}}
 type=sha
 - name: Set up QEMU
 uses: docker/setup-qemu-action@v1
@@ -63,6 +59,20 @@ jobs:
 registry: ghcr.io
 username: ${{ github.repository_owner }}
 password: ${{ secrets.GHCR_TOKEN }}
+ - name: Build env
+ id: build_env
+ run: |
+ if [ "${{ github.event_name }}" == "pull_request" ]
+ then
+ echo "::set-output name=platforms::linux/amd64"
+ echo "::set-output name=push::false"
+ echo "::set-output name=load::true"
+ else
+ echo "::set-output name=platforms::linux/amd64,linux/arm64"
+ echo "::set-output name=push::true"
+ echo "::set-output name=load::false"
+ fi
+ echo "::set-output name=short_sha::${GITHUB_SHA::7}"
 - name: Build and push Docker images
 uses: docker/build-push-action@v2.4.0
 if: github.repository_owner == 'kubesphere'
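Review bot: In the `Build env` step, `short_sha` is derived as `${GITHUB_SHA::7}` only so that a later step can reconstruct the `sha-<short>` tag that docker/metadata-action emits for `type=sha`; that silently couples this step to the action's default short-hash length and to the `sha-` prefix, neither of which is stated anywhere in the workflow. A comment above that echo, `# must match the short sha that docker/metadata-action uses for the type=sha tag (7 chars by default)`, would document the coupling, or better, the tag could be taken from the meta step's own outputs so the two cannot drift. The `==` inside `[ ]` is a bash-ism; it works because the default `run` shell on Linux runners is bash, but adding `shell: bash` to the step makes that assumption explicit.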
@@ -70,9 +80,10 @@ jobs:
 context: .
 file: Dockerfile
 tags: ${{ steps.meta.outputs.tags }}
- push: ${{ github.event_name != 'pull_request' }}
+ push: ${{ steps.build_env.outputs.push }}
+ load: ${{ steps.build_env.outputs.load }}
 labels: ${{ steps.meta.outputs.labels }}
- platforms: linux/amd64,linux/arm64
+ platforms: ${{ steps.build_env.outputs.platforms }}
 - name: Build and push Docker images for Contributors
 uses: docker/build-push-action@v2.4.0
 if: github.repository_owner != 'kubesphere'
@@ -80,6 +91,17 @@ jobs:
 context: .
 file: Dockerfile
 tags: ${{ steps.metaContributors.outputs.tags }}
- push: ${{ github.event_name != 'pull_request' }}
+ push: ${{ steps.build_env.outputs.push }}
+ load: ${{ steps.build_env.outputs.load }}
 labels: ${{ steps.metaContributors.outputs.labels }}
- platforms: linux/amd64,linux/arm64
+ platforms: ${{ steps.build_env.outputs.platforms }}
+ - name: Run Trivy vulnerability scanner
+ uses: aquasecurity/trivy-action@0.2.0
+ if: github.event_name == 'pull_request'
+ with:
+ image-ref: 'ghcr.io/${{ github.repository_owner }}/s2irun:sha-${{ steps.build_env.outputs.short_sha }}'
+ format: 'table'
+ exit-code: '1'
+ ignore-unfixed: true
+ vuln-type: 'os,library'
+ severity: 'CRITICAL,HIGH'
diff --git a/Dockerfile b/Dockerfile
index 996cc103..baf0569c 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -8,7 +8,7 @@ COPY vendor/ vendor/
 # Build
 RUN CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build -a -o builder github.com/kubesphere/s2irun/cmd
-FROM alpine:latest
+FROM alpine:3.11
 WORKDIR /root/
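Review bot: The Trivy step is gated on `if: github.event_name == 'pull_request'`, while the build_env step (earlier hunk) only sets `push` to true when the event is not a pull request, so the images actually published to the registry (branch pushes and tags, multi-platform) are never scanned; only the locally loaded amd64 PR image is. Consider running the scan in the push path as well (the same `image-ref` should resolve once the push has completed, assuming the runner can read the pushed tag), or adding a scheduled scan of the published tags, so a base-image advisory that lands after merge is still caught. `image-ref` also hard-codes the image name `s2irun` and the `sha-` prefix, re-deriving what docker/metadata-action's `type=sha` produces for the `metaContributors` step; if the tag format or image name in the meta steps (outside this hunk) changes, the scan would target a tag that does not exist and fail for the wrong reason, so a comment such as `# must match the type=sha tag produced by the Docker meta steps above` belongs on that line. Finally, `aquasecurity/trivy-action@0.2.0` is a mutable tag; pin it to the release's full commit hash, `uses: aquasecurity/trivy-action@<commit-sha-of-0.2.0>  # v0.2.0`, as the build-push and QEMU actions should be too.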
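Review bot: `FROM alpine:3.11` replaces a floating `latest` with a pinned minor series, which is the right direction, but 3.11 is an old series that, to my knowledge, was already past vendor support by this commit's date; Trivy flags an unsupported OS version and its OS-package findings for such a base are not reliable, so the new scan step would give little assurance here. Prefer the currently supported Alpine series, and pin by digest (`FROM alpine:<version>@sha256:<digest>`) so the image that is scanned is byte-identical to the one shipped. A comment above the line, `# keep on a vendor-supported Alpine series; trivy reports EOL series as unsupported`, would record why the pin needs periodic bumping.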