Scan images #477
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Scan images | |
| on: | |
| schedule: | |
| # every day at 1:12AM UTC | |
| - cron: '12 1 * * *' | |
| workflow_dispatch: | |
| jobs: | |
| get-images: | |
| name: Get images | |
| runs-on: ubuntu-22.04 | |
| strategy: | |
| matrix: | |
| # specify location of bundle(s) to be scanned | |
| bundle: | |
| - releases/1.8/stable/kubeflow | |
| - releases/1.9/stable | |
| - releases/latest/edge | |
| steps: | |
| - name: Clone and checkout canonical/kubeflow-ci | |
| uses: actions/checkout@v3 | |
| with: | |
| repository: canonical/kubeflow-ci.git | |
| sparse-checkout: scripts/images/ | |
| ref: main | |
| path: /tmp/kubeflow-ci | |
| - name: Run get-all-images.py | |
| working-directory: /tmp/kubeflow-ci | |
| run: | | |
| BUNDLE="${{ matrix.bundle }}" | |
| BUNDLE_SPLIT=(${BUNDLE//\// }) | |
| RELEASE=${BUNDLE_SPLIT[1]} | |
| RISK=${BUNDLE_SPLIT[2]} | |
| pip3 install -r scripts/requirements.txt | |
| python3 scripts/get-all-images.py ${{ matrix.bundle }}/bundle.yaml > /tmp/image_list.txt | |
| echo "Image list:" | |
| cat /tmp/image_list.txt | |
| echo "release_risk=${RELEASE}-${RISK}" >> $GITHUB_OUTPUT | |
| # Output the images as an array that can be used in the matrix strategy of the next step | |
| # This array contains all the images from /tmp/image_list.txt | |
| sudo snap install jq | |
| DATA=$(cat images.txt | jq -R -s -c 'split("\n")[:-1]') | |
| echo "matrix=$DATA" >> "$GITHUB_OUTPUT" | |
| # scan-images: | |
| # name: Scan images in bundle | |
| # runs-on: ubuntu-22.04 | |
| # steps: | |
| # - name: Checkout | |
| # uses: actions/checkout@v3 | |
| # with: | |
| # fetch-depth: 0 | |
| # | |
| # - name: Setup tools | |
| # id: setup | |
| # run: | | |
| # sudo snap install yq | |
| # echo "date=$(date '+%Y-%m-%d-%H-%M-%S')" >> $GITHUB_OUTPUT | |
| # | |
| # | |
| # | |
| # - name: Run Trivy vulnerability scanner | |
| # uses: aquasecurity/[email protected] | |
| # with: | |
| # image-ref: ${{ matrix.image }} | |
| # output: ${{ format('/tmp/trivy-reports/{0}.json', matrix.image) }} | |
| # format: 'json' | |
| # exit-code: '1' | |
| # ignore-unfixed: true | |
| # severity: 'CRITICAL,HIGH' | |
| # strategy: | |
| # matrix: | |
| # image: ${{ fromJSON(needs.images.outputs.matrix) }} | |
| # | |
| # - name: Prepare artifacts | |
| # run: | | |
| # tar zcvf trivy-reports-${{ steps.setup.outputs.date}}-${{ steps.images.outputs.release_risk }}-${{ strategy.job-index }}.tar.gz /tmp/trivy-reports | |
| # | |
| # - name: Upload Trivy reports | |
| # uses: actions/upload-artifact@v3 | |
| # with: | |
| # name: trivy-reports | |
| # path: trivy-reports-${{ steps.setup.outputs.date}}-${{ steps.images.outputs.release_risk }}-${{ strategy.job-index }}.tar.gz | |
| # - name: Upload summary | |
| # uses: actions/upload-artifact@v3 | |
| # with: | |
| # name: summary | |
| # path: scan-summary-${{ steps.setup.outputs.date}}-${{ steps.images.outputs.release_risk }}.csv |