This repository has been archived by the owner on Sep 3, 2024. It is now read-only.
scan #355
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: scan | |
on: | |
schedule: | |
- cron: "0 10 * * *" # 10 UTC | |
workflow_dispatch: | |
inputs: | |
GCLOUD_TABLE: | |
description: "gcloud bigquery table to publish results to" | |
required: true | |
default: "scheduled" | |
env: | |
REF: "ghcr.io/chainguard-dev/rumble:latest" | |
GCLOUD_PROJECT: ${{ secrets.GCLOUD_PROJECT }} | |
GCLOUD_DATASET: ${{ secrets.GCLOUD_DATASET }} | |
GCLOUD_TABLE: ${{ inputs.GCLOUD_TABLE || 'scheduled' }} | |
GCLOUD_TABLE_VULNS: ${{ secrets.GCLOUD_TABLE_VULNS }} | |
GOOGLE_APPLICATION_CREDENTIALS_BASE64: ${{ secrets.GOOGLE_APPLICATION_CREDENTIALS_BASE64 }} | |
concurrency: scan | |
jobs: | |
generate-matrix-chainguard: | |
runs-on: ubuntu-latest | |
permissions: | |
id-token: write | |
outputs: | |
images: ${{ steps.list-images.outputs.images }} | |
steps: | |
- uses: chainguard-dev/actions/setup-chainctl@main | |
with: | |
# This identity allows us to list the public Chainguard images. | |
identity: 720909c9f5279097d847ad02a2f24ba8f59de36a/a033a6fabe0bfa0d | |
- id: list-images | |
run: | | |
image_list="$(chainctl img ls --group 720909c9f5279097d847ad02a2f24ba8f59de36a -o json)" | |
unwanted_images=("alpine-base" "k3s-images" "nri-kube-events" "nri-kubernetes" "nri-prometheus" "sdk" "source-controller" "spire") | |
for img in ${unwanted_images[@]}; do | |
image_list=$(echo "$image_list" | jq "map(select(.repo.name != \"$img\"))") | |
done | |
echo images=$(echo $image_list | jq -c '[ .[] | select(.tags[].name | contains("latest")) | "cgr.dev/chainguard/" + .repo.name + ":latest" ] | unique') >> $GITHUB_OUTPUT | |
scan-chainguard: | |
runs-on: ubuntu-latest | |
needs: generate-matrix-chainguard | |
outputs: | |
success: ${{ steps.rumble-chainguard.outputs.success }} | |
strategy: | |
fail-fast: false | |
matrix: | |
image: ${{ fromJson(needs.generate-matrix-chainguard.outputs.images) }} | |
permissions: | |
id-token: write | |
packages: write | |
contents: read | |
steps: | |
- name: Run rumble on image | |
id: rumble-chainguard | |
run: | | |
set -x | |
echo "${GOOGLE_APPLICATION_CREDENTIALS_BASE64}" | base64 -d > google-creds.json | |
echo "Scanning: ${{ matrix.image }}" | |
env > github.env | |
echo "GOOGLE_APPLICATION_CREDENTIALS=/google-creds.json" >> github.env | |
for scanner in "grype" "trivy"; do | |
docker run --rm \ | |
-v "${PWD}/google-creds.json":/google-creds.json \ | |
--env-file github.env \ | |
"${REF}" \ | |
-image "${{ matrix.image }}" \ | |
-scanner "${scanner}" \ | |
-syft | |
done | |
- uses: slackapi/slack-github-action@007b2c3c751a190b6f0f040e47ed024deaa72844 # v1.23.0 | |
if: ${{ failure() }} | |
id: slack | |
with: | |
payload: '{"text": "[scan] failed for chainguard image ${{ matrix.image }}: https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}"}' | |
env: | |
SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }} | |
SLACK_WEBHOOK_TYPE: INCOMING_WEBHOOK | |
generate-matrix-external: | |
runs-on: ubuntu-latest | |
outputs: | |
matrix: ${{ steps.generate-matrix.outputs.matrix }} | |
steps: | |
- uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # v3.1.0 | |
- id: generate-matrix | |
run: | | |
set -x | |
echo '{"include":[]}' > matrix.json | |
while read name | |
do | |
cat matrix.json | jq '.include += [{ref: "'${name}'"}]' > matrix.json.tmp | |
mv matrix.json.tmp matrix.json | |
done < images.txt | |
cat matrix.json | jq | |
echo "matrix=$(cat matrix.json | jq -c -M)" >> $GITHUB_OUTPUT | |
scan-external: | |
runs-on: ubuntu-latest | |
needs: generate-matrix-external | |
outputs: | |
success: ${{ steps.rumble-external.outputs.success }} | |
strategy: | |
fail-fast: false | |
matrix: ${{ fromJson(needs.generate-matrix-external.outputs.matrix) }} | |
permissions: | |
id-token: write | |
packages: write | |
contents: read | |
steps: | |
- name: Run rumble on image | |
id: rumble-external | |
run: | | |
set -x | |
echo "${GOOGLE_APPLICATION_CREDENTIALS_BASE64}" | base64 -d > google-creds.json | |
echo "Scanning: ${{ matrix.ref }}" | |
env > github.env | |
echo "GOOGLE_APPLICATION_CREDENTIALS=/google-creds.json" >> github.env | |
for scanner in "grype" "trivy"; do | |
docker run --rm \ | |
-v "${PWD}/google-creds.json":/google-creds.json \ | |
--env-file github.env \ | |
"${REF}" \ | |
-image "${{ matrix.ref }}" \ | |
-scanner "${scanner}" \ | |
-syft | |
done | |
- uses: slackapi/slack-github-action@007b2c3c751a190b6f0f040e47ed024deaa72844 # v1.23.0 | |
if: ${{ failure() }} | |
id: slack | |
with: | |
payload: '{"text": "[scan] failed for external image ${{ matrix.ref }}: https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}"}' | |
env: | |
SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }} | |
SLACK_WEBHOOK_TYPE: INCOMING_WEBHOOK |