forked from canonical/k8s-snap
-
Notifications
You must be signed in to change notification settings - Fork 0
134 lines (122 loc) · 4.59 KB
/
cron-jobs.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
name: Security and quality nightly scan
on:
schedule:
- cron: '0 10 * * *'
permissions:
contents: read
jobs:
TICS:
permissions:
contents: read
runs-on: ubuntu-latest
strategy:
matrix:
include:
# Latest branches
- { branch: main }
steps:
- name: Harden Runner
uses: step-security/harden-runner@v2
with:
egress-policy: audit
- name: Checking out repo
uses: actions/checkout@v4
with:
ref: ${{matrix.branch}}
- uses: actions/setup-python@v5
with:
python-version: '3.12'
- name: Install Go
uses: actions/setup-go@v5
with:
go-version: "1.22"
- name: go mod download
working-directory: src/k8s
run: go mod download
- name: TICS scan
run: |
export TICSAUTHTOKEN=${{ secrets.TICSAUTHTOKEN }}
set -x
# Install python dependencies
pip install -r tests/integration/requirements-test.txt
pip install -r tests/integration/requirements-dev.txt
cd src/k8s
# TICS requires us to have the test results in cobertura xml format under the
# directory use below
sudo make go.unit
go install github.com/boumenot/gocover-cobertura@latest
gocover-cobertura < coverage.txt > coverage.xml
mkdir .coverage
mv ./coverage.xml ./.coverage/
# Install the TICS and staticcheck
go install honnef.co/go/tools/cmd/[email protected]
. <(curl --silent --show-error 'https://canonical.tiobe.com/tiobeweb/TICS/api/public/v1/fapi/installtics/Script?cfg=default&platform=linux&url=https://canonical.tiobe.com/tiobeweb/TICS/')
# We need to have our project built
# We load the dqlite libs here instead of doing through make because TICS
# will try to build parts of the project itself
sudo add-apt-repository -y ppa:dqlite/dev
sudo apt install dqlite-tools libdqlite-dev -y
sudo make clean
go build -a ./...
TICSQServer -project k8s-snap -tmpdir /tmp/tics -branchdir $HOME/work/k8s-snap/k8s-snap/
Trivy:
permissions:
contents: read # for actions/checkout to fetch code
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
runs-on: ubuntu-latest
strategy:
matrix:
include:
# Latest branches
- { branch: main, channel: latest/edge }
# Stable branches
# Add branches to test here
- { branch: release-1.30, channel: 1.30-classic/edge }
- { branch: release-1.31, channel: 1.31-classic/edge }
steps:
- name: Harden Runner
uses: step-security/harden-runner@v2
with:
egress-policy: audit
- name: Checking out repo
uses: actions/checkout@v4
with:
ref: ${{matrix.branch}}
- name: Setup Trivy vulnerability scanner
run: |
mkdir -p sarifs
VER=$(curl --silent -qI https://github.com/aquasecurity/trivy/releases/latest | awk -F '/' '/^location/ {print substr($NF, 1, length($NF)-1)}');
wget https://github.com/aquasecurity/trivy/releases/download/${VER}/trivy_${VER#v}_Linux-64bit.tar.gz
tar -zxvf ./trivy_${VER#v}_Linux-64bit.tar.gz
- name: Run Trivy vulnerability scanner in repo mode
uses: aquasecurity/trivy-action@master
with:
scan-type: "fs"
ignore-unfixed: true
format: "sarif"
output: "trivy-k8s-repo-scan--results.sarif"
severity: "MEDIUM,HIGH,CRITICAL"
env:
TRIVY_DB_REPOSITORY: "public.ecr.aws/aquasecurity/trivy-db"
- name: Gather Trivy repo scan results
run: |
cp trivy-k8s-repo-scan--results.sarif ./sarifs/
- name: Run Trivy vulnerability scanner on the snap
run: |
snap download k8s --channel ${{ matrix.channel }}
mv ./k8s*.snap ./k8s.snap
unsquashfs k8s.snap
for var in $(env | grep -o '^TRIVY_[^=]*'); do
unset "$var"
done
./trivy --db-repository public.ecr.aws/aquasecurity/trivy-db rootfs ./squashfs-root/ --format sarif > sarifs/snap.sarif
- name: Get HEAD sha
run: |
SHA="$(git rev-parse HEAD)"
echo "head_sha=$SHA" >> "$GITHUB_ENV"
- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: "sarifs"
sha: ${{ env.head_sha }}
ref: refs/heads/${{matrix.branch}}