Add trivy GHA workflow for scanning rke2-runtime image

Signed-off-by: Derek Nola <[email protected]>
rancher · Sep 11, 2024 · 537814f · 537814f
1 parent a8abb0a
commit 537814f
Show file tree

Hide file tree

Showing 2 changed files with 74 additions and 1 deletion.
diff --git a/.github/workflows/trivy.yaml b/.github/workflows/trivy.yaml
@@ -0,0 +1,73 @@
+name: PR Comment Triggered Trivy Scan
+
+on:
+  issue_comment:
+    types: [created]
+
+jobs:
+  trivy_scan:
+    if: github.event.issue.pull_request && github.event.comment.body == '/trivy' && github.event.issue.state == 'open'
+    runs-on: ubuntu-latest
+    # runs-on: runs-on,runner=8cpu-linux-x64,run-id=${{ github.run_id }}
+    permissions:
+      pull-requests: write
+    env:
+      GH_TOKEN: ${{ github.token }}
+    steps:
+    - name: Checkout PR code
+      uses: actions/checkout@v4
+      with:
+        ref: refs/pull/${{ github.event.issue.number }}/head
+
+    - name: Comment Status on PR
+      run: |
+        gh repo set-default ${{ github.repository }}
+        gh pr comment ${{ github.event.issue.number }} -b ":construction: Running Trivy scan on PR :construction: "
+    
+    # We don't care about the go version, as we only use it to capture ENV vars
+    - name: Install Go
+      uses: ./.github/actions/setup-go
+
+    - name: Set up Docker Buildx
+      uses: docker/setup-buildx-action@v3
+
+    - name: Build RKE2 Image
+      id: build-image
+      run: |
+        SKIP_WINDOWS=true make build-image-runtime
+        TAG=$(docker images --format "{{.Repository}}:{{.Tag}} {{.CreatedAt}}" | grep "rancher/rke2-runtime" | sort -k2 -r | head -n1 | awk '{print $1}')
+        echo "TAG=${TAG}" >> "$GITHUB_OUTPUT"
+
+    - name: Run Trivy on image
+      uses: aquasecurity/[email protected]
+      with:
+        image-ref: '${{ steps.build-image.outputs.TAG }}'
+        format: 'table'
+        severity: "HIGH,CRITICAL"
+        output: "trivy-image-report.txt"
+
+    - name: Run Trivy on filesystem
+      uses: aquasecurity/[email protected]
+      with:
+        scan-type: 'fs'
+        scan-ref: '.'
+        severity: "HIGH,CRITICAL"
+        output: "trivy-fs-report.txt"
+
+    - name: Add Trivy Report to PR
+      run: |
+        sudo chown runner:runner trivy-image-report.txt trivy-fs-report.txt
+        cat trivy-image-report.txt trivy-fs-report.txt > trivy-report.txt
+        if [ -s trivy-report.txt ] && [ -n "$(grep -v '^\s*$' trivy-report.txt)" ]; then
+          echo '```' | cat - trivy-report.txt > temp && mv temp trivy-report.txt
+          echo '```' >> trivy-report.txt
+          gh issue comment ${{ github.event.issue.number }} --edit-last -F trivy-report.txt
+        else
+          echo ':star2: No High or Critical CVEs Found :star2:' > trivy-report.txt
+          gh issue comment ${{ github.event.issue.number }} --edit-last -F trivy-report.txt
+        fi
+    
+    - name: Report Failure
+      if: ${{ failure() }}
+      run: |
+        gh issue comment ${{ github.event.issue.number }} --edit-last -b ":x: Trivy scan action failed, check logs :x:"
diff --git a/scripts/build-image-runtime b/scripts/build-image-runtime
@@ -18,7 +18,7 @@ DOCKER_BUILDKIT=${DOCKER_BUILDKIT:-1} docker image build \
     --file Dockerfile \
     .
 
-if [ "${GOARCH}" != "s390x" ] && [ "${GOARCH}" != "arm64" ]; then
+if [ "${GOARCH}" != "s390x" ] && [ "${GOARCH}" != "arm64" ] && [ -z "$SKIP_WINDOWS" ]; then
   DOCKER_BUILDKIT=${DOCKER_BUILDKIT:-1} docker image build \
       --build-arg TAG=${VERSION} \
       --build-arg KUBERNETES_VERSION=${KUBERNETES_VERSION} \