Trivy scanner #736

Summary
Jobs
- Build
Run details
- Usage
- Workflow file

Workflow file for this run

	name: Trivy scanner

	on:
	workflow_dispatch:
	push:
	tags:
	- 'v..*'
	pull_request:
	branches:
	- 'main'
	schedule:
	- cron: '35 12 * * 4'
	permissions:
	contents: read
	jobs:
	build:
	permissions:
	contents: write
	security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
	name: Build
	runs-on: ubuntu-latest
	steps:
	- name: Harden Runner
	uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
	with:
	egress-policy: audit

	- name: Checkout code
	uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
	- name: Set up Go 1.x
	uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
	with:
	go-version: '>=1.20'
	check-latest: true
	id: go
	- name: Build images
	run: \|
	export IMAGE_TAG=${{ github.sha }}
	export OUTPUT_TYPE=docker
	make docker-build

	- name: Run Trivy scanner for controller
	uses: aquasecurity/trivy-action@6e7b7d1fd3e4fef0c5fa8cce1229c54b2c9bd0d8 # master
	if: success() \|\| failure()
	with:
	image-ref: 'local/kube-egress-gateway-controller:${{ github.sha }}'
	format: 'sarif'
	ignore-unfixed: true
	output: 'trivy-kube-egress-gateway-controller-results.sarif'
	vuln-type: 'os,library'
	severity: 'CRITICAL,HIGH,MEDIUM,LOW,UNKNOWN'
	timeout: '5m0s'
	- name: Upload Trivy scan results to GitHub Security tab
	uses: github/codeql-action/upload-sarif@4dd16135b69a43b6c8efb853346f8437d92d3c93 # v3.26.6
	with:
	sarif_file: 'trivy-kube-egress-gateway-controller-results.sarif'
	category: kube-egress-gateway-controller-image
	- name: Run Trivy scanner for daemon
	uses: aquasecurity/trivy-action@6e7b7d1fd3e4fef0c5fa8cce1229c54b2c9bd0d8 # master
	if: success() \|\| failure()
	with:
	image-ref: 'local/kube-egress-gateway-daemon:${{ github.sha }}'
	format: 'sarif'
	ignore-unfixed: true
	output: 'trivy-kube-egress-gateway-daemon-results.sarif'
	vuln-type: 'os,library'
	severity: 'CRITICAL,HIGH,MEDIUM,LOW,UNKNOWN'
	timeout: '5m0s'
	- name: Upload Trivy scan results to GitHub Security tab
	uses: github/codeql-action/upload-sarif@4dd16135b69a43b6c8efb853346f8437d92d3c93 # v3.26.6
	with:
	sarif_file: 'trivy-kube-egress-gateway-daemon-results.sarif'
	category: kube-egress-gateway-daemon-image
	- name: Run Trivy scanner for cnimanager
	uses: aquasecurity/trivy-action@6e7b7d1fd3e4fef0c5fa8cce1229c54b2c9bd0d8 # master
	if: success() \|\| failure()
	with:
	image-ref: 'local/kube-egress-gateway-cnimanager:${{ github.sha }}'
	format: 'sarif'
	ignore-unfixed: true
	vuln-type: 'os,library'
	output: 'trivy-kube-egress-gateway-cnimanager-results.sarif'
	severity: 'CRITICAL,HIGH,MEDIUM,LOW,UNKNOWN'
	timeout: '5m0s'
	- name: Upload Trivy scan results to GitHub Security tab
	uses: github/codeql-action/upload-sarif@4dd16135b69a43b6c8efb853346f8437d92d3c93 # v3.26.6
	with:
	sarif_file: 'trivy-kube-egress-gateway-cnimanager-results.sarif'
	category: kube-egress-gateway-cnimanager-image
	- name: Run Trivy scanner for cni
	uses: aquasecurity/trivy-action@6e7b7d1fd3e4fef0c5fa8cce1229c54b2c9bd0d8 # master
	if: success() \|\| failure()
	with:
	image-ref: 'local/kube-egress-gateway-cni:${{ github.sha }}'
	format: 'sarif'
	ignore-unfixed: true
	vuln-type: 'os,library'
	output: 'trivy-kube-egress-gateway-cni-results.sarif'
	severity: 'CRITICAL,HIGH,MEDIUM,LOW,UNKNOWN'
	timeout: '5m0s'
	- name: Upload Trivy scan results to GitHub Security tab
	uses: github/codeql-action/upload-sarif@4dd16135b69a43b6c8efb853346f8437d92d3c93 # v3.26.6
	with:
	sarif_file: 'trivy-kube-egress-gateway-cni-results.sarif'
	category: kube-egress-gateway-cni
	- name: Run Trivy scanner for cni-ipam
	uses: aquasecurity/trivy-action@6e7b7d1fd3e4fef0c5fa8cce1229c54b2c9bd0d8 # master
	if: success() \|\| failure()
	with:
	image-ref: 'local/kube-egress-gateway-cni-ipam:${{ github.sha }}'
	format: 'sarif'
	ignore-unfixed: true
	vuln-type: 'os,library'
	output: 'trivy-kube-egress-gateway-cni-ipam-results.sarif'
	severity: 'CRITICAL,HIGH,MEDIUM,LOW,UNKNOWN'
	timeout: '5m0s'
	- name: Upload Trivy scan results to GitHub Security tab
	uses: github/codeql-action/upload-sarif@4dd16135b69a43b6c8efb853346f8437d92d3c93 # v3.26.6
	with:
	sarif_file: 'trivy-kube-egress-gateway-cni-ipam-results.sarif'
	category: kube-egress-gateway-cni-ipam
	- name: Run Trivy vulnerability scanner in repo mode
	uses: aquasecurity/trivy-action@6e7b7d1fd3e4fef0c5fa8cce1229c54b2c9bd0d8 # master
	if: success() \|\| failure()
	with:
	scan-type: 'fs'
	ignore-unfixed: true
	format: 'github'
	output: 'dependency-results.sbom.json'
	scan-ref: '.'
	github-pat: ${{ secrets.GITHUB_TOKEN }}
	timeout: '5m0s'

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Trivy scanner #736

Workflow file

Trivy scanner #736

Jobs

Run details

Workflow file for this run