Skip to content

Fix chef tests (#3628) #3

Fix chef tests (#3628)

Fix chef tests (#3628) #3

Workflow file for this run

name: vulnerability scans
on:
push:
branches:
- main
pull_request:
paths:
- '.github/workflows/vuln-scans.yml'
- '.grype.yaml'
- '.trivyignore'
env:
GO_VERSION: '1.20.8'
concurrency:
group: vuln-scans-${{ github.event.pull_request.number || github.ref }}
cancel-in-progress: true
jobs:
trivy-fs-scan:
# Use 20.04.5 until https://github.com/open-telemetry/opentelemetry-collector-contrib/issues/16450 is resolved
runs-on: ubuntu-20.04
steps:
- uses: actions/checkout@v3
- name: Run trivy filesystem scan
uses: aquasecurity/trivy-action@0.12.0
with:
scan-type: 'fs'
scan-ref: '.'
skip-dirs: 'deployments,examples,instrumentation/packaging,internal/buildscripts/packaging,tests'
format: 'table'
exit-code: '1'
severity: 'CRITICAL,HIGH'
ignore-unfixed: true
anchore-fs-scan:
runs-on: ubuntu-20.04
steps:
- uses: actions/checkout@v3
- uses: anchore/scan-action@v3
with:
severity-cutoff: "high"
only-fixed: true
add-cpes-if-none: true
output-format: "table"
path: "."
docker-otelcol:
runs-on: ubuntu-20.04
strategy:
matrix:
ARCH: [ "amd64", "arm64" ]
fail-fast: false
steps:
- uses: actions/checkout@v3
- uses: actions/setup-go@v4
with:
go-version: ${{ env.GO_VERSION }}
cache-dependency-path: '**/go.sum'
- uses: actions/cache@v3
id: bundle-cache
with:
path: .cache/buildx/agent-bundle-${{ matrix.ARCH }}
key: agent-bundle-buildx-${{ matrix.ARCH }}-${{ hashFiles('internal/signalfx-agent/bundle/**') }}
restore-keys: |
agent-bundle-buildx-${{ matrix.ARCH }}-
- uses: docker/setup-qemu-action@v2
if: ${{ matrix.ARCH != 'amd64' }}
with:
platforms: ${{ matrix.ARCH }}
image: tonistiigi/binfmt:qemu-v7.0.0
- run: |
make docker-otelcol ARCH=${{ matrix.ARCH }}
env:
DOCKER_BUILDKIT: '1'
BUNDLE_CACHE_HIT: "${{ steps.bundle-cache.outputs.cache-hit }}"
- run: mkdir -p dist && docker save -o dist/image.tar otelcol:latest
- uses: actions/upload-artifact@v3
with:
name: otelcol-${{ matrix.ARCH }}
path: ./dist
trivy-image-scan:
# Use 20.04.5 until https://github.com/open-telemetry/opentelemetry-collector-contrib/issues/16450 is resolved
runs-on: ubuntu-20.04
needs: docker-otelcol
strategy:
matrix:
ARCH: [ "amd64", "arm64" ]
fail-fast: false
steps:
- uses: actions/checkout@v3
- uses: docker/setup-qemu-action@v2
if: ${{ matrix.ARCH != 'amd64' }}
with:
platforms: ${{ matrix.ARCH }}
image: tonistiigi/binfmt:qemu-v7.0.0
- uses: actions/download-artifact@v3
with:
name: otelcol-${{ matrix.ARCH }}
path: ./dist
- run: docker load -i ./dist/image.tar
- name: Run trivy image scan
uses: aquasecurity/trivy-action@0.12.0
with:
scan-type: 'image'
image-ref: 'otelcol:latest'
format: 'table'
exit-code: '1'
severity: 'CRITICAL,HIGH'
ignore-unfixed: true
anchore-image-scan:
runs-on: ubuntu-20.04
needs: docker-otelcol
strategy:
matrix:
ARCH: [ "amd64", "arm64" ]
fail-fast: false
env:
GRYPE_PLATFORM: ${{ matrix.ARCH }}
steps:
- uses: actions/checkout@v3
- uses: docker/setup-qemu-action@v2
if: ${{ matrix.ARCH != 'amd64' }}
with:
platforms: ${{ matrix.ARCH }}
image: tonistiigi/binfmt:qemu-v7.0.0
- uses: actions/download-artifact@v3
with:
name: otelcol-${{ matrix.ARCH }}
path: ./dist
- run: docker load -i ./dist/image.tar
- uses: anchore/scan-action@v3
with:
severity-cutoff: "high"
only-fixed: true
add-cpes-if-none: true
output-format: "table"
image: "otelcol:latest"