Skip to content

Merge pull request #5862 from zhzhuang-zju/rmfile #1047

Merge pull request #5862 from zhzhuang-zju/rmfile

Merge pull request #5862 from zhzhuang-zju/rmfile #1047

name: image-scanning
on:
push:
# Exclude branches created by Dependabot to avoid triggering current workflow
# for PRs initiated by Dependabot.
branches-ignore:
- 'dependabot/**'
permissions:
contents: read
jobs:
use-trivy-to-scan-image:
permissions:
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
name: image-scanning
if: ${{ github.repository == 'karmada-io/karmada' }}
runs-on: ubuntu-22.04
strategy:
fail-fast: false
matrix:
target:
- karmada-controller-manager
- karmada-scheduler
- karmada-descheduler
- karmada-webhook
- karmada-agent
- karmada-scheduler-estimator
- karmada-interpreter-webhook-example
- karmada-aggregated-apiserver
- karmada-search
- karmada-operator
- karmada-metrics-adapter
steps:
- name: checkout code
uses: actions/checkout@v4
- name: install Go
uses: actions/setup-go@v5
with:
go-version-file: go.mod
- name: Build an image from Dockerfile
run: |
export VERSION="latest"
export REGISTRY="docker.io/karmada"
make image-${{ matrix.target }}
- name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@0.29.0
env:
ACTIONS_RUNTIME_TOKEN: ${{ secrets.GITHUB_TOKEN }}
TRIVY_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-db,public.ecr.aws/aquasecurity/trivy-db
with:
image-ref: 'docker.io/karmada/${{ matrix.target }}:latest'
format: 'sarif'
ignore-unfixed: true
vuln-type: 'os,library'
output: 'trivy-results.sarif'
- name: display scan results
uses: aquasecurity/trivy-action@0.29.0
env:
TRIVY_SKIP_DB_UPDATE: true # Avoid updating the vulnerability db as it was cached in the previous step.
with:
image-ref: 'docker.io/karmada/${{ matrix.target }}:latest'
format: 'table'
ignore-unfixed: true
vuln-type: 'os,library'
- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: 'trivy-results.sarif'