Skip to content
trivy scan tables

fix(deps): update helm release cert-manager to v1.16.3 #81

Sign in to view logs

fix(deps): update helm release cert-manager to v1.16.3

fix(deps): update helm release cert-manager to v1.16.3 #81

Workflow file for this run

.github/workflows/trivy-scan-table.yaml at d591d71
on:
pull_request:
types: [opened, synchronize]
paths:
- '.github/workflows/trivy-scan-table.yaml'
- 'platform-apps/charts/**'
name: trivy scan tables
jobs:
evaluate:
runs-on: ubuntu-latest
outputs:
matrix: ${{ steps.dataStep.outputs.matrix }}
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: create image json
shell: bash
run: |
helm plugin install https://github.com/nikhilsbhat/helm-images
cd platform-apps/charts
echo -n "" > image-list.json
for chart in $( ls -d */ | sed 's#/##' ); do
echo "${chart}"
helm dependency update ${chart} 1> /dev/null 2>&1
for image in $(
for value in $( find ${chart} -type f -name "values-*" ); do
helm images get ${chart} -f ${value} --log-level error --kind "Deployment,StatefulSet,DaemonSet,CronJob,Job,ReplicaSet,Pod,Alertmanager,Prometheus,ThanosRuler,Grafana,Thanos,Receiver"
done | sort -u ); do
id=$( echo -n "${chart}_$( echo ${image} | awk -F/ '{print $NF}' | sed 's/:/_/g' )" )
echo -n "{chart: \"${chart}\", image: \"${image}\", id: \"${id}\"}," >> image-list.json
done
done
- id: dataStep
run: |
echo "matrix=[$( cat platform-apps/charts/image-list.json )]"
#echo "matrix<<EOF" >> ${GITHUB_OUTPUT}
echo "matrix=[$( cat platform-apps/charts/image-list.json )]" >> ${GITHUB_OUTPUT}
#echo "EOF" >> ${GITHUB_OUTPUT}
scan-images:
needs: evaluate
strategy:
matrix:
images: ${{ fromJson(needs.evaluate.outputs.matrix) }}
# matrix:
# images: [
# {chart: "argocd", image: "ghcr.io/dexidp/dex:v2.41.1", id: "dex"},
# {chart: "argocd", image: "public.ecr.aws/docker/library/redis:7.4.1-alpine", id: "redis"},
# {chart: "argocd", image: "quay.io/argoproj/argocd:v2.13.2", id: "argocd"}
# ]
permissions:
contents: write # for actions/checkout to fetch code
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v4
with:
ref: ${{ github.event.pull_request.head.ref }}
- name: delete old trivy reports
shell: bash
run: |
mkdir trivy-reports-workdir
- name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@0.29.0
with:
image-ref: ${{ matrix.images.image }}
format: template
template: "@${{ github.workspace }}/trivy-reports/markdown.tpl"
output: 'trivy-reports-workdir/report-${{ matrix.images.id }}.md'
# exit-code: '1'
ignore-unfixed: true
# vuln-type: 'os,library'
severity: 'CRITICAL,HIGH'
- name: upload reports
uses: actions/upload-artifact@v4
with:
name: trivy-reports-${{ matrix.images.id }}
path: trivy-reports-workdir/report-${{ matrix.images.id }}.md
commit-reports:
needs: scan-images
runs-on: ubuntu-latest
permissions:
actions: write
contents: write
steps:
- name: Checkout PR
uses: actions/checkout@v4
with:
ref: ${{ github.event.pull_request.head.ref }}
- name: delete old trivy reports
shell: bash
run: |
git config user.name "github-actions[bot]"
git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
git pull
echo "remove old reports"
# use find to remove files
# because it does not fail when no files exist
find trivy-reports/ -type f -name 'report-*' -delete
git status
- name: download reports
uses: actions/download-artifact@v4
with:
pattern: trivy-reports-*
path: trivy-reports
merge-multiple: true
- name: commit trivy table
shell: bash
run: |
git status
echo "git add trivy-reports"
git add trivy-reports
git status
echo "check diff and commit"
git diff --cached --exit-code || git commit -m "updated trivy scan results"
echo "git push"
git push
- uses: geekyeggo/delete-artifact@v5
with:
name: trivy-reports-*