feat(trivy): switch to image with manifest sha #652
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| --- | |
| name: CI Pipeline | |
| on: | |
| push: | |
| branches: | |
| - main | |
| pull_request: | |
| types: | |
| - 'opened' | |
| - 'synchronize' | |
| - 'reopened' | |
| env: | |
| GO_VERSION: 1.24 | |
| KIND_VERSION: v0.27.0 | |
| IMAGE_NAME: namespace-cleaner:test | |
| REGISTRY: k8scc01covidacr.azurecr.io | |
| jobs: | |
| deploy-namespace-cleaner: # Consolidated job for all deployment-related tasks | |
| runs-on: ubuntu-latest | |
| permissions: | |
| contents: write | |
| pull-requests: write | |
| steps: | |
| # --- Linting and Setup --- | |
| - uses: actions/checkout@v4 | |
| - name: Lint Dockerfile | |
| uses: hadolint/hadolint-action@v3.1.0 | |
| with: | |
| dockerfile: Dockerfile | |
| - name: Setup Python | |
| uses: actions/setup-python@v4 | |
| with: | |
| python-version: "3.10" | |
| - name: Run yamllint | |
| run: | | |
| pip install yamllint | |
| yamllint . | |
| # --- Build Docker Image --- | |
| - name: Build Docker Image | |
| run: docker build -t ${{ env.IMAGE_NAME }} . | |
| # --- Unit Tests --- | |
| - name: Setup Go | |
| uses: actions/setup-go@v4 | |
| with: | |
| go-version: ${{ env.GO_VERSION }} | |
| - name: Run Unit Tests | |
| run: make test-unit | |
| id: unit-tests | |
| # --- Integration Tests with Kind --- | |
| - name: Install kubectl | |
| uses: azure/setup-kubectl@v3 | |
| - name: Install Kind | |
| run: | | |
| curl -Lo ./kind https://kind.sigs.k8s.io/dl/${{ env.KIND_VERSION }}/kind-linux-amd64 | |
| chmod +x ./kind | |
| sudo mv ./kind /usr/local/bin/kind | |
| - name: Create Kind Cluster | |
| run: kind create cluster | |
| - name: Load Image into Kind | |
| run: kind load docker-image ${{ env.IMAGE_NAME }} | |
| - name: Run Integration Tests | |
| run: make test-integration | |
| # --- Security Scan --- | |
| - name: Run Trivy Security Scan | |
| env: | |
| TRIVY_VERSION: "0.69.3" | |
| TRIVY_DIGEST: "sha256:7228e304ae0f610a1fad937baa463598cadac0c2ac4027cc68f3a8b997115689" | |
| TRIVY_DB_REPOSITORIES: '"ghcr.io/aquasecurity/trivy-db:2","public.ecr.aws/aquasecurity/trivy-db"' | |
| TRIVY_JAVA_DB_REPOSITORIES: '"ghcr.io/aquasecurity/trivy-java-db:1","public.ecr.aws/aquasecurity/trivy-java-db"' | |
| TRIVY_MAX_RETRIES: "5" | |
| TRIVY_RETRY_DELAY: "20" | |
| run: | | |
| set +e | |
| # retry for random failure | |
| for ((i=0; i<${TRIVY_MAX_RETRIES}; i++)); do | |
| echo "Attempt $((i + 1)) of ${TRIVY_MAX_RETRIES}..." | |
| docker run --rm \ | |
| -v /var/run/docker.sock:/var/run/docker.sock \ | |
| -v "${{ github.workspace }}/.trivycache:/root/.cache" \ | |
| aquasec/trivy:${TRIVY_VERSION}@${TRIVY_DIGEST} \ | |
| image \ | |
| --image-src docker \ | |
| --db-repository ${TRIVY_DB_REPOSITORIES} \ | |
| --java-db-repository ${TRIVY_JAVA_DB_REPOSITORIES} \ | |
| --scanners vuln \ | |
| --severity CRITICAL \ | |
| --format table \ | |
| --timeout 20m \ | |
| --exit-code 1 \ | |
| "${{ env.IMAGE_NAME }}" | |
| EXIT_CODE=$? | |
| if [[ $EXIT_CODE -eq 0 ]]; then | |
| echo "Trivy scan completed successfully." | |
| exit 0 | |
| elif [[ $EXIT_CODE -eq 1 ]]; then | |
| echo "Trivy found vulnerabilities meeting the configured threshold." | |
| exit 1 | |
| elif [[ $i -lt $((TRIVY_MAX_RETRIES - 1)) ]]; then | |
| echo "Unexpected Trivy error. Retrying in ${TRIVY_RETRY_DELAY} seconds..." | |
| sleep "${TRIVY_RETRY_DELAY}" | |
| else | |
| echo "Unexpected Trivy error persisted after ${TRIVY_MAX_RETRIES} attempts." | |
| exit 1 | |
| fi | |
| done | |
| # --- Push Image to ACR --- | |
| - name: Login to ACR | |
| uses: azure/docker-login@v1 | |
| with: | |
| login-server: ${{ env.REGISTRY }} | |
| username: ${{ secrets.REGISTRY_USERNAME }} | |
| password: ${{ secrets.REGISTRY_PASSWORD }} | |
| - name: Tag and Push Image | |
| run: | | |
| docker tag ${{ env.IMAGE_NAME }} ${{ env.REGISTRY }}/namespace-cleaner:${{ github.sha }} | |
| docker push ${{ env.REGISTRY }}/namespace-cleaner:${{ github.sha }} |