Add image scan script #19804

Draft pull request: wants to merge 2 commits into base branch main

Conversation

@ivanvc (Member) commented Apr 26, 2025

Introduce a new script that can run on stable branches that checks the vulnerabilities for the latest tag (from the given branch).

Adds Trivy as a tool dependency, to keep track of the latest released version.

A periodic Prow job will later execute this. We'll get alerts when a CVE is found in our images, either by a direct vulnerability or for a dependency with a reported vulnerability of high or critical severity.

Part of #19363.

Please read https://github.com/etcd-io/etcd/blob/main/CONTRIBUTING.md#contribution-flow.
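As an added example (not the PR's script), a shell sketch of the flow the description outlines: resolve the latest tag reachable from a branch, build the image reference, and run Trivy so that HIGH or CRITICAL findings fail the job. The image repository, a `trivy` binary on PATH (rather than the repository's tools module), and the report file name are assumptions; the sample report is constructed.

```shell
#!/usr/bin/env bash
# Added example (not the PR's script): scan the image for the latest tag
# reachable from a branch with Trivy and fail on HIGH/CRITICAL findings.
set -eu

# Assumed image repository; the PR does not name one. Override via IMAGE_REPO.
IMAGE_REPO="${IMAGE_REPO:-gcr.io/etcd-development/etcd}"
SEVERITIES="HIGH,CRITICAL"

# Latest tag reachable from the given ref (default: the checked-out branch).
latest_tag() { git describe --tags --abbrev=0 "${1:-HEAD}"; }

# Image reference for a tag, e.g. v3.5.21 -> gcr.io/etcd-development/etcd:v3.5.21
image_ref() { printf '%s:%s\n' "$IMAGE_REPO" "$1"; }

# Count HIGH/CRITICAL entries in a Trivy JSON report read from stdin. With -o
# every match lands on its own line, so minified and pretty-printed JSON both work.
count_high_critical() { grep -Eo '"Severity": *"(HIGH|CRITICAL)"' | wc -l | tr -d ' '; }

# Constructed Trivy-style report fragment (placeholder CVE ids) for a dry run.
SAMPLE_REPORT='{"Results":[{"Vulnerabilities":[
 {"VulnerabilityID":"CVE-0000-0001","Severity":"HIGH"},
 {"VulnerabilityID":"CVE-0000-0002","Severity":"LOW"},
 {"VulnerabilityID":"CVE-0000-0003","Severity":"CRITICAL"}]}]}'
sample_count() { printf '%s\n' "$SAMPLE_REPORT" | count_high_critical; }  # -> 2

# --exit-code 1 makes Trivy exit non-zero when any vulnerability at the selected
# severities is found, which is what a periodic job needs in order to alert.
# Assumes a trivy binary on PATH rather than the repository's tools module.
scan_image() {
  trivy image --severity "$SEVERITIES" --exit-code 1 \
    --format json --output "$2" "$1"
}

main() {
  tag="$(latest_tag "${1:-HEAD}")"
  image="$(image_ref "$tag")"
  report="trivy-${tag}.json"
  echo "Scanning ${image} for ${SEVERITIES} vulnerabilities"
  if ! scan_image "$image" "$report"; then
    echo "$(count_high_critical < "$report") HIGH/CRITICAL findings; see ${report}" >&2
    exit 1
  fi
}

# Run only when a ref is given; with no arguments the functions are just defined.
if [ "$#" -gt 0 ]; then main "$@"; fi
```

Invoke it as `./scan-image.sh release-3.5` from a checkout of the branch to scan; the non-zero exit is what the periodic job turns into an alert.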

@k8s-ci-robot

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: ivanvc
Once this PR has been reviewed and has the lgtm label, please assign spzala for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@ivanvc (Member, Author) commented Apr 26, 2025

Oof, inconsistent dependencies. I'll draft and will undraft once I address those 😅.

@ivanvc ivanvc marked this pull request as draft April 26, 2025 07:03
ivanvc added 2 commits April 26, 2025 21:36
Signed-off-by: Ivan Valdes <[email protected]>
Signed-off-by: Ivan Valdes <[email protected]>
@ivanvc (Member, Author) commented Apr 27, 2025

/test pull-etcd-verify

@ivanvc (Member, Author) commented Apr 27, 2025

Adding Trivy as a tool bumped many indirect dependencies, resulting in changes to many go.mods.

@ivanvc ivanvc marked this pull request as ready for review April 27, 2025 04:52
codecov bot commented Apr 27, 2025

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 68.78%. Comparing base (4fec4ca) to head (6461725).
Report is 253 commits behind head on main.

see 21 files with indirect coverage changes

@@            Coverage Diff             @@
##             main   #19804      +/-   ##
==========================================
- Coverage   68.86%   68.78%   -0.08%     
==========================================
  Files         421      421              
  Lines       35863    35858       -5     
==========================================
- Hits        24696    24664      -32     
- Misses       9746     9764      +18     
- Partials     1421     1430       +9     

@k8s-ci-robot

PR needs rebase.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@ahrtr (Member) commented Apr 28, 2025

My understanding is that you only introduce a new dependency on github.com/aquasecurity/trivy, could you move unrelated dependencies bumping into a separate PR to make this PR easier to review?

@ivanvc (Member, Author) commented Apr 28, 2025

> My understanding is that you only introduce a new dependency on github.com/aquasecurity/trivy, could you move unrelated dependencies bumping into a separate PR to make this PR easier to review?

I opened #19819.

But I wonder if it makes more sense to open a pull request to only bump the existing dependencies without introducing Trivy. Let me know, and I can do that instead.

Edit: I opened #19821, which does the latter.

@ahrtr (Member) commented Apr 29, 2025

@ivanvc Probably I did not say it clearly in my previous comment.

Adding dependency github.com/aquasecurity/trivy is OK, because it's required for the image scan script. It's OK to do both things (see below) in one PR:

  • Add dependency github.com/aquasecurity/trivy
  • Add image scan script

But I see that you bumped many other dependencies as well in this PR. Can you move all other dependencies bumping into a separate PR?

@ivanvc (Member, Author) commented Apr 29, 2025

@ahrtr, then, please take a look at #19821.

I'll close #19819, then.

@ahrtr (Member) commented May 1, 2025

Please rebase this PR.

@ivanvc (Member, Author) commented May 7, 2025

I'll get back to this shortly. I'm a bit busy and reconsidering how we'll implement this in the stable release branches. Either way, the trivy dependency is required, so it's good that we bumped the indirect dependencies.

@ivanvc ivanvc marked this pull request as draft May 7, 2025 16:39
@k8s-ci-robot

@ivanvc: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name                            Commit   Required   Rerun command
ci-etcd-robustness-release36-amd64   6461725  true       /test ci-etcd-robustness-release36-amd64
ci-etcd-robustness-release35-amd64   6461725  true       /test ci-etcd-robustness-release35-amd64
ci-etcd-robustness-release34-amd64   6461725  true       /test ci-etcd-robustness-release34-amd64

Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.
