diff --git a/.github/workflows/scan-vulns.yaml b/.github/workflows/scan-vulns.yaml
index b2ead2507..a1c77040a 100644
--- a/.github/workflows/scan-vulns.yaml
+++ b/.github/workflows/scan-vulns.yaml
@@ -37,6 +37,8 @@ jobs:
 name: "[Trivy] Scan for vulnerabilities"
 runs-on: ubuntu-22.04
 timeout-minutes: 15
+ env:
+ TRIVY_VERSION: v0.49.1
 steps:
 - name: Harden Runner
 uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
@@ -46,30 +48,58 @@ jobs: - name: Check out code into the Go module directory uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 - - name: Download trivy - run: | - pushd $(mktemp -d) - wget https://github.com/aquasecurity/trivy/releases/download/v${{ env.TRIVY_VERSION }}/trivy_${{ env.TRIVY_VERSION }}_Linux-64bit.tar.gz - tar zxvf trivy_${{ env.TRIVY_VERSION }}_Linux-64bit.tar.gz - echo "$(pwd)" >> $GITHUB_PATH - env: - TRIVY_VERSION: "0.46.0" + - name: Manual Trivy Setup + uses: aquasecurity/setup-trivy@eadb05c36f891dc855bba00f67174a1e61528cd4 # v0.2.1 + with: + cache: true + version: ${{ env.TRIVY_VERSION }} - name: Run trivy on git repository - run: | - trivy fs --format table --ignore-unfixed --scanners vuln . + uses: aquasecurity/trivy-action@915b19bbe73b92a6cf82a1bc12b087c9a19a5fe2 # 0.28.0 + with: + scan-type: 'fs' + scan-ref: '.' + ignore-unfixed: true + scanners: 'vuln' + version: ${{ env.TRIVY_VERSION }} - name: Build docker images run: | make e2e-build-local-ratify-image make e2e-build-crd-image - - name: Run trivy on images for all severity - run: | - for img in "localbuild:test" "localbuildcrd:test"; do - trivy image --ignore-unfixed --vuln-type="os,library" "${img}" - done - - name: Run trivy on images and exit on HIGH severity - run: | - for img in "localbuild:test" "localbuildcrd:test"; do - trivy image --ignore-unfixed --exit-code 1 --severity HIGH --vuln-type="os,library" "${img}" - done + + - name: Run Trivy vulnerability scanner on localbuild:test + uses: aquasecurity/trivy-action@915b19bbe73b92a6cf82a1bc12b087c9a19a5fe2 # 0.28.0 + with: + scan-type: 'image' + image-ref: 'localbuild:test' + ignore-unfixed: true + version: ${{ env.TRIVY_VERSION }} + + - name: Run Trivy vulnerability scanner on localbuildcrd:test + uses: aquasecurity/trivy-action@915b19bbe73b92a6cf82a1bc12b087c9a19a5fe2 # 0.28.0 + with: + scan-type: 'image' + image-ref: 'localbuildcrd:test' + ignore-unfixed: true + version: ${{ env.TRIVY_VERSION }} + + - name: Run 
Trivy vulnerability scanner on localbuild:test and exit on HIGH severity + uses: aquasecurity/trivy-action@915b19bbe73b92a6cf82a1bc12b087c9a19a5fe2 # 0.28.0 + with: + scan-type: 'image' + image-ref: 'localbuild:test' + ignore-unfixed: true + severity: 'HIGH,CRITICAL' + exit-code: '1' + version: ${{ env.TRIVY_VERSION }} + + - name: Run Trivy vulnerability scanner on localbuildcrd:test and exit on HIGH severity + uses: aquasecurity/trivy-action@915b19bbe73b92a6cf82a1bc12b087c9a19a5fe2 # 0.28.0 + with: + scan-type: 'image' + image-ref: 'localbuildcrd:test' + ignore-unfixed: true + severity: 'HIGH,CRITICAL' + exit-code: '1' + version: ${{ env.TRIVY_VERSION }} diff --git a/Makefile b/Makefile index 376a2d170..3fc29cd96 100644 --- a/Makefile +++ b/Makefile @@ -26,8 +26,8 @@ LDFLAGS += -X $(GO_PKG)/internal/version.GitTreeState=$(GIT_TREE_STATE) LDFLAGS += -X $(GO_PKG)/internal/version.GitTag=$(GIT_TAG) KIND_VERSION ?= 0.22.0 -KUBERNETES_VERSION ?= 1.29.2 -KIND_KUBERNETES_VERSION ?= 1.29.2 +KUBERNETES_VERSION ?= 1.31.1 +KIND_KUBERNETES_VERSION ?= 1.31.1 GATEKEEPER_VERSION ?= 3.17.0 DAPR_VERSION ?= 1.12.5 COSIGN_VERSION ?= 2.2.3 diff --git a/crd.Dockerfile b/crd.Dockerfile index 6606aa0af..7838e03df 100644 --- a/crd.Dockerfile +++ b/crd.Dockerfile @@ -20,7 +20,7 @@ ARG KUBE_VERSION RUN echo "Ratify crd building on $TARGETOS, building for $TARGETARCH" RUN apk add --no-cache curl && \ - curl -LO https://storage.googleapis.com/kubernetes-release/release/v${KUBE_VERSION}/bin/${TARGETOS}/${TARGETARCH}/kubectl && \ + curl -LO https://dl.k8s.io/release/v${KUBE_VERSION}/bin/${TARGETOS}/${TARGETARCH}/kubectl && \ chmod +x kubectl FROM scratch as build
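Review bot: The two gating steps at the end of the hunk are still named `... and exit on HIGH severity` while their configuration is `severity: 'HIGH,CRITICAL'` with `exit-code: '1'`, so the step name understates the gate; rename them to `... and exit on HIGH/CRITICAL severity`, or put a comment above each (`# fails the job on HIGH and CRITICAL findings; CRITICAL is included deliberately`) so the name and the gate agree. The explicit `Manual Trivy Setup` step looks redundant: if I read trivy-action 0.28.0's inputs right, every `aquasecurity/trivy-action` step installs Trivy itself from the `version` it is given, so either that step can be dropped or the scan steps need `skip-setup-trivy: true` for the manual install to be the one actually used. The `scan-type: 'fs'` step still sets no `exit-code`, so findings in the repository's own dependencies remain advisory while only the image scans fail the job; if that is intended, a one-line comment on that step (`# advisory only: repository scan does not gate the job`) would make it explicit. The job's earlier steps and the `steps:` header lie outside the hunk.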
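Review bot: The kubectl download on the changed `curl -LO` line is still not integrity-checked after the host move, so a corrupted or substituted binary would be baked into the image and made executable by the following `chmod +x kubectl`. dl.k8s.io publishes a `kubectl.sha256` next to each release binary, so the same `RUN` can verify it before proceeding: add `curl -LO https://dl.k8s.io/release/v${KUBE_VERSION}/bin/${TARGETOS}/${TARGETARCH}/kubectl.sha256 && \` and `echo "$(cat kubectl.sha256)  kubectl" | sha256sum -c - && \` between the kubectl download and the `chmod` line (sha256sum should be available in the Alpine base the `apk add` line implies, but confirm for the builder image). The checksum comes from the same origin as the binary, so this catches transport corruption and a mismatched artifact rather than a compromised release host; pinning the expected digest in the Dockerfile would cover that case at the cost of updating it together with `KUBE_VERSION`.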