Skip to content

Container Vulnerability Scan #99

Container Vulnerability Scan

Container Vulnerability Scan #99

name: Container Vulnerability Scan
on:
schedule:
- cron: "0 4 * * *"
workflow_dispatch:
permissions: read-all
jobs:
container-scan:
if: github.repository_owner == 'cilium'
name: Scan Containers
runs-on: ubuntu-22.04
strategy:
matrix:
image: [
{name: cilium, dockerfile: ./images/cilium/Dockerfile},
{name: clustermesh-apiserver, dockerfile: ./images/clustermesh-apiserver/Dockerfile},
{name: docker-plugin, dockerfile: ./images/cilium-docker-plugin/Dockerfile},
{name: hubble-relay, dockerfile: ./images/hubble-relay/Dockerfile},
{name: kvstoremesh, dockerfile: ./images/kvstoremesh/Dockerfile},
{name: operator-generic, dockerfile: ./images/operator/Dockerfile},
]
branch: [v1.12, v1.13, v1.14, v1.15]
exclude:
- image: {name: kvstoremesh, dockerfile: ./images/kvstoremesh/Dockerfile}
branch: v1.12
- image: {name: kvstoremesh, dockerfile: ./images/kvstoremesh/Dockerfile}
branch: v1.13
steps:
- name: Checkout
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
with:
ref: ${{ matrix.branch }}
persist-credentials: false
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0
- name: Build local container
uses: docker/build-push-action@4a13e500e55cf31b7a5d59a38ab2040ab0f42f56 # v5.1.0
with:
context: .
tags: ${{ matrix.image.name }}:${{ matrix.branch }}
push: false
load: true
file: ${{ matrix.image.dockerfile }}
build-args: |
OPERATOR_VARIANT=${{ matrix.image.name }}
- name: Scan image
uses: anchore/scan-action@896d5f410043987c8fe18f60d91bf199e436840c # v3.3.8
with:
image: ${{ matrix.image.name }}:${{ matrix.branch }}
output-format: table
severity-cutoff: critical