diff --git a/.github/workflows/cve-weekly.yaml b/.github/workflows/cve-weekly.yaml
deleted file mode 100644
index 19a96407b3..0000000000
--- a/.github/workflows/cve-weekly.yaml
+++ /dev/null
@@ -1,68 +0,0 @@
-# Copyright 2024 Flant JSC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-name: Weekly CVE Scan
-
-env:
- MODULES_REGISTRY: ${{ vars.DEV_REGISTRY }}
- CI_COMMIT_REF_NAME: ${{ github.ref_name }}
- MODULES_MODULE_NAME: ${{ vars.MODULE_NAME }}
- MODULES_MODULE_SOURCE: ${{ vars.DEV_MODULE_SOURCE }}
- MODULES_REGISTRY_LOGIN: ${{ vars.DEV_MODULES_REGISTRY_LOGIN }}
- MODULES_REGISTRY_PASSWORD: ${{ secrets.DEV_MODULES_REGISTRY_PASSWORD }}
- WERF_DRY_RUN: "false"
-
-on:
- workflow_dispatch:
- schedule:
- - cron: "23 0 * * 6"
-
-defaults:
- run:
- shell: bash
-
-jobs:
- trivy_scan:
- runs-on: ubuntu-latest
-
- steps:
- - name: Set vars
- run: |
- echo "REPORT_FILE_NAME=$(date +%Y-%m-%d)-report.txt" >> "$GITHUB_ENV"
-
- - name: Install Task
- uses: arduino/setup-task@v2
- with:
- version: 3.37.2
-
- - name: Checkout code
- uses: actions/checkout@v4
-
- - uses: deckhouse/modules-actions/setup@v2
- with:
- registry: ${{ vars.DEV_REGISTRY }}
- registry_login: ${{ vars.DEV_MODULES_REGISTRY_LOGIN }}
- registry_password: ${{ secrets.DEV_MODULES_REGISTRY_PASSWORD }}
-
- - name: CVE Scan
- run: |
- echo $REPORT_FILE_NAME
- REPORT_FILE_NAME=$REPORT_FILE_NAME task cve:scan
-
- - name: Upload Trivy report as artifact
- uses: actions/upload-artifact@v4
- with:
- name: trivy-weekly-${{ env.REPORT_FILE_NAME }}
- path: ${{ env.REPORT_FILE_NAME }}
- retention-days: 14
diff --git a/.github/workflows/dev_module_build.yml b/.github/workflows/dev_module_build.yml
index 306f80e57c..b0531f5545 100644
--- a/.github/workflows/dev_module_build.yml
+++ b/.github/workflows/dev_module_build.yml
@@ -260,3 +260,23 @@ jobs:
 module_source: ${{ vars.DEV_MODULE_SOURCE}}
 module_name: ${{ vars.MODULE_NAME }}
 module_tag: "$MODULES_MODULE_TAG"
+
+ cve_scan_on_pr:
+ name: Trivy images check
+ runs-on: ${{ fromJSON(needs.set_vars.outputs.runner_type)}}
+ needs:
+ - set_vars
+ - dev_setup_build
+ steps:
+ - uses: actions/checkout@v4
+ - uses: deckhouse/modules-actions/cve_scan@v2
+ with:
+ image: ${{ vars.DEV_MODULE_SOURCE }}/${{ vars.MODULE_NAME }}
+ tag: ${{needs.set_vars.outputs.modules_module_tag}}
+ module_name: ${{ vars.MODULE_NAME }}
+ dd_url: ${{vars.DEFECTDOJO_HOST}}
+ dd_token: ${{secrets.DEFECTDOJO_API_TOKEN}}
+ trivy_registry: ${{ vars.PROD_REGISTRY }}
+ trivy_registry_user: ${{ vars.PROD_MODULES_REGISTRY_LOGIN }}
+ trivy_registry_password: ${{ secrets.PROD_MODULES_REGISTRY_PASSWORD }}
+ deckhouse_private_repo: ${{vars.DECKHOUSE_PRIVATE_REPO}}
diff --git a/Taskfile.yaml b/Taskfile.yaml
index 52675964f4..38fb0a446d 100644
--- a/Taskfile.yaml
+++ b/Taskfile.yaml
@@ -138,19 +138,6 @@ tasks:
 cd tools/kubeconform
 ./kubeconform.sh
- cve:bin:
- cmds:
- - |
- curl -LO https://github.com/aquasecurity/trivy/releases/download/v{{.TRIVY_VERSION}}/trivy_{{.TRIVY_VERSION}}_Linux-64bit.tar.gz
- tar -zxvf trivy_{{.TRIVY_VERSION}}_Linux-64bit.tar.gz -C /opt/
- mv /opt/trivy /usr/local/bin/trivy
- chmod +x /usr/local/bin/trivy
-
- cve:scan:
- cmds:
- - task: cve:bin
- - tools/cve/scan-main.sh {{.REPORT_FILE_NAME}}
- dlv:virt-controller:build:
- desc: "Build image virt-controller with dlv"
- cmd: docker build -f ./images/virt-controller/debug/dlv.Dockerfile -t "{{ .DLV_IMAGE }}" .
diff --git a/tools/cve/scan-main.sh b/tools/cve/scan-main.sh
deleted file mode 100755
index 7d3ad1d204..0000000000
--- a/tools/cve/scan-main.sh
+++ /dev/null
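Review bot: The new cve_scan_on_pr job hands `secrets.PROD_MODULES_REGISTRY_PASSWORD` and `secrets.DEFECTDOJO_API_TOKEN` to `deckhouse/modules-actions/cve_scan@v2`, which is pinned only by a mutable tag, so a moved tag silently changes the code that receives production registry credentials; pin it to a full commit SHA, `uses: deckhouse/modules-actions/cve_scan@<commit-sha>  # v2`. The job also declares no `permissions:` block; unless the workflow-level block (outside this hunk, not visible here) already restricts it, add `permissions:` with `contents: read` on the job so the default token is no broader than the checkout needs. The workflow's `on:` trigger is likewise outside the hunk; since the job name indicates it runs on pull requests, confirm that the trigger is not one that runs PR-controlled code with access to these secrets. Separately, this commit deletes the scheduled scan in cve-weekly.yaml without a scheduled replacement, so images already on the default branch are no longer rescanned as new CVEs are published between PRs — keep a cron trigger or confirm another workflow covers it. As a style point, the expressions mix `${{ vars.MODULE_NAME }}` with `${{vars.DEFECTDOJO_HOST}}` and `${{needs.set_vars.outputs.modules_module_tag}}`; use one spacing form throughout the job.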
@@ -1,53 +0,0 @@
-#!/usr/bin/env bash
-
-# Copyright 2024 Flant JSC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-REPORT_FILE_NAME=$1
-module_tag=$2
-common_registry_path="dev-registry.deckhouse.io/sys/deckhouse-oss/modules"
-module_name="virtualization"
-registry_path="$common_registry_path/$module_name"
-
-if [[ -z $REPORT_FILE_NAME ]];then echo "file must be define";exit 1;fi
-if [[ -z $module_tag ]]; then module_tag=main; fi
-
-# Prepare images digests in form of "image_name image_sha256_digest".
-images_digests=$(crane export $registry_path:${module_tag} - | tar -Oxf - images_digests.json | jq -r 'to_entries[] | .key + " " + .value')
-
-check_image_bundle() {
- echo "⭐ ==============================================================================================================="
- echo "name: bandle-${module_tag}"
- echo "image: $registry_path:${module_tag}"
- echo "=================================================================================================================="
-
- trivy image $registry_path:${module_tag} -f table
-}
-
-{
- while read name digest; do
- image="$registry_path@${digest}"
-
- echo "⭐ ==============================================================================================================="
- echo "name: ${name}"
- echo "image: ${image}"
- echo "=================================================================================================================="
-
- trivy image ${image} -f table
-
- done <<< "${images_digests}"
-
- check_image_bundle
-
-} > "${REPORT_FILE_NAME}"