DevFW-CICD/ingress-nginx-helm
6
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

CI updates (#9440)

Browse source 
* add labels to dependabot prs

Signed-off-by: cpanato <ctadeu@gmail.com>

* sync hashes and versions dependabot can update the version comment now

Signed-off-by: cpanato <ctadeu@gmail.com>

Signed-off-by: cpanato <ctadeu@gmail.com>
This commit is contained in:
Carlos Tadeu Panato Junior 2022-12-22 16:37:26 +01:00 committed by GitHub
parent 21aa7f55a3
commit bb60e02e96
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
11 changed files with 125 additions and 119 deletions
Download patch file Download diff file Expand all files Collapse all files

72
.github/workflows/vulnerability-scans.yaml vendored
View file

@ -22,7 +22,7 @@ jobs:
versions: ${{ steps.version.outputs.TAGS }}
steps:
- name: Checkout code
uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b
uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b # v3.2.0
with:
fetch-depth: 0
@ -46,47 +46,47 @@ jobs:
scan:
runs-on: ubuntu-latest
needs: version
needs: version
strategy:
matrix:
versions: ${{ fromJSON(needs.version.outputs.versions) }}
steps:
- name: Checkout code
uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b
- name: Checkout code
uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b # v3.2.0
- shell: bash
id: test
run: echo "Scanning registry.k8s.io/ingress-nginx/controller@${{ matrix.versions }}"
- shell: bash
id: test
run: echo "Scanning registry.k8s.io/ingress-nginx/controller@${{ matrix.versions }}"
- name: Scan image with AquaSec/Trivy
id: scan
uses: aquasecurity/trivy-action@9ab158e8597f3b310480b9a69402b419bc03dbd5 #v0.5.1
with:
image-ref: registry.k8s.io/ingress-nginx/controller:${{ matrix.versions }}
format: 'sarif'
output: trivy-results-${{ matrix.versions }}.sarif
exit-code: 0
vuln-type: 'os,library'
severity: 'CRITICAL,HIGH,MEDIUM,LOW,UNKNOWN'
- name: Scan image with AquaSec/Trivy
id: scan
uses: aquasecurity/trivy-action@9ab158e8597f3b310480b9a69402b419bc03dbd5 # v0.8.0
with:
image-ref: registry.k8s.io/ingress-nginx/controller:${{ matrix.versions }}
format: 'sarif'
output: trivy-results-${{ matrix.versions }}.sarif
exit-code: 0
vuln-type: 'os,library'
severity: 'CRITICAL,HIGH,MEDIUM,LOW,UNKNOWN'
- name: Output Sarif File
shell: bash
run: cat ${{ github.workspace }}/trivy-results-${{ matrix.versions }}.sarif
- name: Output Sarif File
shell: bash
run: cat ${{ github.workspace }}/trivy-results-${{ matrix.versions }}.sarif
# This step checks out a copy of your repository.
- name: Upload SARIF file
uses: github/codeql-action/upload-sarif@959cbb7472c4d4ad70cdfe6f4976053fe48ab394
with:
token: ${{ github.token }}
# Path to SARIF file relative to the root of the repository
sarif_file: ${{ github.workspace }}/trivy-results-${{ matrix.versions }}.sarif
# This step checks out a copy of your repository.
- name: Upload SARIF file
uses: github/codeql-action/upload-sarif@896079047b4bb059ba6f150a5d87d47dde99e6e5 # v2.1.37
with:
token: ${{ github.token }}
# Path to SARIF file relative to the root of the repository
sarif_file: ${{ github.workspace }}/trivy-results-${{ matrix.versions }}.sarif
- name: Vulz Count
shell: bash
run: |
TRIVY_COUNT=$(cat ${{ github.workspace }}/trivy-results-${{ matrix.versions }}.sarif | jq '.runs[0].results | length')
echo "TRIVY_COUNT: $TRIVY_COUNT"
echo "Image Vulnerability scan output" >> $GITHUB_STEP_SUMMARY
echo "Image ID: registry.k8s.io/ingress-nginx/controller@${{ matrix.versions }}" >> $GITHUB_STEP_SUMMARY
echo "" >> $GITHUB_STEP_SUMMARY
echo "Trivy Count: $TRIVY_COUNT" >> $GITHUB_STEP_SUMMARY
- name: Vulz Count
shell: bash
run: |
TRIVY_COUNT=$(cat ${{ github.workspace }}/trivy-results-${{ matrix.versions }}.sarif | jq '.runs[0].results | length')
echo "TRIVY_COUNT: $TRIVY_COUNT"
echo "Image Vulnerability scan output" >> $GITHUB_STEP_SUMMARY
echo "Image ID: registry.k8s.io/ingress-nginx/controller@${{ matrix.versions }}" >> $GITHUB_STEP_SUMMARY
echo "" >> $GITHUB_STEP_SUMMARY
echo "Trivy Count: $TRIVY_COUNT" >> $GITHUB_STEP_SUMMARY