Scan Antrea Docker image for vulnerabilities every day

Scan Antrea Docker image for vulnerabilities every day #680

Summary
Jobs
- build
- skip
Run details
- Usage
- Workflow file

Workflow file for this run

.github/workflows/trivy_scan.yml at 18e9111

	name: Scan Antrea Docker image for vulnerabilities every day

	on:
	schedule:
	# every day at 10am
	- cron: '0 10 * * *'
	workflow_dispatch:
	inputs:
	# This is useful for testing an arbitrary released version of Antrea.
	# If left unset, we will use the latest release (obtained using the Github API).
	antrea-version:
	description: 'The released Antrea version to scan'
	type: string
	required: false
	no-cache:
	description: 'Do not use a cached Trivy DB'
	type: boolean
	default: false

	jobs:
	build:
	if: github.repository == 'antrea-io/antrea'
	runs-on: ubuntu-latest
	steps:
	- name: Find greatest Antrea version
	id: find-antrea-greatest-version
	env:
	GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
	run: \|
	VERSION=${{ inputs.antrea-version }}
	if [ -z "$VERSION" ]; then
	VERSION=$(gh api /repos/antrea-io/antrea/releases/latest --jq '.tag_name')
	fi
	echo "antrea_version=$VERSION" >> $GITHUB_OUTPUT
	- name: Pull Antrea Docker images
	id: pull
	run: \|
	docker pull antrea/antrea-agent-ubuntu:latest
	docker pull antrea/antrea-agent-ubuntu:${{ steps.find-antrea-greatest-version.outputs.antrea_version }}
	docker pull antrea/antrea-controller-ubuntu:latest
	docker pull antrea/antrea-controller-ubuntu:${{ steps.find-antrea-greatest-version.outputs.antrea_version }}
	- name: Install Trivy
	uses: aquasecurity/[email protected]
	- name: Get current UTC date
	id: date
	run: echo "date=$(date -u +'%Y-%m-%d')" >> $GITHUB_OUTPUT
	- name: Restore Trivy DB cache
	if: ${{ !inputs.no-cache }}
	id: restore-db-cache
	uses: actions/cache/restore@v4
	with:
	path: ${{ github.workspace }}/.cache/trivy
	key: cache-trivy-db-${{ steps.date.outputs.date }}
	restore-keys: cache-trivy-db-
	- name: Download Trivy DB
	# We download the DB at most once a day, when there is no cache hit.
	if: ${{ inputs.no-cache \|\| steps.restore-db-cache.outputs.cache-hit != 'true' }}
	# Try downloading the vulnerability DB up to 5 times, to account for TOOMANYREQUESTS errors.
	# Need to specify the correct location for the download (using --cache-dir), so that
	# aquasecurity/trivy-action can find it.
	run: \|
	for i in {1..5}; do trivy image --download-db-only --cache-dir $GITHUB_WORKSPACE/.cache/trivy && break \|\| sleep 1; done
	- name: Save Trivy DB cache
	if: ${{ !inputs.no-cache && steps.restore-db-cache.outputs.cache-hit != 'true' }}
	uses: actions/cache/save@v4
	with:
	path: ${{ github.workspace }}/.cache/trivy
	key: ${{ steps.restore-db-cache.outputs.cache-primary-key }}
	- name: Run Trivy vulnerability scanner on latest antrea-agent Docker image
	if: ${{ always() && steps.pull.conclusion == 'success' }}
	uses: aquasecurity/[email protected]
	# we cannot use .trivy.yml as we need to override some config parameters
	# and that is not supported by aquasecurity/trivy-action
	with:
	scan-type: 'image'
	image-ref: 'antrea/antrea-agent-ubuntu:latest'
	exit-code: '1'
	ignore-unfixed: true
	severity: 'CRITICAL,HIGH'
	format: 'table'
	output: 'trivy.agent.latest.txt'
	skip-setup-trivy: true
	# Skip caching, as we do it manually when we download the DB in the previous step.
	cache: 'false'
	env:
	TRIVY_SKIP_DB_UPDATE: true
	TRIVY_SKIP_JAVA_DB_UPDATE: true
	- name: Run Trivy vulnerability scanner on latest antrea-controller Docker image
	if: ${{ always() && steps.pull.conclusion == 'success' }}
	uses: aquasecurity/[email protected]
	# we cannot use .trivy.yml as we need to override some config parameters
	# and that is not supported by aquasecurity/trivy-action
	with:
	scan-type: 'image'
	image-ref: 'antrea/antrea-controller-ubuntu:latest'
	exit-code: '1'
	ignore-unfixed: true
	severity: 'CRITICAL,HIGH'
	format: 'table'
	output: 'trivy.controller.latest.txt'
	skip-setup-trivy: true
	cache: 'false'
	env:
	TRIVY_SKIP_DB_UPDATE: true
	TRIVY_SKIP_JAVA_DB_UPDATE: true
	- name: Run Trivy vulnerability scanner on antrea-agent Docker image for latest released version
	if: ${{ always() && steps.pull.conclusion == 'success' }}
	uses: aquasecurity/[email protected]
	with:
	scan-type: 'image'
	image-ref: 'antrea/antrea-agent-ubuntu:${{ steps.find-antrea-greatest-version.outputs.antrea_version }}'
	exit-code: '1'
	ignore-unfixed: true
	severity: 'CRITICAL,HIGH'
	format: 'table'
	output: 'trivy.agent.${{ steps.find-antrea-greatest-version.outputs.antrea_version }}.txt'
	skip-setup-trivy: true
	cache: 'false'
	env:
	TRIVY_SKIP_DB_UPDATE: true
	TRIVY_SKIP_JAVA_DB_UPDATE: true
	- name: Run Trivy vulnerability scanner on antrea-controller Docker image for latest released version
	if: ${{ always() && steps.pull.conclusion == 'success' }}
	uses: aquasecurity/[email protected]
	with:
	scan-type: 'image'
	image-ref: 'antrea/antrea-controller-ubuntu:${{ steps.find-antrea-greatest-version.outputs.antrea_version }}'
	exit-code: '1'
	ignore-unfixed: true
	severity: 'CRITICAL,HIGH'
	format: 'table'
	output: 'trivy.controller.${{ steps.find-antrea-greatest-version.outputs.antrea_version }}.txt'
	skip-setup-trivy: true
	cache: 'false'
	env:
	TRIVY_SKIP_DB_UPDATE: true
	TRIVY_SKIP_JAVA_DB_UPDATE: true
	- name: Upload Trivy scan reports
	if: ${{ always() && steps.pull.conclusion == 'success' }}
	uses: actions/upload-artifact@v4
	with:
	name: trivy-scan-reports
	path: trivy.*.txt
	retention-days: 90 # max value
	skip:
	if: github.repository != 'antrea-io/antrea'
	runs-on: ubuntu-latest
	steps:
	- name: Skip
	run: \|
	echo "Skipping image scan because workflow cannot be run from fork"

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Scan Antrea Docker image for vulnerabilities every day #680

Workflow file

Scan Antrea Docker image for vulnerabilities every day #680

Jobs

Run details

Workflow file for this run