From 9077c7548670a5c197101bad5a8cfc2521ed3c25 Mon Sep 17 00:00:00 2001
From: Trevor Whitney
Date: Wed, 20 Mar 2024 12:43:02 -0600
Subject: [PATCH] ci: CVE scanning and bump release pipeline (#12031)
---
 .github/workflows/snyk-pr-comment.yml | 51 --------------------
 .github/workflows/snyk.yml | 5 +-
 .github/workflows/trivy-pr-comment.yml | 67 --------------------------
 3 files changed, 3 insertions(+), 120 deletions(-)
 delete mode 100644 .github/workflows/snyk-pr-comment.yml
 delete mode 100644 .github/workflows/trivy-pr-comment.yml
diff --git a/.github/workflows/snyk-pr-comment.yml b/.github/workflows/snyk-pr-comment.yml
deleted file mode 100644
index c54e9c55c3b58..0000000000000
--- a/.github/workflows/snyk-pr-comment.yml
+++ /dev/null
@@ -1,51 +0,0 @@
-name: PR Vulnerability Scan
-on: pull_request
-
-permissions:
- pull-requests: write
- issues: write
-
-jobs:
- snyk:
- name: Snyk Scan
- runs-on: ubuntu-latest
- if: ${{ !github.event.pull_request.head.repo.fork }}
- steps:
- - name: Checkout code
- uses: actions/checkout@master
- - name: Run Snyk to check for vulnerabilities
- uses: snyk/actions/golang@master
- continue-on-error: true # To make sure that PR comment is made
- env:
- SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
- with:
- command: test
- args: --severity-threshold=high --json-file-output=snyk.json
-
- - name: Prepare Snyk message
- run: |
- echo "Snyk scan found the following vulnerabilities:" > snyk.txt
-
- - name: Format Snyk Message
- uses: sergeysova/jq-action@v2
- continue-on-error: true
- with:
- cmd: jq -r '.vulnerabilities[] | "* **\(.severity)** - [\(.identifiers.CVE[0])] \(.title) in `\(.moduleName)` v\(.version). Fixed in \(.fixedIn)"' snyk.json >> snyk.txt
-
- - name: Determine whether to comment
- continue-on-error: true
- id: should-comment
- run: |
- if [[ $(wc -l < snyk.txt) -gt 1 ]]; then
- echo "\nTo see more details on these vulnerabilities, and how/where to fix them, please run `make scan-vulnerabilities` on your branch. If these were not introduced by your PR, please considering fixing them in `main` via a subsequent PR. Thanks!" >> snyk.txt
- exit 0;
- fi
-
- exit 1
-
- - name: Comment on PR with Snyk scan results
- uses: mshick/add-pr-comment@v2
- if: ${{ steps.should-comment.outcome == 'success' }}
- with:
- message-id: snyk-${{ github.event.number }}
- message-path: snyk.txt
diff --git a/.github/workflows/snyk.yml b/.github/workflows/snyk.yml
index 1c4c8a3616789..2239756cb67c8 100644
--- a/.github/workflows/snyk.yml
+++ b/.github/workflows/snyk.yml
@@ -1,11 +1,12 @@
 name: Snyk Monitor Scanning
 on:
 release:
- types: [published]
+ types: [published]
 push:
 branches:
- - 'main'
+ - 'main'
 - 'master'
+ - 'release-[0-9]+.[0-9]+.x'
 workflow_dispatch:
 jobs:
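Review bot: The added branch filter `'release-[0-9]+.[0-9]+.x'` relies on GitHub's filter-pattern syntax, in which `[0-9]` is a character class and `+` means one or more of the preceding character, so it is neither a shell glob nor a regex and is easy to misread; a comment above it such as `# GitHub filter pattern (not a regex): matches e.g. release-2.9.x` would spare the next reader a trip to the docs. Separately, the workflow name suggests the job runs `snyk monitor` (the job body is outside this hunk); if it does not pass a per-branch target reference, scans from main, master and every release branch will report into the same Snyk project and overwrite one another, so please confirm the job distinguishes branches now that several are in scope.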
diff --git a/.github/workflows/trivy-pr-comment.yml b/.github/workflows/trivy-pr-comment.yml
deleted file mode 100644
index ca69cb1b3ba7d..0000000000000
--- a/.github/workflows/trivy-pr-comment.yml
+++ /dev/null
@@ -1,67 +0,0 @@
-name: PR Vulnerability Scan
-on: pull_request_target
-
-permissions:
- pull-requests: write
- issues: write
-
-jobs:
- trivy:
- name: Trivy Scan
- runs-on: ubuntu-20.04
- steps:
- - name: Checkout code
- uses: actions/checkout@v3
-
- - name: Build Loki Image
- run: |
- IMAGE_TAG="$(./tools/image-tag)"
- make loki-image
- echo "IMAGE_TAG=${IMAGE_TAG}" >> $GITHUB_ENV
-
- - name: Run Trivy image scanner
- uses: aquasecurity/trivy-action@master
- with:
- image-ref: "docker.io/grafana/loki:${{ env.IMAGE_TAG }}"
- format: "json"
- output: "trivy-image.json"
- severity: "CRITICAL,HIGH"
-
- - name: Run Trivy fs scanner
- uses: aquasecurity/trivy-action@master
- with:
- scan-type: "fs"
- scan-ref: "go.mod"
- format: "json"
- output: "trivy-fs.json"
- severity: "CRITICAL,HIGH"
-
- - name: Prepare Trivy Message
- run: |
- echo "Trivy scan found the following vulnerabilities:" > trivy.txt
-
- - name: Format Trivy Message
- uses: sergeysova/jq-action@v2
- continue-on-error: true
- with:
- cmd: |
- jq -r '.Results[] | select(.Vulnerabilities != null) | .Target as $target | .Type as $type | .Vulnerabilities[] | "* **\(.Severity)**, Target: \($target), Type: \($type) [\(.Title)](\(.PrimaryURL)) in `\(.PkgName)` v\(.InstalledVersion). Fixed in v\(.FixedVersion)"' trivy-image.json >> trivy.txt
- jq -r '.Results[] | select(.Vulnerabilities != null) | .Target as $target | .Type as $type | .Vulnerabilities[] | "* **\(.Severity)**, Target: \($target), Type: \($type) [\(.Title)](\(.PrimaryURL)) in `\(.PkgName)` v\(.InstalledVersion). Fixed in v\(.FixedVersion)"' trivy-fs.json >> trivy.text
-
- - name: Determine whether to comment
- continue-on-error: true
- id: should-comment
- run: |
- if [[ $(wc -l < trivy.txt) -gt 1 ]]; then
- echo "\nTo see more details on these vulnerabilities, and how/where to fix them, please run `make scan-vulnerabilities` on your branch. If these were not introduced by your PR, please considering fixing them in `main` via a subsequent PR. Thanks!" >> trivy.txt
- exit 0;
- fi
-
- exit 1
-
- - name: Comment on PR with Trivy scan results
- uses: mshick/add-pr-comment@v2
- if: ${{ steps.should-comment.outcome == 'success' }}
- with:
- message-id: trivy-${{ github.event.number }}
- message-path: trivy.txt