cilium

1
name: Container Vulnerability Scan
2
on:
3
  schedule:
4
    - cron: "0 4 * * *"
5
  workflow_dispatch:
6

7
permissions: read-all
8

9
jobs:
10
  container-scan:
11
    if: github.repository_owner == 'cilium'
12
    name: Scan Containers
13
    runs-on: ubuntu-22.04
14
    continue-on-error: true
15
    strategy:
16
      matrix:
17
        image: [
18
          {name: cilium, dockerfile: ./images/cilium/Dockerfile},
19
          {name: clustermesh-apiserver, dockerfile: ./images/clustermesh-apiserver/Dockerfile},
20
          {name: docker-plugin, dockerfile: ./images/cilium-docker-plugin/Dockerfile},
21
          {name: hubble-relay, dockerfile: ./images/hubble-relay/Dockerfile},
22
          {name: operator-generic, dockerfile: ./images/operator/Dockerfile},
23
        ]
24
        branch: [v1.12, v1.13, v1.14, v1.15]
25
        include:
26
          - image: {name: kvstoremesh, dockerfile: ./images/kvstoremesh/Dockerfile}
27
            branch: v1.14
28
    steps:
29
      - name: Checkout
30
        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
31
        with:
32
          ref: ${{ matrix.branch }}
33
          persist-credentials: false
34
      - name: Set up Docker Buildx
35
        uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0
36
      - name: Build local container
37
        uses: docker/build-push-action@4a13e500e55cf31b7a5d59a38ab2040ab0f42f56 # v5.1.0
38
        with:
39
          context: . 
40
          tags: ${{ matrix.image.name }}:${{ matrix.branch }}
41
          push: false
42
          load: true
43
          file: ${{ matrix.image.dockerfile }}
44
          build-args: |
45
            OPERATOR_VARIANT=${{ matrix.image.name }}
46
      - name: Scan image
47
        uses: anchore/scan-action@3343887d815d7b07465f6fdcd395bd66508d486a # v3.6.4
48
        with:
49
          image: ${{ matrix.image.name }}:${{ matrix.branch }}
50
          output-format: table
51
          severity-cutoff: critical
52