Lacework Inline Scanner #544
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Lacework Inline Scanner | |
on: | |
workflow_run: | |
workflows: ["Build"] | |
types: [completed] | |
branches: | |
- "main" | |
workflow_dispatch: | |
inputs: | |
version: | |
required: true | |
type: string | |
description: "What Gitpod version to scan for CVEs" | |
jobs: | |
create-runner: | |
uses: gitpod-io/gce-github-runner/.github/workflows/create-vm.yml@main | |
secrets: | |
runner_token: ${{ secrets.SELF_HOSTED_GITHUB_RUNNER_TOKEN }} | |
gcp_credentials: ${{ secrets.SELF_HOSTED_GITHUB_RUNNER_GCP_CREDENTIALS }} | |
configuration: | |
name: Configuration | |
runs-on: ${{ needs.create-runner.outputs.label }} | |
needs: [create-runner] | |
outputs: | |
skip: ${{ steps.configuration.outputs.skip }} | |
version: ${{ steps.configuration.outputs.version }} | |
steps: | |
- name: "Set outputs" | |
id: configuration | |
run: | | |
if [[ '${{ github.event.workflow_run.run_number }}' == '' ]]; then | |
# The workflow was triggered by workflow_dispatch | |
{ | |
echo "version=${{ github.event.inputs.version }}" | |
echo "skip=false" | |
} >> $GITHUB_OUTPUT | |
else | |
# The workflow was triggered by workflow_run | |
{ | |
echo "version=main-gha.${{ github.event.workflow_run.run_number }}" | |
echo "skip=${{ github.event.workflow_run.conclusion == 'failure' }}" | |
} >> $GITHUB_OUTPUT | |
fi | |
scan-images: | |
name: Scan all docker images for CVEs | |
# TODO(gpl) Could easily be run on ubuntu:latest if we pushed some bash in lw-scan-images.sh into the installer | |
runs-on: ${{ needs.create-runner.outputs.label }} | |
needs: [configuration,create-runner] | |
if: ${{ needs.configuration.outputs.skip == 'false' }} | |
container: | |
image: eu.gcr.io/gitpod-core-dev/dev/dev-environment:aledbf-update-image-gha.17642 | |
steps: | |
# Most of this is taken over from the Build workflow/preview-env-check-regressions workflow | |
- uses: actions/checkout@v4 | |
- uses: ./.github/actions/setup-environment | |
with: | |
sa_key: ${{ secrets.GCP_CREDENTIALS }} | |
leeway_segment_key: ${{ secrets.LEEWAY_SEGMENT_KEY }} | |
- name: Get Secrets from GCP | |
id: "secrets" | |
uses: "google-github-actions/get-secretmanager-secrets@v1" | |
with: | |
secrets: |- | |
lacework-access-token:gitpod-core-dev/lacework-access-token | |
- name: Lacework Inline Scanner | |
id: lacework-inline-scanner | |
shell: bash | |
env: | |
VERSION: ${{needs.configuration.outputs.version}} | |
LW_ACCESS_TOKEN: "${{ steps.secrets.outputs.lacework-access-token }}" | |
# TODO(gpl) See docker.io access above | |
EXCLUDE_DOCKER_IO: true | |
run: | | |
$GITHUB_WORKSPACE/scripts/lw-scan-images.sh | |
delete-runner: | |
if: always() | |
needs: | |
- create-runner | |
- configuration | |
- scan-images | |
uses: gitpod-io/gce-github-runner/.github/workflows/delete-vm.yml@main | |
secrets: | |
gcp_credentials: ${{ secrets.SELF_HOSTED_GITHUB_RUNNER_GCP_CREDENTIALS }} | |
with: | |
runner-label: ${{ needs.create-runner.outputs.label }} | |
machine-zone: ${{ needs.create-runner.outputs.machine-zone }} |