-
Notifications
You must be signed in to change notification settings - Fork 1.2k
90 lines (86 loc) · 3.19 KB
/
lacework-inline-scanner.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
name: Lacework Inline Scanner
on:
workflow_run:
workflows: ["Build"]
types: [completed]
branches:
- "main"
workflow_dispatch:
inputs:
version:
required: true
type: string
description: "What Gitpod version to scan for CVEs"
jobs:
create-runner:
uses: gitpod-io/gce-github-runner/.github/workflows/create-vm.yml@main
secrets:
runner_token: ${{ secrets.SELF_HOSTED_GITHUB_RUNNER_TOKEN }}
gcp_credentials: ${{ secrets.SELF_HOSTED_GITHUB_RUNNER_GCP_CREDENTIALS }}
configuration:
name: Configuration
runs-on: ${{ needs.create-runner.outputs.label }}
needs: [create-runner]
outputs:
skip: ${{ steps.configuration.outputs.skip }}
version: ${{ steps.configuration.outputs.version }}
steps:
- name: "Set outputs"
id: configuration
run: |
if [[ '${{ github.event.workflow_run.run_number }}' == '' ]]; then
# The workflow was triggered by workflow_dispatch
{
echo "version=${{ github.event.inputs.version }}"
echo "skip=false"
} >> $GITHUB_OUTPUT
else
# The workflow was triggered by workflow_run
{
echo "version=main-gha.${{ github.event.workflow_run.run_number }}"
echo "skip=${{ github.event.workflow_run.conclusion == 'failure' }}"
} >> $GITHUB_OUTPUT
fi
scan-images:
name: Scan all docker images for CVEs
# TODO(gpl) Could easily be run on ubuntu:latest if we pushed some bash in lw-scan-images.sh into the installer
runs-on: ${{ needs.create-runner.outputs.label }}
needs: [configuration,create-runner]
if: ${{ needs.configuration.outputs.skip == 'false' }}
container:
image: eu.gcr.io/gitpod-core-dev/dev/dev-environment:aledbf-update-image-gha.17642
steps:
# Most of this is taken over from the Build workflow/preview-env-check-regressions workflow
- uses: actions/checkout@v4
- uses: ./.github/actions/setup-environment
with:
sa_key: ${{ secrets.GCP_CREDENTIALS }}
leeway_segment_key: ${{ secrets.LEEWAY_SEGMENT_KEY }}
- name: Get Secrets from GCP
id: "secrets"
uses: "google-github-actions/get-secretmanager-secrets@v1"
with:
secrets: |-
lacework-access-token:gitpod-core-dev/lacework-access-token
- name: Lacework Inline Scanner
id: lacework-inline-scanner
shell: bash
env:
VERSION: ${{needs.configuration.outputs.version}}
LW_ACCESS_TOKEN: "${{ steps.secrets.outputs.lacework-access-token }}"
# TODO(gpl) See docker.io access above
EXCLUDE_DOCKER_IO: true
run: |
$GITHUB_WORKSPACE/scripts/lw-scan-images.sh
delete-runner:
if: always()
needs:
- create-runner
- configuration
- scan-images
uses: gitpod-io/gce-github-runner/.github/workflows/delete-vm.yml@main
secrets:
gcp_credentials: ${{ secrets.SELF_HOSTED_GITHUB_RUNNER_GCP_CREDENTIALS }}
with:
runner-label: ${{ needs.create-runner.outputs.label }}
machine-zone: ${{ needs.create-runner.outputs.machine-zone }}