feat: add critical cve check

kubeshop · Oct 30, 2024 · 7c9cd74 · 7c9cd74
1 parent 978ef67
commit 7c9cd74
Show file tree

Hide file tree

Showing 2 changed files with 66 additions and 0 deletions.
diff --git a/.github/workflows/lint-images.yaml b/.github/workflows/lint-images.yaml
@@ -18,3 +18,27 @@ jobs:
       - name: Check that global.imagePullSecrets are applied to all images
         run: bash ./image_pull_secrets_check.sh
         working-directory: ./scripts
+
+      - name: Login to DockerHub
+        uses: docker/login-action@v3
+        with:
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+
+      - name: Login to GitHub Container Registry
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v2
+
+      - name: Install Docker Scout
+        run: |
+          curl -fsSL https://raw.githubusercontent.com/docker/scout-cli/main/install.sh | sh
+
+      - name: Check to make sure that images do not have critical CVEs
+        run: bash ./image_cve_check.sh
+        working-directory: ./scripts
diff --git a/scripts/image_cve_check.sh b/scripts/image_cve_check.sh
@@ -0,0 +1,42 @@
+#!/bin/bash
+
+AGENT_IMAGES=images.txt
+
+# Add repos
+helm repo add bitnami https://charts.bitnami.com/bitnami
+
+# Build the dependencies
+helm dependency build ../charts/testkube
+
+# Get images for the agent chart
+helm template test ../charts/testkube --skip-crds --set mongodb.enabled=false --set testkube-api.minio.enabled=false --set testkube-dashboard.enabled=false --set global.testWorkflows.createOfficialTemplates=false | grep "image:" | grep -v "{" | sed 's/"//g' | sed 's/docker.io\///g' | awk '{ print $2 }' | awk 'NF && !seen[$0]++' | sort > "$AGENT_IMAGES"
+
+# Get the images for the workflows
+helm template test ../charts/testkube --skip-crds --set mongodb.enabled=false --set testkube-api.minio.enabled=false --set testkube-dashboard.enabled=false --set global.testWorkflows.createOfficialTemplates=false | grep "testkube-tw" | sed 's/"//g' | sed 's/docker.io\///g' | awk '{ print $2 }' | awk 'NF && !seen[$0]++' | sort >> "$AGENT_IMAGES"
+
+# Sort these agent images
+sort -o "$AGENT_IMAGES" "$AGENT_IMAGES"
+
+# Check for images that do not start with the image registry
+failure=false
+while IFS= read -r image; do
+
+    echo "*******************"
+    echo "DOCKER SCOUT OUTPUT"
+    echo "==================="
+    docker scout cves $image --platform linux/amd64 --exit-code --only-severity critical 
+    ec=$?
+    echo "==================="
+
+    if [ $ec -ne 0 ]; then
+        echo "Failure: The '$image' has critical CVEs."
+        failure=true
+    fi
+done < "$AGENT_IMAGES"
+
+if [ "$failure" = true ]; then
+    echo "Critical CVEs detected."
+    exit 1
+fi
+
+echo "No critical CVEs detected."