Code scanning #867

Workflow file for this run

	name: Code scanning
	on:
	pull_request:
	schedule:
	- cron: '0 2 * * 1-5'

	jobs:
	prepare:
	name: Generate matrix
	runs-on: ubuntu-22.04
	outputs:
	matrix: ${{ steps.set-matrix.outputs.matrix }}
	changed_files: ${{ steps.changed-files.outputs.all_changed_files }}
	steps:
	- name: Checkout code
	uses: actions/checkout@v4
	- name: Get changed files
	id: changed-files
	uses: tj-actions/changed-files@v46
	- id: set-matrix
	run: \|
	matrix=$(./gen-matrix.sh)
	echo matrix="$matrix" >> $GITHUB_OUTPUT

	scan:
	name: Scan
	needs:
	- prepare
	strategy:
	fail-fast: false
	matrix:
	image_tag: ${{fromJson(needs.prepare.outputs.matrix)}}
	runs-on: ubuntu-22.04
	steps:
	- name: Determine image path
	id: imagepath
	run: \|
	echo "base=${IMAGE_TAG//://}" >> $GITHUB_OUTPUT
	echo "value=./images/${IMAGE_TAG//://}" >> $GITHUB_OUTPUT
	env:
	IMAGE_TAG: ${{ matrix.image_tag }}
	- name: Checkout code
	if: ${{ contains(needs.prepare.outputs.changed_files, steps.imagepath.outputs.base) }}
	uses: actions/checkout@v4
	- name: Build an image from Dockerfile
	if: ${{ contains(needs.prepare.outputs.changed_files, steps.imagepath.outputs.base) }}
	run: \|
	hack/docker-buildx.sh --progress=plain --load -t quay.io/k0sproject/${{ matrix.image_tag }}-${{ github.sha }} ${{ steps.imagepath.outputs.value }}
	- name: Run Trivy vulnerability scanner
	if: ${{ contains(needs.prepare.outputs.changed_files, steps.imagepath.outputs.base) }}
	uses: aquasecurity/[email protected]
	with:
	image-ref: 'quay.io/k0sproject/${{ matrix.image_tag }}-${{ github.sha }}'
	format: 'table'
	ignore-unfixed: true
	vuln-type: 'os,library'
	# Disabling exit code for now, as we have some vulnerabilities that we need to fix
	#exit-code: '1'
	severity: 'CRITICAL,HIGH'

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Code scanning #867

Workflow file

Code scanning #867

Uh oh!

Jobs

Run details

Workflow file for this run