From 6381c8795b5390f57660a9dd785e18b3f7bc8f95 Mon Sep 17 00:00:00 2001
From: zhzhuang-zju
Date: Mon, 16 Oct 2023 21:25:31 +0800
Subject: [PATCH] CI: add image scanning

Signed-off-by: zhzhuang-zju
---
 .github/workflows/ci-image-scanning.yaml | 39 ++++++++++++++++++++++++
 1 file changed, 39 insertions(+)
 create mode 100644 .github/workflows/ci-image-scanning.yaml

diff --git a/.github/workflows/ci-image-scanning.yaml b/.github/workflows/ci-image-scanning.yaml
new file mode 100644
index 000000000000..0e92230f7b9d
--- /dev/null
+++ b/.github/workflows/ci-image-scanning.yaml
@@ -0,0 +1,39 @@
+name: image-scanning
+on:
+ push:
+jobs:
+ use-trivy-to-scan-image:
+ name: image-scanning
+ if: ${{ github.repository == 'karmada-io/karmada' }}
+ runs-on: ubuntu-22.04
+ strategy:
+ fail-fast: false
+ matrix:
+ target:
+ - karmada-controller-manager
+ - karmada-scheduler
+ - karmada-descheduler
+ - karmada-webhook
+ - karmada-agent
+ - karmada-scheduler-estimator
+ - karmada-interpreter-webhook-example
+ - karmada-aggregated-apiserver
+ - karmada-search
+ - karmada-operator
+ - karmada-metrics-adapter
+ steps:
+ - name: checkout code
+ uses: actions/checkout@v2
+ - name: Build an image from Dockerfile
+ run: |
+ export VERSION="latest"
+ export REGISTRY="docker.io/karmada"
+ make image-${{ matrix.target }}
+ - name: Run Trivy vulnerability scanner
+ uses: aquasecurity/trivy-action@0.12.0
+ with:
+ image-ref: 'docker.io/karmada/${{ matrix.target }}:latest'
+ format: 'table'
+ ignore-unfixed: true
+ vuln-type: 'os,library'
+ exit-code: '1'
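Review bot: The new workflow declares no `permissions:` block, so the job runs with the repository's default GITHUB_TOKEN scope, and both actions are referenced by mutable tags (`actions/checkout@v2`, `aquasecurity/trivy-action@0.12.0`) rather than a commit SHA, which leaves the build open to a tag being moved. For a job that only checks out the tree, builds an image and runs a scanner, add a top-level `permissions:` with `contents: read` directly after `name: image-scanning`, and pin each `uses:` to the full commit SHA of the release with the version in a trailing comment; checkout v2 is also a deprecated major, so the pin should target a current release. The scan passes no `severity:` filter, so with `exit-code: '1'` any fixed OS or library finding of any severity (LOW included, as far as Trivy's default severity set goes) fails the run — that may be intended, but if not, `severity: 'CRITICAL,HIGH'` under `with:` makes the policy explicit. Because the trigger is a bare `push:` with no `pull_request` event and the job is gated on `github.repository == 'karmada-io/karmada'`, fork PRs are never scanned before merge, which is worth stating in a comment above `on:` so the gap reads as deliberate.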