Skip to content

Commit

Permalink
Add verify-govulncheck and verify-vulnerabilities targets and integra…
Browse files Browse the repository at this point in the history
…te to scan action
  • Loading branch information
chrischdi committed Aug 9, 2023
1 parent 88f495b commit 3d39d99
Show file tree
Hide file tree
Showing 3 changed files with 35 additions and 5 deletions.
Original file line number Diff line number Diff line change
@@ -1,4 +1,4 @@
name: Weekly image scan
name: Weekly security scan

on:
schedule:
Expand Down Expand Up @@ -28,5 +28,5 @@ jobs:
uses: actions/setup-go@fac708d6674e30b6ba41289acaab6d4b75aa0753 # tag=v4.0.1
with:
go-version: ${{ steps.vars.outputs.go_version }}
- name: Run verify container script
run: make verify-container-images
- name: Run verify security target
run: make verify-security
32 changes: 31 additions & 1 deletion Makefile
Original file line number Diff line number Diff line change
Expand Up @@ -6,7 +6,7 @@
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# Unless requiè by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
Expand Down Expand Up @@ -164,6 +164,11 @@ GOLANGCI_LINT_VER := $(shell cat .github/workflows/pr-golangci-lint.yaml | grep
GOLANGCI_LINT := $(abspath $(TOOLS_BIN_DIR)/$(GOLANGCI_LINT_BIN)-$(GOLANGCI_LINT_VER))
GOLANGCI_LINT_PKG := github.com/golangci/golangci-lint/cmd/golangci-lint

GOVULNCHECK_BIN := govulncheck
GOVULNCHECK_VER := v1.0.0
GOVULNCHECK := $(abspath $(TOOLS_BIN_DIR)/$(GOVULNCHECK_BIN)-$(GOVULNCHECK_VER))
GOVULNCHECK_PKG := golang.org/x/vuln/cmd/govulncheck

CONVERSION_VERIFIER_BIN := conversion-verifier
CONVERSION_VERIFIER := $(abspath $(TOOLS_BIN_DIR)/$(CONVERSION_VERIFIER_BIN))

Expand Down Expand Up @@ -653,6 +658,25 @@ verify-tiltfile: ## Verify Tiltfile format
verify-container-images: ## Verify container images
TRACE=$(TRACE) ./hack/verify-container-images.sh

.PHONY: verify-govulncheck
verify-govulncheck: $(GOVULNCHECK) ## Verify code for vulnerabilities
$(GOVULNCHECK) ./... && R1=$$? || R1=$$?; \
$(GOVULNCHECK) -C "$(TOOLS_DIR)" ./... && R2=$$? || R2=$$?; \
$(GOVULNCHECK) -C "$(TEST_DIR)" ./... && R3=$$? || R3=$$?; \
if [ "$$R1" -ne "0" ] || [ "$$R2" -ne "0" ] || [ "$$R3" -ne "0" ]; then \
exit 1; \
fi


.PHONY: verify-security
verify-security: ## Verify code and images for vulnerabilities
$(MAKE) verify-container-images && R1=$$? || R1=$$?; \
$(MAKE) verify-govulncheck && R2=$$? || R2=$$?; \
if [ "$$R1" -ne "0" ] || [ "$$R2" -ne "0" ]; then \
echo "Check for vulnerabilities failed! There are vulnerability to be fixed"; \
exit 1; \
fi

## --------------------------------------
## Binaries
## --------------------------------------
Expand Down Expand Up @@ -1249,6 +1273,9 @@ $(GINKGO_BIN): $(GINKGO) ## Build a local copy of ginkgo.
.PHONY: $(GOLANGCI_LINT_BIN)
$(GOLANGCI_LINT_BIN): $(GOLANGCI_LINT) ## Build a local copy of golangci-lint.

.PHONY: $(GOVULNCHECK_BIN)
$(GOVULNCHECK_BIN): $(GOVULNCHECK) ## Build a local copy of govulncheck.

$(CONTROLLER_GEN): # Build controller-gen from tools folder.
GOBIN=$(TOOLS_BIN_DIR) $(GO_INSTALL) $(CONTROLLER_GEN_PKG) $(CONTROLLER_GEN_BIN) $(CONTROLLER_GEN_VER)

Expand Down Expand Up @@ -1300,6 +1327,9 @@ $(GINKGO): # Build ginkgo from tools folder.
$(GOLANGCI_LINT): # Build golangci-lint from tools folder.
GOBIN=$(TOOLS_BIN_DIR) $(GO_INSTALL) $(GOLANGCI_LINT_PKG) $(GOLANGCI_LINT_BIN) $(GOLANGCI_LINT_VER)

$(GOVULNCHECK): # Build govulncheck.
GOBIN=$(TOOLS_BIN_DIR) $(GO_INSTALL) $(GOVULNCHECK_PKG) $(GOVULNCHECK_BIN) $(GOVULNCHECK_VER)

## --------------------------------------
## Helpers
## --------------------------------------
Expand Down
2 changes: 1 addition & 1 deletion docs/release/release-tasks.md
Original file line number Diff line number Diff line change
Expand Up @@ -426,7 +426,7 @@ While we add test coverage for the new release branch we will also drop the test
3. Remove tests for old release branches according to our policy documented in [Support and guarantees](../../CONTRIBUTING.md#support-and-guarantees)
For example, let's assume we just created tests for v1.4, then we can now drop test coverage for the release-1.1 branch.
4. Verify the jobs and dashboards a day later by taking a look at: `https://testgrid.k8s.io/sig-cluster-lifecycle-cluster-api-1.4`
5. Update `.github/workflows/weekly-image-scan.yaml` - to setup Trivy scanning - `.github/workflows/weekly-md-link-check.yaml` - to setup link checking in the CAPI book - and `.github/workflows/weekly-test-release.yaml` - to verify the release target is working - for the currently supported branches.
5. Update `.github/workflows/weekly-security-scan.yaml` - to setup Trivy and govulncheck scanning - `.github/workflows/weekly-md-link-check.yaml` - to setup link checking in the CAPI book - and `.github/workflows/weekly-test-release.yaml` - to verify the release target is working - for the currently supported branches.
Prior art:
Expand Down

0 comments on commit 3d39d99

Please sign in to comment.