[containers/*] Trivy verification (#8)

* Add trivy verification phase to the pipeline * Fix branches in pull_request_target event Signed-off-by: Fran Mulero <fmulero@vmware.com>
2022-06-21 10:49:37 +02:00 · 2022-06-21 10:49:37 +02:00 · 9a2aaed1c4
parent cc8ad11929
commit 9a2aaed1c4
3 changed files with 54 additions and 16 deletions
--- a/.github/workflows/vib-verify.yaml
+++ b/.github/workflows/vib-verify.yaml
@ -7,8 +7,8 @@ on: # rebuild any PRs and main branch changes
      - synchronize
      - labeled
    branches:
-      - master
-      - bitnami:master
+      - main
+      - bitnami:main
 env:
  CSP_API_URL: https://console.cloud.vmware.com
  CSP_API_TOKEN: ${{ secrets.CSP_API_TOKEN }}
--- a/.vib/vib-scheduled-verify.json
+++ b/.vib/vib-scheduled-verify.json
@ -1,12 +1,12 @@
 {
+  "context": {
+    "resources": {
+      "url": "{VIB_ENV_URL}",
+      "path": "{VIB_ENV_PATH}"
+    }
+  },
  "phases": {
    "package": {
-      "context": {
-        "resources": {
-          "url": "{VIB_ENV_URL}",
-          "path": "{VIB_ENV_PATH}"
-        }
-      },
      "actions": [
        {
          "action_id": "container-image-package",
@ -20,7 +20,26 @@
          }
        },
        {
-          "action_id": "container-image-lint"
+          "action_id": "container-image-lint",
+          "params": {
+            "threshold": "warning"
+          }
+        }
+      ]
+    },
+    "verify": {
+      "actions": [
+        {
+          "action_id": "trivy",
+          "params": {
+            "threshold": "CRITICAL",
+            "vuln_type": [
+              "OS"
+            ],
+            "application": {
+              "kind": "CONTAINER_IMAGE"
+            }
+          }
        }
      ]
    }
--- a/.vib/vib-verify.json
+++ b/.vib/vib-verify.json
@ -1,12 +1,12 @@
 {
+  "context": {
+    "resources": {
+      "url": "{SHA_ARCHIVE}",
+      "path": "{VIB_ENV_PATH}"
+    }
+  },
  "phases": {
    "package": {
-      "context": {
-        "resources": {
-          "url": "{SHA_ARCHIVE}",
-          "path": "{VIB_ENV_PATH}"
-        }
-      },
      "actions": [
        {
          "action_id": "container-image-package",
@ -20,7 +20,26 @@
          }
        },
        {
-          "action_id": "container-image-lint"
+          "action_id": "container-image-lint",
+          "params": {
+            "threshold": "warning"
+          }
+        }
+      ]
+    },
+    "verify": {
+      "actions": [
+        {
+          "action_id": "trivy",
+          "params": {
+            "threshold": "CRITICAL",
+            "vuln_type": [
+              "OS"
+            ],
+            "application": {
+              "kind": "CONTAINER_IMAGE"
+            }
+          }
        }
      ]
    }