chore: Bump k8s.io/apimachinery from 0.33.6 to 0.33.7 #4388
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: scan_vulns | |
| on: | |
| push: | |
| paths-ignore: | |
| - "docs/**" | |
| - "library/**" | |
| - "**.md" | |
| pull_request: | |
| paths-ignore: | |
| - "docs/**" | |
| - "library/**" | |
| - "**.md" | |
| schedule: | |
| - cron: "30 8 * * 0" # early morning (08:30 UTC) every Sunday | |
| workflow_dispatch: | |
| permissions: read-all | |
| jobs: | |
| govulncheck: | |
| name: "Run govulncheck" | |
| runs-on: ubuntu-22.04 | |
| timeout-minutes: 15 | |
| steps: | |
| - name: Harden Runner | |
| uses: step-security/harden-runner@95d9a5deda9de15063e7595e9719c11c38c90ae2 # v2.13.2 | |
| with: | |
| egress-policy: audit | |
| - uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0 | |
| with: | |
| go-version: "1.22" | |
| check-latest: true | |
| - uses: golang/govulncheck-action@b625fbe08f3bccbe446d94fbf87fcc875a4f50ee # v1.0.4 | |
| scan_vulnerabilities: | |
| name: "[Trivy] Scan for vulnerabilities" | |
| runs-on: ubuntu-22.04 | |
| timeout-minutes: 15 | |
| env: | |
| TRIVY_VERSION: 0.58.2 | |
| steps: | |
| - name: Harden Runner | |
| uses: step-security/harden-runner@95d9a5deda9de15063e7595e9719c11c38c90ae2 # v2.13.2 | |
| with: | |
| egress-policy: audit | |
| - name: Check out code into the Go module directory | |
| uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 | |
| - name: Download trivy | |
| run: | | |
| pushd $(mktemp -d) | |
| wget https://github.com/aquasecurity/trivy/releases/download/v${{ env.TRIVY_VERSION }}/trivy_${{ env.TRIVY_VERSION }}_Linux-64bit.tar.gz | |
| tar zxvf trivy_${{ env.TRIVY_VERSION }}_Linux-64bit.tar.gz | |
| echo "$(pwd)" >> $GITHUB_PATH | |
| - name: Restore Trivy cache | |
| uses: ./.github/actions/restore_trivy_cache | |
| - name: Run trivy on git repository | |
| run: | | |
| trivy fs --skip-db-update --format table --ignore-unfixed --scanners vuln . | |
| - name: Build docker images | |
| run: | | |
| make build-local-ratify-gatekeeper-provider-image | |
| - name: Run trivy on images for all severity | |
| run: | | |
| trivy image --skip-db-update --ignore-unfixed --vuln-type="os,library" "localbuild:test" | |
| - name: Run trivy on images and exit on HIGH/CRITICAL severity | |
| run: | | |
| trivy image --skip-db-update --ignore-unfixed --exit-code 1 --severity HIGH,CRITICAL --vuln-type="os,library" "localbuild:test" |