This commit adds get-published-images-scan-and-report.yaml, a re-usable workflow
that enables repositories to scan images from a public registry (in the case
of the Analytics team it defaults to charmedkubeflow) and reports back
the security vulnerabilities as GitHub issues.
This workflow is intended to be used on demand (using a workflow dispatch)
and on schedule, as it will be used for continuous testing of the published
images a rock repository generates.
This re-usable workflow can be used for reporting security vulnerabilities
via GitHub issues. It takes the issue title, image-name, and issue-labels as
inputs, and in turn:
- edits an existing issue with the same title and updates the vulnerability report
- creates a new issue with the issue-title and adds the vulnerability report in the description
Please NOTE this workflow assumes the existence of vulnerability reports as artefacts
of a workflow run; that is, it expects artefacts named trivy-report- to
be present in the same workflow run.
This PR brings all the changes from KF-6331-dev-branch into main.
Bump the version of these actions to be up to date with the latest.
All changes have been tested individually in their respective PRs.
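The create-or-update behaviour the commit message above describes (edit the open issue with the same title, otherwise open a new one, with the findings taken from the Trivy report artefacts of the same run), as an added Python example. This is illustration code written for this page, not the project's workflow or any of its scripts; the InMemoryIssues client, the artefact names trivy-report-amd64 and trivy-report-arm64, the image name and the placeholder CVE IDs are all constructed, and a real deployment would swap the client for the GitHub API and feed the workflow's issue-title, image-name and issue-labels inputs through to upsert_issue.

```python
"""Stand-in for the scan-and-report workflow's issue step: flatten Trivy JSON
reports into a Markdown table and create-or-update one GitHub issue per image,
matched by exact title. Added illustration, not the project's workflow; the
client interface, artefact names and findings below are constructed."""
from dataclasses import dataclass

SEVERITY_ORDER = {"CRITICAL": 0, "HIGH": 1, "MEDIUM": 2, "LOW": 3, "UNKNOWN": 4}

# Constructed reports keyed by artefact name, in Trivy's JSON layout
# (Results[].Vulnerabilities[]); the IDs are placeholders, not real advisories.
SAMPLE_REPORTS = {
    "trivy-report-amd64": {"Results": [{
        "Target": "charmedkubeflow/example:1.0 (ubuntu 22.04)",
        "Vulnerabilities": [
            {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libexample",
             "InstalledVersion": "1.0-1", "FixedVersion": "1.0-2", "Severity": "HIGH"},
            {"VulnerabilityID": "CVE-0000-0002", "PkgName": "libother",
             "InstalledVersion": "2.3", "Severity": "CRITICAL"}]}]},
    # A clean target: Trivy omits the key (or emits null) when nothing was found.
    "trivy-report-arm64": {"Results": [{
        "Target": "charmedkubeflow/example:1.0 (ubuntu 22.04)", "Vulnerabilities": None}]},
}


def collect_vulns(reports):
    """Flatten every report into rows, most severe first, then by ID."""
    rows = []
    for artefact, report in reports.items():
        for result in report.get("Results", []):
            for v in result.get("Vulnerabilities") or []:
                rows.append({
                    "artefact": artefact, "target": result.get("Target", ""),
                    "id": v.get("VulnerabilityID", ""), "pkg": v.get("PkgName", ""),
                    "installed": v.get("InstalledVersion", ""),
                    "fixed": v.get("FixedVersion") or "",
                    "severity": v.get("Severity", "UNKNOWN")})
    rows.sort(key=lambda r: (SEVERITY_ORDER.get(r["severity"], 4), r["id"]))
    return rows


def render_body(image, rows):
    """Markdown issue body; an empty table still records a clean scan."""
    lines = [f"Trivy findings for `{image}`", "",
             "| Severity | ID | Package | Installed | Fixed | Target | Report |",
             "|---|---|---|---|---|---|---|"]
    for r in rows:
        lines.append(f"| {r['severity']} | {r['id']} | {r['pkg']} | {r['installed']} | "
                     f"{r['fixed'] or 'n/a'} | {r['target']} | {r['artefact']} |")
    return "\n".join(lines)


@dataclass
class Issue:
    number: int
    title: str
    body: str
    labels: list
    state: str = "open"


class InMemoryIssues:
    """Offline stand-in for the GitHub issues API; a real client (PyGithub,
    `gh issue`, plain REST) only needs these three operations."""
    def __init__(self):
        self.issues = []

    def list_open(self):
        return [i for i in self.issues if i.state == "open"]

    def create(self, title, body, labels):
        issue = Issue(len(self.issues) + 1, title, body, sorted(set(labels)))
        self.issues.append(issue)
        return issue

    def update(self, number, body, labels):
        issue = next(i for i in self.issues if i.number == number)
        issue.body, issue.labels = body, sorted(set(issue.labels) | set(labels))
        return issue


def upsert_issue(client, title, body, labels):
    """Update the open issue whose title matches exactly, else create one.
    Exact comparison matters: GitHub search's `in:title` is a fuzzy match, so
    looking up "[Trivy] foo" can return "[Trivy] foo-bar" and overwrite the
    wrong image's report. Returns (issue, created)."""
    matches = [i for i in client.list_open() if i.title == title]
    if matches:  # oldest open duplicate wins, so repeated runs stay deterministic
        target = min(matches, key=lambda i: i.number)
        return client.update(target.number, body, labels), False
    return client.create(title, body, labels), True


if __name__ == "__main__":
    image = "charmedkubeflow/example:1.0"
    client = InMemoryIssues()
    body = render_body(image, collect_vulns(SAMPLE_REPORTS))
    issue, created = upsert_issue(client, f"[Trivy] {image}", body, ["security"])
    print("created" if created else "updated", f"#{issue.number}\n{issue.body}")
```

Two points worth carrying over to the real workflow: compare titles for exact equality after fetching candidates rather than trusting a title search, and decide explicitly what happens when a previous issue for the same image was closed (here only open issues are matched, so a new issue is opened, which is usually what you want for a re-appearing finding).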