kubeflow / manifests

A repository for Kustomize manifests
Apache License 2.0

Create security scan script #2731

Closed. hansinikarunarathne closed this 2 weeks ago

hansinikarunarathne commented 1 month ago

Pull Request Template for Kubeflow manifests Issues

✏️ A brief description of the changes

  1. I added a script for security vulnerability scanning with Trivy.

  2. I moved the image-extraction part of extract_images.sh into trivy_scan.sh.

  3. The script creates a security scan report for each image in a WG. Those scan reports are saved as JSON in docs/image_lists/security_scan_reports/{WG_names}.

  4. Severity counts of all images belonging to the WGs are saved in docs/image_lists/severity_counts_with_images_for_WG.

  5. A summary of all security scan counts is saved in summary_of_severity_counts_for_WG, in JSON and table format.

  6. I created a GitHub Action that runs when a PR is merged to master, to automate the whole process and print the table.

  7. The trivy_scan.sh file inside the hack folder can also be run manually.


juliusvonkohout commented 1 month ago

Please extend and rename the extract_images script to provide all of this information at once. You can still name it trivy_scan.sh. Please provide per-working-group and total information, similar to the extract_images script.

So trivy_scan.sh should do all of this.

For non-pullable images you can just output a warning and otherwise ignore them.

juliusvonkohout commented 1 month ago

You need to generate per-working-group lists and a total list, and generate this table:

`WG1_images.txt` `WG1_CVEs.json` `WG2_images.txt` `WG2_CVEs.json` ... `total_images.txt` `total_CVEs.json`

Afterwards you can add a GitHub Actions workflow to generate this table on merges to master.

juliusvonkohout commented 1 month ago

Please be aware of https://github.com/kubeflow/manifests/pull/2733

hansinikarunarathne commented 2 weeks ago

> You need to generate per-working-group lists and a total list, and generate this table:
>
> `WG1_images.txt` `WG1_CVEs.json` `WG2_images.txt` `WG2_CVEs.json` ... `total_images.txt` `total_CVEs.json`
>
> Afterwards you can add a GitHub Actions workflow to generate this table on merges to master.

I automated the trivy_scan process and created a GitHub Action to run the Trivy scanning process and print the table. You can find my GitHub Action in my forked repository of Kubeflow: https://github.com/hansinikarunarathne/kubeflow-manifests/actions/runs/9431495509

(screenshot of the table)

juliusvonkohout commented 2 weeks ago

The dependencies should be checked and installed if not available, e.g. prettytable and trivy, if someone runs this locally on Ubuntu or Fedora.
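Putting the procedure from the PR description (per-WG image lists, one Trivy JSON report per image, severity counts per WG and in total, a printed table) together with the dependency check requested in the comment above, as an added example that is not the project's own `hack/trivy_scan.sh`. Everything about the file layout is an assumption: image lists are expected as `<lists_dir>/<WG>_images.txt` with one image per line, reports land under `<out_dir>/security_scan_reports/<WG>/`, and trivy is assumed to be installable from a package repository that is already configured on the host (on Ubuntu or Fedora that means Aqua's apt or yum repository). The sample report at the end is constructed to have the shape of a Trivy report and is not real scanner output.

```shell
#!/bin/sh
# Added example, not kubeflow/manifests code: per-working-group Trivy scan with
# dependency check. Assumed layout: <lists_dir>/<WG>_images.txt (one image per line),
# reports under <out_dir>/security_scan_reports/<WG>/, trivy installable via apt-get/dnf
# from a repository already configured on the host.
set -eu

SEVERITIES="CRITICAL HIGH MEDIUM LOW UNKNOWN"

# Check that a command exists; if not, try apt-get (Ubuntu) or dnf (Fedora), then re-check.
ensure_dep() {
  local cmd="$1"
  command -v "$cmd" >/dev/null 2>&1 && return 0
  echo "INFO: $cmd not found, trying to install it" >&2
  if command -v apt-get >/dev/null 2>&1; then sudo apt-get install -y "$cmd" || true
  elif command -v dnf >/dev/null 2>&1; then sudo dnf install -y "$cmd" || true
  fi
  command -v "$cmd" >/dev/null 2>&1 || { echo "ERROR: $cmd is required" >&2; return 1; }
}

# "CRITICAL=0 HIGH=0 MEDIUM=0 LOW=0 UNKNOWN=0": the starting point for every sum.
zero_counts() {
  local out="" sev
  for sev in $SEVERITIES; do out="$out$sev=0 "; done
  printf '%s\n' "${out% }"
}

# get_count "CRITICAL=1 HIGH=2 ..." HIGH -> 2 (0 when the key is absent).
get_count() {
  local pair
  for pair in $1; do
    [ "${pair%%=*}" = "$2" ] && { printf '%s\n' "${pair#*=}"; return 0; }
  done
  printf '0\n'
}

# add_counts A B: element-wise sum of two count strings.
add_counts() {
  local out="" sev
  for sev in $SEVERITIES; do
    out="$out$sev=$(( $(get_count "$1" "$sev") + $(get_count "$2" "$sev") )) "
  done
  printf '%s\n' "${out% }"
}

# Count findings per severity in a Trivy JSON report. Trivy writes one
# "Severity": "<LEVEL>" pair per vulnerability, so grep is enough and jq is not needed.
severity_counts() {
  local out="" sev n
  for sev in $SEVERITIES; do
    n=$(grep -oE "\"Severity\": *\"$sev\"" "$1" | wc -l)
    out="$out$sev=$((n)) "
  done
  printf '%s\n' "${out% }"
}

# Scan one image into <outdir>/<sanitised name>.json and print its counts. Trivy exits 0
# even when it finds vulnerabilities (unless --exit-code is given), so a non-zero status
# means the scan itself failed, typically an image that cannot be pulled: warn and skip.
scan_image() {
  local image="$1" outdir="$2" report counts
  report="$outdir/$(printf '%s' "$image" | tr '/:@' '___').json"
  if ! trivy image --quiet --format json --output "$report" "$image"; then
    echo "WARNING: could not scan $image (not pullable?), skipping" >&2
    rm -f "$report"
    return 1
  fi
  counts=$(severity_counts "$report")
  printf '%s %s\n' "$image" "$counts" >>"$outdir/severity_counts_with_images.txt"
  printf '%s\n' "$counts"
}

# Scan every image in list file $1 (blank lines and '#' comments ignored) into directory $2
# and print the summed counts for that working group.
scan_wg() {
  local list="$1" outdir="$2" image counts total
  total=$(zero_counts)
  while IFS= read -r image || [ -n "$image" ]; do
    case "$image" in ''|'#'*) continue ;; esac
    counts=$(scan_image "$image" "$outdir") || continue
    total=$(add_counts "$total" "$counts")
  done <"$list"
  printf '%s\n' "$total"
}

# main <lists_dir> <out_dir>: per-WG reports and counts, then the summary table.
main() {
  local lists_dir="$1" out_dir="$2" summary list wg wg_dir counts total
  ensure_dep trivy
  mkdir -p "$out_dir"
  summary="$out_dir/summary_of_severity_counts_for_WG.txt"
  : >"$summary"
  total=$(zero_counts)
  for list in "$lists_dir"/*_images.txt; do
    wg=$(basename "$list" _images.txt)
    wg_dir="$out_dir/security_scan_reports/$wg"
    mkdir -p "$wg_dir"
    counts=$(scan_wg "$list" "$wg_dir")
    printf '%-24s %s\n' "$wg" "$counts" >>"$summary"
    total=$(add_counts "$total" "$counts")
  done
  printf '%-24s %s\n' TOTAL "$total" >>"$summary"
  cat "$summary"
}

# Constructed sample shaped like a Trivy report (not real scanner output) so the counting
# functions can be exercised without pulling an image: write_sample_report <path>.
write_sample_report() {
  cat >"$1" <<'EOF'
{ "ArtifactName": "example.invalid/wg/demo:1.0",
  "Results": [ { "Target": "demo (alpine)", "Vulnerabilities": [
      {"PkgName": "libfoo", "Severity": "CRITICAL", "VendorSeverity": {"nvd": 4}},
      {"PkgName": "libbar", "Severity": "HIGH"},
      {"PkgName": "libbaz", "Severity": "HIGH"},
      {"PkgName": "libqux", "Severity": "MEDIUM"} ] } ] }
EOF
}

# Only scan when called with arguments; sourcing the file just defines the functions.
if [ "$#" -ge 2 ]; then main "$1" "$2"; fi
```

Run it as `sh trivy_scan_example.sh docs/image_lists out`. One detail worth checking before trusting this in CI: because Trivy returns 0 on findings unless `--exit-code` is set, a non-zero status is a scan failure, usually an image that cannot be pulled. The script warns and skips as requested above, but that also means a registry outage silently shrinks the report, so count the WARNING lines in the workflow log before believing a low total.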

juliusvonkohout commented 2 weeks ago

/lgtm /approve

Let's follow up with the remaining stuff in a new PR.

google-oss-prow[bot] commented 2 weeks ago

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: juliusvonkohout

Needs approval from an approver in each of these files:

- ~~[OWNERS](https://github.com/kubeflow/manifests/blob/master/OWNERS)~~ [juliusvonkohout]

Approvers can indicate their approval by writing `/approve` in a comment. Approvers can cancel approval by writing `/approve cancel` in a comment.

juliusvonkohout commented 2 weeks ago

https://github.com/kubeflow/manifests/actions/runs/9463132552/job/26067629950 will be interesting.