🌱 Run verify-security weekly as a GitHub action #429
Conversation
k8s-ci-robot
added
the
cncf-cla: yes
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: mboersma The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
k8s-ci-robot
added
approved
mboersma
force-pushed
the
verify-security
branch
2 times, most recently
from
a76f7e6 to
442df18
Compare
| RELEASE_NOTES_BIN := release-notes | ||
| RELEASE_NOTES := $(TOOLS_BIN_DIR)/$(RELEASE_NOTES_BIN)-$(RELEASE_NOTES_VER) | ||
|
|
||
| TRIVY_VER := 0.64.0 |
There was a problem hiding this comment.
wouldn't it be nice if there were a way to integrate general purpose tool binary installs into dependabot? seems that's an unsolved problem https://docs.github.com/en/code-security/dependabot/ecosystems-supported-by-dependabot/supported-ecosystems-and-repositories#supported-ecosystems-and-repositories
There was a problem hiding this comment.
actually for trivy maybe we can use docker run?
(not blocking this PR, just thinking out loud)
There was a problem hiding this comment.
for trivy maybe we can use docker run?
Sure, that would probably be cleaner. I was just trying to minimize the delta between these same scripts here and in CAPI and CAPZ.
k8s-ci-robot
added
the
needs-rebase
mboersma
force-pushed
the
verify-security
branch
from
442df18 to
abf9040
Compare
k8s-ci-robot
removed
the
needs-rebase
There was a problem hiding this comment.
Pull Request Overview
This PR implements a weekly security scanning workflow for the Kubernetes cluster-api-helm project. It adds comprehensive security verification including both container image scanning and Go code vulnerability checks.
- Introduces a new
verify-securityMakefile target that runs both container image and Go vulnerability scans - Refactors Trivy installation to use a reusable script with version-specific caching
- Replaces the existing weekly scan workflow with a more comprehensive security scanning approach
Reviewed Changes
Copilot reviewed 5 out of 5 changed files in this pull request and generated 1 comment.
Show a summary per file
| File | Description |
|---|---|
| hack/verify-container-images.sh | Simplified by delegating Trivy installation to a separate script and fixing variable references |
| hack/ensure-trivy.sh | New script that handles Trivy installation with version-specific caching |
| Makefile | Adds security verification targets and govulncheck tool configuration |
| .github/workflows/security-scan.yml | New comprehensive weekly security scan workflow |
| .github/workflows/scan.yml | Removed old scan workflow (replaced by security-scan.yml) |
Tip: Customize your code reviews with copilot-instructions.md. Create the file or learn how to get started.
| TOOL_BIN=hack/tools/bin | ||
| mkdir -p ${TOOL_BIN} |
There was a problem hiding this comment.
Variables should be quoted to handle paths with spaces. Change to TOOL_BIN="hack/tools/bin" and mkdir -p "${TOOL_BIN}".
| TOOL_BIN=hack/tools/bin | |
| mkdir -p ${TOOL_BIN} | |
| TOOL_BIN="hack/tools/bin" | |
| mkdir -p "${TOOL_BIN}" |
Copilot uses AI. Check for mistakes.
|
/hold |
k8s-ci-robot
added
the
do-not-merge/hold
What this PR does / why we need it:
Adds the
make verify-securitytarget and runs it on a weekly basis. This is ported from similar code in CAPI and CAPZ.Which issue(s) this PR fixes:
Fixes #