
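---
# Scheduled CVE scan of the upstream Flux controller images.
#
# Job `get-controllers` resolves the exact controller image references for the
# Flux CLI version pinned below and exposes them as job outputs; job
# `scan-controllers` hands those references to the reusable scan workflow.
name: Upstream CVE scan
on:
  workflow_dispatch:
  schedule:
    # Weekdays at 03:00 UTC.
    - cron: '00 3 * * 1-5'
# Least privilege by default; each job declares what it needs.
permissions:
  contents: read
jobs:
  get-controllers:
    runs-on: ubuntu-latest
    permissions:
      contents: read
    # One output per controller image; consumed by `scan-controllers` below.
    outputs:
      sc: ${{ steps.version.outputs.sc }}
      kc: ${{ steps.version.outputs.kc }}
      hc: ${{ steps.version.outputs.hc }}
      nc: ${{ steps.version.outputs.nc }}
      irc: ${{ steps.version.outputs.irc }}
      iac: ${{ steps.version.outputs.iac }}
    steps:
      - name: Setup Flux
        # Pinned to a full commit SHA so the CLI (and thus the image set)
        # cannot change underneath the scan.
        uses: fluxcd/flux2/action@5c5c15ea212b8f029a110f9975851d25c8272695  # v2.2.2
      - name: Export controllers version
        shell: bash
        id: version
        # `shell: bash` already runs with -e and -o pipefail; -u is added so a
        # missing variable fails the step instead of producing empty outputs.
        run: |
          set -u
          FLUX_IMAGES="flux-images-$(flux -v | awk '{print $3}').txt"
          flux install \
            --components-extra=image-reflector-controller,image-automation-controller \
            --export | grep 'ghcr.io/' | awk '{print $2}' > "${FLUX_IMAGES}"

          # Select each image by controller name instead of by line number, so
          # the sc/kc/... mapping does not depend on the order in which
          # `flux install --export` emits the deployments. A controller with no
          # matching image fails the step rather than passing an empty value on.
          image_for() {
            local image
            image=$(grep -E "/${1}:" "${FLUX_IMAGES}" | head -n 1 || true)
            if [ -z "${image}" ]; then
              echo "no image found for ${1} in ${FLUX_IMAGES}" >&2
              exit 1
            fi
            printf '%s\n' "${image}"
          }

          sc=$(image_for source-controller)
          kc=$(image_for kustomize-controller)
          hc=$(image_for helm-controller)
          nc=$(image_for notification-controller)
          irc=$(image_for image-reflector-controller)
          iac=$(image_for image-automation-controller)

          {
            echo "sc=${sc}"
            echo "kc=${kc}"
            echo "hc=${hc}"
            echo "nc=${nc}"
            echo "irc=${irc}"
            echo "iac=${iac}"
          } >> "${GITHUB_OUTPUT}"
  scan-controllers:
    needs: [get-controllers]
    permissions:
      contents: read
      # Needed to pull the controller images from GHCR.
      packages: read
    uses: ./.github/workflows/scan-controllers.yaml
    with:
      sc: ${{ needs.get-controllers.outputs.sc }}
      kc: ${{ needs.get-controllers.outputs.kc }}
      hc: ${{ needs.get-controllers.outputs.hc }}
      nc: ${{ needs.get-controllers.outputs.nc }}
      irc: ${{ needs.get-controllers.outputs.irc }}
      iac: ${{ needs.get-controllers.outputs.iac }}
    secrets:
      # Read-only registry token; the reusable workflow receives it as
      # `pull-token` and should use it only to pull the images above.
      pull-token: ${{ secrets.GHCR_READONLY }}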