Move Trivy and Tics tests to separate scripts
We're moving the Trivy and Tics test logic to separate scripts,
simplifying the GH workflows and allowing these tests to be invoked
locally.
petrutlucian94 committed Dec 31, 2024
1 parent 77b8816 commit 7eeaa34
Showing 4 changed files with 76 additions and 59 deletions.
31 changes: 1 addition & 30 deletions .github/workflows/nightly-test.yaml
Expand Up @@ -73,35 +73,6 @@ jobs:
working-directory: src/k8s
run: go mod download
- name: TICS scan
# TODO: move the following to a script.
run: |
export TICSAUTHTOKEN=${{ secrets.TICSAUTHTOKEN }}
set -x
# Install python dependencies
pip install -r tests/integration/requirements-test.txt
pip install -r tests/integration/requirements-dev.txt
cd src/k8s
# TICS requires us to have the test results in cobertura xml format under the
# directory use below
sudo make go.unit
go install github.com/boumenot/gocover-cobertura@latest
gocover-cobertura < coverage.txt > coverage.xml
mkdir .coverage
mv ./coverage.xml ./.coverage/
# Install the TICS and staticcheck
go install honnef.co/go/tools/cmd/[email protected]
. <(curl --silent --show-error 'https://canonical.tiobe.com/tiobeweb/TICS/api/public/v1/fapi/installtics/Script?cfg=default&platform=linux&url=https://canonical.tiobe.com/tiobeweb/TICS/')
# We need to have our project built
# We load the dqlite libs here instead of doing through make because TICS
# will try to build parts of the project itself
sudo add-apt-repository -y ppa:dqlite/dev
sudo apt install dqlite-tools-v2 libdqlite1.17-dev
sudo make clean
go build -a ./...
TICSQServer -project k8s-snap -tmpdir /tmp/tics -branchdir $HOME/work/k8s-snap/k8s-snap/
tests/tics-scan.sh
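Review bot: The replacement step `tests/tics-scan.sh` no longer shows how `TICSAUTHTOKEN` reaches the scanner: the removed `export TICSAUTHTOKEN=${{ secrets.TICSAUTHTOKEN }}` was the only place it was set, and tests/tics-scan.sh does not set it either, so unless an `env:` entry exists in lines of this step that are not visible here, TICSQServer will run without the token. Prefer a step-level `env:` / `TICSAUTHTOKEN: ${{ secrets.TICSAUTHTOKEN }}` over an `export` inside the script body; that also keeps the secret out of any `set -x` trace the script produces. Note the hunk is cut: its header advertises 35 old and 6 new lines but fewer are shown, so some removed or kept lines of this step are outside view. The enclosing job definition starts before this hunk.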
31 changes: 2 additions & 29 deletions .github/workflows/security-scan.yaml
Expand Up @@ -45,36 +45,9 @@ jobs:
ref: ${{ inputs.checkout-ref }}
# Persist downloaded artifacts
clean: 'false'
# TODO: move the following steps to a separate script
- name: Setup Trivy vulnerability scanner
- name: Run Trivy vulnerability scanner
run: |
mkdir -p manual-trivy/sarifs
pushd manual-trivy
VER=$(curl --silent -qI https://github.com/aquasecurity/trivy/releases/latest | awk -F '/' '/^location/ {print substr($NF, 1, length($NF)-1)}');
wget https://github.com/aquasecurity/trivy/releases/download/${VER}/trivy_${VER#v}_Linux-64bit.tar.gz
tar -zxvf ./trivy_${VER#v}_Linux-64bit.tar.gz
popd
- name: Run Trivy vulnerability scanner in repo mode
uses: aquasecurity/trivy-action@master
with:
scan-type: "fs"
ignore-unfixed: true
format: "sarif"
output: "trivy-k8s-repo-scan--results.sarif"
severity: "MEDIUM,HIGH,CRITICAL"
env:
TRIVY_DB_REPOSITORY: "public.ecr.aws/aquasecurity/trivy-db"
- name: Gather Trivy repo scan results
run: |
cp trivy-k8s-repo-scan--results.sarif ./manual-trivy/sarifs/
- name: Run Trivy vulnerability scanner on the snap
run: |
for var in $(env | grep -o '^TRIVY_[^=]*'); do
unset "$var"
done
cp ${{ steps.download-snap.outputs.snap-path }} ./k8s-test.snap
unsquashfs k8s-test.snap
./manual-trivy/trivy --db-repository public.ecr.aws/aquasecurity/trivy-db rootfs ./squashfs-root/ --format sarif > ./manual-trivy/sarifs/snap.sarif
./tests/trivy-scan.sh ${{ steps.download-snap.outputs.snap-path }}
- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v3
with:
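Review bot: The new step line `./tests/trivy-scan.sh ${{ steps.download-snap.outputs.snap-path }}` interpolates a step output straight into the `run:` script, where `${{ }}` is substituted before bash parses the line, so whitespace or shell metacharacters in that value would be interpreted rather than passed as the single argument. The value comes from this workflow's own download step, so the exposure looks low, but the pattern GitHub documents is to route it through an environment variable and quote it: `env:` / `SNAP_PATH: ${{ steps.download-snap.outputs.snap-path }}` on the step and `run: ./tests/trivy-scan.sh "$SNAP_PATH"`. The enclosing `jobs:` block starts before this hunk and the upload-sarif step continues after it.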
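--- /dev/null
+++ b/tests/tics-scan.sh
@@ -0,0 +1,34 @@
+#!/usr/bin/env bash
+
+SCRIPT_DIR=$(dirname "$BASH_SOURCE")
+
+set -ex
+cd "${SCRIPT_DIR}/.."
+
+# Install python dependencies
+pip install -r tests/integration/requirements-test.txt
+pip install -r tests/integration/requirements-dev.txt
+
+cd src/k8s
+
+# TICS requires us to have the test results in cobertura xml format under the
+# directory use below
+sudo make go.unit
+go install github.com/boumenot/gocover-cobertura@latest
+gocover-cobertura < coverage.txt > coverage.xml
+mkdir -p .coverage
+mv ./coverage.xml ./.coverage/
+
+# Install the TICS and staticcheck
+go install honnef.co/go/tools/cmd/[email protected]
+. <(curl --silent --show-error 'https://canonical.tiobe.com/tiobeweb/TICS/api/public/v1/fapi/installtics/Script?cfg=default&platform=linux&url=https://canonical.tiobe.com/tiobeweb/TICS/')
+
+# We need to have our project built
+# We load the dqlite libs here instead of doing through make because TICS
+# will try to build parts of the project itself
+sudo add-apt-repository -y ppa:dqlite/dev
+sudo apt install dqlite-tools-v2 libdqlite1.17-dev
+sudo make clean
+go build -a ./...
+
+TICSQServer -project k8s-snap -tmpdir /tmp/tics -branchdir $HOME/work/k8s-snap/k8s-snap/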
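Review bot: `-branchdir $HOME/work/k8s-snap/k8s-snap/` on the last line is the GitHub Actions checkout path, so although the commit's stated goal is local invocation, a local run analyses whatever sits at that path rather than the repo the script lives in; derive it from the script location instead, e.g. `REPO_DIR=$(cd "${SCRIPT_DIR}/.." && pwd)` near the top and `TICSQServer -project k8s-snap -tmpdir /tmp/tics -branchdir "${REPO_DIR}/"`. The script also sources an installer fetched over the network into the running shell (`. <(curl …)`) and runs `sudo add-apt-repository`, `sudo apt install` and `sudo make` on the host; that was already true in the workflow, but now that developers are invited to run it locally a header comment should say so, e.g. `# WARNING: installs system packages via sudo and sources the TICS installer from canonical.tiobe.com into this shell; run on a disposable runner/VM, not a workstation.` `TICSAUTHTOKEN` is not read or checked anywhere in the script; if TICSQServer requires it, as the workflow's former export suggests, a `: "${TICSAUTHTOKEN:?TICSAUTHTOKEN must be set}"` guard at the top would fail fast with a clear message instead of deep inside the scan.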
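--- /dev/null
+++ b/tests/trivy-scan.sh
@@ -0,0 +1,39 @@
+#!/usr/bin/env bash
+
+SCRIPT_DIR=$(dirname "$BASH_SOURCE")
+
+set -ex
+cd "${SCRIPT_DIR}/.."
+
+SNAP_PATH="$1"
+if [[ ! -f $SNAP_PATH ]]; then
+echo "Usage: $0 <snap_path>"
+exit 1
+fi
+
+# Setup Trivy vulnerability scanner
+mkdir -p manual-trivy/sarifs
+pushd manual-trivy
+VER=$(curl --silent -qI https://github.com/aquasecurity/trivy/releases/latest | awk -F '/' '/^location/ {print substr($NF, 1, length($NF)-1)}');
+wget https://github.com/aquasecurity/trivy/releases/download/${VER}/trivy_${VER#v}_Linux-64bit.tar.gz
+tar -zxvf ./trivy_${VER#v}_Linux-64bit.tar.gz
+popd
+
+# Run Trivy vulnerability scanner in repo mode
+./manual-trivy/trivy fs . \
+--format sarif \
+--db-repository public.ecr.aws/aquasecurity/trivy-db \
+--severity "MEDIUM,HIGH,CRITICAL" \
+--ignore-unfixed \
+> ./manual-trivy/sarifs/trivy-k8s-repo-scan--results.sarif
+
+for var in $(env | grep -o '^TRIVY_[^=]*'); do
+unset "$var"
+done
+cp "${SNAP_PATH}" ./k8s-test.snap
+rm -rf ./squashfs-root
+unsquashfs k8s-test.snap
+./manual-trivy/trivy rootfs ./squashfs-root/ \
+--format sarif \
+--db-repository public.ecr.aws/aquasecurity/trivy-db \
+> ./manual-trivy/sarifs/snap.sarif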
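Review bot: The scanner binary that produces the security results is fetched as whatever GitHub's `releases/latest` redirect points at and extracted with no integrity check (the `VER=`/`wget`/`tar` lines), so results are not reproducible across runs and a tampered or substituted tarball would run unnoticed; the old `trivy-action@master` step had the same pinning gap, but a script is the right place to fix it. Accept a pinned `TRIVY_VERSION` from the environment, falling back to latest, and verify the tarball against the checksums file goreleaser publishes next to it (confirm the exact filename on a release page). A second, unrelated problem: `SNAP_PATH="$1"` is tested with `-f` only after `cd "${SCRIPT_DIR}/.."`, so a relative path given from another directory fails the usage check even though the file exists; resolve it before the `cd`, e.g. `SNAP_PATH=$(realpath -- "$1")` as the first statement after `set -ex`.

```shell
# … unchanged: SCRIPT_DIR, set -ex, cd, SNAP_PATH check …
# Setup Trivy vulnerability scanner. Set TRIVY_VERSION (e.g. in CI) for
# reproducible results; the download is checked against the release's
# published checksums before it is extracted.
mkdir -p manual-trivy/sarifs
pushd manual-trivy
VER="${TRIVY_VERSION:-$(curl --silent --show-error -qI https://github.com/aquasecurity/trivy/releases/latest \
  | awk -F '/' '/^location/ {print substr($NF, 1, length($NF)-1)}')}"
TARBALL="trivy_${VER#v}_Linux-64bit.tar.gz"
wget "https://github.com/aquasecurity/trivy/releases/download/${VER}/${TARBALL}"
wget "https://github.com/aquasecurity/trivy/releases/download/${VER}/trivy_${VER#v}_checksums.txt"
grep " ${TARBALL}\$" "trivy_${VER#v}_checksums.txt" | sha256sum -c -
tar -zxvf "./${TARBALL}"
popd
# … unchanged: repo-mode scan, TRIVY_* unset loop, snap rootfs scan …
```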
