Merge pull request #5293 from nilo19/chore/cherry-pick-5290-1.28

chore: pin gcr.io/distroless/static to a hash value
kubernetes-sigs · Jan 17, 2024 · d4284a4 · d4284a4
2 parents 9255dd3 + 706664b
commit d4284a4
Show file tree

Hide file tree

Showing 2 changed files with 15 additions and 1 deletion.
diff --git a/.github/workflows/trivy.yaml b/.github/workflows/trivy.yaml
@@ -12,6 +12,7 @@ on:
       - 'cmd/**.go'
       - 'go.*'
       - '!vendor/**'
+      - 'health-probe-proxy/**'
   pull_request:
     branches: [ master, 'release-**' ]
     paths:
@@ -22,6 +23,7 @@ on:
       - 'cmd/**.go'
       - 'go.*'
       - '!vendor/**'
+      - 'health-probe-proxy/**'
   schedule:
     - cron: '35 12 * * 4'
 permissions:
@@ -50,8 +52,10 @@ jobs:
       - name: Build images
         run: |
           export TAG=${{ github.sha }}
+          export IMAGE_TAG=${{ github.sha }}
           make build-ccm-image
           make build-node-image-linux-amd64
+          cd health-probe-proxy && make build-health-probe-proxy-image && cd ..
 
       - name: Run Trivy scanner CCM
         uses: aquasecurity/trivy-action@d43c1f16c00cfd3978dde6c07f4bbcf9eb6993ca # master
@@ -71,6 +75,16 @@ jobs:
           ignore-unfixed: true
           vuln-type: 'os,library'
           severity: 'CRITICAL,HIGH,MEDIUM,LOW,UNKNOWN'
+      - name: Run Trivy scanner health-probe-proxy
+        uses: aquasecurity/trivy-action@d43c1f16c00cfd3978dde6c07f4bbcf9eb6993ca # master
+        with:
+          image-ref: 'local/health-probe-proxy:${{ github.sha }}'
+          format: 'sarif'
+          output: 'trivy-health-probe-proxy-linux-results.sarif'
+          exit-code: '1'
+          ignore-unfixed: true
+          vuln-type: 'os,library'
+          severity: 'CRITICAL,HIGH,MEDIUM,LOW,UNKNOWN'
 
       - name: Run Trivy vulnerability scanner in repo mode
         uses: aquasecurity/trivy-action@d43c1f16c00cfd3978dde6c07f4bbcf9eb6993ca # master

diff --git a/health-probe-proxy/Dockerfile b/health-probe-proxy/Dockerfile
@@ -14,6 +14,6 @@
 
 # syntax=docker/dockerfile:1
 
-FROM gcr.io/distroless/static
+FROM gcr.io/distroless/static@sha256:9be3fcc6abeaf985b5ecce59451acbcbb15e7be39472320c538d0d55a0834edc
 COPY bin/health-probe-proxy /usr/local/bin/health-probe-proxy
 ENTRYPOINT [ "/usr/local/bin/health-probe-proxy" ]