Daily scan images should only fail for vulnerabilities in images we m…

…aintain
nate-credoai · Oct 12, 2022 · f0ec255 · f0ec255
1 parent 44167e1
commit f0ec255
Show file tree

Hide file tree

Showing 2 changed files with 21 additions and 3 deletions.
diff --git a/.github/workflows/daily-scan-images.yaml b/.github/workflows/daily-scan-images.yaml
@@ -34,7 +34,9 @@ jobs:
       - name: "Write Trivy ignore file"
         run: if [ -n '${{ matrix.trivyignore }}' ]; then echo '${{ matrix.trivyignore }}' | base64 -d > .trivyignore.rego ; fi
       - name: "Generate artifact"
+        id: trivy
         uses: aquasecurity/[email protected]
+        continue-on-error: ${{ ! matrix.maintainer }}
         with:
           image-ref: ${{ matrix.image }}
           vuln-type: 'os'
@@ -46,13 +48,14 @@ jobs:
           exit-code: '1'
       - name: "Upload artifact"
         uses: actions/upload-artifact@v3
-        if: ${{ failure() }}
+        if: ${{ always() && steps.trivy.outcome == 'failure' }}
         with:
           name: ${{ matrix.addon }}-${{ matrix.version }}-${{ matrix.name }}
           path: trivy.json
       - name: "Display results"
         uses: aquasecurity/[email protected]
-        if: ${{ failure() }}
+        if: ${{ always() && steps.trivy.outcome == 'failure' }}
+        continue-on-error: ${{ ! matrix.maintainer }}
         with:
           image-ref: ${{ matrix.image }}
           vuln-type: 'os'

diff --git a/bin/scan-images/addons.js b/bin/scan-images/addons.js
@@ -5,6 +5,15 @@ const skipAddons = [
     "rookupgrade",
 ];
 
+// maintainerImages contains a list of images we maintain.
+// The scan action will only report failures for images in this list.
+const maintainerImages = {
+    ekco: ["ekco", "haproxy"],
+    registry: ["s3cmd"],
+    velero: ["local-volume-provider", "s3cmd"],
+    weave: ["weave-kube", "weave-npc", "weaveexec"],
+};
+
 var getImages = rootDir => {
     const images = [];
     fs.readdirSync(rootDir).forEach((addon) => {
@@ -37,16 +46,22 @@ var getImages = rootDir => {
                 if (parts[0] !== 'image') {
                     return;
                 }
+                const name = parts[1];
                 let imageName = parts[2];
                 if (imageName.split('/').length === 1) {
                     imageName = `library/${imageName}`
                 }
+                let maintainer = false;
+                if (maintainerImages[addon] && maintainerImages[addon].includes(name)) {
+                    maintainer = true;
+                }
                 const image = {
                     addon: addon,
                     version: version,
-                    name: parts[1],
+                    name: name,
                     image: imageName,
                     trivyignore: trivyignore,
+                    maintainer: maintainer,
                 };
                 images.push(image);
             });