diff --git a/config/jobs/kubernetes/sig-k8s-infra/trusted/sig-security-trusted.yaml b/config/jobs/kubernetes/sig-k8s-infra/trusted/sig-security-trusted.yaml index 11668b7ee6f0..57ddb149510f 100644 --- a/config/jobs/kubernetes/sig-k8s-infra/trusted/sig-security-trusted.yaml +++ b/config/jobs/kubernetes/sig-k8s-infra/trusted/sig-security-trusted.yaml @@ -11,10 +11,11 @@ periodics: decorate: true extra_refs: - org: kubernetes - repo: kubernetes - base_ref: master - path_alias: k8s.io/kubernetes + repo: sig-security + base_ref: main + workdir: true spec: + serviceAccountName: k8s-snyk-scan containers: - image: golang envFrom: 
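Review bot: With `repo: sig-security` and `base_ref: main`, this trusted-cluster periodic now executes whatever is on the sig-security default branch at run time, while also holding the new `serviceAccountName: k8s-snyk-scan` identity and the `snyk-token` secret; the effective review gate for the code that runs here moves from this file's OWNERS to whoever can merge to kubernetes/sig-security `main`. If that delegation is intended, record it in a comment on the `extra_refs` entry; otherwise pin the checkout and bump it deliberately, e.g. `base_ref: <release tag or full commit SHA>`. The hunk also adds the service account without anything visible that explains why the job needs a dedicated identity, so I would add a one-line comment above it such as `# runs as k8s-snyk-scan; keep this account's bindings limited to what the scan script needs` and confirm those bindings are minimal in the sig-k8s-infra definition. The `periodics:` entry itself begins before this hunk.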
@@ -22,68 +23,9 @@ periodics: # secret key should be defined as SNYK_TOKEN name: snyk-token command: - - /bin/bash - args: - - -c - - | - set -euo pipefail - apt update && apt -y install jq - wget -q -O /usr/local/bin/snyk https://static.snyk.io/cli/latest/snyk-linux && chmod +x /usr/local/bin/snyk - mkdir -p "${ARTIFACTS}" - if [ -z "${SNYK_TOKEN}" ]; then - echo "SNYK_TOKEN env var is not set, required for snyk scan" - exit 1 - fi - echo "Running snyk scan .." - EXIT_CODE=0 - RESULT_UNFILTERED=$(snyk test -d --json) || EXIT_CODE=$? - if [ $EXIT_CODE -gt 1 ]; then - echo "Failed to run snyk scan with exit code $EXIT_CODE " - exit 1 - fi - RESULT=$(echo $RESULT_UNFILTERED | jq \ - '{vulnerabilities: .vulnerabilities | map(select((.type != "license") and (.version != "0.0.0"))) | select(length > 0) }') - if [[ ${RESULT} ]]; then - CVE_IDs=$(echo $RESULT | jq '.vulnerabilities[].identifiers.CVE | unique[]' | sort -u) - #convert string to array - CVE_IDs_array=(`echo ${CVE_IDs}`) - #TODO:Implement deduplication of CVE IDs in future - for i in "${CVE_IDs_array[@]}" - do - if [[ "$i" == *"CVE"* ]]; then - #Look for presence of GitHub Issues for detected CVEs. If no issues are present, this CVE needs triage - #Once the job fails, CVE is triaged by SIG Security and a tracking issue is created. 
- #This will allow in the next run for the job to pass again - TOTAL_COUNT=$(curl -H "Accept: application/vnd.github.v3+json" "https://api.github.com/search/issues?q=repo:kubernetes/kubernetes+${i}" | jq .total_count) - if [[ $TOTAL_COUNT -eq 0 ]]; then - echo "Vulnerability filtering failed" - exit 1 - fi - fi - done - fi - echo "Build time dependency scan completed" - - # container images scan - echo "Fetch the list of k8s images" - curl -Ls https://sbom.k8s.io/$(curl -Ls https://dl.k8s.io/release/latest.txt)/release | grep "SPDXID: SPDXRef-Package-registry.k8s.io" | grep -v sha256 | cut -d- -f3- | sed 's/-/\//' | sed 's/-v1/:v1/' > images - while read image; do - echo "Running container image scan.." - EXIT_CODE=0 - RESULT_UNFILTERED=$(snyk container test $image -d --json) || EXIT_CODE=$? - if [ $EXIT_CODE -gt 1 ]; then - echo "Failed to run snyk scan with exit code $EXIT_CODE . Error message: $RESULT_UNFILTERED" - exit 1 - fi - RESULT=$(echo $RESULT_UNFILTERED | jq \ - '{vulnerabilities: .vulnerabilities | map(select(.isUpgradable == true or .isPatchable == true)) | select(length > 0) }') - if [[ ${RESULT} ]]; then - echo "Vulnerability filtering failed" - # exit 1 (To allow other images to be scanned even if one fails) - else - echo "Scan completed image $image" - fi - done < images + - sh + - "-c" + - "cd sig-security-tooling/scanning/ && ./build-deps-and-release-images.sh" annotations: testgrid-create-test-group: "true" testgrid-alert-email: security-tooling-private@kubernetes.io
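Review bot: The new three-line command hands everything to `./build-deps-and-release-images.sh` from the checkout, so the guards that were visible here before — `set -euo pipefail`, the `SNYK_TOKEN` presence check, and the hard `exit 1` when `snyk` itself fails — are no longer reviewable from this file and should be confirmed present in that script. The removed inline code also fetched the Snyk CLI from `https://static.snyk.io/cli/latest/snyk-linux` with no version pin or checksum; if the script still does that, it should download a fixed version and verify the published sha256 before `chmod +x`, since this runs in the trusted cluster with the token secret. Independently of the script, the `image: golang` context line in the first hunk is untagged, so the toolchain floats with every run; pin it, e.g. `image: golang:<major.minor>` or an `@sha256:` digest. Note the `cd sig-security-tooling/scanning/` path only resolves because `workdir: true` makes the sig-security checkout the working directory.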