diff --git a/.github/workflows/distroless-build-test-push-workflow.yml b/.github/workflows/distroless-build-test-push-workflow.yml
index 9dad98ce5..0086c0f0c 100644
--- a/.github/workflows/distroless-build-test-push-workflow.yml
+++ b/.github/workflows/distroless-build-test-push-workflow.yml
@@ -107,60 +107,60 @@ jobs:
 env:
 COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}
 COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
- vulnerability-scan:
- permissions:
- actions: read
- contents: read
- security-events: write
- runs-on: ubuntu-latest
- needs: build-operator-image-distroless
- env:
- SPLUNK_ENTERPRISE_IMAGE: ${{ secrets.SPLUNK_ENTERPRISE_IMAGE }}
- SPLUNK_OPERATOR_IMAGE_NAME: splunk/splunk-operator
- ECR_REPOSITORY: ${{ secrets.ECR_REPOSITORY }}
- S3_REGION: ${{ secrets.AWS_DEFAULT_REGION }}
- IMAGE_NAME: ${{ secrets.ECR_REPOSITORY }}/splunk/splunk-operator:${{ github.sha }}-distroless
- steps:
- - name: Set up cosign
- uses: sigstore/cosign-installer@main
- - uses: actions/checkout@v2
- - name: Dotenv Action
- id: dotenv
- uses: falti/dotenv-action@d4d12eaa0e1dd06d5bdc3d7af3bf4c8c93cb5359
- - name: Set up Docker Buildx
- uses: docker/setup-buildx-action@v2.5.0
- - name: Configure AWS credentials
- uses: aws-actions/configure-aws-credentials@v1
- with:
- aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
- aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
- aws-region: ${{ secrets.AWS_DEFAULT_REGION }}
-
- - name: Login to Amazon ECR
- uses: aws-actions/amazon-ecr-login@v1
- - name: Pull Splunk Operator Image Locally
- run: |
- docker pull ${{ env.IMAGE_NAME }}
- - name: Verify Signed Splunk Operator image
- run: |
- cosign verify --key env://COSIGN_PUBLIC_KEY ${{ env.IMAGE_NAME }}
- env:
- COSIGN_PUBLIC_KEY: ${{ secrets.COSIGN_PUBLIC_KEY }}
- - name: Run Trivy vulnerability scanner
- uses: aquasecurity/trivy-action@master
- with:
- image-ref: '${{ env.IMAGE_NAME }}'
- format: sarif
- #exit-code: 1
- severity: 'CRITICAL'
- ignore-unfixed: true
- output: 'trivy-results.sarif'
- - name: Upload Trivy scan results to GitHub Security tab
- uses: github/codeql-action/upload-sarif@v3
- with:
- sarif_file: 'trivy-results.sarif'
+# vulnerability-scan:
+# permissions:
+# actions: read
+# contents: read
+# security-events: write
+# runs-on: ubuntu-latest
+# needs: build-operator-image-distroless
+# env:
+# SPLUNK_ENTERPRISE_IMAGE: ${{ secrets.SPLUNK_ENTERPRISE_IMAGE }}
+# SPLUNK_OPERATOR_IMAGE_NAME: splunk/splunk-operator
+# ECR_REPOSITORY: ${{ secrets.ECR_REPOSITORY }}
+# S3_REGION: ${{ secrets.AWS_DEFAULT_REGION }}
+# IMAGE_NAME: ${{ secrets.ECR_REPOSITORY }}/splunk/splunk-operator:${{ github.sha }}-distroless
+# steps:
+# - name: Set up cosign
+# uses: sigstore/cosign-installer@main
+# - uses: actions/checkout@v2
+# - name: Dotenv Action
+# id: dotenv
+# uses: falti/dotenv-action@d4d12eaa0e1dd06d5bdc3d7af3bf4c8c93cb5359
+# - name: Set up Docker Buildx
+# uses: docker/setup-buildx-action@v2.5.0
+# - name: Configure AWS credentials
+# uses: aws-actions/configure-aws-credentials@v1
+# with:
+# aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
+# aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+# aws-region: ${{ secrets.AWS_DEFAULT_REGION }}
+#
+# - name: Login to Amazon ECR
+# uses: aws-actions/amazon-ecr-login@v1
+# - name: Pull Splunk Operator Image Locally
+# run: |
+# docker pull ${{ env.IMAGE_NAME }}
+# - name: Verify Signed Splunk Operator image
+# run: |
+# cosign verify --key env://COSIGN_PUBLIC_KEY ${{ env.IMAGE_NAME }}
+# env:
+# COSIGN_PUBLIC_KEY: ${{ secrets.COSIGN_PUBLIC_KEY }}
+# - name: Run Trivy vulnerability scanner
+# uses: aquasecurity/trivy-action@master
+# with:
+# image-ref: '${{ env.IMAGE_NAME }}'
+# format: sarif
+# #exit-code: 1
+# severity: 'CRITICAL'
+# ignore-unfixed: true
+# output: 'trivy-results.sarif'
+# - name: Upload Trivy scan results to GitHub Security tab
+# uses: github/codeql-action/upload-sarif@v3
+# with:
+# sarif_file: 'trivy-results.sarif'
 smoke-tests-arm-ubuntu:
- needs: vulnerability-scan
+# needs: vulnerability-scan
 strategy:
 fail-fast: false
 matrix:
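Review bot: Commenting out the whole `vulnerability-scan` job and the `needs: vulnerability-scan` edge means the distroless image is no longer signature-verified (`cosign verify`) or Trivy-scanned with SARIF upload before the smoke tests run, and nothing in the hunk records why. If this is a temporary disable, put a short comment above the block such as `# TODO(<tracking-issue>): vulnerability-scan disabled because <reason>; re-enable before release` rather than leaving ~50 commented-out lines without context; if it is permanent, delete the block instead. With the `needs` line commented out, `smoke-tests-arm-ubuntu` also loses its transitive dependency on `build-operator-image-distroless`, so if it pulls that image it can now start before the build job has pushed it; replacing the commented line with `needs: build-operator-image-distroless` keeps the ordering. The `smoke-tests-arm-ubuntu` job continues past the end of the hunk.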