Skip to content

Lacework Inline Scanner #646

Lacework Inline Scanner

Lacework Inline Scanner #646

name: Lacework Inline Scanner
on:
workflow_run:
workflows: ["Build"]
types: [completed]
branches:
- "main"
workflow_dispatch:
inputs:
version:
required: true
type: string
description: "What Gitpod version to scan for CVEs"
jobs:
create-runner:
uses: gitpod-io/gce-github-runner/.github/workflows/create-vm.yml@main
secrets:
runner_token: ${{ secrets.SELF_HOSTED_GITHUB_RUNNER_TOKEN }}
gcp_credentials: ${{ secrets.SELF_HOSTED_GITHUB_RUNNER_GCP_CREDENTIALS }}
configuration:
name: Configuration
runs-on: ${{ needs.create-runner.outputs.label }}
needs: [create-runner]
outputs:
skip: ${{ steps.configuration.outputs.skip }}
version: ${{ steps.configuration.outputs.version }}
steps:
- name: "Set outputs"
id: configuration
run: |
if [[ '${{ github.event.workflow_run.run_number }}' == '' ]]; then
# The workflow was triggered by workflow_dispatch
{
echo "version=${{ github.event.inputs.version }}"
echo "skip=false"
} >> $GITHUB_OUTPUT
else
# The workflow was triggered by workflow_run
{
echo "version=main-gha.${{ github.event.workflow_run.run_number }}"
echo "skip=${{ github.event.workflow_run.conclusion == 'failure' }}"
} >> $GITHUB_OUTPUT
fi
scan-images:
name: Scan all docker images for CVEs
# TODO(gpl) Could easily be run on ubuntu:latest if we pushed some bash in lw-scan-images.sh into the installer
runs-on: ${{ needs.create-runner.outputs.label }}
needs: [configuration,create-runner]
if: ${{ needs.configuration.outputs.skip == 'false' }}
container:
image: eu.gcr.io/gitpod-core-dev/dev/dev-environment:aledbf-leeway-pigz-gha.18593
steps:
# Most of this is taken over from the Build workflow/preview-env-check-regressions workflow
- uses: actions/checkout@v4
- uses: ./.github/actions/setup-environment
with:
sa_key: ${{ secrets.GCP_CREDENTIALS }}
leeway_segment_key: ${{ secrets.LEEWAY_SEGMENT_KEY }}
- name: Get Secrets from GCP
id: "secrets"
uses: "google-github-actions/get-secretmanager-secrets@v1"
with:
secrets: |-
lacework-access-token:gitpod-core-dev/lacework-access-token
- name: Lacework Inline Scanner
id: lacework-inline-scanner
shell: bash
env:
VERSION: ${{needs.configuration.outputs.version}}
LW_ACCESS_TOKEN: "${{ steps.secrets.outputs.lacework-access-token }}"
# TODO(gpl) See docker.io access above
EXCLUDE_DOCKER_IO: true
run: |
$GITHUB_WORKSPACE/scripts/lw-scan-images.sh
delete-runner:
if: always()
needs:
- create-runner
- configuration
- scan-images
uses: gitpod-io/gce-github-runner/.github/workflows/delete-vm.yml@main
secrets:
gcp_credentials: ${{ secrets.SELF_HOSTED_GITHUB_RUNNER_GCP_CREDENTIALS }}
with:
runner-label: ${{ needs.create-runner.outputs.label }}
machine-zone: ${{ needs.create-runner.outputs.machine-zone }}