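periodics:
  # Periodic CI job for running snyk scans against k/k master
  # - It installs snyk CLI and requires 'snyk-token' secret available
  #   in test infra with key name 'SNYK_TOKEN'. This secret is used to
  #   populate env var 'SNYK_TOKEN', required for snyk CLI auth.
  # - Licenses and few false positive deps (eg version '0.0.0') are
  #   filtered from the snyk scan results.
  # - Every CVE left after filtering must already have a tracking issue in
  #   kubernetes/kubernetes; otherwise the job fails so SIG Security can triage.
  - name: ci-kubernetes-snyk-master
    interval: 6h
    cluster: k8s-infra-prow-build-trusted
    decorate: true
    extra_refs:
      - org: kubernetes
        repo: kubernetes
        base_ref: master
        path_alias: k8s.io/kubernetes
    spec:
      containers:
        # NOTE(review): unpinned image tag (resolves to the registry's latest
        # golang tag), so the toolchain the scan runs on can change between runs.
        - image: golang
          envFrom:
            - secretRef:
                # secret key should be defined as SNYK_TOKEN
                name: snyk-token
          command:
            - /bin/bash
          args:
            - -c
            - |
              set -euo pipefail
              apt update && apt -y install jq
              # NOTE(review): "latest" CLI build fetched without version pinning or
              # checksum verification, in a cluster that holds the snyk token.
              wget -q -O /usr/local/bin/snyk https://static.snyk.io/cli/latest/snyk-linux && chmod +x /usr/local/bin/snyk
              mkdir -p "${ARTIFACTS}"
              # ${SNYK_TOKEN:-}: with "set -u" a plain ${SNYK_TOKEN} would abort the
              # script before this check runs when the secret is not mounted at all.
              if [ -z "${SNYK_TOKEN:-}" ]; then
                echo "SNYK_TOKEN env var is not set, required for snyk scan"
                exit 1
              fi
              echo "Running snyk scan .."
              # snyk exit status 1 means "vulnerabilities found"; only >1 is a scanner error.
              EXIT_CODE=0
              RESULT_UNFILTERED=$(snyk test -d --json) || EXIT_CODE=$?
              if [ "${EXIT_CODE}" -gt 1 ]; then
                echo "Failed to run snyk scan with exit code ${EXIT_CODE} . Error message: ${RESULT_UNFILTERED}"
                exit 1
              fi
              # Quoted expansion so the JSON reaches jq verbatim (no word splitting or
              # glob expansion of characters such as '*' inside the scan output).
              RESULT=$(echo "${RESULT_UNFILTERED}" | jq \
                '{vulnerabilities: .vulnerabilities | map(select((.type != "license") and (.version != "0.0.0"))) | select(length > 0) }')
              if [[ ${RESULT} ]]; then
                # sort -u deduplicates the CVE IDs; output is one ID per line.
                CVE_IDs=$(echo "${RESULT}" | jq '.vulnerabilities[].identifiers.CVE | unique[]' | sort -u)
                # Convert the newline-separated list to an array (one element per line).
                mapfile -t CVE_IDs_array <<< "${CVE_IDs}"
                for i in "${CVE_IDs_array[@]}"
                do
                  if [[ "$i" == *"CVE"* ]]; then
                    # Look for presence of GitHub Issues for detected CVEs. If no issues are
                    # present, this CVE needs triage.
                    # Once the job fails, CVE is triaged by SIG Security and a tracking issue is created.
                    # This will allow in the next run for the job to pass again.
                    # -f makes an API error (e.g. unauthenticated rate limiting) fail the request
                    # explicitly instead of yielding a body without total_count, which the
                    # check below would otherwise misreport as an untriaged CVE.
                    TOTAL_COUNT=$(curl -sSf -H "Accept: application/vnd.github.v3+json" \
                      "https://api.github.com/search/issues?q=repo:kubernetes/kubernetes+${i}" | jq .total_count) \
                      || { echo "GitHub issue search failed for ${i}"; exit 1; }
                    if [[ "${TOTAL_COUNT}" == "null" || "${TOTAL_COUNT}" -eq 0 ]]; then
                      echo "Vulnerability filtering failed: no tracking issue found for ${i} in kubernetes/kubernetes, needs triage"
                      exit 1
                    fi
                  fi
                done
              fi
              echo "Build time dependency scan completed"

              # container images scan
              echo "Fetch the list of k8s images"
              curl -Ls "https://sbom.k8s.io/$(curl -Ls https://dl.k8s.io/release/latest.txt)/release" | grep "SPDXID: SPDXRef-Package-registry.k8s.io" | grep -v sha256 | cut -d- -f3- | sed 's/-/\//' | sed 's/-v1/:v1/' > images
              while read -r image; do
                echo "Running container image scan.."
                EXIT_CODE=0
                RESULT_UNFILTERED=$(snyk container test "${image}" -d --json) || EXIT_CODE=$?
                if [ "${EXIT_CODE}" -gt 1 ]; then
                  echo "Failed to run snyk scan with exit code ${EXIT_CODE} . Error message: ${RESULT_UNFILTERED}"
                  exit 1
                fi
                # Only findings with an available upgrade or patch are reported.
                RESULT=$(echo "${RESULT_UNFILTERED}" | jq \
                  '{vulnerabilities: .vulnerabilities | map(select(.isUpgradable == true or .isPatchable == true)) | select(length > 0) }')
                if [[ ${RESULT} ]]; then
                  echo "Vulnerability filtering failed for image ${image}"
                  # exit 1 (To allow other images to be scanned even if one fails)
                else
                  echo "Scan completed image ${image}"
                fi
              done < images
    annotations:
      testgrid-create-test-group: "true"
      testgrid-alert-email: security-tooling-private@kubernetes.io
      testgrid-num-failures-to-alert: '1'
      testgrid-dashboards: sig-security-snyk-scan
      description: Run snyk scan on k/k master periodically

  # Periodic job that regenerates the official CVE feed (KEP 3203) from the
  # sig-security repo and publishes it to the CVE_GCS_PATH bucket.
  - name: auto-refreshing-official-cve-feed
    interval: 2h
    cluster: k8s-infra-prow-build-trusted
    decorate: true
    extra_refs:
      - org: kubernetes
        repo: sig-security
        base_ref: main
        workdir: true
    labels:
      preset-service-account: "true"
    spec:
      serviceAccountName: k8s-cve-feed
      containers:
        - image: gcr.io/k8s-staging-test-infra/gcloud-in-go:v20230111-cd1b3caf9c
          command:
            - sh
            - "-c"
            - "cd sig-security-tooling/cve-feed/hack/ && ./fetch-cve-feed.sh"
          env:
            - name: CVE_GCS_PATH
              value: "gs://k8s-cve-feed"
    annotations:
      testgrid-create-test-group: "true"
      testgrid-alert-email: security-tooling-private@kubernetes.io
      testgrid-num-failures-to-alert: '1'
      testgrid-dashboards: sig-security-cve-feed
      description: Auto refreshing official cve feed KEP 3203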