Add nightly Trivy image scans

In this PR TAS Makefile and Dockerfiles were also updated to
be able to pass golang image and go-licences version from
Makefile to Dockerfile.

Signed-off-by: Madalina Lazar <[email protected]>

Author: madalazar

.github/workflows/nightly-vulnerability-scans.yaml

@@ -0,0 +1,43 @@
+name: Nightly vulnerability scans
+
+on:
+  schedule:
+    # At 03:08 AM, every Monday, Wednesday, Friday & Sunday
+    - cron: '08 03 * * Mon,Wed,Fri,Sun'
+  workflow_dispatch:
+    inputs:
+      codeBranch:
+        description: 'Branch of the TAS repo that you want to run the workflow against'
+        required: true
+        default: 'master'
+      trivyVersion:
+        description: 'Version of Trivy that is going to be installed for the scan'
+        required: false
+        type: string
+        default: v0.48.0
+
+jobs:
+  current_branch:
+    runs-on: self-hosted
+    if: ( !contains(github.repository, '/platform-aware-scheduling'))
+    outputs:
+      extract_branch: ${{ steps.extract_branch.outputs.branch }}
+    steps:
+      - name: current branch
+        id: extract_branch
+        run: |
+          if [[ "${GITHUB_EVENT_NAME}" == "schedule" || "${GITHUB_EVENT_NAME}" == "push" ]]; then
+            echo "BRANCH=$(echo ${GITHUB_REF#refs/heads/})" >> $GITHUB_OUTPUT
+          elif [[ "${GITHUB_EVENT_NAME}" == "workflow_dispatch" ]]; then
+            echo "BRANCH=${{ inputs.codeBranch  }}" >> $GITHUB_OUTPUT
+          else
+            echo "BRANCH=INVALID_EVENT_BRANCH_UNKNOWN" >> $GITHUB_OUTPUT
+          fi
+  trivy-images-scan:
+    uses: ./.github/workflows/trivy-image-scan.yaml
+    needs: [ current_branch  ]
+    with:
+      runson: self-hosted-kind
+      codeBranch: ${{ needs.current_branch.outputs.extract_branch }}
+      trivyVersion:  ${{ inputs.trivyVersion }}
+

.github/workflows/trivy-image-scan.yaml

@@ -0,0 +1,69 @@
+name: Trivy image scan
+
+on:
+  workflow_call:
+    inputs:
+      runson:
+        required: false
+        type: string
+        default: 'ubuntu-latest'
+      codeBranch:
+        required: false
+        type: string
+      trivyVersion:
+        required: false
+        type: string
+
+jobs:
+  image-vulnerability-scanners:
+    runs-on: ${{ inputs.runsOn }}
+    strategy:
+      matrix:
+        workingdir: [telemetry-aware-scheduling, gpu-aware-scheduling]
+    name: image-vulnerability-scanners
+    steps:
+      - name: Checkout project
+        uses: actions/checkout@v3
+        with:
+            ref: ${{ inputs.codeBranch }}
+      - name: install Trivy
+        run: curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin ${{ inputs.trivyVersion }}
+      - name: trivy base image scan $DIR  
+        run: |
+          cd ./${{ matrix.workingdir }}     
+          base_image_suffix=$(grep "GO_VERSION = " Makefile | cut -d " " -f 3)
+          base_image="golang:${base_image_suffix}"
+          echo "[INFO] base image name is: ${base_image}"
+          output=$(trivy image --severity HIGH,CRITICAL ${base_image} --exit-code=2)
+          if [ "${output}" -eq 2 ]; then
+            echo "::warning::severities CRITICAL, HIGH issues spotted by Trivy in ${{ matrix.workingdir }} for base image: ${base_image}"
+            exit 1
+          else
+            echo "trivy image ./ --severity=CRITICAL, HIGH  for base image: ${base_image} ran successfully"
+          fi
+          cd ..
+        shell: bash  
+      - name: make image
+        run: |
+          cd ./${{ matrix.workingdir }}
+          make image 
+          cd ..  
+      - name: trivy image scan $DIR
+        run: |
+          cd ./${{ matrix.workingdir }}
+          image_name="tasextender"
+          if [ ${{ matrix.workingdir}} -eq "gpu-aware-scheduling" ]; then
+            image_name="gpu-extender"
+          fi
+          echo "[INFO]image name is: ${image_name}"
+          output=$(trivy image --severity HIGH,CRITICAL ${image_name} --exit-code=2)
+          if [ -n "${output}" ]; then
+            echo "::warning::severities CRITICAL, HIGH issues spotted by Trivy in ${{ matrix.workingdir }} for image: ${image_name}"
+            exit 1
+          else
+            echo "trivy image ./ --severity=CRITICAL, HIGH  for image ${image_name} ran successfully"
+          fi
+          
+          cd ..
+        shell: bash
+

telemetry-aware-scheduling/Makefile

@@ -1,4 +1,6 @@
 BINARY_NAME=extender
+GO_VERSION = 1.21-alpine
+GOLICENSES_VERSION=v1.6.0
 
 .PHONY: test
 
@@ -12,7 +14,7 @@ all:  format build
 build:
 		CGO_ENABLED=0 GO111MODULE=on go build -ldflags="-s -w" -o ./bin/$(BINARY_NAME) ./cmd
 image:
-		docker build -f deploy/images/Dockerfile ../ -t tasextender
+		docker build --build-arg GOLICENSES_VERSION=$(GOLICENSES_VERSION) --build-arg GO_VERSION=$(GO_VERSION) -f deploy/images/Dockerfile ../ -t tasextender
 format:
 		gofmt -w -s .
 

telemetry-aware-scheduling/deploy/images/Dockerfile

@@ -1,13 +1,15 @@
 # Copyright (C) 2022 Intel Corporation
 # SPDX-License-Identifier: Apache-2.0
 
-FROM golang:1.21-alpine as builder
+ARG GO_VERSION
+FROM golang:${GO_VERSION} as builder
+ARG GOLICENSES_VERSION
 COPY . /src_root
 WORKDIR /src_root/telemetry-aware-scheduling
 ENV GOFLAGS -buildvcs=false
 RUN mkdir -p /install_root/etc && adduser -D -u 10001 tas && tail -1 /etc/passwd > /install_root/etc/passwd \
     && CGO_ENABLED=0 GO111MODULE=on go build -ldflags="-s -w" -o /install_root/extender ./cmd \
-    && GO111MODULE=on go run github.com/google/go-licenses@v1.6.0 save "./cmd" --save_path /install_root/licenses
+    && GO111MODULE=on go run github.com/google/go-licenses@${GOLICENSES_VERSION} save "./cmd" --save_path /install_root/licenses
 
 FROM scratch
 WORKDIR /