
Patch release v1.14.1 #18

Patch release v1.14.1

Patch release v1.14.1 #18

name: Release Vulnerability Check

Check failure on line 1 in .github/workflows/release-vulnerability-check.yaml



Invalid workflow file

(Line: 59, Col: 13): Unrecognized named-value: 'secrets'. Located at position 14 within expression: failure() && secrets.SLACK_NOTIFICATION_WEBHOOK != '', (Line: 99, Col: 13): Unrecognized named-value: 'secrets'. Located at position 14 within expression: failure() && secrets.SLACK_NOTIFICATION_WEBHOOK != '', (Line: 133, Col: 13): Unrecognized named-value: 'secrets'. Located at position 14 within expression: failure() && secrets.SLACK_NOTIFICATION_WEBHOOK != ''
on:
workflow_dispatch: {}
schedule:
- cron: '0 8 * * 0-4' # Sun-Thu, at 8:00 UTC
permissions:
contents: read
jobs:
fetch-release-info:
name: Fetch release information
runs-on: ubuntu-24.04
outputs:
release_tag: ${{ steps.release.outputs.release_tag }}
docker_tag: ${{ steps.release.outputs.docker_tag }}
steps:
- name: Fetch latest release tag
id: release
run: |
LATEST_RELEASE=$(curl -s https://api.github.com/repos/open-policy-agent/opa/releases/latest | jq -r .tag_name)
# Remove 'v' prefix for Docker tag
DOCKER_TAG=${LATEST_RELEASE#v}
echo "release_tag=${LATEST_RELEASE}" >> $GITHUB_OUTPUT
echo "docker_tag=${DOCKER_TAG}" >> $GITHUB_OUTPUT
echo "### 🔍 Release Vulnerability Checks" >> $GITHUB_STEP_SUMMARY
echo "" >> $GITHUB_STEP_SUMMARY
echo "Checking vulnerabilities for:" >> $GITHUB_STEP_SUMMARY
echo "- **Release**: [${LATEST_RELEASE}](https://github.com/open-policy-agent/opa/releases/tag/${LATEST_RELEASE})" >> $GITHUB_STEP_SUMMARY
echo "- **Docker Images**:" >> $GITHUB_STEP_SUMMARY
echo " - [\`openpolicyagent/opa:${DOCKER_TAG}-static\`](https://hub.docker.com/r/openpolicyagent/opa/tags?name=${DOCKER_TAG}-static)" >> $GITHUB_STEP_SUMMARY
echo " - [\`openpolicyagent/opa:${DOCKER_TAG}-envoy\`](https://hub.docker.com/r/openpolicyagent/opa/tags?name=${DOCKER_TAG}-envoy)" >> $GITHUB_STEP_SUMMARY
govulncheck-latest-release:
name: Go vulnerability check (latest release)
runs-on: ubuntu-24.04
needs: fetch-release-info
steps:
- name: Check out latest release
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
ref: ${{ needs.fetch-release-info.outputs.release_tag }}
persist-credentials: false
- id: go_version
name: Read go version
run: echo "go_version=$(cat .go-version)" >> $GITHUB_OUTPUT
- name: Install Go (${{ steps.go_version.outputs.go_version }})
uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6.2.0
with:
go-version: ${{ steps.go_version.outputs.go_version }}
- run: go install golang.org/x/vuln/cmd/govulncheck@latest
- run: govulncheck ./...
- name: Slack Notification
uses: slackapi/slack-github-action@91efab103c0de0a537f72a35f6b8cda0ee76bf0a # v2.1.1
if: ${{ failure() && secrets.SLACK_NOTIFICATION_WEBHOOK != '' }}
with:
webhook: ${{ secrets.SLACK_NOTIFICATION_WEBHOOK }}
webhook-type: incoming-webhook
payload: |
{
"text": "Vulnerabilities found in latest release: ${{ needs.fetch-release-info.outputs.release_tag }}\nWorkflow `${{ github.workflow }}` in `${{ github.repository }}` failed with status: ${{ job.status }}"
}
trivy-scan-release-images:
name: Trivy security scan (release images)
runs-on: ubuntu-24.04
needs: fetch-release-info
steps:
- name: Run Trivy scan on static image
uses: aquasecurity/trivy-action@c1824fd6edce30d7ab345a9989de00bbd46ef284 # 0.34.0
with:
image-ref: 'openpolicyagent/opa:${{ needs.fetch-release-info.outputs.docker_tag }}-static'
format: table
exit-code: '1'
ignore-unfixed: true
vuln-type: os,library
severity: CRITICAL,HIGH
env:
TRIVY_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-db,public.ecr.aws/aquasecurity/trivy-db
- name: Run Trivy scan on envoy image
uses: aquasecurity/trivy-action@c1824fd6edce30d7ab345a9989de00bbd46ef284 # 0.34.0
with:
image-ref: 'openpolicyagent/opa:${{ needs.fetch-release-info.outputs.docker_tag }}-envoy'
format: table
exit-code: '1'
ignore-unfixed: true
vuln-type: os,library
severity: CRITICAL,HIGH
env:
TRIVY_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-db,public.ecr.aws/aquasecurity/trivy-db
- name: Slack Notification
uses: slackapi/slack-github-action@91efab103c0de0a537f72a35f6b8cda0ee76bf0a # v2.1.1
if: ${{ failure() && secrets.SLACK_NOTIFICATION_WEBHOOK != '' }}
with:
webhook: ${{ secrets.SLACK_NOTIFICATION_WEBHOOK }}
webhook-type: incoming-webhook
payload: |
{
"text": "Image vulnerabilities found in latest release: ${{ needs.fetch-release-info.outputs.release_tag }}\nWorkflow `${{ github.workflow }}` in `${{ github.repository }}` failed with status: ${{ job.status }}"
}
trivy-scan-release-repo:
name: Trivy security scan (latest release repo)
runs-on: ubuntu-24.04
needs: fetch-release-info
steps:
- name: Checkout latest release
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
ref: ${{ needs.fetch-release-info.outputs.release_tag }}
persist-credentials: false
- name: Run Trivy scan on repo
uses: aquasecurity/trivy-action@c1824fd6edce30d7ab345a9989de00bbd46ef284 # 0.34.0
with:
scan-type: fs
format: table
exit-code: '1'
ignore-unfixed: true
skip-dirs: vendor/,docs/
severity: CRITICAL,HIGH
env:
TRIVY_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-db,public.ecr.aws/aquasecurity/trivy-db
- name: Slack Notification
uses: slackapi/slack-github-action@91efab103c0de0a537f72a35f6b8cda0ee76bf0a # v2.1.1
if: ${{ failure() && secrets.SLACK_NOTIFICATION_WEBHOOK != '' }}
with:
webhook: ${{ secrets.SLACK_NOTIFICATION_WEBHOOK }}
webhook-type: incoming-webhook
payload: |
{
"text": "Repository vulnerabilities found in latest release: ${{ needs.fetch-release-info.outputs.release_tag }}\nWorkflow `${{ github.workflow }}` in `${{ github.repository }}` failed with status: ${{ job.status }}"
}
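Review bot: The three Slack-notification steps (the `if:` lines at L70, L107 and L138) test `secrets.SLACK_NOTIFICATION_WEBHOOK` inside a step-level `if:` expression, and the `secrets` context is not available there, which is exactly what the check annotation at L19 reports at file lines 59, 99 and 133 — the workflow is rejected as invalid and none of the scans run. The usual workaround is to lift the secret into a job-level `env:` block, which may read `secrets`, and compare the env value instead, i.e. add `env:` / `SLACK_WEBHOOK: ${{ secrets.SLACK_NOTIFICATION_WEBHOOK }}` under each of the three jobs and change each condition to `if: ${{ failure() && env.SLACK_WEBHOOK != '' }}`. Separately, the `curl -s ... | jq -r .tag_name` at L37 has no `--fail` and no check on the result, so an unauthenticated rate-limit or transient API error yields the string `null`, which then flows into `ref:` at L57/L123 and the image tags at L86/L97 as a confusing downstream failure; `curl -fsSL` plus a guard such as `[ -n "$LATEST_RELEASE" ] && [ "$LATEST_RELEASE" != "null" ] || exit 1` would surface the real cause. Finally, `go install golang.org/x/vuln/cmd/govulncheck@latest` at L66 is the one unpinned tool in a workflow that otherwise pins every action to a commit SHA, so the scanner that decides pass/fail can change between runs without a reviewed diff; pinning it to a specific module version would keep the result reproducible.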