🌱 Add weekly security scan using govulncheck and Trivy

[lentzi90]

What this PR does / why we need it:

This adds a github workflow that runs the govulncheck and trivy.
It is all copied and adapted from CAPI (hence the existing licenses at the top).
We may want to think about how to notify maintainers of this.

Which issue(s) this PR fixes (optional, in fixes #<issue number>(, fixes #<issue_number>, ...) format, will close the issue(s) when PR gets merged):
Fixes #

Special notes for your reviewer:

1. Please confirm that if this PR changes any image versions, then that's the sole change this PR makes.

TODOs:

• squashed commits
• if necessary:
  • includes documentation
  • adds unit tests

/hold

[netlify]

👷 Deploy Preview for kubernetes-sigs-cluster-api-openstack processing.

Name	Link
🔨 Latest commit	7cfdcfc
🔍 Latest deploy log	https://app.netlify.com/sites/kubernetes-sigs-cluster-api-openstack/deploys/681cd490a65e930007181e12

[mnaser]

We can simplify this a lot by just using the official action:

https://google.github.io/osv-scanner/github-action/

It takes care of everything for us and maintained by the team behind it, thoughts?

[lentzi90]

Oh I wasn't aware of that one actually! I asked around a bit and it turns out we did use it before in CAPM3. Unfortunately we had issues with it around the go version and dependabot updates. I'm open to try it though, perhaps the issues are solved.

Another thing I was thinking about is if we should rather copy what CAPI does. They run govulncheck directly through a workflow and some make targets.
What do you think?

[mnaser]

So, I did a bit of research on how the different projects are doing this, the common thing that I found across all of them is that they use and run Trivy & some have govulncheck in addition. CAPI approach seems to be the most commonly shared across most components.

cluster-api-provider-azure

• Makefile target in a weekly scan
• Runs Trivy

cluster-api-provider-aws

• Makefile target in a weekly scan
• Runs Trivy

cluster-api-provider-vsphere

• Makefile target in a weekly scan
• Runs Trivy

cluster-api-provider-gcp

• Didn't find any scanning

cluster-api-provider-ibmcloud

• Makefile target in a weekly scan
• Runs Trivy
• Runs govulncheck

[lentzi90]

Thanks! Then I will rework this to follow CAPI 🙂

[lentzi90]

 hack/tools/bin/govulncheck-v1.1.4 ./... && R1=$? || R1=$?; \
hack/tools/bin/govulncheck-v1.1.4 -C "hack/tools" ./... && R2=$? || R2=$?; \
if [ "$R1" -ne "0" ] || [ "$R2" -ne "0" ]; then \
	exit 1; \
fi
No vulnerabilities found.
No vulnerabilities found. 

The normal test will run govulncheck also but not trivy to scan images.

[lentzi90]

/hold cancel

[mdbooth]

Nice! Running this locally seems to be recommending a bump to Go 1.23.8.

/lgtm
/approve

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: mdbooth, mnaser

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [mdbooth]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[lentzi90]

Nice! Running this locally seems to be recommending a bump to Go 1.23.8.

Thanks! Yes, this is also why I pushed #2539 yesterday 🙂

[lentzi90]

Hmm netlify checks seems stuck
/retest

[lentzi90]

Ok I'm just going to merge this now. The netlify check has been stuck for 4 days

[lentzi90]

/cherry-pick release-0.12 release-0.11 release-0.10

[k8s-infra-cherrypick-robot]

@lentzi90: new pull request created: #2543

In response to this:

/cherry-pick release-0.12 release-0.11 release-0.10

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.