Extended the Trivy scan for N-2 Kyverno versions (#8903)

* closes #8840 Signed-off-by: Pushkar Mishra <pushkarmishra029@gmail.com> * fixed Signed-off-by: Pushkar Mishra <pushkarmishra029@gmail.com> * fix Signed-off-by: Pushkar Mishra <pushkarmishra029@gmail.com> --------- Signed-off-by: Pushkar Mishra <pushkarmishra029@gmail.com> Co-authored-by: shuting <shuting@nirmata.com>
2025-03-29 02:45:06 +00:00 · 2023-12-19 18:31:40 +05:30 · 2023-12-19 18:31:40 +05:30 · a3b358b78a
commit a3b358b78a
parent 818ee8b32d
1 changed files with 39 additions and 4 deletions
--- a/.github/workflows/report-on-vulnerabilities.yaml
+++ b/.github/workflows/report-on-vulnerabilities.yaml
@ -16,15 +16,50 @@ jobs:
    runs-on: ubuntu-latest
    outputs:
      results: ${{ steps.parse-results.outputs.results }}
-    steps:
-    - name: Scan for vulnerabilities
-      uses: aquasecurity/trivy-action@91713af97dc80187565512baba96e4364e983601 # v0.8.0 (Trivy v0.34.0)
+    steps:    
+    - name: Get Branches Name
+      id: get-branches
+      run: |
+        all_branches=$(curl -s https://api.github.com/repos/${{ env.IMAGE_NAME }}/branches | jq -r '.[].name | select(startswith("release-"))' | sort -rV | head -n 2)
+        releasebranch1=$(echo "$all_branches" | sed -n 1p)
+        releasebranch2=$(echo "$all_branches" | sed -n 2p)
+
+        echo "releasebranch1=$releasebranch1" >> $GITHUB_OUTPUT
+        echo "releasebranch2=$releasebranch2" >> $GITHUB_OUTPUT
+    
+    - name: Scan for vulnerabilities in latest image
+      uses: aquasecurity/trivy-action@f78e9ecf42a1271402d4f484518b9313235990e1 # v0.8.0 (Trivy v0.34.0)
+
      with: 
        image-ref: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:latest
        format: json
        ignore-unfixed: false
        severity: HIGH,CRITICAL
-        output: scan.json
+        output: scan1.json
+
+    - name: Scan for vulnerabilities in latest-1 image
+      uses: aquasecurity/trivy-action@f78e9ecf42a1271402d4f484518b9313235990e1 # v0.8.0 (Trivy v0.34.0)
+      with: 
+        image-ref: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ steps.get-branches.outputs.releasebranch1 }}
+        format: json
+        ignore-unfixed: false
+        severity: HIGH,CRITICAL
+        output: scan2.json
+
+    - name: Scan for vulnerabilities in latest-2 image
+      uses: aquasecurity/trivy-action@f78e9ecf42a1271402d4f484518b9313235990e1 # v0.8.0 (Trivy v0.34.0)
+      with: 
+        image-ref: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ steps.get-branches.outputs.releasebranch2 }}
+        format: json
+        ignore-unfixed: false
+        severity: HIGH,CRITICAL
+        output: scan3.json
+
+    - name: Merge scan results
+      id: merge-results
+      run: |
+        jq -s add scan1.json scan2.json scan3.json > scan.json
+        cat scan.json

    - name: Parse scan results
      id: parse-results