add security scan

.github/workflows/release.yaml

@@ -10,8 +10,8 @@ jobs:
   build:
     env:
       context: "./"
-      controlplane_image_name: "openshift-capi-agent-controlplane"
-      bootstrap_image_name: "openshift-capi-agent-bootstrap"
+      controlplane_image_name: "cluster-api-controlplane-provider-openshift-assisted"
+      bootstrap_image_name: "cluster-api-bootstrap-provider-openshift-assisted"
     name: Release
     runs-on: ubuntu-latest
     steps:
@@ -26,8 +26,8 @@ jobs:
       - name: Set tags on manifests
         id: set_tag_manifests
         run: |
-          sed -i "s,quay.io/edge-infrastructure/openshift-capi-agent-bootstrap:latest,${{ secrets.REGISTRY_SERVER }}/${{ secrets.REGISTRY_NAMESPACE }}/${{ env.bootstrap_image_name }}:${{env.VERSION}}," bootstrap-components.yaml
-          sed -i "s,quay.io/edge-infrastructure/openshift-capi-agent-controlplane:latest,${{ secrets.REGISTRY_SERVER }}/${{ secrets.REGISTRY_NAMESPACE }}/${{ env.controlplane_image_name }}:${{env.VERSION}}," controlplane-components.yaml
+          sed -i "s,quay.io/edge-infrastructure/cluster-api-bootstrap-provider-openshift-assisted:latest,${{ secrets.REGISTRY_SERVER }}/${{ secrets.REGISTRY_NAMESPACE }}/${{ env.bootstrap_image_name }}:${{env.VERSION}}," bootstrap-components.yaml
+          sed -i "s,quay.io/edge-infrastructure/cluster-api-controlplane-provider-openshift-assisted:latest,${{ secrets.REGISTRY_SERVER }}/${{ secrets.REGISTRY_NAMESPACE }}/${{ env.controlplane_image_name }}:${{env.VERSION}}," controlplane-components.yaml
       - name: Login to Quay.io
         uses: docker/login-action@v3
         with:

.github/workflows/security-scan.yaml

@@ -0,0 +1,43 @@
+name: security-scan
+on:
+  push:
+    branches:
+      - master
+  pull_request:
+jobs:
+  build:
+    name: Security scan
+    runs-on: ubuntu-24.04
+    env:
+      CONTAINER_TAG: ${{ github.sha }}
+      CONTAINER_TOOL: docker
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+      - name: Build images from Dockerfile
+        run: make docker-build-all
+      - name: Create scans folder
+        run: |
+          mkdir -p scans/
+      - name: Run Trivy vulnerability scanner for controlplane
+        uses: aquasecurity/trivy-action@0.30.0
+        with:
+          image-ref: 'quay.io/edge-infrastructure/cluster-api-controlplane-provider-openshift-assisted:${{ github.sha }}'
+          trivy-config: .trivy.yaml
+          output: 'scans/trivy-results-controlplane.sarif'
+      - name: Run Trivy vulnerability scanner for bootstrap
+        uses: aquasecurity/trivy-action@0.30.0
+        with:
+          image-ref: 'quay.io/edge-infrastructure/cluster-api-bootstrap-provider-openshift-assisted:${{ github.sha }}'
+          trivy-config: .trivy.yaml
+          output: 'scans/trivy-results-bootstrap.sarif'
+      - name: Run Trivy vulnerability scanner in repo mode
+        uses: aquasecurity/trivy-action@0.30.0
+        with:
+          scan-type: 'fs'
+          output: 'trivy-results-repo.sarif'
+      - name: Upload Trivy scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@v3
+        if: always()
+        with:
+          sarif_file: 'scans/'

.trivy.yaml

@@ -0,0 +1,12 @@
+scan:
+  offline: true
+vulnerability:
+  ignore-unfixed: true
+severity:
+  - HIGH
+  - CRITICAL
+format: 'sarif'
+pkg:
+  types:
+    - os
+    - library

Makefile

@@ -1,7 +1,7 @@
 # provider to build
 PROVIDER ?= bootstrap
 CONTAINER_REPOSITORY_ORG ?= edge-infrastructure
-CONTAINER_REPOSITORY ?= quay.io/$(CONTAINER_REPOSITORY_ORG)/openshift-capi-agent-$(PROVIDER)
+CONTAINER_REPOSITORY ?= quay.io/$(CONTAINER_REPOSITORY_ORG)/cluster-api-$(PROVIDER)-provider-openshift-assisted
 CONTAINER_TAG ?= latest
 DIST_DIR ?= ./dist
 # Image URL to use all building/pushing image targets
@@ -102,11 +102,11 @@ run: manifests generate fmt vet ## Run a controller from your host.
 
 .PHONY: provider-docker-build
 provider-docker-build:
-	$(MAKE) docker-build-internal IMG=quay.io/$(CONTAINER_REPOSITORY_ORG)/openshift-capi-agent-$(PROVIDER):$(CONTAINER_TAG)
+	$(MAKE) docker-build-internal IMG=quay.io/$(CONTAINER_REPOSITORY_ORG)/cluster-api-$(PROVIDER)-provider-openshift-assisted:$(CONTAINER_TAG)
 
 .PHONY: provider-docker-push
 provider-docker-push:
-	$(MAKE) docker-push-internal IMG=quay.io/$(CONTAINER_REPOSITORY_ORG)/openshift-capi-agent-$(PROVIDER):$(CONTAINER_TAG)
+	$(MAKE) docker-push-internal IMG=quay.io/$(CONTAINER_REPOSITORY_ORG)/cluster-api-$(PROVIDER)-provider-openshift-assisted:$(CONTAINER_TAG)
 
 .PHONY: bootstrap-docker-build
 bootstrap-docker-build:

bootstrap-components.yaml

@@ -927,7 +927,7 @@ spec:
           valueFrom:
             fieldRef:
               fieldPath: metadata.namespace
-        image: quay.io/edge-infrastructure/openshift-capi-agent-bootstrap:latest
+        image: quay.io/edge-infrastructure/cluster-api-bootstrap-provider-openshift-assisted:latest
         imagePullPolicy: Always
         livenessProbe:
           httpGet:

bootstrap/config/manager/kustomization.yaml

@@ -4,5 +4,5 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 images:
 - name: controller
-  newName: quay.io/edge-infrastructure/openshift-capi-agent-bootstrap
+  newName: quay.io/edge-infrastructure/cluster-api-bootstrap-provider-openshift-assisted
   newTag: latest

controlplane-components.yaml

@@ -1068,7 +1068,7 @@ spec:
         - --leader-elect
         command:
         - /manager
-        image: quay.io/edge-infrastructure/openshift-capi-agent-controlplane:latest
+        image: quay.io/edge-infrastructure/cluster-api-controlplane-provider-openshift-assisted:latest
         imagePullPolicy: Always
         livenessProbe:
           httpGet:

controlplane/config/manager/kustomization.yaml

@@ -4,5 +4,5 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 images:
 - name: controller
-  newName: quay.io/edge-infrastructure/openshift-capi-agent-controlplane
+  newName: quay.io/edge-infrastructure/cluster-api-controlplane-provider-openshift-assisted
   newTag: latest