etcd Add image scan script

Introduce a new script that can run on stable branches that checks the vulnerabilities for the latest tag (from the given branch).

Adds Trivy as a tool dependency, to keep track of the latest released version.

A periodic Prow job will later execute this. We'll get alerts when a CVE is found in our images, either by a direct vulnerability or for a dependency with a reported vulnerability of high or critical severity.

Part of #19363.

Please read https://github.com/etcd-io/etcd/blob/main/CONTRIBUTING.md#contribution-flow.

Apr 26 '25 06:04 ivanvc

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: ivanvc Once this PR has been reviewed and has the lgtm label, please assign spzala for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

OWNERS

Approvers can indicate their approval by writing /approve in a comment Approvers can cancel approval by writing /approve cancel in a comment

Apr 26 '25 06:04 k8s-ci-robot

Oof, inconsistent dependencies. I'll draft and will undraft once I address those :sweat_smile:.

Apr 26 '25 07:04 ivanvc

/test pull-etcd-verify

Apr 27 '25 04:04 ivanvc

Adding Trivy as a tool bumped many indirect dependencies, resulting in changes to many go.mods.

Apr 27 '25 04:04 ivanvc

Codecov Report

:white_check_mark: All modified and coverable lines are covered by tests. :white_check_mark: Project coverage is 68.78%. Comparing base (4fec4ca) to head (6461725). :warning: Report is 797 commits behind head on main.

Additional details and impacted files

see 21 files with indirect coverage changes

@@            Coverage Diff             @@
##             main   #19804      +/-   ##
==========================================
- Coverage   68.86%   68.78%   -0.08%     
==========================================
  Files         421      421              
  Lines       35863    35858       -5     
==========================================
- Hits        24696    24664      -32     
- Misses       9746     9764      +18     
- Partials     1421     1430       +9

Continue to review full report in Codecov by Sentry.

Legend - Click here to learn more Δ = absolute <relative> (impact), ø = not affected, ? = missing data Powered by Codecov. Last update aa8238f...6461725. Read the comment docs.

:rocket: New features to boost your workflow:

:snowflake: Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

Apr 27 '25 05:04 codecov[bot]

PR needs rebase.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

Apr 27 '25 11:04 k8s-ci-robot

My understanding is that you only introduce a new dependency on github.com/aquasecurity/trivy, could you move unrelated dependencies bumping into a separate PR to make this PR easier to review?

Apr 28 '25 10:04 ahrtr

My understanding is that you only introduce a new dependency on github.com/aquasecurity/trivy, could you move unrelated dependencies bumping into a separate PR to make this PR easier to review?

I opened https://github.com/etcd-io/etcd/pull/19819.

But I wonder if it makes more sense to open a pull request to only bump the existing dependencies without introducing Trivy. Let me know, and I can do that instead.

Edit: I opened #19821, which does the latter.

Apr 28 '25 22:04 ivanvc

@ivanvc Probably I did not say it clearly in my previous comment.

Adding dependency github.com/aquasecurity/trivy is OK, because it's required for the image scan script. It's OK to do both things (see below) in one PR,

Add dependency github.com/aquasecurity/trivy
Add image scan script

But I see that you bumped many other dependencies as well in this PR. Can you move all other dependencies bumping into a separate PR?

Apr 29 '25 08:04 ahrtr

@ahrtr, then, please take a look at #19821.

I'll close #19819, then.

Apr 29 '25 22:04 ivanvc

Please rebase this PR.

May 01 '25 17:05 ahrtr

I'll get back to this shortly. I'm a bit busy and reconsidering how we'll implement this in the stable release branches. Either way, the trivy dependency is required, so it's good that we bumped the indirect dependencies.

May 07 '25 16:05 ivanvc

@ivanvc: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci-etcd-robustness-release36-amd64	6461725759aeb09321550866c01f438008e3236d	link	true	`/test ci-etcd-robustness-release36-amd64`
ci-etcd-robustness-release35-amd64	6461725759aeb09321550866c01f438008e3236d	link	true	`/test ci-etcd-robustness-release35-amd64`
ci-etcd-robustness-release34-amd64	6461725759aeb09321550866c01f438008e3236d	link	true	`/test ci-etcd-robustness-release34-amd64`
pull-etcd-govulncheck-main	6461725759aeb09321550866c01f438008e3236d	link	true	`/test pull-etcd-govulncheck-main`
pull-etcd-govulncheck	6461725759aeb09321550866c01f438008e3236d	link	true	`/test pull-etcd-govulncheck`

Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

Aug 26 '25 10:08 k8s-ci-robot

etcd etcd copied to clipboard

Add image scan script

Codecov Report

etcd
etcd copied to clipboard