Conversation

@SgtCoDFish SgtCoDFish commented Dec 18, 2025

Summary

Improves Trivy security scanning frequency and TestGrid reporting for cert-manager container images.

  • Increases scan frequency: Trivy tests now run every 12 hours (previously 24 hours) for faster vulnerability detection
  • Improves alerting: Reduces stale results threshold from 36 to 18 hours to match the new scan frequency (and makes this more linked to the actual periodicity of the job)
  • Better test status reporting: Configures TestGrid to show binary pass/fail status instead of "flaky" for Trivy scans

Motivation

Security vulnerability scans should run frequently to detect issues quickly. By doubling the scan frequency and adjusting TestGrid settings appropriately, this ensures the team is notified sooner when vulnerabilities are discovered in cert-manager container images.

Also, the "FLAKY" status wasn't helpful for these tests - we really only care about the latest scan and whether it passed or failed.

See https://github.com/kubernetes/test-infra/blob/737791c6e2ee79bdc8efce2195eb6d20ebb6eb04/testgrid/config.md#prow-job-configuration for details on the testgrid annotations.

Testing

I haven't tested that these testgrid annotations from the linked doc actually work - I think it's easier to merge the PR and check if it did what we expect. I'm confident that this change won't be negative, at least!
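The PR ties the TestGrid stale-results threshold to the job's interval (36h for a 24h job, 18h for a 12h job, i.e. 1.5x) and wants status judged from the latest run only. Below is an added consistency check for that rule; it is not code from this PR or the cert-manager repos. The annotation names (`testgrid-alert-stale-results-hours`, `testgrid-num-columns-recent`) are taken from the linked test-infra doc, the 1.5x factor is inferred from the numbers above, and the sample jobs are constructed.

```python
"""Consistency check for Prow periodic jobs that report to TestGrid (added example)."""
import re

_DURATION = re.compile(r"(\d+(?:\.\d+)?)([hms])")
_TO_HOURS = {"h": 1.0, "m": 1 / 60, "s": 1 / 3600}


def parse_interval_hours(interval: str) -> float:
    """Convert a Go-style Prow duration such as '12h' or '1h30m' to hours."""
    parts = _DURATION.findall(interval)
    if not parts or "".join(n + u for n, u in parts) != interval:
        raise ValueError(f"unsupported interval: {interval!r}")
    return sum(float(n) * _TO_HOURS[u] for n, u in parts)


def check_periodic(job: dict, stale_factor: float = 1.5) -> list:
    """Return findings for one periodic job; an empty list means it is consistent.

    stale_factor is an assumption derived from the PR's 36h/24h and 18h/12h pairs.
    """
    findings = []
    name = job["name"]
    hours = parse_interval_hours(job["interval"])
    ann = job.get("annotations", {})
    expected = hours * stale_factor
    stale = ann.get("testgrid-alert-stale-results-hours")
    if stale is None:
        findings.append(f"{name}: no stale-results threshold; expected {expected:g}h")
    elif abs(float(stale) - expected) > 1e-9:
        findings.append(f"{name}: stale threshold {stale}h does not match "
                        f"{hours:g}h interval (expected {expected:g}h)")
    # A scan is pass/fail on its latest run: do not let older columns mark it FLAKY.
    if ann.get("testgrid-num-columns-recent") != "1":
        findings.append(f"{name}: set testgrid-num-columns-recent: \"1\" so only the "
                        "latest scan decides the tab status")
    return findings


# Constructed sample jobs in the shape of a Prow periodic entry (not real config).
BEFORE = {"name": "trivy-scan-before", "interval": "24h",
          "annotations": {"testgrid-alert-stale-results-hours": "36"}}
AFTER = {"name": "trivy-scan-after", "interval": "12h",
         "annotations": {"testgrid-alert-stale-results-hours": "18",
                         "testgrid-num-columns-recent": "1"}}
HALF_DONE = {"name": "trivy-scan-half", "interval": "12h",  # interval cut, threshold not
             "annotations": {"testgrid-alert-stale-results-hours": "36"}}

if __name__ == "__main__":
    for job in (BEFORE, AFTER, HALF_DONE):
        print(job["name"], check_periodic(job) or ["ok"])
```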

@cert-manager-prow cert-manager-prow bot added dco-signoff: yes Indicates that all commits in the pull request have the valid DCO sign-off message. size/M Denotes a PR that changes 30-99 lines, ignoring generated files. labels Dec 18, 2025
@cert-manager-prow cert-manager-prow bot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Dec 28, 2025
@cert-manager-prow cert-manager-prow bot removed the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Jan 6, 2026
maelvls commented Jan 8, 2026

Seems like all good changes. I don't see any risk in merging this.

/lgtm
/approve

@cert-manager-prow cert-manager-prow bot added the lgtm Indicates that a PR is ready to be merged. label Jan 8, 2026
@cert-manager-prow

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: maelvls

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@cert-manager-prow cert-manager-prow bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jan 8, 2026
@cert-manager-prow cert-manager-prow bot merged commit f8e1f11 into cert-manager:master Jan 8, 2026
6 checks passed
@cert-manager-prow

@SgtCoDFish: Updated the job-config configmap in namespace default at cluster default using the following files:

  • key cert-manager-master.yaml using file config/jobs/cert-manager/cert-manager/master/cert-manager-master.yaml
  • key cert-manager-release-1.18.yaml using file config/jobs/cert-manager/cert-manager/release-1.18/cert-manager-release-1.18.yaml
  • key cert-manager-release-1.19.yaml using file config/jobs/cert-manager/cert-manager/release-1.19/cert-manager-release-1.19.yaml
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@SgtCoDFish SgtCoDFish deleted the trivy-changes branch January 8, 2026 17:02