chore(trivy): Update trivy for aaw#1988 #316
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # This workflow will build a docker container, publish it to Azure Container Registry, and deploy it to Azure Kubernetes Service using a helm chart. | |
| # | |
| # https://github.com/Azure/actions-workflow-samples/tree/master/Kubernetes | |
| # | |
| # To configure this workflow: | |
| # | |
| # 1. Set up the following secrets in your workspace: | |
| # a. REGISTRY_USERNAME with ACR username | |
| # b. REGISTRY_PASSWORD with ACR Password | |
| # c. AZURE_CREDENTIALS with the output of `az ad sp create-for-rbac --sdk-auth` | |
| # | |
| # 2. Change the values for the REGISTRY_NAME, CLUSTER_NAME, CLUSTER_RESOURCE_GROUP and NAMESPACE environment variables (below). | |
| name: build | |
| on: [pull_request] | |
| # Environment variables available to all jobs and steps in this workflow | |
| jobs: | |
| listimages: | |
| runs-on: ubuntu-latest | |
| outputs: | |
| matrix: ${{ steps.set-matrix.outputs.matrix }} | |
| steps: | |
| - uses: actions/checkout@master | |
| - id: set-matrix | |
| run: echo "::set-output name=matrix::{\"image\":[$(ls -d */ | sed 's~\(.*\)/$~\"\1\"~g' | paste -sd ',')]}" | |
| build: | |
| env: | |
| TRIVY_VERSION: "v0.57.0" | |
| TRIVY_DATABASES: '"ghcr.io/aquasecurity/trivy-db:2","public.ecr.aws/aquasecurity/trivy-db"' | |
| TRIVY_JAVA_DATABASES: '"ghcr.io/aquasecurity/trivy-java-db:1","public.ecr.aws/aquasecurity/trivy-java-db"' | |
| TRIVY_MAX_RETRIES: 5 | |
| TRIVY_RETRY_DELAY: 20 | |
| HADOLINT_VERSION: "2.12.0" | |
| TRIVY_DB_REPOSITORY: "public.ecr.aws/aquasecurity/trivy-db,aquasec/trivy-db,ghcr.io/aquasecurity/trivy-db" | |
| TRIVY_JAVA_DB_REPOSITORY: "public.ecr.aws/aquasecurity/trivy-java-db,aquasec/trivy-java-db,ghcr.io/aquasecurity/trivy-java-db" | |
| TRIVY_DISABLE_VEX_NOTICE: true | |
| needs: listimages | |
| strategy: | |
| fail-fast: false | |
| matrix: ${{fromJson(needs.listimages.outputs.matrix)}} | |
| runs-on: ubuntu-latest | |
| services: | |
| registry: | |
| image: registry:2 | |
| ports: | |
| - 5000:5000 | |
| steps: | |
| - uses: actions/checkout@master | |
| # Container build and push to a Azure Container registry (ACR) | |
| - run: | | |
| docker build -f ${{ matrix.image }}/Dockerfile -t localhost:5000/${{ matrix.image }}:${{ github.sha }} ${{ matrix.image }} | |
| docker push localhost:5000/${{ matrix.image }}:${{ github.sha }} | |
| docker image prune | |
| # Scan image for vulnerabilities | |
| - name: Aqua Security Trivy image scan | |
| run: | | |
| printf ${{ secrets.CVE_ALLOWLIST }} > .trivyignore | |
| curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin ${{ env.TRIVY_VERSION }} | |
| set +e # Lets trivy return an error without it being fatal | |
| for ((i=0; i<${{ env.TRIVY_MAX_RETRIES }}; i++)); do | |
| echo "Attempt $((i + 1)) of ${{ env.TRIVY_MAX_RETRIES }}..." | |
| trivy image \ | |
| --db-repository ${{ env.TRIVY_DATABASES }} \ | |
| --java-db-repository ${{ env.TRIVY_JAVA_DATABASES }} \ | |
| localhost:5000/${{ matrix.image }}:${{ github.sha }} \ | |
| --exit-code 10 --timeout=20m --scanners vuln --severity CRITICAL \ | |
| --skip-dirs /usr/local/SASHome | |
| EXIT_CODE=$? | |
| if [[ $EXIT_CODE -eq 0 ]]; then | |
| echo "Trivy scan completed successfully." | |
| exit 0 | |
| elif [[ $EXIT_CODE -eq 10 ]]; then | |
| echo "Trivy scan completed successfully. Some vulnerabilities were found." | |
| exit 0 | |
| elif [[ $i -lt $(( ${{ env.TRIVY_MAX_RETRIES }} - 1)) ]]; then | |
| echo "Encountered unexpected error. Retrying in ${{ env.TRIVY_RETRY_DELAY }} seconds..." | |
| sleep ${{ env.TRIVY_RETRY_DELAY }} | |
| else | |
| echo "Unexpected error persists after ${{ env.TRIVY_MAX_RETRIES }} attempts. Exiting." | |
| exit 1 | |
| fi | |
| done | |
| # Run Hadolint | |
| - name: Run Hadolint | |
| run: | | |
| sudo curl -L https://github.com/hadolint/hadolint/releases/download/v${{ env.HADOLINT_VERSION }}/hadolint-Linux-x86_64 --output hadolint | |
| sudo chmod +x hadolint | |
| ./hadolint ${{ matrix.image }}/Dockerfile --no-fail |