Skip to content

Commit

Permalink
Update trivy (#132)
Browse files Browse the repository at this point in the history 
* update trivy in publish

* update trivy in build
  • Loading branch information
@EveningStarlight
EveningStarlight authored Nov 27, 2024
1 parent 6866a4a commit 7a77e6a
Show file tree
Hide file tree
Showing 2 changed files with 65 additions and 3 deletions.
35 changes: 33 additions & 2 deletions .github/workflows/build.yml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -26,6 +26,10 @@ jobs:
build:
env:
TRIVY_VERSION: "v0.57.0"
TRIVY_DATABASES: '"ghcr.io/aquasecurity/trivy-db:2","public.ecr.aws/aquasecurity/trivy-db"'
TRIVY_JAVA_DATABASES: '"ghcr.io/aquasecurity/trivy-java-db:1","public.ecr.aws/aquasecurity/trivy-java-db"'
TRIVY_MAX_RETRIES: 5
TRIVY_RETRY_DELAY: 20
HADOLINT_VERSION: "2.12.0"
TRIVY_DB_REPOSITORY: "public.ecr.aws/aquasecurity/trivy-db,aquasec/trivy-db,ghcr.io/aquasecurity/trivy-db"
TRIVY_JAVA_DB_REPOSITORY: "public.ecr.aws/aquasecurity/trivy-java-db,aquasec/trivy-java-db,ghcr.io/aquasecurity/trivy-java-db"
Expand All @@ -49,12 +53,39 @@ jobs:
docker push localhost:5000/${{ matrix.image }}:${{ github.sha }}
docker image prune
# Scan image for vulnerabilities
# Scan image for vulnerabilities
- name: Aqua Security Trivy image scan
run: |
printf ${{ secrets.CVE_ALLOWLIST }} > .trivyignore
curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin ${{ env.TRIVY_VERSION }}
trivy image localhost:5000/${{ matrix.image }}:${{ github.sha }} --exit-code 1 --timeout=20m --scanners vuln --severity CRITICAL
set +e # Lets trivy return an error without it being fatal
for ((i=0; i<${{ env.TRIVY_MAX_RETRIES }}; i++)); do
echo "Attempt $((i + 1)) of ${{ env.TRIVY_MAX_RETRIES }}..."
trivy image \
--db-repository ${{ env.TRIVY_DATABASES }} \
--java-db-repository ${{ env.TRIVY_JAVA_DATABASES }} \
localhost:5000/${{ matrix.image }}:${{ github.sha }} \
--exit-code 10 --timeout=20m --scanners vuln --severity CRITICAL \
--skip-dirs /usr/local/SASHome
EXIT_CODE=$?
if [[ $EXIT_CODE -eq 0 ]]; then
echo "Trivy scan completed successfully."
exit 0
elif [[ $EXIT_CODE -eq 10 ]]; then
echo "Trivy scan completed successfully. Some vulnerabilities were found."
exit 0
elif [[ $i -lt $(( ${{ env.TRIVY_MAX_RETRIES }} - 1)) ]]; then
echo "Encountered unexpected error. Retrying in ${{ env.TRIVY_RETRY_DELAY }} seconds..."
sleep ${{ env.TRIVY_RETRY_DELAY }}
else
echo "Unexpected error persists after ${{ env.TRIVY_MAX_RETRIES }} attempts. Exiting."
exit 1
fi
done
# Run Hadolint
- name: Run Hadolint
Expand Down
33 changes: 32 additions & 1 deletion .github/workflows/publish.yml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -33,6 +33,10 @@ jobs:
build:
env:
TRIVY_VERSION: "v0.57.0"
TRIVY_DATABASES: '"ghcr.io/aquasecurity/trivy-db:2","public.ecr.aws/aquasecurity/trivy-db"'
TRIVY_JAVA_DATABASES: '"ghcr.io/aquasecurity/trivy-java-db:1","public.ecr.aws/aquasecurity/trivy-java-db"'
TRIVY_MAX_RETRIES: 5
TRIVY_RETRY_DELAY: 20
HADOLINT_VERSION: "2.12.0"
OPENMPP_VERSION: "1.17.5"
TRIVY_DB_REPOSITORY: "public.ecr.aws/aquasecurity/trivy-db,aquasec/trivy-db,ghcr.io/aquasecurity/trivy-db"
Expand Down Expand Up @@ -69,7 +73,34 @@ jobs:
run: |
printf ${{ secrets.CVE_ALLOWLIST }} > .trivyignore
curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin ${{ env.TRIVY_VERSION }}
trivy image localhost:5000/${{ matrix.image }}:${{ github.sha }} --exit-code 1 --timeout=20m --scanners vuln --severity CRITICAL
set +e # Lets trivy return an error without it being fatal
for ((i=0; i<${{ env.TRIVY_MAX_RETRIES }}; i++)); do
echo "Attempt $((i + 1)) of ${{ env.TRIVY_MAX_RETRIES }}..."
trivy image \
--db-repository ${{ env.TRIVY_DATABASES }} \
--java-db-repository ${{ env.TRIVY_JAVA_DATABASES }} \
localhost:5000/${{ matrix.image }}:${{ github.sha }} \
--exit-code 10 --timeout=20m --scanners vuln --severity CRITICAL \
--skip-dirs /usr/local/SASHome
EXIT_CODE=$?
if [[ $EXIT_CODE -eq 0 ]]; then
echo "Trivy scan completed successfully."
exit 0
elif [[ $EXIT_CODE -eq 10 ]]; then
echo "Trivy scan completed successfully. Some vulnerabilities were found."
exit 0
elif [[ $i -lt $(( ${{ env.TRIVY_MAX_RETRIES }} - 1)) ]]; then
echo "Encountered unexpected error. Retrying in ${{ env.TRIVY_RETRY_DELAY }} seconds..."
sleep ${{ env.TRIVY_RETRY_DELAY }}
else
echo "Unexpected error persists after ${{ env.TRIVY_MAX_RETRIES }} attempts. Exiting."
exit 1
fi
done
# Run Hadolint
- name: Run Hadolint
Expand Down

0 comments on commit 7a77e6a

Please sign in to comment.