Circleci: Update nightly trivy scan #930

Merged
merged 15 commits into from
Oct 18, 2023

@usmansaleem usmansaleem commented Oct 17, 2023

PR Description

Update CircleCI dockerScan (trivy) nightly task. Use circleci base image for more up-to-date tools. Scan both amd64 and arm64 variants of web3signer develop tag.

Fixed Issue(s)

Documentation

  • I thought about documentation and added the doc-change-required label to this PR if updates are required.

Changelog

  • I thought about adding a changelog entry, and added one if I deemed necessary.

Testing

  • I thought about testing these changes in a realistic/non-local environment.

@usmansaleem usmansaleem requested a review from jframe October 18, 2023 02:20
@usmansaleem usmansaleem changed the title circleci trivy scan Circleci: Update nightly trivy scan Oct 18, 2023
- run:
name: Scan with trivy
shell: /bin/sh
command: |
rm -rf docker/test*
for FILE in $(ls docker)
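
Review bot: `for FILE in $(ls docker)` iterates over parsed `ls` output, so a directory name containing whitespace or glob characters would be split or expanded before the loop body sees it, and the preceding `rm -rf docker/test*` deletes files from the checkout, apparently only to keep them out of that listing. Iterating over a glob such as `docker/*/` and skipping `test*` entries inside the loop would select the same directories without deleting anything or depending on how `ls` formats its output.
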
Contributor

What were the previous values of $FILE?

Contributor Author

We used to have docker/jdk17/Dockerfile and docker/jdk11/Dockerfile. Hence we used to create/publish consensys/web3signer:develop-java11 and consensys/web3signer:develop-java17. Since we now default to the java17 variant, the develop tag now points to develop-java17. In addition, we further publish platform-specific variants as well, i.e. develop-amd64 and develop-arm64. Similarly, develop-java17-amd64 and develop-java17-arm64.

In summary, we only need to test/scan the develop tag unless we introduce a java21 tag along with the java17 tag. We were also only scanning the develop-amd64 variant in the past, as the CircleCI trivy job runs on a Linux amd64 environment. Now we make sure to scan both amd64 and arm64 variants (as both of them are built separately).

@usmansaleem usmansaleem merged commit 2d4f5c6 into Consensys:master Oct 18, 2023
2 checks passed
@usmansaleem usmansaleem deleted the trivy_scan branch October 18, 2023 04:55