From 9cc3ea15fc5ecf315bdf3c4d79726cbed11bb96e Mon Sep 17 00:00:00 2001
From: Vasily Oleynikov
Date: Wed, 21 Aug 2024 10:24:48 +0300
Subject: [PATCH] [CI] Add Trivy vulnerables check (#85)
Signed-off-by: v.oleynikov
---
.github/workflows/trivy_check.yaml | 33 ++++++++++++++++++++++++
images/agent/werf.inc.yaml | 4 +--
images/sds-utils-installer/werf.inc.yaml | 4 +--
3 files changed, 37 insertions(+), 4 deletions(-)
create mode 100644 .github/workflows/trivy_check.yaml
diff --git a/.github/workflows/trivy_check.yaml b/.github/workflows/trivy_check.yaml
new file mode 100644
index 00000000..459b6ff4
--- /dev/null
+++ b/.github/workflows/trivy_check.yaml
@@ -0,0 +1,33 @@
+name: Trivy check for sub repos
+
+on:
+ pull_request:
+ push:
+ branches:
+ - main
+
+jobs:
+ test:
+ name: Trivy check for sub repos
+ runs-on: [self-hosted, regular]
+
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v2
+
+ - name: Prepare sub repo
+ run: |
+ version=v`grep "version :=" images/agent/werf.inc.yaml | awk -F'"' '{ print $2}'`
+ git clone --depth 1 --branch $version ${{ secrets.SOURCE_REPO }}/util-linux/util-linux.git ./util-linux
+ git clone ${{ secrets.SOURCE_REPO }}/lvmteam/lvm2.git ./lvm2
+ version=`grep "version :=" images/sds-utils-installer/werf.inc.yaml | awk -F'"' '{ print $2}'`
+ cd ./lvm2
+ git checkout $version
+ cd ..
+
+ - name: Run Trivy vulnerability scanner in fs mode
+ uses: aquasecurity/trivy-action@master
+ with:
+ scan-type: 'fs'
+ scan-ref: '.'
+ trivy-config: trivy.yaml
diff --git a/images/agent/werf.inc.yaml b/images/agent/werf.inc.yaml
index 8e51c991..2a2b8cf8 100644
--- a/images/agent/werf.inc.yaml
+++ b/images/agent/werf.inc.yaml
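Review bot: `aquasecurity/trivy-action@master` (and the old `actions/checkout@v2`) track mutable refs, so the code executed on the self-hosted runner can change without any review in this repository; pin both to a full commit SHA with a version comment, e.g. `uses: aquasecurity/trivy-action@<commit-sha>  # <release-tag>`. The `pull_request` trigger together with `runs-on: [self-hosted, regular]` means a PR that edits this workflow file runs its own commands on that runner, so the runner should be treated as reachable by PR authors unless workflow runs from forks require approval. In the `Prepare sub repo` step the `version=` assignments take the exit status of the `awk` end of the pipeline (the default `bash -e` run shell has no `pipefail`), so a failed `grep` produces an empty value that only surfaces later as a confusing `git` error; a `set -euo pipefail` at the top plus an explicit `[ -n "$version" ] || exit 1` after each assignment would fail at the source. Note also that `trivy-config: trivy.yaml` is not added by this commit, so the scan step depends on that file already existing at the repository root.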
@@ -4,7 +4,7 @@
 {{- $_ := set . "BASE_ALT_DEV" "registry.deckhouse.ru/base_images/dev-alt:p10@sha256:76e6e163fa982f03468166203488b569e6d9fc10855d6a259c662706436cdcad" }}
 {{ $binaries := "/opt/deckhouse/sds/lib/libblkid.so.1 /opt/deckhouse/sds/lib/libmount.so.1 /opt/deckhouse/sds/lib/libsmartcols.so.1 /opt/deckhouse/sds/bin/nsenter.static /opt/deckhouse/sds/lib/x86_64-linux-gnu/libudev.so.1 /opt/deckhouse/sds/lib/x86_64-linux-gnu/libcap.so.2 ld-linux-x86-64.so.2 /opt/deckhouse/sds/bin/lsblk.dynamic" }}
-{{ $util_linux_version := "2.39.3" }}
+{{ $version := "2.39.3" }}
 ---
 image: {{ $.ImageName }}-binaries-artifact
 from: {{ $.BASE_ALT_DEV }}
@@ -32,7 +32,7 @@ shell:
 - cd /
 - git clone {{ env "SOURCE_REPO" }}/util-linux/util-linux.git
 - cd /util-linux
- - git checkout v{{ $util_linux_version }}
+ - git checkout v{{ $version }}
 - ./autogen.sh
 - ./configure LDFLAGS="-static" --enable-static-programs -disable-all-programs --enable-nsenter
 - make install-strip
diff --git a/images/sds-utils-installer/werf.inc.yaml b/images/sds-utils-installer/werf.inc.yaml
index 9a4da987..af466287 100644
--- a/images/sds-utils-installer/werf.inc.yaml
+++ b/images/sds-utils-installer/werf.inc.yaml
@@ -4,7 +4,7 @@
 {{- $_ := set . "BASE_ALT_DEV" "registry.deckhouse.ru/base_images/dev-alt:p10@sha256:76e6e163fa982f03468166203488b569e6d9fc10855d6a259c662706436cdcad" }}
 {{ $binaries := "/sds-utils/bin/lvm.static" }}
-{{ $lvm_version := "d786a8f820d54ce87a919e6af5426c333c173b11" }}
+{{ $version := "d786a8f820d54ce87a919e6af5426c333c173b11" }}
 ---
 image: {{ $.ImageName }}-binaries-artifact
 from: {{ $.BASE_ALT_DEV }}
@@ -28,7 +28,7 @@ shell:
 - cd /
 - git clone {{ env "SOURCE_REPO" }}/lvmteam/lvm2.git
 - cd /lvm2
- - git checkout {{ $lvm_version }}
+ - git checkout {{ $version }}
 - ./configure --enable-static_link --disable-silent-rules --disable-readline --enable-blkid_wiping --build=x86_64-linux-gnu
 - make
 - mkdir -p /sds-utils/bin/