Merge branch 'main' into ss/feat/introduce-readyz-probe

h2oai · Nov 22, 2024 · 6638a6e · 6638a6e
2 parents d6eae2a + 5bfb8b1
commit 6638a6e
Show file tree

Hide file tree

Showing 2 changed files with 34 additions and 42 deletions.
diff --git a/.github/workflows/component-scan.yml b/.github/workflows/component-scan.yml
@@ -27,40 +27,44 @@ jobs:
         uses: aquasecurity/[email protected]
         with:
           image-ref: image:latest
-          format: 'json'
           vuln-type: 'os,library'
-          output: 'trivy-results.json'
         env:
           TRIVY_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-db:2
           TRIVY_JAVA_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-java-db:1
+          TRIVY_FORMAT: json
+          TRIVY_OUTPUT: 'trivy-results.json'
 
       - name: Save vulnerabilities report in tabular format
         if: always()
         uses: aquasecurity/[email protected]
         with:
-          image-ref: trivy-results.json
+          scan-ref: trivy-results.json
           scan-type: convert
-          vuln-type: ''
-          format: 'table'
-          output: 'trivy-results.txt'
+        env:
+          TRIVY_FORMAT: table
+          TRIVY_OUTPUT: 'trivy-results.txt'
 
       - name: Display vulnerabilities report
         if: always()
         uses: aquasecurity/[email protected]
         with:
-          image-ref: trivy-results.json
+          scan-ref: trivy-results.json
           scan-type: convert
-          vuln-type: ''
+        env:
+          TRIVY_FORMAT: table
+          TRIVY_OUTPUT: ''
 
       - name: Fail on high and critical vulnerabilities
         if: always()
         uses: aquasecurity/[email protected]
         with:
-          image-ref: trivy-results.json
+          scan-ref: trivy-results.json
           scan-type: convert
           exit-code: '1'
-          vuln-type: ''
           severity: 'HIGH,CRITICAL'
+        env:
+          TRIVY_FORMAT: table
+          TRIVY_OUTPUT: ''
 
       - name: Publish scan report
         if: always()
@@ -212,35 +216,23 @@ jobs:
 
       - name: Send Notification to Slack
         if: ${{ startsWith(github.ref, 'refs/heads/main') || startsWith(github.ref, 'refs/heads/release/') }}
-        uses: slackapi/slack-github-action@v1.27.0
+        uses: slackapi/slack-github-action@v2.0.0
         with:
-          channel-id: ${{ secrets.SLACK_CHANNEL_ID }}
+          method: chat.postMessage
+          token: ${{ secrets.H2O_OPS_SLACK_BOT_TOKEN }}
           payload: |
-            {
-              "text": "Trivy Vulnerability Report",
-              "blocks": [
-                {
-                  "type": "section",
-                  "text": {
-                    "type": "mrkdwn",
-                    "text": "*Java MOJO Runtime* \n_Vulnerabilities have been detected on the `${{ github.ref_name }}` branch_"
-                  }
-                },
-                {
-                  "type": "section",
-                  "text": {
-                    "type": "mrkdwn",
-                    "text": "> *Trivy :: `${{ env.TRIVY_SUMMARY }}`*\n> *Prisma :: `${{ env.PRISMA_SUMMARY }}`*"
-                  }
-                },
-                {
-                  "type": "section",
-                  "text": {
-                    "type": "mrkdwn",
-                    "text": "${{ env.CODE_OWNERS }}, please review the following reports: <https://github.com/h2oai/${{ github.event.repository.name }}${{ needs.trivy_scan.outputs.job }}|_Trivy_>, <https://github.com/h2oai/${{ github.event.repository.name }}${{ needs.prisma_scan.outputs.job }}|_Prisma_>"
-                  }
-                }
-              ]
-            }
-        env:
-          SLACK_BOT_TOKEN: ${{ secrets.H2O_OPS_SLACK_BOT_TOKEN }}
+            channel: ${{ secrets.SLACK_CHANNEL_ID }}
+            text: "Trivy Vulnerability Report"
+            blocks:
+              - type: "section"
+                text:
+                  type: "mrkdwn"
+                  text: "*Java MOJO Runtime* \n_Vulnerabilities have been detected on the `${{ github.ref_name }}` branch_"
+              - type: "section"
+                text:
+                  type: "mrkdwn"
+                  text: "> *Trivy :: `${{ env.TRIVY_SUMMARY }}`*\n> *Prisma :: `${{ env.PRISMA_SUMMARY }}`*"
+              - type: "section"
+                text:
+                  type: "mrkdwn"
+                  text: "${{ env.CODE_OWNERS }}, please review the following reports: <https://github.com/h2oai/${{ github.event.repository.name }}${{ needs.trivy_scan.outputs.job }}|_Trivy_>, <https://github.com/h2oai/${{ github.event.repository.name }}${{ needs.prisma_scan.outputs.job }}|_Prisma_>"
diff --git a/local-rest-scorer/Dockerfile b/local-rest-scorer/Dockerfile
@@ -1,12 +1,12 @@
-FROM cgr.dev/chainguard/wolfi-base:latest@sha256:3221f96f52fca0020fa6f404b0370d132403be6b3736d8dd92275ccd72129c1f AS builder
+FROM cgr.dev/chainguard/wolfi-base:latest@sha256:b3dd9cf08283b959c6a0a3c833e68b2882a50129930215060154b43ae6a3e81c AS builder
 RUN apk add openjdk-17 bash coreutils
 ENV JAVA_HOME=/usr/lib/jvm/java-17-openjdk
 ENV PATH="$JAVA_HOME/bin:$PATH"
 WORKDIR /app
 COPY build/libs/local-rest-scorer-boot.jar application.jar
 RUN java -Djarmode=layertools -jar application.jar extract
 
-FROM cgr.dev/chainguard/wolfi-base:latest@sha256:3221f96f52fca0020fa6f404b0370d132403be6b3736d8dd92275ccd72129c1f
+FROM cgr.dev/chainguard/wolfi-base:latest@sha256:b3dd9cf08283b959c6a0a3c833e68b2882a50129930215060154b43ae6a3e81c
 RUN apk add openjdk-17-jre bash coreutils
 ENV JAVA_HOME=/usr/lib/jvm/java-17-openjdk
 ENV PATH="$JAVA_HOME/bin:$PATH"