-
Notifications
You must be signed in to change notification settings - Fork 25
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
don't trivy scan nightly builds (#467)
- Loading branch information
Showing
1 changed file
with
0 additions
and
61 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -108,68 +108,7 @@ jobs: | |
| echo "image-name=${IMAGE_NAME}" >> "$GITHUB_OUTPUT" | ||
| echo "image-id=$IMAGE_ID" >> "$GITHUB_OUTPUT" | ||
| - name: Download image | ||
| run: | | ||
| . venv/bin/activate | ||
| sudo mkdir /mnt/images | ||
| sudo chmod 777 /mnt/images | ||
| openstack image unset --property signature_verified "${{ steps.manifest.outputs.image-id }}" | ||
| openstack image save --file /mnt/images/${{ steps.manifest.outputs.image-name }}.qcow2 ${{ steps.manifest.outputs.image-id }} | ||
| - name: Set up QEMU | ||
| uses: docker/setup-qemu-action@v3 | ||
|
|
||
| - name: install libguestfs | ||
| run: | | ||
| sudo apt -y update | ||
| sudo apt -y install libguestfs-tools | ||
| - name: mkdir for mount | ||
| run: sudo mkdir -p './${{ steps.manifest.outputs.image-name }}' | ||
|
|
||
| - name: mount qcow2 file | ||
| run: sudo guestmount -a /mnt/images/${{ steps.manifest.outputs.image-name }}.qcow2 -i --ro -o allow_other './${{ steps.manifest.outputs.image-name }}' | ||
|
|
||
| - name: Run Trivy vulnerability scanner | ||
| uses: aquasecurity/[email protected] | ||
| with: | ||
| scan-type: fs | ||
| scan-ref: "${{ steps.manifest.outputs.image-name }}" | ||
| scanners: "vuln" | ||
| format: sarif | ||
| output: "${{ steps.manifest.outputs.image-name }}.sarif" | ||
| # turn off secret scanning to speed things up | ||
| env: | ||
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | ||
|
|
||
| - name: Upload Trivy scan results to GitHub Security tab | ||
| uses: github/codeql-action/upload-sarif@v3 | ||
| with: | ||
| sarif_file: "${{ steps.manifest.outputs.image-name }}.sarif" | ||
| category: "${{ matrix.os_version }}-${{ matrix.build }}" | ||
|
|
||
| - name: Fail if scan has CRITICAL vulnerabilities | ||
| uses: aquasecurity/[email protected] | ||
| with: | ||
| scan-type: fs | ||
| scan-ref: "${{ steps.manifest.outputs.image-name }}" | ||
| scanners: "vuln" | ||
| format: table | ||
| exit-code: '1' | ||
| severity: 'CRITICAL' | ||
| ignore-unfixed: true | ||
| env: | ||
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | ||
|
|
||
| - name: Delete new image if Trivy scan fails | ||
| if: failure() && steps.packer_build.outcome == 'success' # Runs if the Trivy scan found crit vulnerabilities or failed | ||
| run: | | ||
| . venv/bin/activate | ||
| echo "Deleting new image due to critical vulnerabilities or scan failure ..." | ||
| openstack image delete "${{ steps.manifest.outputs.image-id }}" | ||
| - name: Delete old latest image | ||
| if: success() # Runs only if Trivy scan passed | ||
| run: | | ||
| . venv/bin/activate | ||
| IMAGE_COUNT=$(openstack image list --name ${{ steps.manifest.outputs.image-name }} -f value -c ID | wc -l) | ||
|
|
||