[chore] Make all images distroless #294
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Trivy images check | |
env: | |
MODULES_MODULE_NAME: ${{ vars.RENAMED_MODULE_NAME }} | |
MODULES_MODULE_SOURCE: ${{ vars.DEV_MODULE_SOURCE }} | |
PR_NUMBER: ${{ github.event.pull_request.number }} | |
MODULES_REGISTRY: ${{ vars.DEV_REGISTRY }} | |
MODULES_REGISTRY_LOGIN: ${{ vars.RENAMED_DEV_MODULES_REGISTRY_LOGIN }} | |
MODULES_REGISTRY_PASSWORD: ${{ secrets.DEV_MODULES_REGISTRY_PASSWORD }} | |
on: | |
pull_request: | |
jobs: | |
test: | |
name: Trivy images check | |
runs-on: [self-hosted, regular] | |
steps: | |
- uses: actions/checkout@v4 | |
- uses: deckhouse/modules-actions/setup@v1 | |
- name: Check and Install Latest Trivy | |
run: | | |
mkdir -p $HOME/bin | |
LATEST_VERSION=$(curl -sL https://api.github.com/repos/aquasecurity/trivy/releases/latest | jq -r ".tag_name") | |
CLEAN_VERSION=${LATEST_VERSION#v} | |
INSTALL_TRIVY=true | |
if [[ -f "$HOME/bin/trivy" ]]; then | |
INSTALLED_VERSION=$("$HOME/bin/trivy" --version | grep -oE 'Version: [0-9]+\.[0-9]+\.[0-9]+' | grep -oE '[0-9]+\.[0-9]+\.[0-9]+') | |
if [ "$INSTALLED_VERSION" == "$CLEAN_VERSION" ]; then | |
echo "Trivy is already up-to-date (version $INSTALLED_VERSION)." | |
INSTALL_TRIVY=false | |
else | |
echo "Updating Trivy from version $INSTALLED_VERSION to $CLEAN_VERSION." | |
fi | |
else | |
echo "Trivy is not installed. Installing version $CLEAN_VERSION." | |
fi | |
if [ "$INSTALL_TRIVY" = true ]; then | |
wget https://github.com/aquasecurity/trivy/releases/download/$LATEST_VERSION/trivy_${CLEAN_VERSION}_Linux-64bit.tar.gz -O trivy.tar.gz | |
tar zxvf trivy.tar.gz -C $HOME/bin | |
fi | |
echo "$HOME/bin" >> $GITHUB_PATH | |
- name: Run Trivy vulnerability scanner in image mode | |
run: | | |
exit_code=0 | |
image_name=$MODULES_MODULE_SOURCE/$MODULES_MODULE_NAME | |
image_name_with_tag=$MODULES_MODULE_SOURCE/$MODULES_MODULE_NAME:pr$PR_NUMBER | |
crane_output=$(crane export $image_name_with_tag | tar -xOf - images_digests.json | jq -c 'to_entries[]') | |
while read -r item; do | |
key=$(echo "$item" | jq -r '.key') | |
value=$(echo "$item" | jq -r '.value') | |
echo 'Checking image '$key' '$value | |
trivy image --quiet --config trivy-silent.yaml --format table $image_name@$value | |
result=$(trivy image --quiet --config trivy-silent.yaml --format json $image_name@$value) | |
vulnerabilities=$(echo "$result" | jq '[.Results[]? | select(has("Vulnerabilities")) | .Vulnerabilities | length] | add // 0') | |
if [ "$vulnerabilities" -gt 0 ]; then | |
echo "There are vulnerabilities in image" | |
exit_code=1 | |
else | |
echo "There are no vulnerabilities in image" | |
fi | |
done <<< "$crane_output" | |
exit $exit_code |