[CI] Add Trivy vulnerables check (#85)

Signed-off-by: v.oleynikov <[email protected]> Signed-off-by: Viktor Kramarenko <[email protected]>
deckhouse · Sep 17, 2024 · 54b5823 · 54b5823
1 parent 90b91df
commit 54b5823
Show file tree

Hide file tree

Showing 3 changed files with 37 additions and 4 deletions.
diff --git a/.github/workflows/trivy_check.yaml b/.github/workflows/trivy_check.yaml
@@ -0,0 +1,33 @@
+name: Trivy check for sub repos
+
+on:
+  pull_request:
+  push:
+    branches:
+      - main
+
+jobs:
+  test:
+    name: Trivy check for sub repos
+    runs-on: [self-hosted, regular]
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v2
+
+      - name: Prepare sub repo
+        run: |
+          version=v`grep "version :=" images/agent/werf.inc.yaml | awk -F'"' '{ print $2}'`
+          git clone --depth 1 --branch $version ${{ secrets.SOURCE_REPO }}/util-linux/util-linux.git ./util-linux
+          git clone ${{ secrets.SOURCE_REPO }}/lvmteam/lvm2.git ./lvm2
+          version=`grep "version :=" images/sds-utils-installer/werf.inc.yaml | awk -F'"' '{ print $2}'`
+          cd ./lvm2
+          git checkout $version 
+          cd ..
+
+      - name: Run Trivy vulnerability scanner in fs mode
+        uses: aquasecurity/trivy-action@master
+        with:
+          scan-type: 'fs'
+          scan-ref: '.'
+          trivy-config: trivy.yaml
diff --git a/images/agent/werf.inc.yaml b/images/agent/werf.inc.yaml
@@ -4,7 +4,7 @@
 {{- $_ := set . "BASE_ALT_DEV"    "registry.deckhouse.ru/base_images/dev-alt:p10@sha256:76e6e163fa982f03468166203488b569e6d9fc10855d6a259c662706436cdcad" }}
 
 {{ $binaries := "/opt/deckhouse/sds/lib/libblkid.so.1 /opt/deckhouse/sds/lib/libmount.so.1 /opt/deckhouse/sds/lib/libsmartcols.so.1 /opt/deckhouse/sds/bin/nsenter.static /opt/deckhouse/sds/lib/x86_64-linux-gnu/libudev.so.1 /opt/deckhouse/sds/lib/x86_64-linux-gnu/libcap.so.2 ld-linux-x86-64.so.2 /opt/deckhouse/sds/bin/lsblk.dynamic" }}
-{{ $util_linux_version := "2.39.3" }}
+{{ $version := "2.39.3" }}
 ---
 image: {{ $.ImageName }}-binaries-artifact
 from: {{ $.BASE_ALT_DEV }}
@@ -32,7 +32,7 @@ shell:
   - cd /
   - git clone {{ env "SOURCE_REPO" }}/util-linux/util-linux.git
   - cd /util-linux
-  - git checkout v{{ $util_linux_version }}
+  - git checkout v{{ $version }}
   - ./autogen.sh
   - ./configure LDFLAGS="-static" --enable-static-programs -disable-all-programs --enable-nsenter
   - make install-strip

diff --git a/images/sds-utils-installer/werf.inc.yaml b/images/sds-utils-installer/werf.inc.yaml
@@ -4,7 +4,7 @@
 {{- $_ := set . "BASE_ALT_DEV"    "registry.deckhouse.ru/base_images/dev-alt:p10@sha256:76e6e163fa982f03468166203488b569e6d9fc10855d6a259c662706436cdcad" }}
 
 {{ $binaries := "/sds-utils/bin/lvm.static" }}
-{{ $lvm_version := "d786a8f820d54ce87a919e6af5426c333c173b11" }}
+{{ $version := "d786a8f820d54ce87a919e6af5426c333c173b11" }}
 ---
 image: {{ $.ImageName }}-binaries-artifact
 from: {{ $.BASE_ALT_DEV }}
@@ -28,7 +28,7 @@ shell:
   - cd /
   - git clone {{ env "SOURCE_REPO" }}/lvmteam/lvm2.git
   - cd /lvm2
-  - git checkout {{ $lvm_version }}
+  - git checkout {{ $version }}
   - ./configure --enable-static_link --disable-silent-rules --disable-readline --enable-blkid_wiping --build=x86_64-linux-gnu
   - make
   - mkdir -p /sds-utils/bin/