[CI] Add Trivy vulnerables check

Signed-off-by: v.oleynikov <[email protected]>
deckhouse · Aug 19, 2024 · b756ab5 · b756ab5
1 parent 969dc81
commit b756ab5
Show file tree

Hide file tree

Showing 3 changed files with 33 additions and 0 deletions.
diff --git a/.github/workflows/trivy_check.yaml b/.github/workflows/trivy_check.yaml
@@ -0,0 +1,31 @@
+name: Trivy check for sub repos
+
+on:
+  pull_request:
+  push:
+    branches:
+      - main
+
+jobs:
+  test:
+    name: Trivy check for sub repos
+    runs-on: [self-hosted, regular]
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v2
+
+      - name: Prepare sub repo
+        run: |
+          git clone --depth 1 --branch v2.39.3 ${{ secrets.SOURCE_REPO }}/util-linux/util-linux.git ./util-linux
+          git clone ${{ secrets.SOURCE_REPO }}/lvmteam/lvm2.git ./lvm2
+          cd ./lvm2
+          git checkout d786a8f820d54ce87a919e6af5426c333c173b11 
+          cd ..
+
+      - name: Run Trivy vulnerability scanner in fs mode
+        uses: aquasecurity/trivy-action@master
+        with:
+          scan-type: 'fs'
+          scan-ref: '.'
+          trivy-config: trivy.yaml
diff --git a/images/agent/werf.inc.yaml b/images/agent/werf.inc.yaml
@@ -4,6 +4,7 @@
 {{- $_ := set . "BASE_ALT_DEV"    "registry.deckhouse.ru/base_images/dev-alt:p10@sha256:76e6e163fa982f03468166203488b569e6d9fc10855d6a259c662706436cdcad" }}
 
 {{ $binaries := "/opt/deckhouse/sds/lib/libblkid.so.1 /opt/deckhouse/sds/lib/libmount.so.1 /opt/deckhouse/sds/lib/libsmartcols.so.1 /opt/deckhouse/sds/bin/nsenter.static /opt/deckhouse/sds/lib/x86_64-linux-gnu/libudev.so.1 /opt/deckhouse/sds/lib/x86_64-linux-gnu/libcap.so.2 ld-linux-x86-64.so.2 /opt/deckhouse/sds/bin/lsblk.dynamic" }}
+# While changing tag, you MUST change it in .github/workflows/trivy_check.yaml
 {{ $util_linux_version := "2.39.3" }}
 ---
 image: {{ $.ImageName }}-binaries-artifact

diff --git a/images/sds-utils-installer/werf.inc.yaml b/images/sds-utils-installer/werf.inc.yaml
@@ -4,6 +4,7 @@
 {{- $_ := set . "BASE_ALT_DEV"    "registry.deckhouse.ru/base_images/dev-alt:p10@sha256:76e6e163fa982f03468166203488b569e6d9fc10855d6a259c662706436cdcad" }}
 
 {{ $binaries := "/sds-utils/bin/lvm.static" }}
+# While changing tag, you MUST change it in .github/workflows/trivy_check.yaml
 {{ $lvm_version := "d786a8f820d54ce87a919e6af5426c333c173b11" }}
 ---
 image: {{ $.ImageName }}-binaries-artifact