Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Feat/trivyignore #211

Merged
merged 17 commits into from
Nov 27, 2023
Merged

Feat/trivyignore #211

Changes from all commits
Commits
Show all changes
17 commits
Select commit Hold shift + click to select a range
3cf4717
feat(trivy): Add autoremove ignored CVEs
merkata Oct 30, 2023
131a616
fix(update-lib): Perms for nested job
merkata Oct 30, 2023
c67b8a2
fix(job): Change hyphen
merkata Oct 31, 2023
ff643d3
feat(cves): Autoremove CVEs from rocks
merkata Oct 31, 2023
0e1db6e
fix(cves): Fix typo
merkata Oct 31, 2023
af1cea5
fix(cves): Use env var
merkata Nov 1, 2023
07e1f76
chore(version): Bump trivy
merkata Nov 1, 2023
c254f2d
fix(cves): Omit comments
merkata Nov 1, 2023
0160566
fix(cves): Use other pr action
merkata Nov 1, 2023
fc35707
fix(cves): Use canonical action with base
merkata Nov 1, 2023
ae018bc
fix(cves): Get all the refs
merkata Nov 1, 2023
9e54312
feat(cves): Use suggestion instead of PR
merkata Nov 2, 2023
b5a7284
feat(cves): Bump node to v18
merkata Nov 2, 2023
1e7d829
feat(cves): Use annotations
merkata Nov 2, 2023
4b6dc49
fix(cves): Feed in trivyignore
merkata Nov 2, 2023
3bb7f41
fix(trivy): Remove job
merkata Nov 15, 2023
37a3523
Merge branch 'main' into feat/trivyignore
merkata Nov 22, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
22 changes: 22 additions & 0 deletions .github/workflows/build_rocks.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -89,6 +89,8 @@ jobs:
path: ${{ fromJSON(needs.get-rocks.outputs.rock-paths) }}
steps:
- uses: actions/[email protected]
with:
fetch-depth: 0
- name: Extract rock information
run: |
IMAGE_NAME=$(yq '.name' "${{ matrix.path }}/rockcraft.yaml")
Expand Down Expand Up @@ -224,3 +226,23 @@ jobs:
env:
TRIVY_USERNAME: ${{ github.actor }}
TRIVY_PASSWORD: ${{ secrets.GITHUB_TOKEN }}
- name: Check trivyignore
jdkandersson marked this conversation as resolved.
Show resolved Hide resolved
run: |
curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin v0.46.0
if [ -f ".trivyignore" ]
then
output=$(trivy image $ROCK_IMAGE --severity HIGH,CRITICAL -q -f json --ignorefile "" | jq -r '.Results[].Vulnerabilities[].VulnerabilityID' 2>/dev/null || echo "No vulnerabilities found")
merkata marked this conversation as resolved.
Show resolved Hide resolved
line=0
while read CVE;
do
line=$(( line + 1 ))
if [[ "$output" != *"$CVE"* ]] && [[ ! "$CVE" =~ ^#.* ]]
then
echo "::notice file=.trivyignore,line=${line}::$CVE not present anymore, can be safely removed."
fi
done < .trivyignore
fi
env:
TRIVY_USERNAME: ${{ github.actor }}
TRIVY_PASSWORD: ${{ secrets.GITHUB_TOKEN }}
ROCK_IMAGE: ${{ env.IMAGE_REF }}
Loading