From 006ca614eca71cb2c8a84284d3e1bd2b19bd597f Mon Sep 17 00:00:00 2001
From: Ruchi Maheshwari
Date: Fri, 31 Jan 2025 12:07:30 -0800
Subject: [PATCH] Adding a max limit of 100 images allowed for continuous patching
---
 .../templates/task/cssc_trigger_workflow.yaml | 10 +++++++++-
 .../templates/tmp_dry_run_template.yaml | 13 ++++++++++---
 2 files changed, 19 insertions(+), 4 deletions(-)
diff --git a/src/acrcssc/azext_acrcssc/templates/task/cssc_trigger_workflow.yaml b/src/acrcssc/azext_acrcssc/templates/task/cssc_trigger_workflow.yaml
index 75b92708b93..543a5a2056b 100644
--- a/src/acrcssc/azext_acrcssc/templates/task/cssc_trigger_workflow.yaml
+++ b/src/acrcssc/azext_acrcssc/templates/task/cssc_trigger_workflow.yaml
@@ -3,13 +3,21 @@ alias:
 values:
 ScanImageAndSchedulePatchTask: cssc-scan-image
 cssc : mcr.microsoft.com/acr/cssc:0995fb8
+ maxLimit: 100
 steps:
 - cmd: bash -c 'echo "Inside cssc-trigger-workflow task, getting list of images to be patched based on --filter-policy for Registry {{.Run.Registry}}."'
 - cmd: cssc acr cssc patch --filter-policy csscpolicies/patchpolicy:v1 --dry-run > filterRepos.txt
 env:
 - ACR_EXPERIMENTAL_CSSC=true
 - cmd: bash -c 'sed -n "/^Validating/,/^Total/ {/^Validating/b;/^Total/b;p}" filterRepos.txt' > filterReposToDisplay.txt
- - cmd: bash -c 'echo -e "Below images will be scanned and patched (if any os vulnerabilities found) based on --filter-policy.\n$(cat filterReposToDisplay.txt)"'
+ - cmd: |
+ bash -c '
+ echo "Below images will be scanned and patched (if any os vulnerabilities found) based on --filter-policy.\n$(cat filterReposToDisplay.txt)"
+ totalImages=$(sed -n "s/^Matches found://p" filterReposToDisplay.txt | tr -d "[:space:]")
+ if [ $totalImages -gt $maxLimit ]; then
+ echo "Maximum $maxLimit images can be scheduled for continuous patching. Adjust the filter to limit the number of images to be patched. Exiting the workflow.."
+ exit 1
+ fi'
 - cmd: cssc acr cssc patch --filter-policy csscpolicies/patchpolicy:v1 --show-patch-tags --dry-run> filterReposWithPatchTags.txt
 env:
 - ACR_EXPERIMENTAL_CSSC=true
diff --git a/src/acrcssc/azext_acrcssc/templates/tmp_dry_run_template.yaml b/src/acrcssc/azext_acrcssc/templates/tmp_dry_run_template.yaml
index 75c067afa85..d0f6fdae48a 100644
--- a/src/acrcssc/azext_acrcssc/templates/tmp_dry_run_template.yaml
+++ b/src/acrcssc/azext_acrcssc/templates/tmp_dry_run_template.yaml
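Review bot: The new limit guard in the `bash -c` block is fail-open: when filterReposToDisplay.txt contains no `Matches found:` line, `totalImages` is empty, `[ -gt 100 ]` fails with "unary operator expected", and because the script has no `set -e` the step still succeeds and scheduling proceeds unchecked. Validate the count and fail closed, e.g. `if ! [[ "$totalImages" =~ ^[0-9]+$ ]] || [ "$totalImages" -gt "$maxLimit" ]; then` (this assumes `$maxLimit` is substituted from the alias `values:` before the step runs; if it instead reaches the inner bash as a shell variable it is unset inside the single-quoted script and the comparison breaks the same way). The rewritten echo also drops the `-e` the removed line had, so the `\n` before `$(cat filterReposToDisplay.txt)` is now printed literally; `echo -e "Below images ..."` restores the line break. The same unvalidated-count pattern appears in the tmp_dry_run_template.yaml hunk. The `steps:` sequence continues past the end of this hunk.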
@@ -1,10 +1,17 @@
 version: v1.1.0
 alias:
 values:
- cssc : mcr.microsoft.com/acr/cssc:56f0765
+ cssc : mcr.microsoft.com/acr/cssc:0995fb8
+ maxLimit: 100
 steps:
 - id: acr-cli-filter
- cmd: |
- cssc acr cssc patch --dry-run --filter-policy-file {{.Values.CONFIGPATH}}
+ cmd: cssc acr cssc patch --dry-run --filter-policy-file {{.Values.CONFIGPATH}}> filterRepos.txt;
 env:
 - ACR_EXPERIMENTAL_CSSC=true
+ - cmd: |
+ bash -c '
+ echo "$(cat filterRepos.txt)"
+ totalImages=$(sed -n "s/^Matches found://p" filterRepos.txt | tr -d "[:space:]")
+ if [ $totalImages -gt $maxLimit ]; then
+ echo "Maximum $maxLimit images can be scheduled for continuous patching. Adjust the filter to limit the number of images to be patched."
+ fi'
\ No newline at end of file
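Review bot: The limit check added to the dry-run step prints the warning but, unlike the cssc_trigger_workflow.yaml version, never calls `exit 1`, so the step succeeds and the message is only visible inside the captured output; if warn-only is intended for a dry run, record that above the step, e.g. `# dry run only reports the limit; cssc_trigger_workflow.yaml enforces it with exit 1`, otherwise mirror the `exit 1`. The rewritten `cmd:` line also ends with a stray `;` after `> filterRepos.txt`, and the file now ends without a trailing newline (`\ No newline at end of file`); both are worth cleaning up before merge. The image reference is bumped by tag only (`cssc:0995fb8`); pinning the alias to an immutable digest would make the template's supply chain reproducible, though that is outside this change's scope.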