2 changes: 0 additions & 2 deletions .github/workflows/pr-checker.yml
Expand Up @@ -56,8 +56,6 @@ jobs:
format: 'table'
severity: 'CRITICAL,HIGH'
vuln-type: 'os,library'
#[vishwa] - Fix telegraf & test all for next release - see work item #https://msazure.visualstudio.com/InfrastructureInsights/_workitems/edit/13322134
skip-files: '/usr/sbin/telegraf,/opt/telegraf'
exit-code: '1'
timeout: '5m0s'
ignore-unfixed: true
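--- /dev/null
+++ b/.trivyignore
@@ -0,0 +1,17 @@
+# related to telegraf
+#[vishwa] - Fix telegraf & test all for next release - see work item #https://msazure.visualstudio.com/InfrastructureInsights/_workitems/edit/13322134
+CVE-2021-43816
+CVE-2022-23648
+CVE-2022-24450
+CVE-2022-26652
+CVE-2019-3826
+CVE-2022-27191
+CVE-2021-42836
+
+# ruby in /usr/lib
+CVE-2020-36327
+CVE-2021-43809
+CVE-2021-41816
+CVE-2021-41819
+CVE-2021-31799
+CVE-2021-28965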
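Review bot: These suppressions are unscoped and open-ended: a bare CVE id in .trivyignore silences that finding in every package and path of the image, not only in the telegraf binaries or the ruby under /usr/lib that the comments name, and nothing retires them once the referenced work item is done. Recent Trivy releases accept a per-line expiry, so pinning each entry to the next release date, e.g. `CVE-2021-43816 exp:YYYY-MM-DD`, makes the build fail again instead of the ignore silently outliving the fix. It would also help the next reviewer to record, next to each id, the package and path Trivy reported it in (the comments currently cover only the group as a whole), since the same CVE surfacing in a different component would be masked by this file too. The previous per-file `skip-files` for telegraf at least kept the blind spot confined to those paths; this file widens it.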
11 changes: 10 additions & 1 deletion kubernetes/linux/Dockerfile.multiarch
Expand Up @@ -39,8 +39,17 @@ RUN chmod 775 $tmpdir/*.sh; sync; $tmpdir/setup.sh ${TARGETARCH}
# Do vulnerability scan in a seperate stage to avoid adding layer
FROM base_image AS vulnscan
COPY --from=aquasec/trivy:latest /usr/local/bin/trivy /usr/local/bin/trivy
RUN trivy rootfs --exit-code 1 --ignore-unfixed --no-progress --severity HIGH,CRITICAL --skip-files "/usr/sbin/telegraf" --skip-files "/opt/telegraf" --skip-files "/usr/local/bin/trivy" /
COPY .trivyignore .trivyignore
RUN trivy rootfs --ignore-unfixed --no-progress --severity HIGH,CRITICAL,MEDIUM --skip-files "/usr/local/bin/trivy" /
RUN trivy rootfs --ignore-unfixed --no-progress --severity HIGH,CRITICAL,MEDIUM /usr/lib
RUN trivy rootfs --exit-code 1 --ignore-unfixed --no-progress --severity HIGH,CRITICAL,MEDIUM --skip-files "/usr/local/bin/trivy" / > /dev/null 2>&1 && trivy rootfs --exit-code 1 --ignore-unfixed --no-progress --severity HIGH,CRITICAL,MEDIUM /usr/lib > /dev/null 2>&1

# Revert to base layer before vulnscan
FROM base_image AS ContainerInsights
# force the trivy stage to run
# docker buildx (BUILDKIT) does not build stages which do not affect the final stage
# by copying over a file we create a dependency
# see: https://github.com/docker/build-push-action/issues/377
COPY --from=vulnscan /usr/local/bin/trivy /usr/local/bin/trivy
RUN rm /usr/local/bin/trivy
CMD [ "/opt/main.sh" ]
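Review bot: The `COPY --from=vulnscan /usr/local/bin/trivy` followed by `RUN rm /usr/local/bin/trivy` at the end of the final stage still ships the scanner: the binary sits in the COPY layer and the later `rm` only adds a whiteout, so the published image carries a full, unpinned (`aquasec/trivy:latest`, context line above the hunk) Go binary that the scan itself had to `--skip-files`. A zero-byte marker written by the vulnscan stage gives BuildKit the same stage dependency without putting anything of substance in a layer; the rewrite below does that and keeps the existing explanatory comment. Separately, the gating invocation on the last `RUN` of the vulnscan stage redirects both streams to /dev/null, so when it is the one that fails the build log shows no report from the failing run; putting `--exit-code 1` on the report-printing runs and dropping the silent duplicates would surface the finding and halve the scan time. I would also pin the trivy image by tag or digest so a scan result is reproducible across builds, though that line predates this change.
```dockerfile
# … unchanged: trivy rootfs scans …
# only reached when every scan RUN above exited 0
RUN touch /vulnscan.passed

# Revert to base layer before vulnscan
FROM base_image AS ContainerInsights
# force the trivy stage to run: BuildKit skips stages the final stage does not depend on,
# so copy a zero-byte marker (not the trivy binary, which would persist in the COPY layer)
# see: https://github.com/docker/build-push-action/issues/377
COPY --from=vulnscan /vulnscan.passed /tmp/vulnscan.passed
CMD [ "/opt/main.sh" ]
```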