fix(ci): use reachable vulnerability database mirror
All checks were successful
ci / verify (pull_request) Successful in 11m20s
All checks were successful
ci / verify (pull_request) Successful in 11m20s
This commit is contained in:
parent
c67726ca6b
commit
a6e95be0c5
@ -9,6 +9,8 @@ on:
|
||||
jobs:
|
||||
verify:
|
||||
runs-on: easyai-gateway-ci-unprivileged-v2
|
||||
env:
|
||||
TRIVY_DB_REPOSITORY: ghcr.m.daocloud.io/aquasecurity/trivy-db:2
|
||||
steps:
|
||||
- name: Checkout without external Actions
|
||||
env:
|
||||
|
||||
@ -7,6 +7,8 @@ on:
|
||||
jobs:
|
||||
verify-tag:
|
||||
runs-on: easyai-gateway-ci-unprivileged-v2
|
||||
env:
|
||||
TRIVY_DB_REPOSITORY: ghcr.m.daocloud.io/aquasecurity/trivy-db:2
|
||||
steps:
|
||||
- name: Checkout without external Actions
|
||||
env:
|
||||
|
||||
@ -11,6 +11,7 @@ cache_limit=${AI_GATEWAY_BUILDX_CACHE_LIMIT:-2gb}
|
||||
platform=${AI_GATEWAY_PLATFORM:-linux/amd64}
|
||||
keep_images=0
|
||||
build_complete=0
|
||||
readonly trivy_db_repository=ghcr.m.daocloud.io/aquasecurity/trivy-db:2
|
||||
|
||||
case ${1:-} in
|
||||
'') ;;
|
||||
@ -91,7 +92,8 @@ docker buildx build --builder "$builder" \
|
||||
--tag "$web_image" .
|
||||
|
||||
for image in "$api_image" "$web_image"; do
|
||||
trivy image --scanners vuln,secret --severity HIGH,CRITICAL --ignore-unfixed \
|
||||
trivy image --db-repository "$trivy_db_repository" \
|
||||
--scanners vuln,secret --severity HIGH,CRITICAL --ignore-unfixed \
|
||||
--exit-code 1 --timeout 15m "$image"
|
||||
done
|
||||
|
||||
|
||||
@ -58,6 +58,8 @@ run_build() {
|
||||
run_build
|
||||
grep -Fq "docker buildx prune --builder gateway-test --force --max-used-space 2gb" "$tmp/calls.log"
|
||||
grep -Fq "docker image rm $api_image $web_image" "$tmp/calls.log"
|
||||
grep -Fq 'trivy image --db-repository ghcr.m.daocloud.io/aquasecurity/trivy-db:2' \
|
||||
"$tmp/calls.log"
|
||||
|
||||
: >"$tmp/calls.log"
|
||||
run_build --keep-images
|
||||
|
||||
@ -97,6 +97,12 @@ for quality_workflow in "$workflow" "$release_workflow"; do
|
||||
exit 1
|
||||
}
|
||||
done
|
||||
grep -Fq 'TRIVY_DB_REPOSITORY: ghcr.m.daocloud.io/aquasecurity/trivy-db:2' \
|
||||
"$quality_workflow" || {
|
||||
printf '%s does not pin the reachable Trivy vulnerability DB mirror\n' \
|
||||
"$quality_workflow" >&2
|
||||
exit 1
|
||||
}
|
||||
done
|
||||
|
||||
if [[ $(sed -n '/^ - name: Verify Go formatting$/,$p' "$workflow") != \
|
||||
|
||||
Loading…
Reference in New Issue
Block a user