From a6e95be0c595aaca5ae5dbfbd898451a457683c0 Mon Sep 17 00:00:00 2001 From: chengcheng Date: Fri, 17 Jul 2026 15:38:59 +0800 Subject: [PATCH] fix(ci): use reachable vulnerability database mirror --- .gitea/workflows/ci.yml | 2 ++ .gitea/workflows/release-ci.yml | 2 ++ scripts/ci-build-images.sh | 4 +++- tests/ci/ci-build-images-test.sh | 2 ++ tests/ci/pipeline-test.sh | 6 ++++++ 5 files changed, 15 insertions(+), 1 deletion(-) diff --git a/.gitea/workflows/ci.yml b/.gitea/workflows/ci.yml index c6db54b..7d863f5 100644 --- a/.gitea/workflows/ci.yml +++ b/.gitea/workflows/ci.yml @@ -9,6 +9,8 @@ on: jobs: verify: runs-on: easyai-gateway-ci-unprivileged-v2 + env: + TRIVY_DB_REPOSITORY: ghcr.m.daocloud.io/aquasecurity/trivy-db:2 steps: - name: Checkout without external Actions env: diff --git a/.gitea/workflows/release-ci.yml b/.gitea/workflows/release-ci.yml index 6eb7b5c..807049e 100644 --- a/.gitea/workflows/release-ci.yml +++ b/.gitea/workflows/release-ci.yml @@ -7,6 +7,8 @@ on: jobs: verify-tag: runs-on: easyai-gateway-ci-unprivileged-v2 + env: + TRIVY_DB_REPOSITORY: ghcr.m.daocloud.io/aquasecurity/trivy-db:2 steps: - name: Checkout without external Actions env: diff --git a/scripts/ci-build-images.sh b/scripts/ci-build-images.sh index 48ce1f0..7061ca9 100755 --- a/scripts/ci-build-images.sh +++ b/scripts/ci-build-images.sh @@ -11,6 +11,7 @@ cache_limit=${AI_GATEWAY_BUILDX_CACHE_LIMIT:-2gb} platform=${AI_GATEWAY_PLATFORM:-linux/amd64} keep_images=0 build_complete=0 +readonly trivy_db_repository=ghcr.m.daocloud.io/aquasecurity/trivy-db:2 case ${1:-} in '') ;; @@ -91,7 +92,8 @@ docker buildx build --builder "$builder" \ --tag "$web_image" . for image in "$api_image" "$web_image"; do - trivy image --scanners vuln,secret --severity HIGH,CRITICAL --ignore-unfixed \ + trivy image --db-repository "$trivy_db_repository" \ + --scanners vuln,secret --severity HIGH,CRITICAL --ignore-unfixed \ --exit-code 1 --timeout 15m "$image" done diff --git a/tests/ci/ci-build-images-test.sh b/tests/ci/ci-build-images-test.sh index ed1d781..bb12662 100755 --- a/tests/ci/ci-build-images-test.sh +++ b/tests/ci/ci-build-images-test.sh @@ -58,6 +58,8 @@ run_build() { run_build grep -Fq "docker buildx prune --builder gateway-test --force --max-used-space 2gb" "$tmp/calls.log" grep -Fq "docker image rm $api_image $web_image" "$tmp/calls.log" +grep -Fq 'trivy image --db-repository ghcr.m.daocloud.io/aquasecurity/trivy-db:2' \ + "$tmp/calls.log" : >"$tmp/calls.log" run_build --keep-images diff --git a/tests/ci/pipeline-test.sh b/tests/ci/pipeline-test.sh index d829728..f2738bd 100755 --- a/tests/ci/pipeline-test.sh +++ b/tests/ci/pipeline-test.sh @@ -97,6 +97,12 @@ for quality_workflow in "$workflow" "$release_workflow"; do exit 1 } done + grep -Fq 'TRIVY_DB_REPOSITORY: ghcr.m.daocloud.io/aquasecurity/trivy-db:2' \ + "$quality_workflow" || { + printf '%s does not pin the reachable Trivy vulnerability DB mirror\n' \ + "$quality_workflow" >&2 + exit 1 + } done if [[ $(sed -n '/^ - name: Verify Go formatting$/,$p' "$workflow") != \