diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml index e8af90f..ec436a1 100644 --- a/.github/workflows/build.yaml +++ b/.github/workflows/build.yaml @@ -20,7 +20,11 @@ on: # Environment variables available to all jobs and steps in this workflow env: REGISTRY_NAME: k8scc01covidacr - TRIVY_VERSION: "v0.43.1" + TRIVY_VERSION: "v0.57.0" + TRIVY_DATABASES: '"ghcr.io/aquasecurity/trivy-db:2","public.ecr.aws/aquasecurity/trivy-db"' + TRIVY_JAVA_DATABASES: '"ghcr.io/aquasecurity/trivy-java-db:1","public.ecr.aws/aquasecurity/trivy-java-db"' + TRIVY_MAX_RETRIES: 5 + TRIVY_RETRY_DELAY: 20 SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }} jobs: 
@@ -51,7 +55,33 @@ jobs: - name: Aqua Security Trivy image scan run: | curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin ${{ env.TRIVY_VERSION }} - trivy image localhost:5000/filer-sidecar:${{ github.sha }} --exit-code 1 --timeout=20m --security-checks vuln --severity CRITICAL + + set +e # Lets trivy return an error without it being fatal + + for ((i=0; i<${{ env.TRIVY_MAX_RETRIES }}; i++)); do + echo "Attempt $((i + 1)) of ${{ env.TRIVY_MAX_RETRIES }}..." + + trivy image \ + --db-repository ${{ env.TRIVY_DATABASES }} \ + --java-db-repository ${{ env.TRIVY_JAVA_DATABASES }} \ + ${{ steps.build-image.outputs.full_image_name }} \ + --exit-code 10 --timeout=20m --scanners vuln --severity CRITICAL \ + EXIT_CODE=$? + + if [[ $EXIT_CODE -eq 0 ]]; then + echo "Trivy scan completed successfully." + exit 0 + elif [[ $EXIT_CODE -eq 10 ]]; then + echo "Trivy scan completed successfully. Some vulnerabilities were found." + exit 10 + elif [[ $i -lt $(( ${{ env.TRIVY_MAX_RETRIES }} - 1)) ]]; then + echo "Encountered unexpected error. Retrying in ${{ env.TRIVY_RETRY_DELAY }} seconds..." + sleep ${{ env.TRIVY_RETRY_DELAY }} + else + echo "Unexpected error persists after ${{ env.TRIVY_MAX_RETRIES }} attempts. Exiting." + exit 1 + fi + done - name: Test if we should push to ACR id: should-i-push diff --git a/.github/workflows/publish.yaml b/.github/workflows/publish.yaml index 1880f2d..5f00616 100644 --- a/.github/workflows/publish.yaml +++ b/.github/workflows/publish.yaml @@ -38,7 +38,11 @@ jobs: env: REGISTRY_NAME: k8scc01covidacr LOCAL_REPO: localhost:5000 - TRIVY_VERSION: "v0.43.1" + TRIVY_VERSION: "v0.57.0" + TRIVY_DATABASES: '"ghcr.io/aquasecurity/trivy-db:2","public.ecr.aws/aquasecurity/trivy-db"' + TRIVY_JAVA_DATABASES: '"ghcr.io/aquasecurity/trivy-java-db:1","public.ecr.aws/aquasecurity/trivy-java-db"' + TRIVY_MAX_RETRIES: 5 + TRIVY_RETRY_DELAY: 20 needs: pre-build-checks runs-on: ubuntu-latest services: 
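Review bot: In the build.yaml scan step the trivy command's last option line ends with a continuation, `--exit-code 10 --timeout=20m --scanners vuln --severity CRITICAL \`, and the next line is `EXIT_CODE=$?`, so as collapsed here the assignment is joined onto the trivy command line as an extra argument and `EXIT_CODE` is never set; `[[ $EXIT_CODE -eq 0 ]]` then evaluates an empty value as 0 and the step reports "completed successfully" and exits 0 whatever trivy did, which makes the CRITICAL gate a no-op in the build workflow. The publish.yaml hunk has a `--skip-dirs /usr/local/SASHome` line in that slot, so this looks like a copy-paste slip when that line was dropped. Remove the trailing backslash (`--exit-code 10 --timeout=20m --scanners vuln --severity CRITICAL`) so `EXIT_CODE=$?` is its own statement, and consider adding `set -u` ahead of the loop so an unset `EXIT_CODE` fails loudly instead of passing. It is also worth a one-line comment above the loop stating that exit 10 is the deliberate "vulnerabilities found" code and is the only code that fails the job.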
@@ -67,8 +71,36 @@ jobs: # Scan image for vulnerabilities - name: Aqua Security Trivy image scan run: | + printf ${{ secrets.CVE_ALLOWLIST }} > .trivyignore curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin ${{ env.TRIVY_VERSION }} - trivy image localhost:5000/filer-sidecar:latest --exit-code 0 --timeout=20m --security-checks vuln --severity CRITICAL + + set +e # Lets trivy return an error without it being fatal + + for ((i=0; i<${{ env.TRIVY_MAX_RETRIES }}; i++)); do + echo "Attempt $((i + 1)) of ${{ env.TRIVY_MAX_RETRIES }}..." + + trivy image \ + --db-repository ${{ env.TRIVY_DATABASES }} \ + --java-db-repository ${{ env.TRIVY_JAVA_DATABASES }} \ + localhost:5000/filer-sidecar:latest \ + --exit-code 10 --timeout=20m --scanners vuln --severity CRITICAL \ + --skip-dirs /usr/local/SASHome + EXIT_CODE=$? + + if [[ $EXIT_CODE -eq 0 ]]; then + echo "Trivy scan completed successfully." + exit 0 + elif [[ $EXIT_CODE -eq 10 ]]; then + echo "Trivy scan completed successfully. Some vulnerabilities were found." + exit 0 + elif [[ $i -lt $(( ${{ env.TRIVY_MAX_RETRIES }} - 1)) ]]; then + echo "Encountered unexpected error. Retrying in ${{ env.TRIVY_RETRY_DELAY }} seconds..." + sleep ${{ env.TRIVY_RETRY_DELAY }} + else + echo "Unexpected error persists after ${{ env.TRIVY_MAX_RETRIES }} attempts. Exiting." + exit 1 + fi + done - name: Push image to registry run: |
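Review bot: The new first line of the publish.yaml scan step, `printf ${{ secrets.CVE_ALLOWLIST }} > .trivyignore`, expands the secret verbatim into the shell script, unquoted, and as printf's format string, so any whitespace, `%`, or shell metacharacters in the allowlist change what gets written (or what gets executed) rather than landing in the file. Pass it through the step environment instead and write it as data: add `CVE_ALLOWLIST: ${{ secrets.CVE_ALLOWLIST }}` under the step's `env:` and use `printf '%s\n' "$CVE_ALLOWLIST" > .trivyignore`. Separately, because both the 0 and 10 branches end in `exit 0`, the publish scan never blocks a push and the allowlist only affects what is printed; if that is intended, a comment above the loop such as `# scan is informational in publish: CRITICAL findings are logged, not blocking` would save the next reader from assuming the gate matches build.yaml.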