Skip to content

Commit f281fa8

Browse files
committed
Merge branch 'main' into astef-prototype
Signed-off-by: Aleksandr Zimin <alexandr.zimin@flant.com>
2 parents 7de532e + 0887b93 commit f281fa8

1 file changed

Lines changed: 104 additions & 33 deletions

File tree

.github/workflows/trivy_image_check.yaml

Lines changed: 104 additions & 33 deletions
Original file line numberDiff line numberDiff line change
@@ -13,15 +13,16 @@ on:
1313
release_branch:
1414
description: "Optional. Set minor version of release you want to scan. e.g.: 1.23"
1515
required: false
16-
scan_several_lastest_releases:
16+
scan_several_latest_releases:
1717
description: "Optional. Whether to scan last several releases or not. true/false. For scheduled pipelines it is always true. Default is: false."
1818
required: false
1919
latest_releases_amount:
2020
description: "Optional. Number of latest releases to scan. Default is: 3"
2121
required: false
22-
severity:
23-
description: "Optional. Vulnerabilities severity to scan. Default is: UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL"
22+
release_in_dev:
23+
description: 'If true, release tag will be searched in dev registry instead of prod'
2424
required: false
25+
default: 'False'
2526
svace_enabled:
2627
description: "Enable svace build and analyze"
2728
type: boolean
@@ -39,43 +40,113 @@ jobs:
3940
name: CVE scan for PR
4041
runs-on: [self-hosted, regular]
4142
needs: [build_dev]
43+
permissions:
44+
contents: read
45+
id-token: write
4246
steps:
4347
- uses: actions/checkout@v4
44-
- uses: deckhouse/modules-actions/cve_scan@v6
48+
- name: Split repository name
49+
id: split
50+
env:
51+
REPO: ${{ github.repository }}
52+
run: echo "name=${REPO##*/}" >> $GITHUB_OUTPUT
53+
54+
- name: Import secrets
55+
id: secrets
56+
uses: hashicorp/vault-action@v2
57+
with:
58+
url: https://seguro.flant.com
59+
path: github
60+
role: "${{ steps.split.outputs.name }}"
61+
method: jwt
62+
jwtGithubAudience: github-access-aud
63+
secrets: |
64+
projects/data/101ceaca-97cd-462f-aed5-070d9b9de175/registry_host DECKHOUSE_DEV_REGISTRY_HOST | DECKHOUSE_DEV_REGISTRY_HOST ;
65+
projects/data/101ceaca-97cd-462f-aed5-070d9b9de175/dev-registry/writetoken login | DECKHOUSE_DEV_REGISTRY_USER ;
66+
projects/data/101ceaca-97cd-462f-aed5-070d9b9de175/dev-registry/writetoken password | DECKHOUSE_DEV_REGISTRY_PASSWORD ;
67+
projects/data/101ceaca-97cd-462f-aed5-070d9b9de175/registry_host DECKHOUSE_READ_REGISTRY_HOST | PROD_READ_REGISTRY ;
68+
projects/data/101ceaca-97cd-462f-aed5-070d9b9de175/ssdlc-registry-read-license login | PROD_READ_REGISTRY_USER ;
69+
projects/data/101ceaca-97cd-462f-aed5-070d9b9de175/ssdlc-registry-read-license password | PROD_READ_REGISTRY_PASSWORD ;
70+
projects/data/24cb1d7c-717a-4f92-8547-26f632916a7a/Trivy_CVE_Scan_CI_Secrets DD_TOKEN | DD_TOKEN ;
71+
projects/data/24cb1d7c-717a-4f92-8547-26f632916a7a/Trivy_CVE_Scan_CI_Secrets DD_URL | DD_URL ;
72+
projects/data/24cb1d7c-717a-4f92-8547-26f632916a7a/Trivy_CVE_Scan_CI_Secrets CVE_TEST_SSH_PRIVATE_KEY | CVE_TEST_SSH_PRIVATE_KEY ;
73+
projects/data/24cb1d7c-717a-4f92-8547-26f632916a7a/Trivy_CVE_Scan_CI_Secrets CVE_TEST_REPO_GIT | CVE_TEST_REPO_GIT ;
74+
projects/data/24cb1d7c-717a-4f92-8547-26f632916a7a/Trivy_CVE_Scan_CI_Secrets DECKHOUSE_PRIVATE_REPO | DECKHOUSE_PRIVATE_REPO ;
75+
projects/data/b050f3bd-733f-4746-9640-9df80d484074/CODEOWNERS_REPO_TOKEN CODEOWNERS_REPO_TOKEN | CODEOWNERS_REPO_TOKEN ;
76+
- uses: deckhouse/modules-actions/cve_scan@v11
4577
with:
46-
tag: pr${{ github.event.number }}
47-
tag_type: "dev"
48-
module_name: ${{ vars.MODULE_NAME }}
49-
dd_url: ${{ secrets.DEFECTDOJO_HOST }}
50-
dd_token: ${{ secrets.DEFECTDOJO_API_TOKEN }}
51-
prod_registry: "registry.deckhouse.io"
52-
prod_registry_user: "license-token"
53-
prod_registry_password: ${{ secrets.PROD_MODULES_READ_REGISTRY_PASSWORD }}
54-
dev_registry: ${{ vars.DEV_REGISTRY }}
55-
dev_registry_user: ${{ vars.DEV_MODULES_REGISTRY_LOGIN }}
56-
dev_registry_password: ${{ secrets.DEV_MODULES_REGISTRY_PASSWORD }}
57-
deckhouse_private_repo: ${{ secrets.DECKHOUSE_PRIVATE_REPO }}
58-
severity: "HIGH,CRITICAL"
78+
source_tag: 'pr${{ github.event.number }}'
79+
case: "External Modules"
80+
external_module_name: ${{ vars.MODULE_NAME }}
81+
dd_url: ${{ steps.secrets.outputs.DD_URL }}
82+
dd_token: ${{ steps.secrets.outputs.DD_TOKEN }}
83+
prod_registry: ${{ steps.secrets.outputs.PROD_READ_REGISTRY }}
84+
prod_registry_user: ${{ steps.secrets.outputs.PROD_READ_REGISTRY_USER }}
85+
prod_registry_password: ${{ steps.secrets.outputs.PROD_READ_REGISTRY_PASSWORD }}
86+
dev_registry: ${{ steps.secrets.outputs.DECKHOUSE_DEV_REGISTRY_HOST }}
87+
dev_registry_user: ${{ steps.secrets.outputs.DECKHOUSE_DEV_REGISTRY_USER }}
88+
dev_registry_password: ${{ steps.secrets.outputs.DECKHOUSE_DEV_REGISTRY_PASSWORD }}
89+
deckhouse_private_repo: ${{ steps.secrets.outputs.DECKHOUSE_PRIVATE_REPO }}
90+
codeowners_repo_token: ${{ steps.secrets.outputs.CODEOWNERS_REPO_TOKEN }}
91+
cve_test_repo_git: ${{ steps.secrets.outputs.CVE_TEST_REPO_GIT }}
92+
cve_ssh_private_key: ${{ steps.secrets.outputs.CVE_TEST_SSH_PRIVATE_KEY }}
93+
trivy_reports_log_output: "1"
5994
cve_scan:
6095
if: github.event_name != 'pull_request'
6196
name: Regular CVE scan
6297
runs-on: [self-hosted, regular]
98+
needs: [build_dev]
99+
permissions:
100+
contents: read
101+
id-token: write
63102
steps:
64-
- uses: actions/checkout@v4
65-
- uses: deckhouse/modules-actions/cve_scan@v6
103+
- uses: actions/checkout@v11
104+
- name: Split repository name
105+
id: split
106+
env:
107+
REPO: ${{ github.repository }}
108+
run: echo "name=${REPO##*/}" >> $GITHUB_OUTPUT
109+
110+
- name: Import secrets
111+
id: secrets
112+
uses: hashicorp/vault-action@v2
113+
with:
114+
url: https://seguro.flant.com
115+
path: github
116+
role: "${{ steps.split.outputs.name }}"
117+
method: jwt
118+
jwtGithubAudience: github-access-aud
119+
secrets: |
120+
projects/data/101ceaca-97cd-462f-aed5-070d9b9de175/registry_host DECKHOUSE_DEV_REGISTRY_HOST | DECKHOUSE_DEV_REGISTRY_HOST ;
121+
projects/data/101ceaca-97cd-462f-aed5-070d9b9de175/dev-registry/writetoken login | DECKHOUSE_DEV_REGISTRY_USER ;
122+
projects/data/101ceaca-97cd-462f-aed5-070d9b9de175/dev-registry/writetoken password | DECKHOUSE_DEV_REGISTRY_PASSWORD ;
123+
projects/data/101ceaca-97cd-462f-aed5-070d9b9de175/registry_host DECKHOUSE_READ_REGISTRY_HOST | PROD_READ_REGISTRY ;
124+
projects/data/101ceaca-97cd-462f-aed5-070d9b9de175/ssdlc-registry-read-license login | PROD_READ_REGISTRY_USER ;
125+
projects/data/101ceaca-97cd-462f-aed5-070d9b9de175/ssdlc-registry-read-license password | PROD_READ_REGISTRY_PASSWORD ;
126+
projects/data/24cb1d7c-717a-4f92-8547-26f632916a7a/Trivy_CVE_Scan_CI_Secrets DD_TOKEN | DD_TOKEN ;
127+
projects/data/24cb1d7c-717a-4f92-8547-26f632916a7a/Trivy_CVE_Scan_CI_Secrets DD_URL | DD_URL ;
128+
projects/data/24cb1d7c-717a-4f92-8547-26f632916a7a/Trivy_CVE_Scan_CI_Secrets CVE_TEST_SSH_PRIVATE_KEY | CVE_TEST_SSH_PRIVATE_KEY ;
129+
projects/data/24cb1d7c-717a-4f92-8547-26f632916a7a/Trivy_CVE_Scan_CI_Secrets CVE_TEST_REPO_GIT | CVE_TEST_REPO_GIT ;
130+
projects/data/24cb1d7c-717a-4f92-8547-26f632916a7a/Trivy_CVE_Scan_CI_Secrets DECKHOUSE_PRIVATE_REPO | DECKHOUSE_PRIVATE_REPO ;
131+
projects/data/b050f3bd-733f-4746-9640-9df80d484074/CODEOWNERS_REPO_TOKEN CODEOWNERS_REPO_TOKEN | CODEOWNERS_REPO_TOKEN ;
132+
- uses: deckhouse/modules-actions/cve_scan@main
66133
with:
67-
tag: ${{ github.event.inputs.release_branch || github.event.repository.default_branch }}
68-
tag_type: "dev"
69-
module_name: ${{ vars.MODULE_NAME }}
70-
dd_url: ${{ secrets.DEFECTDOJO_HOST }}
71-
dd_token: ${{ secrets.DEFECTDOJO_API_TOKEN }}
72-
prod_registry: "registry.deckhouse.io"
73-
prod_registry_user: "license-token"
74-
prod_registry_password: ${{ secrets.PROD_MODULES_READ_REGISTRY_PASSWORD }}
75-
dev_registry: ${{ vars.DEV_REGISTRY }}
76-
dev_registry_user: ${{ vars.DEV_MODULES_REGISTRY_LOGIN }}
77-
dev_registry_password: ${{ secrets.DEV_MODULES_REGISTRY_PASSWORD }}
78-
deckhouse_private_repo: ${{ secrets.DECKHOUSE_PRIVATE_REPO }}
79-
scan_several_lastest_releases: ${{ github.event.inputs.scan_several_lastest_releases }}
134+
source_tag: ${{ github.event.inputs.release_branch || github.event.repository.default_branch }}
135+
case: "External Modules"
136+
external_module_name: ${{ vars.MODULE_NAME }}
137+
dd_url: ${{ steps.secrets.outputs.DD_URL }}
138+
dd_token: ${{ steps.secrets.outputs.DD_TOKEN }}
139+
prod_registry: ${{ steps.secrets.outputs.PROD_READ_REGISTRY }}
140+
prod_registry_user: ${{ steps.secrets.outputs.PROD_READ_REGISTRY_USER }}
141+
prod_registry_password: ${{ steps.secrets.outputs.PROD_READ_REGISTRY_PASSWORD }}
142+
dev_registry: ${{ steps.secrets.outputs.DECKHOUSE_DEV_REGISTRY_HOST }}
143+
dev_registry_user: ${{ steps.secrets.outputs.DECKHOUSE_DEV_REGISTRY_USER }}
144+
dev_registry_password: ${{ steps.secrets.outputs.DECKHOUSE_DEV_REGISTRY_PASSWORD }}
145+
deckhouse_private_repo: ${{ steps.secrets.outputs.DECKHOUSE_PRIVATE_REPO }}
146+
scan_several_latest_releases: ${{ github.event.inputs.scan_several_latest_releases || 'True'}}
80147
latest_releases_amount: ${{ github.event.inputs.latest_releases_amount || '3' }}
81-
severity: ${{ github.event.inputs.severity }}
148+
codeowners_repo_token: ${{ steps.secrets.outputs.CODEOWNERS_REPO_TOKEN }}
149+
cve_test_repo_git: ${{ steps.secrets.outputs.CVE_TEST_REPO_GIT }}
150+
cve_ssh_private_key: ${{ steps.secrets.outputs.CVE_TEST_SSH_PRIVATE_KEY }}
151+
release_in_dev: ${{ github.event.inputs.release_in_dev || 'False' }}
152+
trivy_reports_log_output: "1"

0 commit comments

Comments
 (0)