1313 release_branch :
1414 description : " Optional. Set minor version of release you want to scan. e.g.: 1.23"
1515 required : false
16- scan_several_lastest_releases :
16+ scan_several_latest_releases :
1717 description : " Optional. Whether to scan last several releases or not. true/false. For scheduled pipelines it is always true. Default is: false."
1818 required : false
1919 latest_releases_amount :
2020 description : " Optional. Number of latest releases to scan. Default is: 3"
2121 required : false
22- severity :
23- description : " Optional. Vulnerabilities severity to scan. Default is: UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL "
22+ release_in_dev :
23+ description : ' If true, release tag will be searched in dev registry instead of prod '
2424 required : false
25+ default : ' False'
2526 svace_enabled :
2627 description : " Enable svace build and analyze"
2728 type : boolean
@@ -39,43 +40,113 @@ jobs:
3940 name : CVE scan for PR
4041 runs-on : [self-hosted, regular]
4142 needs : [build_dev]
43+ permissions :
44+ contents : read
45+ id-token : write
4246 steps :
4347 - uses : actions/checkout@v4
44- - uses : deckhouse/modules-actions/cve_scan@v6
48+ - name : Split repository name
49+ id : split
50+ env :
51+ REPO : ${{ github.repository }}
52+ run : echo "name=${REPO##*/}" >> $GITHUB_OUTPUT
53+
54+ - name : Import secrets
55+ id : secrets
56+ uses : hashicorp/vault-action@v2
57+ with :
58+ url : https://seguro.flant.com
59+ path : github
60+ role : " ${{ steps.split.outputs.name }}"
61+ method : jwt
62+ jwtGithubAudience : github-access-aud
63+ secrets : |
64+ projects/data/101ceaca-97cd-462f-aed5-070d9b9de175/registry_host DECKHOUSE_DEV_REGISTRY_HOST | DECKHOUSE_DEV_REGISTRY_HOST ;
65+ projects/data/101ceaca-97cd-462f-aed5-070d9b9de175/dev-registry/writetoken login | DECKHOUSE_DEV_REGISTRY_USER ;
66+ projects/data/101ceaca-97cd-462f-aed5-070d9b9de175/dev-registry/writetoken password | DECKHOUSE_DEV_REGISTRY_PASSWORD ;
67+ projects/data/101ceaca-97cd-462f-aed5-070d9b9de175/registry_host DECKHOUSE_READ_REGISTRY_HOST | PROD_READ_REGISTRY ;
68+ projects/data/101ceaca-97cd-462f-aed5-070d9b9de175/ssdlc-registry-read-license login | PROD_READ_REGISTRY_USER ;
69+ projects/data/101ceaca-97cd-462f-aed5-070d9b9de175/ssdlc-registry-read-license password | PROD_READ_REGISTRY_PASSWORD ;
70+ projects/data/24cb1d7c-717a-4f92-8547-26f632916a7a/Trivy_CVE_Scan_CI_Secrets DD_TOKEN | DD_TOKEN ;
71+ projects/data/24cb1d7c-717a-4f92-8547-26f632916a7a/Trivy_CVE_Scan_CI_Secrets DD_URL | DD_URL ;
72+ projects/data/24cb1d7c-717a-4f92-8547-26f632916a7a/Trivy_CVE_Scan_CI_Secrets CVE_TEST_SSH_PRIVATE_KEY | CVE_TEST_SSH_PRIVATE_KEY ;
73+ projects/data/24cb1d7c-717a-4f92-8547-26f632916a7a/Trivy_CVE_Scan_CI_Secrets CVE_TEST_REPO_GIT | CVE_TEST_REPO_GIT ;
74+ projects/data/24cb1d7c-717a-4f92-8547-26f632916a7a/Trivy_CVE_Scan_CI_Secrets DECKHOUSE_PRIVATE_REPO | DECKHOUSE_PRIVATE_REPO ;
75+ projects/data/b050f3bd-733f-4746-9640-9df80d484074/CODEOWNERS_REPO_TOKEN CODEOWNERS_REPO_TOKEN | CODEOWNERS_REPO_TOKEN ;
76+ - uses : deckhouse/modules-actions/cve_scan@v11
4577 with :
46- tag : pr${{ github.event.number }}
47- tag_type : " dev"
48- module_name : ${{ vars.MODULE_NAME }}
49- dd_url : ${{ secrets.DEFECTDOJO_HOST }}
50- dd_token : ${{ secrets.DEFECTDOJO_API_TOKEN }}
51- prod_registry : " registry.deckhouse.io"
52- prod_registry_user : " license-token"
53- prod_registry_password : ${{ secrets.PROD_MODULES_READ_REGISTRY_PASSWORD }}
54- dev_registry : ${{ vars.DEV_REGISTRY }}
55- dev_registry_user : ${{ vars.DEV_MODULES_REGISTRY_LOGIN }}
56- dev_registry_password : ${{ secrets.DEV_MODULES_REGISTRY_PASSWORD }}
57- deckhouse_private_repo : ${{ secrets.DECKHOUSE_PRIVATE_REPO }}
58- severity : " HIGH,CRITICAL"
78+ source_tag : ' pr${{ github.event.number }}'
79+ case : " External Modules"
80+ external_module_name : ${{ vars.MODULE_NAME }}
81+ dd_url : ${{ steps.secrets.outputs.DD_URL }}
82+ dd_token : ${{ steps.secrets.outputs.DD_TOKEN }}
83+ prod_registry : ${{ steps.secrets.outputs.PROD_READ_REGISTRY }}
84+ prod_registry_user : ${{ steps.secrets.outputs.PROD_READ_REGISTRY_USER }}
85+ prod_registry_password : ${{ steps.secrets.outputs.PROD_READ_REGISTRY_PASSWORD }}
86+ dev_registry : ${{ steps.secrets.outputs.DECKHOUSE_DEV_REGISTRY_HOST }}
87+ dev_registry_user : ${{ steps.secrets.outputs.DECKHOUSE_DEV_REGISTRY_USER }}
88+ dev_registry_password : ${{ steps.secrets.outputs.DECKHOUSE_DEV_REGISTRY_PASSWORD }}
89+ deckhouse_private_repo : ${{ steps.secrets.outputs.DECKHOUSE_PRIVATE_REPO }}
90+ codeowners_repo_token : ${{ steps.secrets.outputs.CODEOWNERS_REPO_TOKEN }}
91+ cve_test_repo_git : ${{ steps.secrets.outputs.CVE_TEST_REPO_GIT }}
92+ cve_ssh_private_key : ${{ steps.secrets.outputs.CVE_TEST_SSH_PRIVATE_KEY }}
93+ trivy_reports_log_output : " 1"
5994 cve_scan :
6095 if : github.event_name != 'pull_request'
6196 name : Regular CVE scan
6297 runs-on : [self-hosted, regular]
98+ needs : [build_dev]
99+ permissions :
100+ contents : read
101+ id-token : write
63102 steps :
64- - uses : actions/checkout@v4
65- - uses : deckhouse/modules-actions/cve_scan@v6
103+ - uses : actions/checkout@v11
104+ - name : Split repository name
105+ id : split
106+ env :
107+ REPO : ${{ github.repository }}
108+ run : echo "name=${REPO##*/}" >> $GITHUB_OUTPUT
109+
110+ - name : Import secrets
111+ id : secrets
112+ uses : hashicorp/vault-action@v2
113+ with :
114+ url : https://seguro.flant.com
115+ path : github
116+ role : " ${{ steps.split.outputs.name }}"
117+ method : jwt
118+ jwtGithubAudience : github-access-aud
119+ secrets : |
120+ projects/data/101ceaca-97cd-462f-aed5-070d9b9de175/registry_host DECKHOUSE_DEV_REGISTRY_HOST | DECKHOUSE_DEV_REGISTRY_HOST ;
121+ projects/data/101ceaca-97cd-462f-aed5-070d9b9de175/dev-registry/writetoken login | DECKHOUSE_DEV_REGISTRY_USER ;
122+ projects/data/101ceaca-97cd-462f-aed5-070d9b9de175/dev-registry/writetoken password | DECKHOUSE_DEV_REGISTRY_PASSWORD ;
123+ projects/data/101ceaca-97cd-462f-aed5-070d9b9de175/registry_host DECKHOUSE_READ_REGISTRY_HOST | PROD_READ_REGISTRY ;
124+ projects/data/101ceaca-97cd-462f-aed5-070d9b9de175/ssdlc-registry-read-license login | PROD_READ_REGISTRY_USER ;
125+ projects/data/101ceaca-97cd-462f-aed5-070d9b9de175/ssdlc-registry-read-license password | PROD_READ_REGISTRY_PASSWORD ;
126+ projects/data/24cb1d7c-717a-4f92-8547-26f632916a7a/Trivy_CVE_Scan_CI_Secrets DD_TOKEN | DD_TOKEN ;
127+ projects/data/24cb1d7c-717a-4f92-8547-26f632916a7a/Trivy_CVE_Scan_CI_Secrets DD_URL | DD_URL ;
128+ projects/data/24cb1d7c-717a-4f92-8547-26f632916a7a/Trivy_CVE_Scan_CI_Secrets CVE_TEST_SSH_PRIVATE_KEY | CVE_TEST_SSH_PRIVATE_KEY ;
129+ projects/data/24cb1d7c-717a-4f92-8547-26f632916a7a/Trivy_CVE_Scan_CI_Secrets CVE_TEST_REPO_GIT | CVE_TEST_REPO_GIT ;
130+ projects/data/24cb1d7c-717a-4f92-8547-26f632916a7a/Trivy_CVE_Scan_CI_Secrets DECKHOUSE_PRIVATE_REPO | DECKHOUSE_PRIVATE_REPO ;
131+ projects/data/b050f3bd-733f-4746-9640-9df80d484074/CODEOWNERS_REPO_TOKEN CODEOWNERS_REPO_TOKEN | CODEOWNERS_REPO_TOKEN ;
132+ - uses : deckhouse/modules-actions/cve_scan@main
66133 with :
67- tag : ${{ github.event.inputs.release_branch || github.event.repository.default_branch }}
68- tag_type : " dev "
69- module_name : ${{ vars.MODULE_NAME }}
70- dd_url : ${{ secrets.DEFECTDOJO_HOST }}
71- dd_token : ${{ secrets.DEFECTDOJO_API_TOKEN }}
72- prod_registry : " registry.deckhouse.io "
73- prod_registry_user : " license-token "
74- prod_registry_password : ${{ secrets.PROD_MODULES_READ_REGISTRY_PASSWORD }}
75- dev_registry : ${{ vars.DEV_REGISTRY }}
76- dev_registry_user : ${{ vars.DEV_MODULES_REGISTRY_LOGIN }}
77- dev_registry_password : ${{ secrets.DEV_MODULES_REGISTRY_PASSWORD }}
78- deckhouse_private_repo : ${{ secrets.DECKHOUSE_PRIVATE_REPO }}
79- scan_several_lastest_releases : ${{ github.event.inputs.scan_several_lastest_releases }}
134+ source_tag : ${{ github.event.inputs.release_branch || github.event.repository.default_branch }}
135+ case : " External Modules "
136+ external_module_name : ${{ vars.MODULE_NAME }}
137+ dd_url : ${{ steps. secrets.outputs.DD_URL }}
138+ dd_token : ${{ steps. secrets.outputs.DD_TOKEN }}
139+ prod_registry : ${{ steps.secrets.outputs.PROD_READ_REGISTRY }}
140+ prod_registry_user : ${{ steps.secrets.outputs.PROD_READ_REGISTRY_USER }}
141+ prod_registry_password : ${{ steps. secrets.outputs.PROD_READ_REGISTRY_PASSWORD }}
142+ dev_registry : ${{ steps.secrets.outputs.DECKHOUSE_DEV_REGISTRY_HOST }}
143+ dev_registry_user : ${{ steps.secrets.outputs.DECKHOUSE_DEV_REGISTRY_USER }}
144+ dev_registry_password : ${{ steps. secrets.outputs.DECKHOUSE_DEV_REGISTRY_PASSWORD }}
145+ deckhouse_private_repo : ${{ steps. secrets.outputs .DECKHOUSE_PRIVATE_REPO }}
146+ scan_several_latest_releases : ${{ github.event.inputs.scan_several_latest_releases || 'True' }}
80147 latest_releases_amount : ${{ github.event.inputs.latest_releases_amount || '3' }}
81- severity : ${{ github.event.inputs.severity }}
148+ codeowners_repo_token : ${{ steps.secrets.outputs.CODEOWNERS_REPO_TOKEN }}
149+ cve_test_repo_git : ${{ steps.secrets.outputs.CVE_TEST_REPO_GIT }}
150+ cve_ssh_private_key : ${{ steps.secrets.outputs.CVE_TEST_SSH_PRIVATE_KEY }}
151+ release_in_dev : ${{ github.event.inputs.release_in_dev || 'False' }}
152+ trivy_reports_log_output : " 1"
0 commit comments