Fix issue with shell variable not accessible to xargs spawned shell

ddelnano · ddelnano · commit 1c936712c2c7 · 2025-07-16T17:56:39.000Z
Signed-off-by: Dom Del Nano &lt;ddelnano@gmail.com&gt;
diff --git a/.github/workflows/trivy_images.yaml b/.github/workflows/trivy_images.yaml
@@ -50,8 +50,8 @@ jobs:
         mkdir -p sarif/${{ matrix.artifact }}
         ./bazel-bin/k8s/${{ matrix.artifact }}/list_image_bundle | xargs -I{} sh -c 'trivy image {} --format=sarif --output=sarif/${{ matrix.artifact }}/$(basename {} | cut -d":" -f1).sarif'
 
-        # TODO(ddelnano): Remove this check once the operator dependency images are supported. This requires rendering helm templates
-        # and requires some additional work.
+        # TODO(ddelnano): Remove this check once the operator dependency images are supported.
+        # This requires rendering helm templates and requires some additional work.
         if [ "${{ matrix.artifact }}" = "operator" ]; then
           echo "Skipping operator image scan for now."
           exit 0
@@ -61,10 +61,11 @@ jobs:
         ./scripts/bazel_ignore_codes.sh build \
           //k8s/${{ matrix.artifact }}:${{ matrix.artifact }}_image_list
 
+        mkdir -p sarif/${{ matrix.artifact }}_deps
         # Ignore images whose basename is "/${{ matrix.artifact }}" to avoid scanning the bazel built images (e.g. /vizier-, /cloud-)
-        deps_output_dir=sarif/${{ matrix.artifact }}_deps
-        mkdir -p ${deps_output_dir}
-        cat ./bazel-bin/k8s/${{ matrix.artifact }}/${{ matrix.artifact }}_image_list.txt | grep -v "\/${{ matrix.artifact }}" | xargs -I{} sh -c 'trivy image {} --format=sarif --output=${deps_output_dir}/$(basename {} | cut -d":" -f1).sarif'
+        # The deps images must have their file named processed differently to avoid conflicts with the image name. For example,
+        # ory/hydra:v1.9.2-alpine and ory/hydra:v1.9.2-sqlite must not conflict.
+        cat ./bazel-bin/k8s/${{ matrix.artifact }}/${{ matrix.artifact }}_image_list.txt | grep -v "\/${{ matrix.artifact }}" | xargs -I{} sh -c 'trivy image {} --format=sarif --output=sarif/${{ matrix.artifact }}_deps/$(basename {} | cut -d"@" -f1 | tr ":" "_").sarif'
       # yamllint enable rule:line-length
     - run: |
         # Loop through all ${artifact} and ${artifact}_deps sarif files
@@ -78,8 +79,8 @@ jobs:
     - uses: github/codeql-action/upload-sarif@1b549b9259bda1cb5ddde3b41741a82a2d15a841  # v3.28.13
       with:
         sarif_file: sarif/${{ matrix.artifact }}
-    # TODO(ddelnano): Remove this check once the operator dependency images are supported. This requires rendering helm templates
-    # and requires some additional work.
+    # TODO(ddelnano): Remove this check once the operator dependency images are supported.
+    # This requires rendering helm templates and requires some additional work.
     - uses: github/codeql-action/upload-sarif@1b549b9259bda1cb5ddde3b41741a82a2d15a841  # v3.28.13
       if: ${{ matrix.artifact != 'operator' }}
       with:
