diff --git a/.github/workflows/image-arm-pr.yaml b/.github/workflows/image-arm-pr.yaml index 8252fb1f8..4943ba73c 100644 --- a/.github/workflows/image-arm-pr.yaml +++ b/.github/workflows/image-arm-pr.yaml @@ -13,31 +13,9 @@ env: FORCE_COLOR: 1 EARTHLY_TOKEN: ${{ secrets.EARTHLY_TOKEN }} jobs: - # Populate the trivy cache once for all later jobs to use - trivy-cache: - runs-on: ARM64 - steps: - - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 - with: - fetch-depth: 0 - - name: Install earthly - uses: Luet-lab/luet-install-action@cec77490c3f2416d7d07a47cfab04d448641d7ce # v1.1 - with: - repository: quay.io/kairos/packages - packages: utils/earthly - - name: Restore trivy cache - uses: yogeshlonkar/trivy-cache-action@v0 - with: - gh-token: ${{ secrets.GITHUB_TOKEN }} - - name: Populate trivy Cache - run: | - [ ! -d ".trivy" ] && mkdir -p ".trivy" - earthly +trivy-download-db --DIR .trivy opensuse: uses: ./.github/workflows/reusable-docker-arm-build.yaml secrets: inherit - needs: - - trivy-cache permissions: id-token: write # OIDC support contents: write @@ -63,8 +41,6 @@ jobs: alpine: uses: ./.github/workflows/reusable-docker-arm-build.yaml secrets: inherit - needs: - - trivy-cache permissions: id-token: write # OIDC support contents: write diff --git a/.github/workflows/image-arm.yaml b/.github/workflows/image-arm.yaml index ccc445a95..adbe199f2 100644 --- a/.github/workflows/image-arm.yaml +++ b/.github/workflows/image-arm.yaml 
@@ -80,32 +80,8 @@ jobs: content="${content//$'\r'/'%0D'}" # end of optional handling for multi line json echo "::set-output name=matrix::{\"include\": $content }" - - # Populate the trivy cache once for all later jobs to use - trivy-cache: - runs-on: ARM64 - steps: - - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 - with: - fetch-depth: 0 - - name: Install earthly - uses: Luet-lab/luet-install-action@cec77490c3f2416d7d07a47cfab04d448641d7ce # v1.1 - with: - repository: quay.io/kairos/packages - packages: utils/earthly - - name: Restore trivy cache - uses: yogeshlonkar/trivy-cache-action@v0 - with: - gh-token: ${{ secrets.GITHUB_TOKEN }} - - name: Populate trivy Cache - run: | - [ ! -d ".trivy" ] && mkdir -p ".trivy" - earthly +trivy-download-db --DIR .trivy - build-nvidia-base: runs-on: fast - needs: - - trivy-cache steps: - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 with: @@ -209,7 +185,6 @@ jobs: statuses: read needs: - build-nvidia-base - - trivy-cache secrets: inherit with: flavor: ubuntu @@ -246,15 +221,12 @@ jobs: worker: ${{ matrix.worker }} needs: - get-core-matrix - - trivy-cache strategy: fail-fast: false matrix: ${{fromJson(needs.get-core-matrix.outputs.matrix)}} image_and_iso_arm64_generic: uses: ./.github/workflows/reusable-image-and-iso-arm-generic.yaml - needs: - - trivy-cache secrets: inherit with: flavor: "opensuse" diff --git a/.github/workflows/image-pr.yaml b/.github/workflows/image-pr.yaml index 61fb39f88..cedb8546e 100644 --- a/.github/workflows/image-pr.yaml +++ b/.github/workflows/image-pr.yaml 
@@ -12,31 +12,9 @@ env: FORCE_COLOR: 1 EARTHLY_TOKEN: ${{ secrets.EARTHLY_TOKEN }} jobs: - # Populate the trivy cache once for all later jobs to use - trivy-cache: - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 - with: - fetch-depth: 0 - - name: Install earthly - uses: Luet-lab/luet-install-action@cec77490c3f2416d7d07a47cfab04d448641d7ce # v1.1 - with: - repository: quay.io/kairos/packages - packages: utils/earthly - - name: Restore trivy cache - uses: yogeshlonkar/trivy-cache-action@v0 - with: - gh-token: ${{ secrets.GITHUB_TOKEN }} - - name: Populate trivy Cache - run: | - [ ! -d ".trivy" ] && mkdir -p ".trivy" - earthly +trivy-download-db --DIR .trivy core-ubuntu-22-lts: uses: ./.github/workflows/reusable-build-flavor.yaml secrets: inherit - needs: - - trivy-cache permissions: contents: write security-events: write @@ -64,8 +42,6 @@ jobs: core-ubuntu-24-lts: uses: ./.github/workflows/reusable-build-flavor.yaml secrets: inherit - needs: - - trivy-cache permissions: contents: write security-events: write @@ -93,8 +69,6 @@ jobs: core-ubuntu-24-10: uses: ./.github/workflows/reusable-build-flavor.yaml secrets: inherit - needs: - - trivy-cache permissions: contents: write security-events: write @@ -122,8 +96,6 @@ jobs: core-alpine: uses: ./.github/workflows/reusable-build-flavor.yaml secrets: inherit - needs: - - trivy-cache permissions: contents: write security-events: write @@ -151,8 +123,6 @@ jobs: standard: uses: ./.github/workflows/reusable-build-provider.yaml secrets: inherit - needs: - - trivy-cache permissions: id-token: write # OIDC support contents: write @@ -185,7 +155,6 @@ jobs: flavor_release: "24.04" secureboot: false needs: - - trivy-cache - core-ubuntu-24-lts install-target: @@ -196,7 +165,6 @@ jobs: flavor_release: "24.04" secureboot: false needs: - - trivy-cache - core-ubuntu-24-lts install-secureboot: 
@@ -207,7 +175,6 @@ jobs: flavor_release: "24.04" secureboot: true needs: - - trivy-cache - core-ubuntu-24-lts install-alpine: @@ -217,7 +184,6 @@ jobs: flavor: alpine flavor_release: "3.19" needs: - - trivy-cache - core-alpine zfs: @@ -227,7 +193,6 @@ jobs: flavor: ubuntu flavor_release: "22.04" needs: - - trivy-cache - core-ubuntu-22-lts acceptance: @@ -237,7 +202,6 @@ jobs: flavor: ubuntu flavor_release: "24.04" needs: - - trivy-cache - core-ubuntu-24-lts acceptance-alpine: @@ -247,7 +211,6 @@ jobs: flavor: alpine flavor_release: "3.19" needs: - - trivy-cache - core-alpine bundles: @@ -257,7 +220,6 @@ jobs: flavor: ubuntu flavor_release: "24.04" needs: - - trivy-cache - core-ubuntu-24-lts reset: @@ -267,7 +229,6 @@ jobs: flavor: ubuntu flavor_release: "24.04" needs: - - trivy-cache - core-ubuntu-24-lts reset-alpine: @@ -277,7 +238,6 @@ jobs: flavor: alpine flavor_release: "3.19" needs: - - trivy-cache - core-alpine netboot: @@ -291,7 +251,6 @@ jobs: model: generic variant: core needs: - - trivy-cache - core-ubuntu-24-lts netboot-alpine: @@ -305,7 +264,6 @@ jobs: model: generic variant: core needs: - - trivy-cache - core-alpine upgrade: @@ -315,7 +273,6 @@ jobs: flavor: ubuntu flavor_release: "24.04" needs: - - trivy-cache - core-ubuntu-24-lts upgrade-alpine: @@ -325,7 +282,6 @@ jobs: flavor: alpine flavor_release: "3.19" needs: - - trivy-cache - core-alpine upgrade-latest: @@ -337,7 +293,6 @@ jobs: family: "ubuntu" # release_matcher: "23.10" # introduced so tests can be green while we wait for the kairos release with the latest flavor release needs: - - trivy-cache - core-ubuntu-24-lts # enable once the first alpine only release is out as it currently cannot find the latest alpine release properly @@ -347,7 +302,6 @@ jobs: # flavor: alpine # flavor_release: "3.19" # needs: - # - trivy-cache # - core-alpine custom-partitioning: 
@@ -372,7 +326,6 @@ jobs: flavor: ${{ matrix.flavor }} flavor_release: ${{ matrix.flavorRelease }} needs: - - trivy-cache - core-ubuntu-24-lts strategy: fail-fast: true @@ -389,7 +342,6 @@ jobs: flavor_release: "24.04" label: ${{ matrix.label }} needs: - - trivy-cache - core-ubuntu-24-lts strategy: fail-fast: true @@ -409,7 +361,6 @@ jobs: flavor_release: "3.19" label: ${{ matrix.label }} needs: - - trivy-cache - core-alpine strategy: fail-fast: true diff --git a/.github/workflows/image.yaml b/.github/workflows/image.yaml index 5c01bdec5..aa6f0b1be 100644 --- a/.github/workflows/image.yaml +++ b/.github/workflows/image.yaml @@ -33,30 +33,9 @@ jobs: # end of optional handling for multi line json # end of optional handling for multi line json echo "::set-output name=matrix::{\"include\": $content }" - # Populate the trivy cache once for all later jobs to use - trivy-cache: - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 - with: - fetch-depth: 0 - - name: Install earthly - uses: Luet-lab/luet-install-action@cec77490c3f2416d7d07a47cfab04d448641d7ce # v1.1 - with: - repository: quay.io/kairos/packages - packages: utils/earthly - - name: Restore trivy cache - uses: yogeshlonkar/trivy-cache-action@v0 - with: - gh-token: ${{ secrets.GITHUB_TOKEN }} - - name: Populate trivy Cache - run: | - [ ! -d ".trivy" ] && mkdir -p ".trivy" - earthly +trivy-download-db --DIR .trivy core: uses: ./.github/workflows/reusable-build-flavor.yaml needs: - - trivy-cache - get-core-matrix permissions: id-token: write # OIDC support @@ -93,7 +72,6 @@ jobs: flavor_release: ${{ matrix.flavorRelease }} needs: - core - - trivy-cache strategy: fail-fast: true matrix: @@ -109,7 +87,6 @@ jobs: flavor_release: ${{ matrix.flavorRelease }} needs: - core - - trivy-cache strategy: fail-fast: true matrix: @@ -125,7 +102,6 @@ jobs: secureboot: true needs: - core - - trivy-cache strategy: fail-fast: true matrix: 
@@ -150,7 +126,6 @@ jobs: flavor_release: ${{ matrix.flavorRelease }} needs: - core - - trivy-cache strategy: fail-fast: false matrix: @@ -165,7 +140,6 @@ jobs: flavor_release: ${{ matrix.flavorRelease }} needs: - core - - trivy-cache strategy: fail-fast: false matrix: @@ -192,7 +166,6 @@ jobs: flavor_release: ${{ matrix.flavorRelease }} needs: - core - - trivy-cache strategy: fail-fast: false matrix: @@ -207,7 +180,6 @@ jobs: flavor_release: ${{ matrix.flavorRelease }} needs: - core - - trivy-cache strategy: fail-fast: false matrix: @@ -236,7 +208,6 @@ jobs: base_image: ${{ matrix.baseImage }} needs: - core - - trivy-cache strategy: fail-fast: false matrix: @@ -267,7 +238,6 @@ jobs: flavor_release: ${{ matrix.flavorRelease }} needs: - core - - trivy-cache strategy: fail-fast: false matrix: @@ -287,7 +257,6 @@ jobs: release_matcher: ${{ matrix.releaseMatcher }} # introduced so tests can be green while we wait for the kairos release with the latest flavor release needs: - core - - trivy-cache strategy: fail-fast: false matrix: @@ -322,7 +291,6 @@ jobs: flavor_release: ${{ matrix.flavorRelease }} needs: - core - - trivy-cache strategy: fail-fast: true matrix: @@ -338,7 +306,6 @@ jobs: label: ${{ matrix.label }} needs: - core - - trivy-cache strategy: fail-fast: true matrix: @@ -356,7 +323,6 @@ jobs: uses: ./.github/workflows/reusable-build-provider.yaml needs: - core - - trivy-cache permissions: id-token: write # OIDC support contents: write @@ -421,7 +387,6 @@ jobs: label: ${{ matrix.label }} needs: - standard - - trivy-cache strategy: fail-fast: false max-parallel: 2 @@ -457,7 +422,6 @@ jobs: release_matcher: ${{ matrix.releaseMatcher }} # introduced so tests can be green while we wait for the kairos release with the latest flavor release needs: - standard - - trivy-cache strategy: fail-fast: false max-parallel: 2 @@ -474,7 +438,6 @@ jobs: runs-on: ubuntu-latest if: failure() needs: - - trivy-cache - core - standard - install 
diff --git a/.github/workflows/release-arm.yaml b/.github/workflows/release-arm.yaml index 2cc2eb845..5965c6023 100644 --- a/.github/workflows/release-arm.yaml +++ b/.github/workflows/release-arm.yaml @@ -77,27 +77,6 @@ jobs: # end of optional handling for multi line json echo "::set-output name=matrix::{\"include\": $content }" - # Populate the trivy cache once for all later jobs to use - trivy-cache: - runs-on: ARM64 - steps: - - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 - with: - fetch-depth: 0 - - name: Install earthly - uses: Luet-lab/luet-install-action@cec77490c3f2416d7d07a47cfab04d448641d7ce # v1.1 - with: - repository: quay.io/kairos/packages - packages: utils/earthly - - name: Restore trivy cache - uses: yogeshlonkar/trivy-cache-action@v0 - with: - gh-token: ${{ secrets.GITHUB_TOKEN }} - - name: Populate trivy Cache - run: | - [ ! -d ".trivy" ] && mkdir -p ".trivy" - earthly +trivy-download-db --DIR .trivy - build-nvidia-base: runs-on: ARM64 steps: @@ -152,7 +131,6 @@ jobs: build-arm-core: runs-on: ${{ matrix.worker }} needs: - - trivy-cache - get-core-matrix permissions: id-token: write # OIDC support @@ -186,19 +164,10 @@ jobs: registry: quay.io username: ${{ secrets.QUAY_USERNAME }} password: ${{ secrets.QUAY_PASSWORD }} - - name: Restore trivy cache - uses: yogeshlonkar/trivy-cache-action@v0 - with: - gh-token: ${{ secrets.GITHUB_TOKEN }} - - name: Populate trivy Cache - run: | - [ ! -d ".trivy" ] && mkdir -p ".trivy" - earthly +trivy-download-db --DIR .trivy - name: Build 🔧 run: | earthly -P +all-arm \ -VARIANT=core \ - --TRIVY_CACHE_DIR=.trivy \ -MODEL=${{ matrix.model }} \ -FLAVOR=${{ matrix.flavor }} \ -FLAVOR_RELEASE=${{ matrix.flavorRelease }} \ @@ -263,7 +232,6 @@ jobs: build-arm-standard: runs-on: ARM64 needs: - - trivy-cache - get-standard-matrix permissions: id-token: write # OIDC support 
@@ -301,19 +269,10 @@ jobs: registry: quay.io username: ${{ secrets.QUAY_USERNAME }} password: ${{ secrets.QUAY_PASSWORD }} - - name: Restore trivy cache - uses: yogeshlonkar/trivy-cache-action@v0 - with: - gh-token: ${{ secrets.GITHUB_TOKEN }} - - name: Populate trivy Cache - run: | - [ ! -d ".trivy" ] && mkdir -p ".trivy" - earthly +trivy-download-db --DIR .trivy - name: Build 🔧 run: | earthly -P +all-arm \ -VARIANT=standard \ - --TRIVY_CACHE_DIR=.trivy \ -MODEL=${{ matrix.model }} \ -K3S_VERSION=${{ matrix.k3s_version }} \ -FLAVOR=${{ matrix.flavor }} \ diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index 105a567bd..45da9c133 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml @@ -93,30 +93,9 @@ jobs: # end of optional handling for multi line json echo "::set-output name=matrix::{\"include\": $content }" - # Populate the trivy cache once for all later jobs to use - trivy-cache: - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 - with: - fetch-depth: 0 - - name: Install earthly - uses: Luet-lab/luet-install-action@cec77490c3f2416d7d07a47cfab04d448641d7ce # v1.1 - with: - repository: quay.io/kairos/packages - packages: utils/earthly - - name: Restore trivy cache - uses: yogeshlonkar/trivy-cache-action@v0 - with: - gh-token: ${{ secrets.GITHUB_TOKEN }} - - name: Populate trivy Cache - run: | - [ ! -d ".trivy" ] && mkdir -p ".trivy" - earthly +trivy-download-db --DIR .trivy build-core: runs-on: ubuntu-latest needs: - - trivy-cache - get-core-matrix permissions: id-token: write # OIDC support 
@@ -181,18 +160,9 @@ jobs: with: repository: quay.io/kairos/packages packages: utils/earthly - - name: Restore trivy cache - uses: yogeshlonkar/trivy-cache-action@v0 - with: - gh-token: ${{ secrets.GITHUB_TOKEN }} - - name: Populate trivy Cache - run: | - [ ! -d ".trivy" ] && mkdir -p ".trivy" - earthly +trivy-download-db --DIR .trivy - name: Build 🔧 run: | earthly +all \ - --TRIVY_CACHE_DIR=.trivy \ --VARIANT=${{ matrix.variant }} \ --FAMILY=${{ matrix.family }} \ --FLAVOR=${{ matrix.flavor }} \ @@ -261,7 +231,6 @@ jobs: actions: read security-events: write needs: - - trivy-cache - get-uki-matrix strategy: matrix: ${{ fromJson(needs.get-uki-matrix.outputs.matrix) }} @@ -375,7 +344,6 @@ jobs: build-standard: runs-on: ubuntu-latest needs: - - trivy-cache - get-standard-matrix permissions: id-token: write # OIDC support @@ -438,18 +406,9 @@ jobs: packages: utils/earthly - name: Login to Quay Registry run: echo ${{ secrets.QUAY_PASSWORD }} | docker login -u ${{ secrets.QUAY_USERNAME }} --password-stdin quay.io - - name: Restore trivy cache - uses: yogeshlonkar/trivy-cache-action@v0 - with: - gh-token: ${{ secrets.GITHUB_TOKEN }} - - name: Populate trivy Cache - run: | - [ ! -d ".trivy" ] && mkdir -p ".trivy" - earthly +trivy-download-db --DIR .trivy - name: Build 🔧 run: | earthly +all \ - --TRIVY_CACHE_DIR=.trivy \ --VARIANT=${{ matrix.variant }} \ --FAMILY=${{ matrix.family }} \ --FLAVOR=${{ matrix.flavor }} \ diff --git a/.github/workflows/reusable-build-flavor.yaml b/.github/workflows/reusable-build-flavor.yaml index 7dff3e96c..4a1bc50b5 100644 --- a/.github/workflows/reusable-build-flavor.yaml +++ b/.github/workflows/reusable-build-flavor.yaml 
@@ -106,14 +106,6 @@ jobs: - name: Login to earthly run: | earthly account login --token ${{ secrets.EARTHLY_TOKEN }} && earthly org select Kairos - - name: Restore trivy cache - uses: yogeshlonkar/trivy-cache-action@v0 - with: - gh-token: ${{ secrets.GITHUB_TOKEN }} - - name: Populate trivy Cache - run: | - [ ! -d ".trivy" ] && mkdir -p ".trivy" - earthly +trivy-download-db --DIR .trivy - name: Build PR 🔧 if: ${{ github.event_name == 'pull_request' }} run: | @@ -137,7 +129,6 @@ jobs: run: | earthly --platform=linux/${{ inputs.arch }} +ci \ --SECURITY_SCANS=true \ - --TRIVY_CACHE_DIR=.trivy \ --VARIANT=${{ inputs.variant }} \ --FLAVOR=${{ inputs.flavor }} \ --FLAVOR_RELEASE=${{ inputs.flavor_release }} \ diff --git a/.github/workflows/reusable-build-provider.yaml b/.github/workflows/reusable-build-provider.yaml index b5bd5d066..c561ae709 100644 --- a/.github/workflows/reusable-build-provider.yaml +++ b/.github/workflows/reusable-build-provider.yaml @@ -90,14 +90,6 @@ jobs: - name: Login to earthly run: | earthly account login --token ${{ secrets.EARTHLY_TOKEN }} && earthly org select Kairos - - name: Restore trivy cache - uses: yogeshlonkar/trivy-cache-action@v0 - with: - gh-token: ${{ secrets.GITHUB_TOKEN }} - - name: Populate trivy Cache - run: | - [ ! -d ".trivy" ] && mkdir -p ".trivy" - earthly +trivy-download-db --DIR .trivy - name: Build PR 🔧 if: ${{ github.event_name == 'pull_request' }} run: | @@ -128,7 +120,6 @@ jobs: INIT=$([[ "${{ inputs.flavor }}" == "alpine" ]] && echo "openrc" || echo "systemd") K3S_VERSION=$(sudo luet --config framework-profile.yaml search -o json k8s/k3s | jq --arg INIT "$INIT" '.packages | map(select(.name == "k3s-" + $INIT)) | map(.version) | unique | last' | tr -d '"') earthly --platform=linux/${{ inputs.arch }} +ci \ - --TRIVY_CACHE_DIR=.trivy \ --SECURITY_SCANS=true \ --VARIANT=${{ inputs.variant }} \ --FLAVOR=${{ inputs.flavor }} \ 
diff --git a/.github/workflows/reusable-docker-arm-build.yaml b/.github/workflows/reusable-docker-arm-build.yaml index 6047d51c6..14e67afa7 100644 --- a/.github/workflows/reusable-docker-arm-build.yaml +++ b/.github/workflows/reusable-docker-arm-build.yaml @@ -86,18 +86,9 @@ jobs: - name: Login to earthly run: | earthly account login --token ${{ secrets.EARTHLY_TOKEN }} && earthly org select Kairos - - name: Restore trivy cache - uses: yogeshlonkar/trivy-cache-action@v0 - with: - gh-token: ${{ secrets.GITHUB_TOKEN }} - - name: Populate trivy Cache - run: | - [ ! -d ".trivy" ] && mkdir -p ".trivy" - earthly +trivy-download-db --DIR .trivy - name: Build 🔧 run: | earthly -P +all-arm \ - --TRIVY_CACHE_DIR=.trivy \ --VARIANT=core \ --MODEL=${{ inputs.model }} \ --FLAVOR=${{ inputs.flavor }} \ diff --git a/Earthfile b/Earthfile index 2d6f2ddd5..1778b60f3 100644 --- a/Earthfile +++ b/Earthfile @@ -37,12 +37,11 @@ all: ARG --required MODEL ARG --required BASE_IMAGE # BASE_IMAGE is the image to apply the strategy (aka FLAVOR) on. E.g. ubuntu:20.04 - ARG TRIVY_CACHE_DIR BUILD +base-image IF [ "$SECURITY_SCANS" = "true" ] BUILD +image-sbom - BUILD +trivy-scan --CACHEDIR=$TRIVY_CACHE_DIR + BUILD +trivy-scan BUILD +grype-scan END BUILD +iso @@ -61,12 +60,11 @@ ci: ARG --required VARIANT ARG --required FAMILY - ARG TRIVY_CACHE_DIR BUILD +base-image IF [ "$SECURITY_SCANS" = "true" ] BUILD +image-sbom - BUILD +trivy-scan --CACHEDIR=$TRIVY_CACHE_DIR + BUILD +trivy-scan BUILD +grype-scan END BUILD +iso @@ -81,12 +79,11 @@ all-arm: ARG COMPRESS_IMG=true ARG SECURITY_SCANS=true - ARG TRIVY_CACHE_DIR BUILD --platform=linux/arm64 +base-image IF [ "$SECURITY_SCANS" = "true" ] BUILD --platform=linux/arm64 +image-sbom - BUILD --platform=linux/arm64 +trivy-scan --CACHEDIR=$TRIVY_CACHE_DIR + BUILD --platform=linux/arm64 +trivy-scan BUILD --platform=linux/arm64 +grype-scan END 
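Review bot: Dropping `ARG TRIVY_CACHE_DIR` from `all`, `ci` and `all-arm` is a change to the targets' public interface, and as far as I recall Earthly rejects a build arg that the target does not declare rather than ignoring it, so any caller outside this diff (local scripts, docs, downstream repos) still passing `--TRIVY_CACHE_DIR=...` breaks at that point. The same applies to all three Earthfile hunks on this line. A one-line note in the commit description naming the removed argument, or a short comment above the `IF [ "$SECURITY_SCANS" = "true" ]` block such as `# Trivy fetches its DB at scan time; no cache directory argument is accepted any more`, would make the removal discoverable for anyone hitting that error.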
@@ -767,15 +764,6 @@ datasource-iso: RUN mkisofs -output ci.iso -volid cidata -joliet -rock user-data meta-data SAVE ARTIFACT /build/ci.iso iso.iso AS LOCAL build/datasource.iso -trivy-download-db: - ARG TRIVY_VERSION - ARG DIR=trivy-cache - FROM aquasec/trivy:$TRIVY_VERSION - - COPY $DIR /trivy-cache - RUN /usr/local/bin/trivy --cache-dir /trivy-cache fs --download-db-only - SAVE ARTIFACT /trivy-cache AS LOCAL $DIR - trivy: ARG TRIVY_VERSION FROM aquasec/trivy:$TRIVY_VERSION 
@@ -787,25 +775,21 @@ trivy: ### trivy-scan: ARG TARGETARCH - ARG CACHEDIR # Use base-image so it can read original os-release file FROM +base-image ARG ISO_NAME=$(cat /etc/kairos-release | grep 'KAIROS_ARTIFACT' | sed 's/KAIROS_ARTIFACT=\"//' | sed 's/\"//') - ENV TRIVY_CACHE=/trivy-cache - IF [ -n "$CACHEDIR" ] - COPY $CACHEDIR $TRIVY_CACHE - END - COPY +trivy/trivy /trivy COPY +trivy/contrib /contrib + # This repo seems to have no request limit + ENV TRIVY_DB_REPOSITORY=public.ecr.aws/aquasecurity/trivy-db:2 WORKDIR /build - RUN /trivy --cache-dir "${TRIVY_CACHE}" filesystem --skip-dirs /tmp --timeout 30m --format sarif -o report.sarif --no-progress / - RUN /trivy --cache-dir "${TRIVY_CACHE}" filesystem --skip-dirs /tmp --timeout 30m --format template --template "@/contrib/html.tpl" -o report.html --no-progress / - RUN /trivy --cache-dir "${TRIVY_CACHE}" filesystem --skip-dirs /tmp --timeout 30m -f json -o results.json --no-progress / + RUN /trivy filesystem --skip-dirs /tmp --timeout 30m --format sarif -o report.sarif --no-progress / + RUN /trivy filesystem --skip-dirs /tmp --timeout 30m --format template --template "@/contrib/html.tpl" -o report.html --no-progress / + RUN /trivy filesystem --skip-dirs /tmp --timeout 30m -f json -o results.json --no-progress / SAVE ARTIFACT /build/report.sarif report.sarif AS LOCAL build/${ISO_NAME}-trivy.sarif SAVE ARTIFACT /build/report.html report.html AS LOCAL build/${ISO_NAME}-trivy.html SAVE ARTIFACT /build/results.json results.json AS LOCAL build/${ISO_NAME}-trivy.json
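Review bot: The added `ENV TRIVY_DB_REPOSITORY=public.ecr.aws/aquasecurity/trivy-db:2` makes every `+trivy-scan` build download the vulnerability DB at scan time from a single registry with no cache and no fallback, so the `SECURITY_SCANS` path now fails outright whenever that endpoint is unreachable, and the comment `# This repo seems to have no request limit` does not record what is being worked around. I would replace the comment with something like `# DB is fetched at scan time from the aquasecurity ECR mirror (presumably to avoid rate limits on the default ghcr.io source); if it is unreachable the SECURITY_SCANS path fails.` If the pinned TRIVY_VERSION accepts a comma-separated `--db-repository` list, listing the ghcr.io default after the mirror gives a fallback, and note that the Java DB (`TRIVY_JAVA_DB_REPOSITORY`) is not redirected here and will still be pulled from the default source if the scanned filesystem contains JARs. The three `RUN /trivy filesystem` lines share the default cache directory within the target, so only the first should actually download, but adding `--skip-db-update` to the second and third makes that intent explicit instead of relying on Trivy's freshness check.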