Add trivyignore to workflow (#125)

* fix: remove failing databricks-python image * feat: add new mpi-operator based image * fix: need curl for kubectl install * fix: add ca-certificates for curl * fix: upgrade debian to latested LTS to fix CVEs * fix: try to upgrade packages to fix CVEs * fix: force latest package minizip for cve * fix: remove package with CVE * fix: restore zlib package * add trivyignore to workflow
StatCan · Aug 22, 2024 · 744bc27 · 744bc27
1 parent 3be3bf6
commit 744bc27
Show file tree

Hide file tree

Showing 2 changed files with 2 additions and 0 deletions.
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -49,6 +49,7 @@ jobs:
     # Scan image for vulnerabilities
     - name: Aqua Security Trivy image scan
       run: |
+        printf ${{ secrets.CVE_ALLOWLIST }} > .trivyignore
         curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin ${{ env.TRIVY_VERSION }}
         trivy image localhost:5000/${{ matrix.image }}:${{ github.sha }} --exit-code 1 --timeout=20m --security-checks vuln --severity CRITICAL
 

diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
@@ -63,6 +63,7 @@ jobs:
     # Scan image for vulnerabilities
     - name: Aqua Security Trivy image scan
       run: |
+        printf ${{ secrets.CVE_ALLOWLIST }} > .trivyignore
         curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin ${{ env.TRIVY_VERSION }}
         trivy image localhost:5000/${{ matrix.image }}:${{ github.sha }} --exit-code 1 --timeout=20m --security-checks vuln --severity CRITICAL