From 744bc274ef883ee2075de8cab41192d911d84541 Mon Sep 17 00:00:00 2001
From: Pat Ledgerwood <32804494+vexingly@users.noreply.github.com>
Date: Thu, 22 Aug 2024 13:21:31 -0400
Subject: [PATCH] Add trivyignore to workflow (#125)
* fix: remove failing databricks-python image
* feat: add new mpi-operator based image
* fix: need curl for kubectl install
* fix: add ca-certificates for curl
* fix: upgrade debian to latested LTS to fix CVEs
* fix: try to upgrade packages to fix CVEs
* fix: force latest package minizip for cve
* fix: remove package with CVE
* fix: restore zlib package
* add trivyignore to workflow
---
 .github/workflows/build.yml | 1 +
 .github/workflows/publish.yml | 1 +
 2 files changed, 2 insertions(+)
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 2656f43..56a5de0 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -49,6 +49,7 @@ jobs:
 # Scan image for vulnerabilities
 - name: Aqua Security Trivy image scan
 run: |
+ printf ${{ secrets.CVE_ALLOWLIST }} > .trivyignore
 curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin ${{ env.TRIVY_VERSION }}
 trivy image localhost:5000/${{ matrix.image }}:${{ github.sha }} --exit-code 1 --timeout=20m --security-checks vuln --severity CRITICAL
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index 2f9a2eb..10a56be 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -63,6 +63,7 @@ jobs:
 # Scan image for vulnerabilities
 - name: Aqua Security Trivy image scan
 run: |
+ printf ${{ secrets.CVE_ALLOWLIST }} > .trivyignore
 curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin ${{ env.TRIVY_VERSION }}
 trivy image localhost:5000/${{ matrix.image }}:${{ github.sha }} --exit-code 1 --timeout=20m --security-checks vuln --severity CRITICAL
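Review bot: The added `printf ${{ secrets.CVE_ALLOWLIST }} > .trivyignore` line in the build.yml hunk splices the secret's text directly into the shell script, unquoted and as printf's format string, so word splitting, globbing, `%` directives and any literal newline in the allowlist change what the step executes, and when the secret is absent (forks, PRs from outside) the line collapses to a bare `printf` that fails under the runner's `bash -e`. Pass it through the environment instead: add `env:` / `  CVE_ALLOWLIST: ${{ secrets.CVE_ALLOWLIST }}` on the step and write `printf '%b\n' "$CVE_ALLOWLIST" > .trivyignore` (`%b` keeps the apparent backslash-escape convention; use `%s` if the secret holds real newlines). The identical line is added in the publish.yml hunk and needs the same treatment. It would also be clearer to pass `--ignorefile .trivyignore` to the `trivy image` call so the dependency on the written file is explicit, and worth noting that keeping the suppression list in a secret rather than a committed `.trivyignore` means changes to which CRITICAL findings are ignored bypass code review.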