update trivy (#330)

EveningStarlight · web-flow · commit a80f4c0f5212 · 2024-11-19T12:14:19.000-05:00
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
@@ -15,7 +15,11 @@ env:
   REGISTRY_NAME: k8scc01covidacr
   # Dev Registry cannot be used in 2.0 since we don't have access to the acrdev
   DEV_REGISTRY_NAME: k8scc01covidacrdev
-  TRIVY_VERSION: "v0.43.1"
+  TRIVY_VERSION: "v0.57.0"
+  TRIVY_DATABASES: '"ghcr.io/aquasecurity/trivy-db:2","public.ecr.aws/aquasecurity/trivy-db"'
+  TRIVY_JAVA_DATABASES: '"ghcr.io/aquasecurity/trivy-java-db:1","public.ecr.aws/aquasecurity/trivy-java-db"'
+  TRIVY_MAX_RETRIES: 5
+  TRIVY_RETRY_DELAY: 20
   SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
   HADOLINT_VERSION: "2.12.0"
 
@@ -78,10 +82,38 @@ jobs:
         docker push localhost:5000/jupyter-apis-aaw2:${{ github.sha }}
         docker image prune
     
+    # Scan image for vulnerabilities
     - name: Aqua Security Trivy image scan
       run: |
         curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin ${{ env.TRIVY_VERSION }}
-        trivy image localhost:5000/jupyter-apis-aaw2:${{ github.sha }} --exit-code 1 --timeout=20m --security-checks vuln --severity CRITICAL
+        
+        set +e # Lets trivy return an error without it being fatal
+
+        for ((i=0; i<${{ env.TRIVY_MAX_RETRIES }}; i++)); do
+          echo "Attempt $((i + 1)) of ${{ env.TRIVY_MAX_RETRIES }}..."
+
+          trivy image \
+            --db-repository ${{ env.TRIVY_DATABASES }} \
+            --java-db-repository ${{ env.TRIVY_JAVA_DATABASES }} \
+            localhost:5000/jupyter-apis-aaw2:${{ github.sha }} \
+            --exit-code 10 --timeout=20m --scanners vuln --severity CRITICAL \
+            --skip-dirs /usr/local/SASHome
+          EXIT_CODE=$?
+
+          if [[ $EXIT_CODE -eq 0 ]]; then
+            echo "Trivy scan completed successfully."
+            exit 0
+          elif [[ $EXIT_CODE -eq 10 ]]; then
+            echo "Trivy scan completed successfully. Some vulnerabilities were found."
+            exit 10
+          elif [[ $i -lt $(( ${{ env.TRIVY_MAX_RETRIES }} - 1))  ]]; then
+            echo "Encountered unexpected error. Retrying in ${{ env.TRIVY_RETRY_DELAY }} seconds..."
+            sleep ${{ env.TRIVY_RETRY_DELAY }}
+          else
+            echo "Unexpected error persists after ${{ env.TRIVY_MAX_RETRIES }} attempts. Exiting."
+            exit 1
+          fi
+        done
 
     # Container build and push to a Azure Container registry (ACR)
     - name: Push to ACR if necessary
