
Commit 1c908d6

committed
Fix trivy scan flow
Signed-off-by: Prajyot-Parab <[email protected]>
1 parent 41331fa commit 1c908d6


3 files changed

+65
-3
lines changed


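--- a/Makefile
+++ b/Makefile
@@ -88,6 +88,9 @@ OUTPUT_TYPE ?= type=registry
 GO_VERSION ?=1.23.8
 GO_CONTAINER_IMAGE ?= golang:$(GO_VERSION)
 
+# Trivy
+TRIVY_VER := 0.61.0
+
 # kind
 CAPI_KIND_CLUSTER_NAME ?= capi-test
 
@@ -552,8 +555,8 @@ verify-conversions: $(CONVERSION_VERIFIER) ## Verifies expected API conversion a
 	$(CONVERSION_VERIFIER)
 
 .PHONY: verify-container-images
-verify-container-images: $(TRIVY) ## Verify container images
-	TRACE=$(TRACE) ./hack/verify-container-images.sh
+verify-container-images: ## Verify container images
+	TRACE=$(TRACE) ./hack/verify-container-images.sh $(TRIVY_VER)
 
 .PHONY: verify-govulncheck
 verify-govulncheck: $(GOVULNCHECK) ## Verify code for vulnerabilities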
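Review bot: `TRIVY_VER := 0.61.0` in the first hunk is the only version knob in the visible block defined with `:=`; the neighbouring `GO_VERSION ?=1.23.8` and `CAPI_KIND_CLUSTER_NAME ?= capi-test` use `?=`, so an environment-provided `TRIVY_VER` is silently ignored while `GO_VERSION` is honoured. If the pin is meant to be overridable the same way, `TRIVY_VER ?= 0.61.0` keeps the file consistent; if it is meant as a hard pin for the scanner, a comment such as `# Trivy (pinned scanner version; bump deliberately)` would make that intent explicit. The second hunk drops the `$(TRIVY)` prerequisite, so the tool now reaches the target only through the argument handed to the script; that is fine for a phony target, but the `##` help text could say that the script installs trivy itself so readers do not look for a missing rule.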

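--- a/hack/ensure-trivy.sh
+++ b/hack/ensure-trivy.sh
@@ -0,0 +1,57 @@
+#!/bin/bash
+
+# Copyright 2025 The Kubernetes Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -o errexit
+set -o nounset
+set -o pipefail
+
+if [[ "${TRACE-0}" == "1" ]]; then
+set -o xtrace
+fi
+
+VERSION=${1}
+
+GO_OS="$(go env GOOS)"
+if [[ "${GO_OS}" == "linux" ]]; then
+TRIVY_OS="Linux"
+elif [[ "${GO_OS}" == "darwin"* ]]; then
+TRIVY_OS="macOS"
+fi
+
+GO_ARCH="$(go env GOARCH)"
+if [[ "${GO_ARCH}" == "amd" ]]; then
+TRIVY_ARCH="32bit"
+elif [[ "${GO_ARCH}" == "amd64"* ]]; then
+TRIVY_ARCH="64bit"
+elif [[ "${GO_ARCH}" == "arm" ]]; then
+TRIVY_ARCH="ARM"
+elif [[ "${GO_ARCH}" == "arm64" ]]; then
+TRIVY_ARCH="ARM64"
+fi
+
+TOOL_BIN=hack/tools/bin
+mkdir -p ${TOOL_BIN}
+
+TRIVY="${TOOL_BIN}/trivy/${VERSION}/trivy"
+
+# Downloads trivy scanner
+if [ ! -f "$TRIVY" ]; then
+curl -L -o ${TOOL_BIN}/trivy.tar.gz "https://github.com/aquasecurity/trivy/releases/download/v${VERSION}/trivy_${VERSION}_${TRIVY_OS}-${TRIVY_ARCH}.tar.gz"
+mkdir -p "$(dirname "$0")/tools/bin/trivy/${VERSION}"
+tar -xf "${TOOL_BIN}/trivy.tar.gz" -C "${TOOL_BIN}/trivy/${VERSION}" trivy
+chmod +x "${TOOL_BIN}/trivy/${VERSION}/trivy"
+rm "${TOOL_BIN}/trivy.tar.gz"
+fi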
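Review bot: The archive fetched on line 52 is extracted and made executable (lines 54–55) without any integrity check: `curl -L` without `-f` writes an HTML error page as `trivy.tar.gz` on a 404, and nothing compares the tarball against the digests published with the release, so a corrupted or substituted download becomes the scanner that gates `verify-container-images`. Fetching the `trivy_${VERSION}_checksums.txt` file published alongside the release tarballs and running `sha256sum -c` (`shasum -a 256 -c` on macOS) before `tar` closes that gap; a per-platform digest pinned in this repository next to `TRIVY_VER` would be stronger still. Separately, the architecture mapping on lines 35–36 can never match because `go env GOARCH` reports 32-bit x86 as `386`, not `amd`, and on any unmapped OS/arch `TRIVY_OS`/`TRIVY_ARCH` stay unset so the script only fails at the `curl` line with an `unbound variable` message from `set -o nounset`; an explicit `else echo "unsupported platform ${GO_OS}/${GO_ARCH}" >&2; exit 1` on both chains is clearer.
```shell
# … unchanged: license header, set -o …, OS/arch mapping, TOOL_BIN, TRIVY …
if [ ! -f "$TRIVY" ]; then
  TARBALL="trivy_${VERSION}_${TRIVY_OS}-${TRIVY_ARCH}.tar.gz"
  BASE_URL="https://github.com/aquasecurity/trivy/releases/download/v${VERSION}"
  curl -fsSL -o "${TOOL_BIN}/${TARBALL}" "${BASE_URL}/${TARBALL}"
  curl -fsSL -o "${TOOL_BIN}/trivy_${VERSION}_checksums.txt" "${BASE_URL}/trivy_${VERSION}_checksums.txt"
  # Refuse to extract an archive whose digest does not match the published one
  # (pipefail makes a missing checksum entry fatal too).
  (cd "${TOOL_BIN}" && grep " ${TARBALL}\$" "trivy_${VERSION}_checksums.txt" | sha256sum -c -)
  mkdir -p "${TOOL_BIN}/trivy/${VERSION}"
  tar -xf "${TOOL_BIN}/${TARBALL}" -C "${TOOL_BIN}/trivy/${VERSION}" trivy
  # … unchanged: chmod +x, cleanup (also remove the checksums file) …
fi
```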

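--- a/hack/verify-container-images.sh
+++ b/hack/verify-container-images.sh
@@ -22,11 +22,13 @@ if [[ "${TRACE-0}" == "1" ]]; then
 set -o xtrace
 fi
 
+VERSION=${1}
 GO_ARCH="$(go env GOARCH)"
 
 REPO_ROOT=$(git rev-parse --show-toplevel)
+"${REPO_ROOT}/hack/ensure-trivy.sh" "${VERSION}"
 
-TRIVY="${REPO_ROOT}/hack/tools/bin/trivy"
+TRIVY="${REPO_ROOT}/hack/tools/bin/trivy/${VERSION}/trivy"
 
 # Builds all the container images to be scanned and cleans up changes to ./*manager_image_patch.yaml ./*manager_pull_policy.yaml.
 make REGISTRY=gcr.io/k8s-staging-capi-ibmcloud PULL_POLICY=IfNotPresent TAG=dev OUTPUT_TYPE=type=docker docker-build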
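Review bot: `VERSION=${1}` on line 25 together with the file's `set -o nounset` means running the script without an argument (which is how the previous Makefile recipe invoked it) now dies with a bare `$1: unbound variable`; `VERSION=${1:?usage: $0 <trivy-version>}` gives the caller a usable message. The call on line 29 also depends on the working directory: `ensure-trivy.sh` installs into the cwd-relative `hack/tools/bin` (its `TOOL_BIN=hack/tools/bin`, with one `mkdir` using `$(dirname "$0")` instead), while line 31 expects the binary under `${REPO_ROOT}/hack/tools/bin/trivy/${VERSION}/trivy`, so the two paths only agree when the script is launched from the repository root — true for the Makefile target, not necessarily for a manual run. Invoking it as `(cd "${REPO_ROOT}" && ./hack/ensure-trivy.sh "${VERSION}")`, or deriving `TOOL_BIN` from `$(dirname "$0")` inside ensure-trivy.sh, removes that assumption.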
