Fix trviy scan flow (#2310)

Signed-off-by: Prajyot-Parab <[email protected]>

Author: Prajyot-Parab

Makefile

@@ -49,7 +49,6 @@ CONTROLLER_GEN := $(TOOLS_BIN_DIR)/controller-gen
 CONVERSION_VERIFIER := $(TOOLS_BIN_DIR)/conversion-verifier
 SETUP_ENVTEST := $(TOOLS_BIN_DIR)/setup-envtest
 GOVULNCHECK := $(TOOLS_BIN_DIR)/govulncheck
-TRIVY := $(TOOLS_BIN_DIR)/trivy
 RELEASE_NOTES := $(TOOLS_BIN_DIR)/release-notes
 
 STAGING_REGISTRY ?= gcr.io/k8s-staging-capi-ibmcloud
@@ -88,6 +87,9 @@ OUTPUT_TYPE ?= type=registry
 GO_VERSION ?=1.23.8
 GO_CONTAINER_IMAGE ?= golang:$(GO_VERSION)
 
+# Trivy
+TRIVY_VER := 0.61.1
+
 # kind
 CAPI_KIND_CLUSTER_NAME ?= capi-test
 
@@ -552,8 +554,8 @@ verify-conversions: $(CONVERSION_VERIFIER) ## Verifies expected API conversion a
 	$(CONVERSION_VERIFIER)
 
 .PHONY: verify-container-images
-verify-container-images: $(TRIVY) ## Verify container images
-	TRACE=$(TRACE) ./hack/verify-container-images.sh
+verify-container-images: ## Verify container images
+	TRACE=$(TRACE) ./hack/verify-container-images.sh $(TRIVY_VER)
 
 .PHONY: verify-govulncheck
 verify-govulncheck: $(GOVULNCHECK) ## Verify code for vulnerabilities

hack/ensure-trivy.sh

@@ -0,0 +1,59 @@
+#!/bin/bash
+
+# Copyright 2025 The Kubernetes Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -o errexit
+set -o nounset
+set -o pipefail
+
+if [[ "${TRACE-0}" == "1" ]]; then
+    set -o xtrace
+fi
+
+VERSION=${1}
+
+GO_OS="$(go env GOOS)"
+if [[ "${GO_OS}" == "linux" ]]; then
+  TRIVY_OS="Linux"
+elif [[ "${GO_OS}" == "darwin"* ]]; then
+  TRIVY_OS="macOS"
+fi
+
+GO_ARCH="$(go env GOARCH)"
+if [[ "${GO_ARCH}" == "amd" ]]; then
+  TRIVY_ARCH="32bit"
+elif [[ "${GO_ARCH}" == "amd64"* ]]; then
+  TRIVY_ARCH="64bit"
+elif [[ "${GO_ARCH}" == "arm" ]]; then
+  TRIVY_ARCH="ARM"
+elif [[ "${GO_ARCH}" == "arm64" ]]; then
+  TRIVY_ARCH="ARM64"
+elif [[ "${GO_ARCH}" == "ppc64le" ]]; then
+  TRIVY_ARCH="PPC64LE"
+fi
+
+TOOL_BIN=hack/tools/bin
+mkdir -p ${TOOL_BIN}
+
+TRIVY="${TOOL_BIN}/trivy/${VERSION}/trivy"
+
+# Downloads trivy scanner
+if [ ! -f "$TRIVY" ]; then
+  curl -L -o ${TOOL_BIN}/trivy.tar.gz "https://github.com/aquasecurity/trivy/releases/download/v${VERSION}/trivy_${VERSION}_${TRIVY_OS}-${TRIVY_ARCH}.tar.gz"
+  mkdir -p "$(dirname "$0")/tools/bin/trivy/${VERSION}"
+  tar -xf "${TOOL_BIN}/trivy.tar.gz" -C "${TOOL_BIN}/trivy/${VERSION}" trivy
+  chmod +x "${TOOL_BIN}/trivy/${VERSION}/trivy"
+  rm "${TOOL_BIN}/trivy.tar.gz"
+fi

hack/tools/Makefile

@@ -126,10 +126,6 @@ GOVULNCHECK := $(BIN_DIR)/govulncheck
 $(GOVULNCHECK): $(BIN_DIR) go.mod go.sum ## Build a local copy of govulncheck.
 	go build -tags=capibmtools -o $@ golang.org/x/vuln/cmd/govulncheck
 
-TRIVY := $(BIN_DIR)/trivy
-$(TRIVY): $(BIN_DIR) go.mod go.sum ## Build a local copy of trivy.
-	go build -tags=capibmtools -o $@ github.com/aquasecurity/trivy/cmd/trivy
-
 RELEASE_NOTES := $(BIN_DIR)/release-notes
 $(RELEASE_NOTES): $(BIN_DIR) go.mod go.sum ## Build a local copy of release-notes.
 	go build -tags=capibmtools -o $@ k8s.io/release/cmd/release-notes