Fix

Signed-off-by: v.oleynikov <vasily.oleynikov@flant.com>
deckhouse · Aug 19, 2024 · 512ee38 · 512ee38
1 parent e9ed86f
commit 512ee38
Show file tree

Hide file tree

Showing 3 changed files with 37 additions and 1 deletion.
diff --git a/.github/workflows/trivy_check.yaml b/.github/workflows/trivy_check.yaml
@@ -0,0 +1,31 @@
+name: Trivy check for sub repos
+
+on:
+  pull_request:
+  push:
+    branches:
+      - main
+
+jobs:
+  test:
+    name: Trivy check for sub repos
+    runs-on: [self-hosted, regular]
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v2
+
+      - name: Prepare sub repo
+        run: |
+          git clone --depth 1 --branch v3.7.2 ${{ secrets.SOURCE_REPO }}/ceph/ceph-csi.git ./ceph-csi
+#          cp -R ./images/csi-ceph/patches ./ceph-csi
+#          cd ./ceph-csi
+#          for patchfile in ./patches/*.patch ; do echo -n "Apply ${patchfile} ... "; git apply ${patchfile}; done
+#          cd ..
+
+      - name: Run Trivy vulnerability scanner in fs mode
+        uses: aquasecurity/trivy-action@master
+        with:
+          scan-type: 'fs'
+          scan-ref: '.'
+          trivy-config: trivy.yaml
diff --git a/images/csi-ceph/werf.inc.yaml b/images/csi-ceph/werf.inc.yaml
@@ -1,3 +1,6 @@
+# While changing tag, you MUST change it in .github/workflows/trivy_check.yaml
+{{- $version := "3.7.2" }}
+
 {{- $binaries := "/cephcsi /sbin/mount.ceph /usr/bin/ceph-fuse /bin/mount /bin/umount /sbin/fsck /sbin/modprobe /bin/kmod /usr/bin/rbd /usr/bin/rbd-nbd /sbin/blkid /sbin/mkfs /sbin/mkfs.ext4 /sbin/mkfs.xfs /sbin/blockdev /sbin/dumpe2fs /usr/sbin/xfs_io /usr/sbin/xfs_growfs /sbin/resize2fs" }}
 {{- $_ := set . "BASE_ALT_DEV"    "registry.deckhouse.io/base_images/dev-alt:p10@sha256:76e6e163fa982f03468166203488b569e6d9fc10855d6a259c662706436cdcad" }}
 {{- $_ := set . "BASE_SCRATCH"    "registry.deckhouse.io/base_images/scratch@sha256:b054705fcc9f2205777d80a558d920c0b4209efdc3163c22b5bfcb5dda1db5fc" }}
@@ -11,7 +14,7 @@ shell:
   install:
     - mkdir -p /src
     - cd /src
-    - git clone --branch v3.7.2 --depth 1 {{ env "SOURCE_REPO" }}/ceph/ceph-csi.git .
+    - git clone --branch v{{ $version }} --depth 1 {{ env "SOURCE_REPO" }}/ceph/ceph-csi.git .
     - export GOPROXY={{ env "GOPROXY" }}
     - export CGO_ENABLED=1
     - make cephcsi

diff --git a/trivy.yaml b/trivy.yaml
@@ -0,0 +1,2 @@
+format: table
+exit-code: 1