From 512ee3873ecb6ca3afe5244b27d9af5e70641a9a Mon Sep 17 00:00:00 2001
From: "v.oleynikov"
Date: Mon, 19 Aug 2024 20:56:54 +0300
Subject: [PATCH] Fix

Signed-off-by: v.oleynikov
---
 .github/workflows/trivy_check.yaml | 31 ++++++++++++++++++++++++++++++
 images/csi-ceph/werf.inc.yaml | 5 ++++-
 trivy.yaml | 2 ++
 3 files changed, 37 insertions(+), 1 deletion(-)
 create mode 100644 .github/workflows/trivy_check.yaml
 create mode 100644 trivy.yaml

diff --git a/.github/workflows/trivy_check.yaml b/.github/workflows/trivy_check.yaml
new file mode 100644
index 0000000..77c0e5d
--- /dev/null
+++ b/.github/workflows/trivy_check.yaml
@@ -0,0 +1,31 @@
+name: Trivy check for sub repos
+
+on:
+ pull_request:
+ push:
+ branches:
+ - main
+
+jobs:
+ test:
+ name: Trivy check for sub repos
+ runs-on: [self-hosted, regular]
+
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v2
+
+ - name: Prepare sub repo
+ run: |
+ git clone --depth 1 --branch v3.7.2 ${{ secrets.SOURCE_REPO }}/ceph/ceph-csi.git ./ceph-csi
+# cp -R ./images/csi-ceph/patches ./ceph-csi
+# cd ./ceph-csi
+# for patchfile in ./patches/*.patch ; do echo -n "Apply ${patchfile} ... "; git apply ${patchfile}; done
+# cd ..
+
+ - name: Run Trivy vulnerability scanner in fs mode
+ uses: aquasecurity/trivy-action@master
+ with:
+ scan-type: 'fs'
+ scan-ref: '.'
+ trivy-config: trivy.yaml
diff --git a/images/csi-ceph/werf.inc.yaml b/images/csi-ceph/werf.inc.yaml
index cc0cb57..96c8a0f 100644
--- a/images/csi-ceph/werf.inc.yaml
+++ b/images/csi-ceph/werf.inc.yaml
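Review bot: Both actions in the new workflow are referenced by mutable refs — `uses: actions/checkout@v2` and in particular `uses: aquasecurity/trivy-action@master` — so whatever lands on that branch later executes on the `self-hosted` runner with the same checkout, environment and `secrets.SOURCE_REPO` as this job; pin each to a full commit SHA with the version in a trailing comment, e.g. `uses: aquasecurity/trivy-action@<commit-sha>  # <version>` (placeholders). The workflow also declares no `permissions:` block, so the default token scope applies, while a checkout-and-scan job only needs `permissions:` / `  contents: read` at the top level. Since `pull_request` is combined with a self-hosted runner, it is worth confirming the repository does not accept pull requests from forks (those would run untrusted workflow changes on that runner, and would in any case see an empty `secrets.SOURCE_REPO` and fail the clone). The hard-coded `v3.7.2` in the clone line duplicates `$version` from images/csi-ceph/werf.inc.yaml and the werf comment relies on a manual reminder; reading it in the step, e.g. `VERSION=$(grep -oP '\$version := "\K[^"]+' images/csi-ceph/werf.inc.yaml)`, removes the drift. With the patch-apply lines left commented out, Trivy scans the pristine upstream tree whereas the werf build appears to ship patched sources (the commented lines reference `images/csi-ceph/patches`), so findings may not correspond to the built image — either re-enable those lines or add a comment stating that scanning unpatched upstream is intentional.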
@@ -1,3 +1,6 @@
+# While changing tag, you MUST change it in .github/workflows/trivy_check.yaml
+{{- $version := "3.7.2" }}
+
 {{- $binaries := "/cephcsi /sbin/mount.ceph /usr/bin/ceph-fuse /bin/mount /bin/umount /sbin/fsck /sbin/modprobe /bin/kmod /usr/bin/rbd /usr/bin/rbd-nbd /sbin/blkid /sbin/mkfs /sbin/mkfs.ext4 /sbin/mkfs.xfs /sbin/blockdev /sbin/dumpe2fs /usr/sbin/xfs_io /usr/sbin/xfs_growfs /sbin/resize2fs" }}
 {{- $_ := set . "BASE_ALT_DEV" "registry.deckhouse.io/base_images/dev-alt:p10@sha256:76e6e163fa982f03468166203488b569e6d9fc10855d6a259c662706436cdcad" }}
 {{- $_ := set . "BASE_SCRATCH" "registry.deckhouse.io/base_images/scratch@sha256:b054705fcc9f2205777d80a558d920c0b4209efdc3163c22b5bfcb5dda1db5fc" }}
@@ -11,7 +14,7 @@ shell:
 install:
 - mkdir -p /src
 - cd /src
- - git clone --branch v3.7.2 --depth 1 {{ env "SOURCE_REPO" }}/ceph/ceph-csi.git .
+ - git clone --branch v{{ $version }} --depth 1 {{ env "SOURCE_REPO" }}/ceph/ceph-csi.git .
 - export GOPROXY={{ env "GOPROXY" }}
 - export CGO_ENABLED=1
 - make cephcsi
diff --git a/trivy.yaml b/trivy.yaml
new file mode 100644
index 0000000..75925af
--- /dev/null
+++ b/trivy.yaml
@@ -0,0 +1,2 @@
+format: table
+exit-code: 1
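Review bot: `git clone --branch v{{ $version }}` in the second hunk checks out a tag, which is a mutable ref, so the build stays reproducible only as long as nobody moves `v3.7.2` in the `SOURCE_REPO` mirror and the resulting commit is never verified. If that mirror is not fully under the team's control, record the expected commit next to `$version` in the first hunk (`{{- $commit := "<commit-sha>" }}`, placeholder) and add `- test "$(git rev-parse HEAD)" = "{{ $commit }}"` right after the clone so a moved tag fails the build instead of silently changing what ships. The base images a few lines above are already digest-pinned, so this would bring the source checkout to the same standard; the `install:` list may continue past the end of the hunk.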
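Review bot: `exit-code: 1` in the new trivy.yaml, with no `severity` or `ignore-unfixed` setting, fails the workflow on every finding Trivy reports — including low-severity issues that have no fix available — so the gating policy is implicit rather than chosen. If that is intended, a one-line comment in the file saying so would help; otherwise make the threshold explicit here, e.g. `severity: HIGH,CRITICAL` and `ignore-unfixed: true`, so the policy is versioned together with the scan configuration the workflow loads via `trivy-config`.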