From b756ab5019d77bba55e6f983eac465130232dfb7 Mon Sep 17 00:00:00 2001
From: "v.oleynikov"
Date: Mon, 19 Aug 2024 21:18:54 +0300
Subject: [PATCH] [CI] Add Trivy vulnerables check

Signed-off-by: v.oleynikov
---
 .github/workflows/trivy_check.yaml | 31 ++++++++++++++++++++++++
 images/agent/werf.inc.yaml | 1 +
 images/sds-utils-installer/werf.inc.yaml | 1 +
 3 files changed, 33 insertions(+)
 create mode 100644 .github/workflows/trivy_check.yaml

diff --git a/.github/workflows/trivy_check.yaml b/.github/workflows/trivy_check.yaml
new file mode 100644
index 00000000..c239f613
--- /dev/null
+++ b/.github/workflows/trivy_check.yaml
@@ -0,0 +1,31 @@
+name: Trivy check for sub repos
+
+on:
+ pull_request:
+ push:
+ branches:
+ - main
+
+jobs:
+ test:
+ name: Trivy check for sub repos
+ runs-on: [self-hosted, regular]
+
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v2
+
+ - name: Prepare sub repo
+ run: |
+ git clone --depth 1 --branch v2.39.3 ${{ secrets.SOURCE_REPO }}/util-linux/util-linux.git ./util-linux
+ git clone ${{ secrets.SOURCE_REPO }}/lvmteam/lvm2.git ./lvm2
+ cd ./lvm2
+ git checkout d786a8f820d54ce87a919e6af5426c333c173b11
+ cd ..
+
+ - name: Run Trivy vulnerability scanner in fs mode
+ uses: aquasecurity/trivy-action@master
+ with:
+ scan-type: 'fs'
+ scan-ref: '.'
+ trivy-config: trivy.yaml
diff --git a/images/agent/werf.inc.yaml b/images/agent/werf.inc.yaml
index 8e51c991..44cc859f 100644
--- a/images/agent/werf.inc.yaml
+++ b/images/agent/werf.inc.yaml
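Review bot: `uses: aquasecurity/trivy-action@master` pins the scanner to a moving branch, so the job's outcome depends on whatever that branch holds on the day it runs and any upstream change lands in this CI unreviewed; pin it to a release tag or, better, a full commit SHA with the version in a trailing comment, e.g. `uses: aquasecurity/trivy-action@<full-commit-sha>  # <release tag>`, and treat `actions/checkout@v2` (an outdated major) the same way. The workflow declares no `permissions:`, so the job token gets the repository default scope although a read-only scan needs nothing beyond `permissions: {contents: read}` at the top level. Because the trigger includes `pull_request` and the job runs on `[self-hosted, regular]`, any contributor's branch is checked out and scanned on in-house runners; if the repository accepts external PRs, confirm those runners are ephemeral or narrow the trigger. `${{ secrets.SOURCE_REPO }}` is also not populated for `pull_request` runs from forks, so in that case the clones in "Prepare sub repo" would run with an empty URL and fail before the scan starts. `trivy-config: trivy.yaml` refers to a file this commit does not add; presumably it already exists at the repository root — confirm, since it also decides whether findings fail the job.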
@@ -4,6 +4,7 @@
 {{- $_ := set . "BASE_ALT_DEV" "registry.deckhouse.ru/base_images/dev-alt:p10@sha256:76e6e163fa982f03468166203488b569e6d9fc10855d6a259c662706436cdcad" }}
 {{ $binaries := "/opt/deckhouse/sds/lib/libblkid.so.1 /opt/deckhouse/sds/lib/libmount.so.1 /opt/deckhouse/sds/lib/libsmartcols.so.1 /opt/deckhouse/sds/bin/nsenter.static /opt/deckhouse/sds/lib/x86_64-linux-gnu/libudev.so.1 /opt/deckhouse/sds/lib/x86_64-linux-gnu/libcap.so.2 ld-linux-x86-64.so.2 /opt/deckhouse/sds/bin/lsblk.dynamic" }}
+# While changing tag, you MUST change it in .github/workflows/trivy_check.yaml
 {{ $util_linux_version := "2.39.3" }}
 ---
 image: {{ $.ImageName }}-binaries-artifact
diff --git a/images/sds-utils-installer/werf.inc.yaml b/images/sds-utils-installer/werf.inc.yaml
index 9a4da987..05373db8 100644
--- a/images/sds-utils-installer/werf.inc.yaml
+++ b/images/sds-utils-installer/werf.inc.yaml
@@ -4,6 +4,7 @@
 {{- $_ := set . "BASE_ALT_DEV" "registry.deckhouse.ru/base_images/dev-alt:p10@sha256:76e6e163fa982f03468166203488b569e6d9fc10855d6a259c662706436cdcad" }}
 {{ $binaries := "/sds-utils/bin/lvm.static" }}
+# While changing tag, you MUST change it in .github/workflows/trivy_check.yaml
 {{ $lvm_version := "d786a8f820d54ce87a919e6af5426c333c173b11" }}
 ---
 image: {{ $.ImageName }}-binaries-artifact