
SRE-2505 ci: Fix Trivy scan upload to the Security tab #15201

Merged
merged 15 commits into from
Nov 5, 2024

Commits on Sep 26, 2024

  1. Limit scope of changes that are monitored by Trivy scan

    Do not start the Trivy scan if the changes are not related to dependencies.
    Run Trivy on a daily basis.
    Add a badge to follow cyclic Trivy scans.
    Enable scans on request.
    
    Doc-only: true
    
    Required-githooks: true
    
    Signed-off-by: Tomasz Gromadzki <tomasz.gromadzki@intel.com>
    grom72 committed Sep 26, 2024
    766d9e1

Commits on Oct 9, 2024

  1. Fix SPDX license header

    Doc-only: true
    
    Required-githooks: true
    
    Signed-off-by: Tomasz Gromadzki <tomasz.gromadzki@intel.com>
    grom72 committed Oct 9, 2024
    c029a80

Commits on Oct 10, 2024

  1. fix: restore unnecessary cache backend

    Doc-only: true
    
    Required-githooks: true
    
    Signed-off-by: Tomasz Gromadzki <tomasz.gromadzki@intel.com>
    grom72 committed Oct 10, 2024
    3f4c483

Commits on Oct 15, 2024

  1. Merge remote-tracking branch 'origin/master' into grom72/SRE-2505-trivy

    Doc-only: true
    
    Required-githooks: true
    
    Signed-off-by: Tomasz Gromadzki <tomasz.gromadzki@intel.com>
    grom72 committed Oct 15, 2024
    f71df83

Commits on Oct 21, 2024

  1. Fix: adjust monitored files list.

    https://aquasecurity.github.io/trivy/v0.56/docs/coverage/language/#supported-languages
    provides the full list of scanned files in the 'filesystem' scan.
    
    Keep the same condition for PR and merge trigger.
    
    Doc-only: true
    
    Required-githooks: true
    
    Signed-off-by: Tomasz Gromadzki <tomasz.gromadzki@intel.com>
    grom72 committed Oct 21, 2024
    7406a75
  2. Fix: documentation

    Doc-only: true
    
    Required-githooks: true
    
    Signed-off-by: Tomasz Gromadzki <tomasz.gromadzki@intel.com>
    grom72 committed Oct 21, 2024
    d7c35a2

Commits on Oct 22, 2024

  1. Fix: simplify triggering rules

    Required-githooks: true
    
    Signed-off-by: Tomasz Gromadzki <tomasz.gromadzki@intel.com>
    grom72 committed Oct 22, 2024
    1d52932

Commits on Oct 24, 2024

  1. SRE-2505 ci: Fix Trivy scan upload to the Security tab

    Doc-only: true
    
    Required-githooks: true
    
    Signed-off-by: Tomasz Gromadzki <tomasz.gromadzki@intel.com>
    grom72 committed Oct 24, 2024
    c4fa939

Commits on Oct 28, 2024

  1. SRE-2505 ci: Trivy scans tuning

    - Use GHA cache to avoid Trivy scan failure
    Trivy CVE database downloads fail often.
    The most promising solution is to use the cache and download the
    database once a day.
    The CVE database is cached during the daily build (`schedule`).
    The cache is not used if the `master` branch cache is not available.
    https://github.com/aquasecurity/trivy-action?tab=readme-ov-file#updating-caches-in-the-default-branch
    
    - Avoid Trivy scanners re-initialization
    https://github.com/aquasecurity/trivy-action?tab=readme-ov-file#skipping-setup-when-calling-trivy-action-multiple-times
    The latest available version of `aquasecurity/trivy-action`
    is used to be able to use the `skip-setup-trivy` parameter.
    
    Doc-only: true
    
    Required-githooks: true
    
    Signed-off-by: Tomasz Gromadzki <tomasz.gromadzki@intel.com>
    grom72 committed Oct 28, 2024
    184fabd
  2. Merge remote-tracking branch 'origin/master' into grom72/SRE-2505-trivy

    Doc-only: true
    
    Required-githooks: true
    
    Signed-off-by: Tomasz Gromadzki <tomasz.gromadzki@intel.com>
    grom72 committed Oct 28, 2024
    be4449d
  3. SRE-2505 ci: Trivy scans optimization

    - Use GHA cache to avoid Trivy scan failure
    Trivy CVE database downloads fail often.
    The most promising solution is to use the cache and download the
    database once a day.
    The CVE database is cached during the daily build (`schedule`).
    The cache is not used if the `master` branch cache is not available.
    https://github.com/aquasecurity/trivy-action?tab=readme-ov-file#updating-caches-in-the-default-branch
    
    - Avoid Trivy scanners re-initialization
    https://github.com/aquasecurity/trivy-action?tab=readme-ov-file#skipping-setup-when-calling-trivy-action-multiple-times
    The latest available version of `aquasecurity/trivy-action`
    is used to be able to use the `skip-setup-trivy` parameter.
    
    Doc-only: true
    
    Required-githooks: true
    
    Signed-off-by: Tomasz Gromadzki <tomasz.gromadzki@intel.com>
    grom72 committed Oct 28, 2024
    b68ecaa

Commits on Oct 29, 2024

  1. common: update workflow documentation

    Doc-only: true
    
    Required-githooks: true
    
    Signed-off-by: Tomasz Gromadzki <tomasz.gromadzki@intel.com>
    grom72 committed Oct 29, 2024
    827c067

Commits on Oct 30, 2024

  1. Make the solution more reliable and simpler

    Use an external caching mechanism to ensure the PR scan does not fail.
    
    Doc-only: true
    
    Required-githooks: true
    
    Signed-off-by: Tomasz Gromadzki <tomasz.gromadzki@intel.com>
    grom72 committed Oct 30, 2024
    c9e4e5c
  2. common: simplified workflow with cache enabled

    Doc-only: true
    
    Required-githooks: true
    
    Signed-off-by: Tomasz Gromadzki <tomasz.gromadzki@intel.com>
    grom72 committed Oct 30, 2024
    ecab684
  3. common: enable Trivy debug

    Doc-only: true
    
    Required-githooks: true
    
    Signed-off-by: Tomasz Gromadzki <tomasz.gromadzki@intel.com>
    grom72 committed Oct 30, 2024
    78a59e3