Cache trivy (#2910)

* Cache trivy

Fixes https://github.com/kairos-io/kairos/issues/2904

Signed-off-by: Dimitris Karakasilis <dimitris@karakasilis.me>

* Cache trivy in more pipelines

Signed-off-by: Dimitris Karakasilis <dimitris@karakasilis.me>

* Populate trivy cache

Signed-off-by: Dimitris Karakasilis <dimitris@karakasilis.me>

* Create the trivy cache dir if it wasn't created

because if there is no cache to restore, the directory doesn't get
created

Signed-off-by: Dimitris Karakasilis <dimitris@karakasilis.me>

* Try to gate all jobs with trivy cache job

to avoid failing later. Also, since the jobs run in parallel, they could all
start populating the cache at the same time, which would result in multiple
concurrent requests for the trivy database and make the caching mechanism
useless. Populating it once, before everything else runs, should solve this.

Signed-off-by: Dimitris Karakasilis <dimitris@karakasilis.me>

---------

Signed-off-by: Dimitris Karakasilis <dimitris@karakasilis.me>
Dimitris Karakasilis 2024-10-03 10:03:24 +03:00 committed by GitHub
parent f55def8ba7
commit 7cf21770e6
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
8 changed files with 188 additions and 12 deletions


@ -12,9 +12,31 @@ env:
FORCE_COLOR: 1 FORCE_COLOR: 1
EARTHLY_TOKEN: ${{ secrets.EARTHLY_TOKEN }} EARTHLY_TOKEN: ${{ secrets.EARTHLY_TOKEN }}
jobs: jobs:
# Populate the trivy cache once for all later jobs to use
trivy-cache:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4
with:
fetch-depth: 0
- name: Install earthly
uses: Luet-lab/luet-install-action@cec77490c3f2416d7d07a47cfab04d448641d7ce # v1.1
with:
repository: quay.io/kairos/packages
packages: utils/earthly
- name: Restore trivy cache
uses: yogeshlonkar/trivy-cache-action@v0
with:
gh-token: ${{ secrets.GITHUB_TOKEN }}
- name: Populate trivy Cache
run: |
[ ! -d ".trivy" ] && mkdir -p ".trivy"
earthly +trivy-download-db --DIR .trivy
core-ubuntu-22-lts: core-ubuntu-22-lts:
uses: ./.github/workflows/reusable-build-flavor.yaml uses: ./.github/workflows/reusable-build-flavor.yaml
secrets: inherit secrets: inherit
needs:
- trivy-cache
permissions: permissions:
contents: write contents: write
security-events: write security-events: write
@ -42,6 +64,8 @@ jobs:
core-ubuntu-24-lts: core-ubuntu-24-lts:
uses: ./.github/workflows/reusable-build-flavor.yaml uses: ./.github/workflows/reusable-build-flavor.yaml
secrets: inherit secrets: inherit
needs:
- trivy-cache
permissions: permissions:
contents: write contents: write
security-events: write security-events: write
@ -69,6 +93,8 @@ jobs:
core-alpine: core-alpine:
uses: ./.github/workflows/reusable-build-flavor.yaml uses: ./.github/workflows/reusable-build-flavor.yaml
secrets: inherit secrets: inherit
needs:
- trivy-cache
permissions: permissions:
contents: write contents: write
security-events: write security-events: write
@ -96,6 +122,8 @@ jobs:
standard: standard:
uses: ./.github/workflows/reusable-build-provider.yaml uses: ./.github/workflows/reusable-build-provider.yaml
secrets: inherit secrets: inherit
needs:
- trivy-cache
permissions: permissions:
id-token: write # OIDC support id-token: write # OIDC support
contents: write contents: write
@ -128,6 +156,7 @@ jobs:
flavor_release: "24.04" flavor_release: "24.04"
secureboot: false secureboot: false
needs: needs:
- trivy-cache
- core-ubuntu-24-lts - core-ubuntu-24-lts
install-target: install-target:
@ -138,6 +167,7 @@ jobs:
flavor_release: "24.04" flavor_release: "24.04"
secureboot: false secureboot: false
needs: needs:
- trivy-cache
- core-ubuntu-24-lts - core-ubuntu-24-lts
install-secureboot: install-secureboot:
@ -148,6 +178,7 @@ jobs:
flavor_release: "24.04" flavor_release: "24.04"
secureboot: true secureboot: true
needs: needs:
- trivy-cache
- core-ubuntu-24-lts - core-ubuntu-24-lts
install-alpine: install-alpine:
@ -157,6 +188,7 @@ jobs:
flavor: alpine flavor: alpine
flavor_release: "3.19" flavor_release: "3.19"
needs: needs:
- trivy-cache
- core-alpine - core-alpine
zfs: zfs:
@ -166,6 +198,7 @@ jobs:
flavor: ubuntu flavor: ubuntu
flavor_release: "22.04" flavor_release: "22.04"
needs: needs:
- trivy-cache
- core-ubuntu-22-lts - core-ubuntu-22-lts
acceptance: acceptance:
@ -175,6 +208,7 @@ jobs:
flavor: ubuntu flavor: ubuntu
flavor_release: "24.04" flavor_release: "24.04"
needs: needs:
- trivy-cache
- core-ubuntu-24-lts - core-ubuntu-24-lts
acceptance-alpine: acceptance-alpine:
@ -184,6 +218,7 @@ jobs:
flavor: alpine flavor: alpine
flavor_release: "3.19" flavor_release: "3.19"
needs: needs:
- trivy-cache
- core-alpine - core-alpine
bundles: bundles:
@ -193,6 +228,7 @@ jobs:
flavor: ubuntu flavor: ubuntu
flavor_release: "24.04" flavor_release: "24.04"
needs: needs:
- trivy-cache
- core-ubuntu-24-lts - core-ubuntu-24-lts
reset: reset:
@ -202,6 +238,7 @@ jobs:
flavor: ubuntu flavor: ubuntu
flavor_release: "24.04" flavor_release: "24.04"
needs: needs:
- trivy-cache
- core-ubuntu-24-lts - core-ubuntu-24-lts
reset-alpine: reset-alpine:
@ -211,6 +248,7 @@ jobs:
flavor: alpine flavor: alpine
flavor_release: "3.19" flavor_release: "3.19"
needs: needs:
- trivy-cache
- core-alpine - core-alpine
netboot: netboot:
@ -224,6 +262,7 @@ jobs:
model: generic model: generic
variant: core variant: core
needs: needs:
- trivy-cache
- core-ubuntu-24-lts - core-ubuntu-24-lts
netboot-alpine: netboot-alpine:
@ -237,6 +276,7 @@ jobs:
model: generic model: generic
variant: core variant: core
needs: needs:
- trivy-cache
- core-alpine - core-alpine
upgrade: upgrade:
@ -246,6 +286,7 @@ jobs:
flavor: ubuntu flavor: ubuntu
flavor_release: "24.04" flavor_release: "24.04"
needs: needs:
- trivy-cache
- core-ubuntu-24-lts - core-ubuntu-24-lts
upgrade-alpine: upgrade-alpine:
@ -255,6 +296,7 @@ jobs:
flavor: alpine flavor: alpine
flavor_release: "3.19" flavor_release: "3.19"
needs: needs:
- trivy-cache
- core-alpine - core-alpine
upgrade-latest: upgrade-latest:
@ -266,6 +308,7 @@ jobs:
family: "ubuntu" family: "ubuntu"
# release_matcher: "23.10" # introduced so tests can be green while we wait for the kairos release with the latest flavor release # release_matcher: "23.10" # introduced so tests can be green while we wait for the kairos release with the latest flavor release
needs: needs:
- trivy-cache
- core-ubuntu-24-lts - core-ubuntu-24-lts
# enable once the first alpine only release is out as it currently cannot find the latest alpine release properly # enable once the first alpine only release is out as it currently cannot find the latest alpine release properly
@ -275,6 +318,7 @@ jobs:
# flavor: alpine # flavor: alpine
# flavor_release: "3.19" # flavor_release: "3.19"
# needs: # needs:
# - trivy-cache
# - core-alpine # - core-alpine
custom-partitioning: custom-partitioning:
@ -299,6 +343,7 @@ jobs:
flavor: ${{ matrix.flavor }} flavor: ${{ matrix.flavor }}
flavor_release: ${{ matrix.flavorRelease }} flavor_release: ${{ matrix.flavorRelease }}
needs: needs:
- trivy-cache
- core-ubuntu-24-lts - core-ubuntu-24-lts
strategy: strategy:
fail-fast: true fail-fast: true
@ -315,6 +360,7 @@ jobs:
flavor_release: "24.04" flavor_release: "24.04"
label: ${{ matrix.label }} label: ${{ matrix.label }}
needs: needs:
- trivy-cache
- core-ubuntu-24-lts - core-ubuntu-24-lts
strategy: strategy:
fail-fast: true fail-fast: true
@ -334,6 +380,7 @@ jobs:
flavor_release: "3.19" flavor_release: "3.19"
label: ${{ matrix.label }} label: ${{ matrix.label }}
needs: needs:
- trivy-cache
- core-alpine - core-alpine
strategy: strategy:
fail-fast: true fail-fast: true
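Review bot: The new `trivy-cache` job pins `yogeshlonkar/trivy-cache-action@v0` (L63) to a mutable major tag, while the neighbouring `actions/checkout` and `luet-install-action` steps in the same job are pinned to full commit SHAs (L54, L58); this third-party action is handed `secrets.GITHUB_TOKEN` (L65) and is reused by the build workflows that run with inherited secrets, so a retargeted tag would execute arbitrary code with that token. Pin it the same way, `uses: yogeshlonkar/trivy-cache-action@<full-commit-sha> # v0`, and let the existing dependency bot bump the SHA. Separately, the guard in `[ ! -d ".trivy" ] && mkdir -p ".trivy"` (L68) is redundant with `mkdir -p`, and if the line ever becomes the last command of the step it will fail the step under GitHub's default `bash -e` shell whenever the directory already exists; `mkdir -p .trivy` alone is idempotent.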


@ -77,6 +77,27 @@ jobs:
# end of optional handling for multi line json # end of optional handling for multi line json
echo "::set-output name=matrix::{\"include\": $content }" echo "::set-output name=matrix::{\"include\": $content }"
# Populate the trivy cache once for all later jobs to use
trivy-cache:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4
with:
fetch-depth: 0
- name: Install earthly
uses: Luet-lab/luet-install-action@cec77490c3f2416d7d07a47cfab04d448641d7ce # v1.1
with:
repository: quay.io/kairos/packages
packages: utils/earthly
- name: Restore trivy cache
uses: yogeshlonkar/trivy-cache-action@v0
with:
gh-token: ${{ secrets.GITHUB_TOKEN }}
- name: Populate trivy Cache
run: |
[ ! -d ".trivy" ] && mkdir -p ".trivy"
earthly +trivy-download-db --DIR .trivy
build-nvidia-base: build-nvidia-base:
runs-on: ARM64 runs-on: ARM64
steps: steps:
@ -173,6 +194,7 @@ jobs:
build-arm-core: build-arm-core:
runs-on: ${{ matrix.worker }} runs-on: ${{ matrix.worker }}
needs: needs:
- trivy-cache
- get-core-matrix - get-core-matrix
permissions: permissions:
id-token: write # OIDC support id-token: write # OIDC support
@ -247,10 +269,19 @@ jobs:
registry: quay.io registry: quay.io
username: ${{ secrets.QUAY_USERNAME }} username: ${{ secrets.QUAY_USERNAME }}
password: ${{ secrets.QUAY_PASSWORD }} password: ${{ secrets.QUAY_PASSWORD }}
- name: Restore trivy cache
uses: yogeshlonkar/trivy-cache-action@v0
with:
gh-token: ${{ secrets.GITHUB_TOKEN }}
- name: Populate trivy Cache
run: |
[ ! -d ".trivy" ] && mkdir -p ".trivy"
earthly +trivy-download-db --DIR .trivy
- name: Build 🔧 - name: Build 🔧
run: | run: |
earthly -P +all-arm \ earthly -P +all-arm \
-VARIANT=core \ -VARIANT=core \
--TRIVY_CACHE_DIR=.trivy \
-MODEL=${{ matrix.model }} \ -MODEL=${{ matrix.model }} \
-FLAVOR=${{ matrix.flavor }} \ -FLAVOR=${{ matrix.flavor }} \
-FLAVOR_RELEASE=${{ matrix.flavorRelease }} \ -FLAVOR_RELEASE=${{ matrix.flavorRelease }} \
@ -315,6 +346,7 @@ jobs:
build-arm-standard: build-arm-standard:
runs-on: ARM64 runs-on: ARM64
needs: needs:
- trivy-cache
- get-standard-matrix - get-standard-matrix
permissions: permissions:
id-token: write # OIDC support id-token: write # OIDC support
@ -359,10 +391,19 @@ jobs:
registry: quay.io registry: quay.io
username: ${{ secrets.QUAY_USERNAME }} username: ${{ secrets.QUAY_USERNAME }}
password: ${{ secrets.QUAY_PASSWORD }} password: ${{ secrets.QUAY_PASSWORD }}
- name: Restore trivy cache
uses: yogeshlonkar/trivy-cache-action@v0
with:
gh-token: ${{ secrets.GITHUB_TOKEN }}
- name: Populate trivy Cache
run: |
[ ! -d ".trivy" ] && mkdir -p ".trivy"
earthly +trivy-download-db --DIR .trivy
- name: Build 🔧 - name: Build 🔧
run: | run: |
earthly -P +all-arm \ earthly -P +all-arm \
-VARIANT=standard \ -VARIANT=standard \
--TRIVY_CACHE_DIR=.trivy \
-MODEL=${{ matrix.model }} \ -MODEL=${{ matrix.model }} \
-K3S_VERSION=${{ matrix.k3s_version }} \ -K3S_VERSION=${{ matrix.k3s_version }} \
-FLAVOR=${{ matrix.flavor }} \ -FLAVOR=${{ matrix.flavor }} \
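Review bot: In `build-arm-core` and `build-arm-standard` the new `Restore trivy cache` step (L282-285, L310-313) runs after the Quay login (L279-281), so a third-party action pinned only to the floating `@v0` tag — and, if it saves the cache in a post step as cache actions usually do, its post step at job end — executes while the registry credentials presumably sit in the runner's docker config and `id-token: write` (L277, L305) is granted. Move the restore/populate steps ahead of the login step, and pin the action to a full commit SHA as is done for the other actions in this file (L251, L255), so the blast radius of a compromised tag does not include the Quay credentials. The `earthly -P +all-arm` commands continue past the end of the hunk.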


@ -93,11 +93,31 @@ jobs:
# end of optional handling for multi line json # end of optional handling for multi line json
echo "::set-output name=matrix::{\"include\": $content }" echo "::set-output name=matrix::{\"include\": $content }"
# Populate the trivy cache once for all later jobs to use
trivy-cache:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4
with:
fetch-depth: 0
- name: Install earthly
uses: Luet-lab/luet-install-action@cec77490c3f2416d7d07a47cfab04d448641d7ce # v1.1
with:
repository: quay.io/kairos/packages
packages: utils/earthly
- name: Restore trivy cache
uses: yogeshlonkar/trivy-cache-action@v0
with:
gh-token: ${{ secrets.GITHUB_TOKEN }}
- name: Populate trivy Cache
run: |
[ ! -d ".trivy" ] && mkdir -p ".trivy"
earthly +trivy-download-db --DIR .trivy
build-core: build-core:
runs-on: ubuntu-latest runs-on: ubuntu-latest
needs: needs:
- get-core-matrix - trivy-cache
- get-core-matrix
permissions: permissions:
id-token: write # OIDC support id-token: write # OIDC support
contents: write contents: write
@ -161,9 +181,18 @@ jobs:
with: with:
repository: quay.io/kairos/packages repository: quay.io/kairos/packages
packages: utils/earthly packages: utils/earthly
- name: Restore trivy cache
uses: yogeshlonkar/trivy-cache-action@v0
with:
gh-token: ${{ secrets.GITHUB_TOKEN }}
- name: Populate trivy Cache
run: |
[ ! -d ".trivy" ] && mkdir -p ".trivy"
earthly +trivy-download-db --DIR .trivy
- name: Build 🔧 - name: Build 🔧
run: | run: |
earthly +all \ earthly +all \
--TRIVY_CACHE_DIR=.trivy \
--VARIANT=${{ matrix.variant }} \ --VARIANT=${{ matrix.variant }} \
--FAMILY=${{ matrix.family }} \ --FAMILY=${{ matrix.family }} \
--FLAVOR=${{ matrix.flavor }} \ --FLAVOR=${{ matrix.flavor }} \
@ -232,6 +261,7 @@ jobs:
actions: read actions: read
security-events: write security-events: write
needs: needs:
- trivy-cache
- get-uki-matrix - get-uki-matrix
strategy: strategy:
matrix: ${{ fromJson(needs.get-uki-matrix.outputs.matrix) }} matrix: ${{ fromJson(needs.get-uki-matrix.outputs.matrix) }}
@ -345,7 +375,8 @@ jobs:
build-standard: build-standard:
runs-on: ubuntu-latest runs-on: ubuntu-latest
needs: needs:
- get-standard-matrix - trivy-cache
- get-standard-matrix
permissions: permissions:
id-token: write # OIDC support id-token: write # OIDC support
contents: write contents: write
@ -407,9 +438,18 @@ jobs:
packages: utils/earthly packages: utils/earthly
- name: Login to Quay Registry - name: Login to Quay Registry
run: echo ${{ secrets.QUAY_PASSWORD }} | docker login -u ${{ secrets.QUAY_USERNAME }} --password-stdin quay.io run: echo ${{ secrets.QUAY_PASSWORD }} | docker login -u ${{ secrets.QUAY_USERNAME }} --password-stdin quay.io
- name: Restore trivy cache
uses: yogeshlonkar/trivy-cache-action@v0
with:
gh-token: ${{ secrets.GITHUB_TOKEN }}
- name: Populate trivy Cache
run: |
[ ! -d ".trivy" ] && mkdir -p ".trivy"
earthly +trivy-download-db --DIR .trivy
- name: Build 🔧 - name: Build 🔧
run: | run: |
earthly +all \ earthly +all \
--TRIVY_CACHE_DIR=.trivy \
--VARIANT=${{ matrix.variant }} \ --VARIANT=${{ matrix.variant }} \
--FAMILY=${{ matrix.family }} \ --FAMILY=${{ matrix.family }} \
--FLAVOR=${{ matrix.flavor }} \ --FLAVOR=${{ matrix.flavor }} \
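Review bot: The new `trivy-cache` job (L333-351) declares no `permissions:` block, so the `GITHUB_TOKEN` it hands to a third-party action at L347 receives the repository's default token permissions, whereas every other job in this file spells out least-privilege permissions (L357-359, L393-395). Add an explicit block — `permissions:` / `contents: read` plus whatever scope the cache action documents for its `gh-token` (probably `actions: write` if it prunes caches through the REST API; verify against the action's README) — so a compromised action in that job cannot obtain more than it needs. The same omission exists in the `trivy-cache` jobs added to the sibling workflows in this commit.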


@ -106,6 +106,14 @@ jobs:
- name: Login to earthly - name: Login to earthly
run: | run: |
earthly account login --token ${{ secrets.EARTHLY_TOKEN }} && earthly org select Kairos earthly account login --token ${{ secrets.EARTHLY_TOKEN }} && earthly org select Kairos
- name: Restore trivy cache
uses: yogeshlonkar/trivy-cache-action@v0
with:
gh-token: ${{ secrets.GITHUB_TOKEN }}
- name: Populate trivy Cache
run: |
[ ! -d ".trivy" ] && mkdir -p ".trivy"
earthly +trivy-download-db --DIR .trivy
- name: Build PR 🔧 - name: Build PR 🔧
if: ${{ github.event_name == 'pull_request' }} if: ${{ github.event_name == 'pull_request' }}
run: | run: |
@ -129,6 +137,7 @@ jobs:
run: | run: |
earthly --platform=linux/${{ inputs.arch }} +ci \ earthly --platform=linux/${{ inputs.arch }} +ci \
--SECURITY_SCANS=true \ --SECURITY_SCANS=true \
--TRIVY_CACHE_DIR=.trivy \
--VARIANT=${{ inputs.variant }} \ --VARIANT=${{ inputs.variant }} \
--FLAVOR=${{ inputs.flavor }} \ --FLAVOR=${{ inputs.flavor }} \
--FLAVOR_RELEASE=${{ inputs.flavor_release }} \ --FLAVOR_RELEASE=${{ inputs.flavor_release }} \
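Review bot: Only the non-PR build command (L435-440) gains `--TRIVY_CACHE_DIR=.trivy`; the `Build PR 🔧` step (L430-432) is cut off by the hunk, so it is not visible whether the pull-request build passes the flag as well. If it does not, the cache restored and populated at L422-429 is fetched on every pull request and then ignored, and the PR scans keep downloading the database per job — exactly the duplicated-download problem the commit message sets out to fix. Either add `--TRIVY_CACHE_DIR=.trivy \` to the PR invocation too, or guard the restore/populate steps with the same `if:` so PR runs do not pay for an unused cache. A one-line comment above L422, `# Trivy vulnerability DB, restored from the Actions cache populated by the caller's trivy-cache job`, would also document why a restore and a populate step both exist here.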


@ -90,6 +90,14 @@ jobs:
- name: Login to earthly - name: Login to earthly
run: | run: |
earthly account login --token ${{ secrets.EARTHLY_TOKEN }} && earthly org select Kairos earthly account login --token ${{ secrets.EARTHLY_TOKEN }} && earthly org select Kairos
- name: Restore trivy cache
uses: yogeshlonkar/trivy-cache-action@v0
with:
gh-token: ${{ secrets.GITHUB_TOKEN }}
- name: Populate trivy Cache
run: |
[ ! -d ".trivy" ] && mkdir -p ".trivy"
earthly +trivy-download-db --DIR .trivy
- name: Build PR 🔧 - name: Build PR 🔧
if: ${{ github.event_name == 'pull_request' }} if: ${{ github.event_name == 'pull_request' }}
run: | run: |
@ -120,6 +128,7 @@ jobs:
INIT=$([[ "${{ inputs.flavor }}" == "alpine" ]] && echo "openrc" || echo "systemd") INIT=$([[ "${{ inputs.flavor }}" == "alpine" ]] && echo "openrc" || echo "systemd")
K3S_VERSION=$(sudo luet --config framework-profile.yaml search -o json k8s/k3s | jq --arg INIT "$INIT" '.packages | map(select(.name == "k3s-" + $INIT)) | map(.version) | unique | last' | tr -d '"') K3S_VERSION=$(sudo luet --config framework-profile.yaml search -o json k8s/k3s | jq --arg INIT "$INIT" '.packages | map(select(.name == "k3s-" + $INIT)) | map(.version) | unique | last' | tr -d '"')
earthly --platform=linux/${{ inputs.arch }} +ci \ earthly --platform=linux/${{ inputs.arch }} +ci \
--TRIVY_CACHE_DIR=.trivy \
--SECURITY_SCANS=true \ --SECURITY_SCANS=true \
--VARIANT=${{ inputs.variant }} \ --VARIANT=${{ inputs.variant }} \
--FLAVOR=${{ inputs.flavor }} \ --FLAVOR=${{ inputs.flavor }} \
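Review bot: The `Populate trivy Cache` step (L452-455) reruns `earthly +trivy-download-db` in every job that invokes this reusable workflow, even though the callers now gate on a dedicated `trivy-cache` job; on a cache miss (eviction, first run on a new branch, or the restore step quietly returning nothing) every matrix job still downloads the database concurrently, and nothing in the step records whether the cache was actually hit. Consider surfacing that state before the earthly call, e.g. `[ -n "$(ls -A .trivy 2>/dev/null)" ] || echo "::warning::trivy cache miss, downloading DB in this job"`, so the situation the commit message describes as making the cache "useless" is visible in the job log rather than silent. Note also that `--TRIVY_CACHE_DIR=.trivy` is placed before `--SECURITY_SCANS=true` here (L463-464) but after it in the flavor workflow (L436-437); keeping the argument order identical across the two reusable workflows makes them easier to diff.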


@ -131,9 +131,18 @@ jobs:
- name: Login to earthly - name: Login to earthly
run: | run: |
earthly account login --token ${{ secrets.EARTHLY_TOKEN }} && earthly org select Kairos earthly account login --token ${{ secrets.EARTHLY_TOKEN }} && earthly org select Kairos
- name: Restore trivy cache
uses: yogeshlonkar/trivy-cache-action@v0
with:
gh-token: ${{ secrets.GITHUB_TOKEN }}
- name: Populate trivy Cache
run: |
[ ! -d ".trivy" ] && mkdir -p ".trivy"
earthly +trivy-download-db --DIR .trivy
- name: Build 🔧 - name: Build 🔧
run: | run: |
earthly -P +all-arm \ earthly -P +all-arm \
--TRIVY_CACHE_DIR=.trivy \
--VARIANT=core \ --VARIANT=core \
--MODEL=${{ inputs.model }} \ --MODEL=${{ inputs.model }} \
--FLAVOR=${{ inputs.flavor }} \ --FLAVOR=${{ inputs.flavor }} \

1
.gitignore vendored

@ -5,6 +5,7 @@
/kairos /kairos
/dist /dist
/build /build
/trivy-cache
coverage.out coverage.out
.DS_Store .DS_Store
internal/webui/public/cypress/videos/ internal/webui/public/cypress/videos/


@ -37,10 +37,12 @@ all:
ARG --required MODEL ARG --required MODEL
ARG --required BASE_IMAGE # BASE_IMAGE is the image to apply the strategy (aka FLAVOR) on. E.g. ubuntu:20.04 ARG --required BASE_IMAGE # BASE_IMAGE is the image to apply the strategy (aka FLAVOR) on. E.g. ubuntu:20.04
ARG TRIVY_CACHE_DIR
BUILD +base-image BUILD +base-image
IF [ "$SECURITY_SCANS" = "true" ] IF [ "$SECURITY_SCANS" = "true" ]
BUILD +image-sbom BUILD +image-sbom
BUILD +trivy-scan BUILD +trivy-scan --CACHEDIR=$TRIVY_CACHE_DIR
BUILD +grype-scan BUILD +grype-scan
END END
BUILD +iso BUILD +iso
@ -59,10 +61,12 @@ ci:
ARG --required VARIANT ARG --required VARIANT
ARG --required FAMILY ARG --required FAMILY
ARG TRIVY_CACHE_DIR
BUILD +base-image BUILD +base-image
IF [ "$SECURITY_SCANS" = "true" ] IF [ "$SECURITY_SCANS" = "true" ]
BUILD +image-sbom BUILD +image-sbom
BUILD +trivy-scan BUILD +trivy-scan --CACHEDIR=$TRIVY_CACHE_DIR
BUILD +grype-scan BUILD +grype-scan
END END
BUILD +iso BUILD +iso
@ -77,11 +81,12 @@ all-arm:
ARG COMPRESS_IMG=true ARG COMPRESS_IMG=true
ARG SECURITY_SCANS=true ARG SECURITY_SCANS=true
ARG TRIVY_CACHE_DIR
BUILD --platform=linux/arm64 +base-image BUILD --platform=linux/arm64 +base-image
IF [ "$SECURITY_SCANS" = "true" ] IF [ "$SECURITY_SCANS" = "true" ]
BUILD --platform=linux/arm64 +image-sbom BUILD --platform=linux/arm64 +image-sbom
BUILD --platform=linux/arm64 +trivy-scan BUILD --platform=linux/arm64 +trivy-scan --CACHEDIR=$TRIVY_CACHE_DIR
BUILD --platform=linux/arm64 +grype-scan BUILD --platform=linux/arm64 +grype-scan
END END
@ -762,30 +767,45 @@ datasource-iso:
RUN mkisofs -output ci.iso -volid cidata -joliet -rock user-data meta-data RUN mkisofs -output ci.iso -volid cidata -joliet -rock user-data meta-data
SAVE ARTIFACT /build/ci.iso iso.iso AS LOCAL build/datasource.iso SAVE ARTIFACT /build/ci.iso iso.iso AS LOCAL build/datasource.iso
### trivy-download-db:
### Security target scan ARG TRIVY_VERSION
### ARG DIR=trivy-cache
FROM aquasec/trivy:$TRIVY_VERSION
COPY $DIR /trivy-cache
RUN /usr/local/bin/trivy --cache-dir /trivy-cache fs --download-db-only
SAVE ARTIFACT /trivy-cache AS LOCAL $DIR
trivy: trivy:
ARG TRIVY_VERSION ARG TRIVY_VERSION
FROM aquasec/trivy:$TRIVY_VERSION FROM aquasec/trivy:$TRIVY_VERSION
SAVE ARTIFACT /contrib contrib SAVE ARTIFACT /contrib contrib
SAVE ARTIFACT /usr/local/bin/trivy /trivy SAVE ARTIFACT /usr/local/bin/trivy /trivy
###
### Security target scan
###
trivy-scan: trivy-scan:
ARG TARGETARCH ARG TARGETARCH
ARG CACHEDIR
# Use base-image so it can read original os-release file # Use base-image so it can read original os-release file
FROM +base-image FROM +base-image
ARG ISO_NAME=$(cat /etc/os-release | grep 'KAIROS_ARTIFACT' | sed 's/KAIROS_ARTIFACT=\"//' | sed 's/\"//') ARG ISO_NAME=$(cat /etc/os-release | grep 'KAIROS_ARTIFACT' | sed 's/KAIROS_ARTIFACT=\"//' | sed 's/\"//')
ENV TRIVY_CACHE=/trivy-cache
IF [ -n "$CACHEDIR" ]
COPY $CACHEDIR $TRIVY_CACHE
END
COPY +trivy/trivy /trivy COPY +trivy/trivy /trivy
COPY +trivy/contrib /contrib COPY +trivy/contrib /contrib
WORKDIR /build WORKDIR /build
RUN /trivy filesystem --skip-dirs /tmp --timeout 30m --format sarif -o report.sarif --no-progress / RUN /trivy --cache-dir "${TRIVY_CACHE}" filesystem --skip-dirs /tmp --timeout 30m --format sarif -o report.sarif --no-progress /
RUN /trivy filesystem --skip-dirs /tmp --timeout 30m --format template --template "@/contrib/html.tpl" -o report.html --no-progress / RUN /trivy --cache-dir "${TRIVY_CACHE}" filesystem --skip-dirs /tmp --timeout 30m --format template --template "@/contrib/html.tpl" -o report.html --no-progress /
RUN /trivy filesystem --skip-dirs /tmp --timeout 30m -f json -o results.json --no-progress / RUN /trivy --cache-dir "${TRIVY_CACHE}" filesystem --skip-dirs /tmp --timeout 30m -f json -o results.json --no-progress /
SAVE ARTIFACT /build/report.sarif report.sarif AS LOCAL build/${ISO_NAME}-trivy.sarif SAVE ARTIFACT /build/report.sarif report.sarif AS LOCAL build/${ISO_NAME}-trivy.sarif
SAVE ARTIFACT /build/report.html report.html AS LOCAL build/${ISO_NAME}-trivy.html SAVE ARTIFACT /build/report.html report.html AS LOCAL build/${ISO_NAME}-trivy.html
SAVE ARTIFACT /build/results.json results.json AS LOCAL build/${ISO_NAME}-trivy.json SAVE ARTIFACT /build/results.json results.json AS LOCAL build/${ISO_NAME}-trivy.json
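Review bot: In the new `trivy-download-db` target (L540-546) the `RUN /usr/local/bin/trivy --cache-dir /trivy-cache fs --download-db-only` step has network-dependent output but ordinary Earthly `RUN` caching, so whenever its inputs — the `aquasec/trivy:$TRIVY_VERSION` image and the `COPY $DIR` contents — are unchanged, a persistent BuildKit cache (the self-hosted ARM64 runners, or the Earthly org selected at L421/L447/L473 if it provides a remote cache) can replay the cached layer and return a stale vulnerability database instead of fetching updates, which then silently flows into the SARIF reports uploaded with `security-events: write`. Mark the step `RUN --no-cache /usr/local/bin/trivy --cache-dir /trivy-cache fs --download-db-only` (or key it on the current date) so the download always runs while the image pull still benefits from the cache. A header comment on the target would also help, e.g. `# Refresh the trivy vulnerability DB into $DIR so +trivy-scan can consume it via --CACHEDIR instead of downloading it once per scan`.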