From 2646a61ba5db87741bb6613e2705e1eb113fc153 Mon Sep 17 00:00:00 2001
From: Adam Connelly
Date: Tue, 22 Oct 2024 15:52:43 +0100
Subject: [PATCH] ci: add Trivy fallback DB repositories and fix failing Azure builds

* ci: add Trivy fallback DB repositories

Just adding these now to try to avoid people hitting the Trivy rate limiting issues later.

* ci: use latest Alpine Azure CLI image

Our Azure CLI versions of the runner image are failing to build currently. It looks like the problem is that Microsoft switched from Alpine to cbl-mariner after v2.63.0. For now I'm pinning to that version since our build process expects Alpine.
---
 .github/workflows/trivy.yml | 4 +++-
 docker-bake.hcl             | 3 +--
 2 files changed, 4 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/trivy.yml b/.github/workflows/trivy.yml
index 9558f72..d12b07f 100644
--- a/.github/workflows/trivy.yml
+++ b/.github/workflows/trivy.yml
@@ -46,13 +46,15 @@ jobs:
           ${{ matrix.target }}.platform=${{ matrix.platform }}
 
       - name: Run Trivy vulnerability scanner
-        uses: aquasecurity/trivy-action@master
+        uses: aquasecurity/trivy-action@0.27.0
         with:
           image-ref: ${{ env.IMAGE_TAG }}
           format: "sarif"
           output: "trivy-results.sarif"
           severity: "CRITICAL,HIGH"
           timeout: "10m"
+        env:
+          TRIVY_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-db,public.ecr.aws/aquasecurity/trivy-db
 
       - name: Upload Trivy scan results to GitHub Security tab
         uses: github/codeql-action/upload-sarif@v3
diff --git a/docker-bake.hcl b/docker-bake.hcl
index 563d470..0c7902d 100644
--- a/docker-bake.hcl
+++ b/docker-bake.hcl
@@ -13,6 +13,5 @@ target "gcp" {
 target "azure" {
   target    = "azure"
   platforms = ["linux/amd64", "linux/arm64"]
-  args = {"BASE_IMAGE": "mcr.microsoft.com/azure-cli:latest"}
+  args = {"BASE_IMAGE": "mcr.microsoft.com/azure-cli:2.63.0"}
 }
-
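Review bot: The new `uses: aquasecurity/trivy-action@0.27.0` moves off `master`, which is an improvement, but a release tag is still a mutable git ref that the upstream owner (or anyone who compromises that repository) can re-point, so the scanner step that produces the SARIF consumed by the Security tab is not yet supply-chain pinned; the hardened form is the full commit SHA with the version kept as a comment, e.g. `uses: aquasecurity/trivy-action@<commit-sha-of-0.27.0> # 0.27.0`, and the same applies to the unchanged `github/codeql-action/upload-sarif@v3` two lines below. The comma-separated `TRIVY_DB_REPOSITORY` value only behaves as a fallback list on Trivy releases that accept multiple repositories, so it is worth a one-line comment above the `env:` block recording which bundled Trivy version this was verified against, since a future bump of the action could silently turn the list into a single malformed reference. If the scan also pulls the Java DB, it presumably hits the same rate limiting and would want the equivalent `TRIVY_JAVA_DB_REPOSITORY` fallback; confirm against the images being scanned. The enclosing `jobs:` block starts outside the hunk.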
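Review bot: The new `"BASE_IMAGE": "mcr.microsoft.com/azure-cli:2.63.0"` line carries none of the reasoning from the commit message, so a maintainer who later sees the azure target lagging behind the others will bump it back to a cbl-mariner-based tag and reintroduce the build failure; add a comment inside the target such as `# pinned: upstream moved azure-cli to cbl-mariner after 2.63.0 and this build expects Alpine`. A fixed version tag is also still re-pushable, and the whole point of this pin is that the tag's contents matter, so consider pinning by digest as well, e.g. `"mcr.microsoft.com/azure-cli:2.63.0@sha256:<digest-placeholder>"`, with the digest taken from the registry at the time of pinning. Freezing the base image at 2.63.0 also means its OS-level CVEs will no longer be patched by upstream, so the CRITICAL/HIGH findings from the Trivy workflow in this same commit should be expected to accumulate on the azure image until the Alpine-vs-mariner question is resolved; a tracked follow-up would avoid that becoming accepted noise.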