From 465c68b251b2801c5301d80e1ee59110c79af335 Mon Sep 17 00:00:00 2001
From: Riku Rouvila
Date: Tue, 29 Oct 2024 11:32:45 +0200
Subject: [PATCH] fix(trivy): fixes to trivy config syntax

---
 .github/workflows/build-images-from-branch.yml | 11 ++++++++++-
 trivy.yaml                                     |  7 ++++---
 2 files changed, 14 insertions(+), 4 deletions(-)

diff --git a/.github/workflows/build-images-from-branch.yml b/.github/workflows/build-images-from-branch.yml
index 23c0f11052..f9051506d0 100644
--- a/.github/workflows/build-images-from-branch.yml
+++ b/.github/workflows/build-images-from-branch.yml
@@ -33,12 +33,20 @@ jobs:
           ref: '${{ github.event.inputs.branch_name }}'
 
       - uses: actions/checkout@v4
-        if: github.event_name == 'push' || github.event_name == 'pull_request'
+        if: github.event_name == 'push'
+        with:
+          ref: ${{ github.event.pull_request.head.sha }}
+
+      - uses: actions/checkout@v4
+        if: github.event_name == 'pull_request'
+        with:
+          ref: ${{ github.event.pull_request.head.sha }}
 
       - name: Set version and branch
         id: set-version-and-branch
         run: |
           export VERSION=`git log -1 --pretty=format:%h`
+          echo "Pushing version $VERSION"
           echo "version=$VERSION" >> $GITHUB_OUTPUT
           if [ "${{ github.event_name }}" == 'push' ]; then
             BRANCH=${GITHUB_HEAD_REF:-${GITHUB_REF#refs/heads/}}
@@ -48,6 +56,7 @@ jobs:
             BRANCH=${{ inputs.branch_name }}
           fi
           ESCAPED_BRANCH=$(echo $BRANCH | sed 's/[^a-zA-Z0-9_.-]/-/g')
+          echo "from branch $BRANCH"
           echo "branch=$ESCAPED_BRANCH" >> $GITHUB_OUTPUT
 
       - name: Get list of services
diff --git a/trivy.yaml b/trivy.yaml
index a8a931e1fb..595244a472 100644
--- a/trivy.yaml
+++ b/trivy.yaml
@@ -20,6 +20,8 @@ scan:
     - sequence-diagrams
     - usr/local/share/.cache/yarn/v6/
     - home/node/.cache/yarn/v6
+  skip-files:
+    - '**/*.dockerignore'
   scanners:
     - vuln
     - misconfig
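Review bot: The new `push` checkout step passes `ref: ${{ github.event.pull_request.head.sha }}`, but `github.event.pull_request` is not populated on push events, so the expression expands to an empty string and the step presumably falls back to the event's own ref — the explicit `with:` adds nothing and suggests a difference between the two steps that does not exist. Either drop the `with:` block from the push step or write `ref: ${{ github.sha }}`; alternatively keep the single conditional step the commit removed and give it `ref: ${{ github.event.pull_request.head.sha || github.sha }}`. For consistency with `ref: '${{ github.event.inputs.branch_name }}'` a few lines above, quote the new `ref:` values as well. The `run: |` block of the set-version-and-branch step continues past the end of this hunk.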
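Review bot: The new `echo "from branch $BRANCH"` prints a value that two lines above is assigned by `BRANCH=${{ inputs.branch_name }}`, a workflow expression substituted into the shell script before it runs, so a branch name containing shell metacharacters is executed as script rather than handled as data; the `sed` sanitisation only runs after that assignment and does not protect it. This is pre-existing context rather than part of the change, but since the commit edits the same lines the usual hardening is cheap: add `env: BRANCH_NAME: ${{ inputs.branch_name }}` to the step and change the assignment to `BRANCH="$BRANCH_NAME"`. The step's `env:` key would sit next to `run:`, outside this hunk.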
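Review bot: The new `skip-files` entry excludes every `*.dockerignore` from scanning without recording why, and unexplained exclusions in a scanner configuration tend to outlive their cause or get widened by the next edit. Add a comment above the entry, e.g. `# <reason for the exclusion — placeholder>`, naming the finding or scanner behaviour that motivated it. The `scan:` mapping starts above the hunk and its `skip-dirs` list is only partially shown.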
@@ -28,8 +30,7 @@ vulnerability:
   ignore-unfixed: true
 db:
   repository: 'ghcr.io/opencrvs/trivy-db'
-java:
-  db:
-    repository: 'ghcr.io/opencrvs/trivy-java-db'
+  java-repository: 'ghcr.io/opencrvs/trivy-java-db'
+
 policies-bundle:
   repository: 'ghcr.io/opencrvs/trivy-checks'
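Review bot: Moving the Java DB mirror to `db.java-repository` matches Trivy's documented config layout, but the neighbouring `policies-bundle.repository` block (unchanged context) is not a key I can place in that layout, where the checks bundle is configured under `misconfiguration.checks-bundle-repository` (older releases: `misconfiguration.policy-bundle-repository`). If, as I believe, unrecognised keys are ignored rather than rejected, the scanner would silently pull checks from the default upstream bundle instead of `ghcr.io/opencrvs/trivy-checks`, which defeats the point of mirroring it. Verify the key against the config reference for the Trivy version pinned in CI and rename it if it is not recognised, ideally in this same "config syntax" fix.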