Skip to content
Trivy check for sub repos

Adjust webhook for handling NFSv3 #200

Sign in to view logs

Adjust webhook for handling NFSv3

Adjust webhook for handling NFSv3 #200

Workflow file for this run

.github/workflows/trivy_check.yaml at 14f3c56
name: Trivy check for sub repos
on:
pull_request:
push:
branches:
- main
jobs:
test:
name: Trivy check for sub repos
runs-on: [self-hosted, regular]
steps:
- name: Checkout repository
uses: actions/checkout@v2
- name: Check and Install Latest Trivy
run: |
mkdir -p $HOME/bin
LATEST_VERSION=$(curl -sL https://api.github.com/repos/aquasecurity/trivy/releases/latest | jq -r ".tag_name")
CLEAN_VERSION=${LATEST_VERSION#v}
INSTALL_TRIVY=true
if [[ -f "$HOME/bin/trivy" ]]; then
INSTALLED_VERSION=$("$HOME/bin/trivy" --version | grep -oE 'Version: [0-9]+\.[0-9]+\.[0-9]+' | grep -oE '[0-9]+\.[0-9]+\.[0-9]+')
if [ "$INSTALLED_VERSION" == "$CLEAN_VERSION" ]; then
echo "Trivy is already up-to-date (version $INSTALLED_VERSION)."
INSTALL_TRIVY=false
else
echo "Updating Trivy from version $INSTALLED_VERSION to $CLEAN_VERSION."
fi
else
echo "Trivy is not installed. Installing version $CLEAN_VERSION."
fi
if [ "$INSTALL_TRIVY" = true ]; then
wget https://github.com/aquasecurity/trivy/releases/download/$LATEST_VERSION/trivy_${CLEAN_VERSION}_Linux-64bit.tar.gz -O trivy.tar.gz
tar zxvf trivy.tar.gz -C $HOME/bin
fi
echo "$HOME/bin" >> $GITHUB_PATH
- name: Prepare sub repo
run: |
version=v`grep "version :=" images/csi-nfs/werf.inc.yaml | awk -F'"' '{ print $2}'`
git clone --depth 1 --branch $version ${{ secrets.SOURCE_REPO }}/kubernetes-csi/csi-driver-nfs.git ./csi-driver-nfs
cp -R ./images/csi-nfs/patches ./csi-driver-nfs
cd ./csi-driver-nfs
for patchfile in ./patches/*.patch ; do echo -n "Apply ${patchfile} ... "; git apply ${patchfile}; done
cd ..
- name: Run Trivy vulnerability scanner in fs mode
run: |
trivy fs . --quiet --config trivy.yaml