From 7faf8453995b7ead6f69e133169d64800d04ba15 Mon Sep 17 00:00:00 2001 From: "tao.yang" Date: Wed, 13 Nov 2024 21:29:09 +0800 Subject: [PATCH] Fix TOOMANYREQUESTS failure in Trivy Action Signed-off-by: tao.yang --- .github/workflows/build-image-ci.yaml | 4 +-- .github/workflows/trivy-scan-image.yaml | 38 ++++++++++++------------- Makefile | 1 - 3 files changed, 20 insertions(+), 23 deletions(-) diff --git a/.github/workflows/build-image-ci.yaml b/.github/workflows/build-image-ci.yaml index a5720c4823..a3424011c9 100644 --- a/.github/workflows/build-image-ci.yaml +++ b/.github/workflows/build-image-ci.yaml @@ -182,7 +182,7 @@ jobs: # docker cache after the workflow "Image CI Cache Cleaner" was terminated. push: ${{ env.push }} platforms: linux/amd64 - outputs: type=tar,dest=/tmp/${{ matrix.name }}-race.tar + outputs: type=docker,dest=/tmp/${{ matrix.name }}-race.tar github-token: ${{ secrets.WELAN_PAT }} tags: | ${{ env.ONLINE_REGISTER }}/${{ github.repository }}/${{ matrix.name }}-ci:${{ env.tag }}-race @@ -231,7 +231,7 @@ jobs: push: ${{ env.push }} platforms: linux/amd64 github-token: ${{ secrets.WELAN_PAT }} - outputs: type=tar,dest=/tmp/${{ matrix.name }}-race.tar + outputs: type=docker,dest=/tmp/${{ matrix.name }}-race.tar tags: | ${{ env.ONLINE_REGISTER }}/${{ github.repository }}/${{ matrix.name }}-ci:${{ env.tag }}-race build-args: | diff --git a/.github/workflows/trivy-scan-image.yaml b/.github/workflows/trivy-scan-image.yaml index 19e9bbdd7f..659a3183b5 100644 --- a/.github/workflows/trivy-scan-image.yaml +++ b/.github/workflows/trivy-scan-image.yaml @@ -34,25 +34,23 @@ jobs: with: name: image-tar-spiderpool-controller path: test/.download + + - name: List downloaded files + run: ls -al test/.download - - name: Load And Scan Images - run: | - TAR_FILES=` ls test/.download ` - echo $TAR_FILES - for ITEM in $TAR_FILES ; do - IMAGE_NAME=${ITEM%*.tar} - echo ${IMAGE_NAME} - cat test/.download/${ITEM} | docker import - ${IMAGE_NAME}:${{ inputs.image_tag }} - echo "---------trivy checkout image ${IMAGE_NAME}:${{ inputs.image_tag }} --------------------" - make lint_image_trivy -e IMAGE_NAME=${IMAGE_NAME}:${{ inputs.image_tag }} \ - || { echo "RUN_IMAGE_TRIVY_FAIL=true" >> $GITHUB_ENV ; echo "error, image ${IMAGE_NAME}:${{ inputs.image_tag }} is bad" ; } - done + # https://github.com/aquasecurity/trivy-action/issues/389 + - name: load and scan spiderpool-agent image + uses: aquasecurity/trivy-action@0.28.0 + env: + TRIVY_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-db,ghcr.io/aquasecurity/trivy-db + with: + input: test/.download/spiderpool-agent-race.tar + severity: 'CRITICAL,HIGH' - - name: Show Trivy Scan Report - run: | - if [ "${{ env.RUN_IMAGE_TRIVY_FAIL }}" == "true" ] ; then - echo "error, image is not secure, see detail on Step 'Load And Scan Images' " - exit 1 - else - exit 0 - fi + - name: load and scan spiderpool-controller image + uses: aquasecurity/trivy-action@0.28.0 + env: + TRIVY_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-db,ghcr.io/aquasecurity/trivy-db + with: + input: test/.download/spiderpool-controller-race.tar + severity: 'CRITICAL,HIGH' diff --git a/Makefile b/Makefile index 7677890d70..2d80b2e872 100644 --- a/Makefile +++ b/Makefile @@ -501,4 +501,3 @@ lint_chart_trivy: .PHONY: build-chart build-chart: @ cd charts ; make -