From 2fcbba977cc174df9403d7b894bb7aa75c00386c Mon Sep 17 00:00:00 2001
From: Polina Sizintseva
Date: Tue, 14 Apr 2026 21:51:54 +0300
Subject: [PATCH] chore: move cve scan v11 secrets to seguro

---
 .github/workflows/build_dev.yml | 21 ++-----
 .github/workflows/cve_scan_daily.yml | 32 ++---------
 .github/workflows/cve_scan_reusable.yml | 76 +++++++++++++++++++++++++
 3 files changed, 86 insertions(+), 43 deletions(-)
 create mode 100644 .github/workflows/cve_scan_reusable.yml

diff --git a/.github/workflows/build_dev.yml b/.github/workflows/build_dev.yml
index 87298a2..87859d1 100644
--- a/.github/workflows/build_dev.yml
+++ b/.github/workflows/build_dev.yml
@@ -172,25 +172,12 @@ jobs:
 
 cve_scan_on_pr:
 name: Trivy images check
- runs-on: [self-hosted, large]
 needs:
 - build_dev
- steps:
- - uses: actions/checkout@v4
- - uses: deckhouse/modules-actions/cve_scan@v6
- with:
- tag: ${{needs.build_dev.outputs.modules_module_tag}}
- tag_type: dev
- module_name: ${{ vars.MODULES_MODULE_NAME }}
- dd_url: ${{ vars.DEFECTDOJO_HOST }}
- dd_token: ${{ secrets.DEFECTDOJO_API_TOKEN }}
- prod_registry: ${{ vars.TRIVY_REGISTRY }}
- prod_registry_user: ${{ secrets.PROD_READ_REGISTRY_USER }}
- prod_registry_password: ${{ secrets.PROD_READ_REGISTRY_PASSWORD }}
- dev_registry: ${{ vars.DEV_REGISTRY }}
- dev_registry_user: ${{ vars.DEV_MODULES_REGISTRY_LOGIN }}
- dev_registry_password: ${{ secrets.DEV_MODULES_REGISTRY_PASSWORD }}
- deckhouse_private_repo: ${{ secrets.DECKHOUSE_PRIVATE_REPO }}
+ uses: ./.github/workflows/cve_scan_reusable.yml
+ with:
+ source_tag: ${{ needs.build_dev.outputs.modules_module_tag }}
+ external_module_name: ${{ vars.MODULES_MODULE_NAME }}
 
 e2e_tests:
 name: Run e2e tests
diff --git a/.github/workflows/cve_scan_daily.yml b/.github/workflows/cve_scan_daily.yml
index 24efa13..e95d240 100644
--- a/.github/workflows/cve_scan_daily.yml
+++ b/.github/workflows/cve_scan_daily.yml
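Review bot: The `cve_scan_on_pr` job now delegates to the reusable workflow, which requests `id-token: write` for the Vault JWT login, but the call site in this hunk sets no `permissions`, and a called workflow can only downgrade the GITHUB_TOKEN permissions it inherits from the calling job, never elevate them; unless the repository's default token permissions already include it, the Seguro import step will fail. Add to the job, next to `uses:`, `permissions:` / `  contents: read` / `  id-token: write`, and the same on `cve_scan_daily` in cve_scan_daily.yml, which has the identical gap. Since this job runs in a pull-request context, the Vault role's bound subject claims must also accept the pull_request token `sub`, which cannot be verified from the diff. The enclosing `jobs:` mapping begins and continues outside the hunk.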
@@ -19,15 +19,8 @@ on:
 - cron: "0 02 * * *"
 workflow_dispatch:
 inputs:
- tag_type:
- type: choice
- description: Tag type
- required: false
- options:
- - release
- - dev
 tag_name:
- description: "release version in semver minor format (example: 1.68) or specified tag from dev registry"
+ description: "Tag from dev registry to scan manually; defaults to main"
 required: false
 
 concurrency:
@@ -36,21 +29,8 @@ concurrency:
 jobs:
 cve_scan_daily:
 name: Trivy images check
- runs-on: [self-hosted, large]
- steps:
- - uses: actions/checkout@v4
- - uses: deckhouse/modules-actions/cve_scan@v6
- with:
- tag: ${{ github.event.inputs.tag_name || 'main' }}
- tag_type: ${{ github.event.inputs.tag_type }}
- module_name: ${{ vars.MODULES_MODULE_NAME }}
- dd_url: ${{ vars.DEFECTDOJO_HOST }}
- dd_token: ${{ secrets.DEFECTDOJO_API_TOKEN }}
- prod_registry: ${{ vars.TRIVY_REGISTRY }}
- prod_registry_user: ${{ secrets.PROD_READ_REGISTRY_USER }}
- prod_registry_password: ${{ secrets.PROD_READ_REGISTRY_PASSWORD }}
- dev_registry: ${{ vars.DEV_REGISTRY }}
- dev_registry_user: ${{ vars.DEV_MODULES_REGISTRY_LOGIN }}
- dev_registry_password: ${{ secrets.DEV_MODULES_REGISTRY_PASSWORD }}
- deckhouse_private_repo: ${{ secrets.DECKHOUSE_PRIVATE_REPO }}
- latest_releases_amount: 5
+ uses: ./.github/workflows/cve_scan_reusable.yml
+ with:
+ source_tag: ${{ github.event.inputs.tag_name || 'main' }}
+ external_module_name: ${{ vars.MODULES_MODULE_NAME }}
+ latest_releases_amount: "5"
diff --git a/.github/workflows/cve_scan_reusable.yml b/.github/workflows/cve_scan_reusable.yml
new file mode 100644
index 0000000..7b69336
--- /dev/null
+++ b/.github/workflows/cve_scan_reusable.yml
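Review bot: Removing the `tag_type` dispatch input silently drops the ability to scan a release tag from the prod registry, because the `with:` block in the second hunk never sets the reusable workflow's `release_in_dev` input and that input defaults to "true". If scanning prod release tags manually is still wanted, re-expose it as a `workflow_dispatch` input and pass `release_in_dev: ${{ github.event.inputs.release_in_dev || 'true' }}` alongside `source_tag`; if the drop is intentional, a one-line comment above `tag_name:` saying that only dev-registry tags are scanned would save the next maintainer the search. `tag_name` is free-form text from anyone allowed to dispatch the workflow and flows unchanged into the action's `source_tag`, so it relies on the action treating it as data rather than interpolating it into a shell; that cannot be confirmed from this diff. The `on:` mapping of the first hunk continues outside the hunk.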
@@ -0,0 +1,76 @@
+name: Reusable CVE scan
+
+on:
+ workflow_call:
+ inputs:
+ source_tag:
+ description: Tag to scan
+ required: true
+ type: string
+ external_module_name:
+ description: External module name
+ required: true
+ type: string
+ latest_releases_amount:
+ description: Number of latest releases to scan when action needs it
+ required: false
+ default: "5"
+ type: string
+ release_in_dev:
+ description: If true, release-like tags are searched in dev registry instead of prod
+ required: false
+ default: "true"
+ type: string
+
+jobs:
+ cve_scan:
+ name: Trivy images check
+ runs-on: [self-hosted, large]
+ permissions:
+ contents: read
+ id-token: write
+ steps:
+ - uses: actions/checkout@v4
+
+ - name: Import CVE secrets from Seguro
+ id: secrets
+ uses: hashicorp/vault-action@v2
+ with:
+ url: https://seguro.flant.com
+ path: github
+ role: operator-helm
+ method: jwt
+ jwtGithubAudience: github-access-aud
+ secrets: |
+ projects/data/24cb1d7c-717a-4f92-8547-26f632916a7a/Trivy_CVE_Scan_CI_Secrets DD_URL | DD_URL ;
+ projects/data/24cb1d7c-717a-4f92-8547-26f632916a7a/Trivy_CVE_Scan_CI_Secrets DD_TOKEN | DD_TOKEN ;
+ projects/data/24cb1d7c-717a-4f92-8547-26f632916a7a/Trivy_CVE_Scan_CI_Secrets PROD_READ_REGISTRY | PROD_READ_REGISTRY ;
+ projects/data/24cb1d7c-717a-4f92-8547-26f632916a7a/Trivy_CVE_Scan_CI_Secrets PROD_READ_REGISTRY_USER | PROD_READ_REGISTRY_USER ;
+ projects/data/24cb1d7c-717a-4f92-8547-26f632916a7a/Trivy_CVE_Scan_CI_Secrets PROD_READ_REGISTRY_PASSWORD | PROD_READ_REGISTRY_PASSWORD ;
+ projects/data/24cb1d7c-717a-4f92-8547-26f632916a7a/Trivy_CVE_Scan_CI_Secrets DECKHOUSE_DEV_REGISTRY_HOST | DECKHOUSE_DEV_REGISTRY_HOST ;
+ projects/data/24cb1d7c-717a-4f92-8547-26f632916a7a/Trivy_CVE_Scan_CI_Secrets DEV_REGISTRY_USER | DEV_REGISTRY_USER ;
+ projects/data/24cb1d7c-717a-4f92-8547-26f632916a7a/Trivy_CVE_Scan_CI_Secrets DEV_REGISTRY_PASSWORD | DEV_REGISTRY_PASSWORD ;
+ projects/data/24cb1d7c-717a-4f92-8547-26f632916a7a/Trivy_CVE_Scan_CI_Secrets DECKHOUSE_PRIVATE_REPO | DECKHOUSE_PRIVATE_REPO ;
+ projects/data/24cb1d7c-717a-4f92-8547-26f632916a7a/Trivy_CVE_Scan_CI_Secrets CODEOWNERS_REPO_TOKEN | CODEOWNERS_REPO_TOKEN ;
+ projects/data/24cb1d7c-717a-4f92-8547-26f632916a7a/Trivy_CVE_Scan_CI_Secrets CVE_TEST_REPO_GIT | CVE_TEST_REPO_GIT ;
+ projects/data/24cb1d7c-717a-4f92-8547-26f632916a7a/Trivy_CVE_Scan_CI_Secrets CVE_TEST_SSH_PRIVATE_KEY | CVE_TEST_SSH_PRIVATE_KEY ;
+
+ - uses: deckhouse/modules-actions/cve_scan@v11
+ with:
+ source_tag: ${{ inputs.source_tag }}
+ case: "External Modules"
+ external_module_name: ${{ inputs.external_module_name }}
+ dd_url: ${{ steps.secrets.outputs.DD_URL }}
+ dd_token: ${{ steps.secrets.outputs.DD_TOKEN }}
+ prod_registry: ${{ steps.secrets.outputs.PROD_READ_REGISTRY }}
+ prod_registry_user: ${{ steps.secrets.outputs.PROD_READ_REGISTRY_USER }}
+ prod_registry_password: ${{ steps.secrets.outputs.PROD_READ_REGISTRY_PASSWORD }}
+ dev_registry: ${{ steps.secrets.outputs.DECKHOUSE_DEV_REGISTRY_HOST }}
+ dev_registry_user: ${{ steps.secrets.outputs.DEV_REGISTRY_USER }}
+ dev_registry_password: ${{ steps.secrets.outputs.DEV_REGISTRY_PASSWORD }}
+ deckhouse_private_repo: ${{ steps.secrets.outputs.DECKHOUSE_PRIVATE_REPO }}
+ codeowners_repo_token: ${{ steps.secrets.outputs.CODEOWNERS_REPO_TOKEN }}
+ cve_test_repo_git: ${{ steps.secrets.outputs.CVE_TEST_REPO_GIT }}
+ cve_ssh_private_key: ${{ steps.secrets.outputs.CVE_TEST_SSH_PRIVATE_KEY }}
+ release_in_dev: ${{ inputs.release_in_dev }}
+ latest_releases_amount: ${{ inputs.latest_releases_amount }}
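Review bot: The `Import CVE secrets from Seguro` step leaves hashicorp/vault-action's `exportEnv` at its default of true, so every imported value — including `CVE_TEST_SSH_PRIVATE_KEY` and both registry passwords — is also injected as an environment variable into every subsequent step of the job, although the workflow only consumes them through `steps.secrets.outputs.*`; add `exportEnv: false` under that step's `with:` so the scan action receives exactly the inputs listed and nothing else inherits the credentials. Values such as `DD_URL` and the registry hosts are not secrets, and once they come from Vault they are masked in every log line, which hides them from troubleshooting output; if they were moved only for convenience, keeping them in `vars.*` as the old callers did avoids that. `actions/checkout@v4`, `hashicorp/vault-action@v2` and `deckhouse/modules-actions/cve_scan@v11` are referenced by mutable tags, and pinning each to a full commit SHA with the tag in a trailing comment is the usual hardening for a job that holds registry and SSH credentials. `role: operator-helm` reads as a role shared with other pipelines; if it is, a dedicated Vault role whose policy covers only the `Trivy_CVE_Scan_CI_Secrets` path would keep this job least-privileged, which cannot be judged from the diff alone.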