Skip to content

chore(ci): add new trivy scan #2157

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
nevermarine merged 6 commits into from
Mar 26, 2026
Merged

chore(ci): add new trivy scan #2157

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
6 commits
Select commit Hold shift + click to select a range
7525bde
chore(ci): add new trivy scan
nevermarine Mar 25, 2026
4464fe3
change role
nevermarine Mar 25, 2026
49609dd
set permissions
nevermarine Mar 25, 2026
75e5a31
Revert "change role"
nevermarine Mar 25, 2026
c25c889
change input name
nevermarine Mar 25, 2026
de34e9d
update cve_scan_daily
nevermarine Mar 26, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
63 changes: 50 additions & 13 deletions .github/workflows/cve_scan_daily.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -35,22 +35,59 @@ concurrency:

jobs:
cve_scan_daily:
permissions:
contents: read
id-token: write
name: Trivy images check
runs-on: [self-hosted, large]
steps:
- uses: actions/checkout@v4
- uses: deckhouse/modules-actions/cve_scan@v6

- name: Split repository name
id: split
env:
REPO: ${{ github.repository }}
run: echo "name=${REPO##*/}" >> $GITHUB_OUTPUT

- name: Import secrets
id: secrets
uses: hashicorp/vault-action@v2
with:
url: https://seguro.flant.com
path: github
role: "${{ steps.split.outputs.name }}"
method: jwt
jwtGithubAudience: github-access-aud
secrets: |
projects/data/101ceaca-97cd-462f-aed5-070d9b9de175/registry_host DECKHOUSE_DEV_REGISTRY_HOST | DECKHOUSE_DEV_REGISTRY_HOST ;
projects/data/101ceaca-97cd-462f-aed5-070d9b9de175/dev-registry/writetoken login | DECKHOUSE_DEV_REGISTRY_USER ;
projects/data/101ceaca-97cd-462f-aed5-070d9b9de175/dev-registry/writetoken password | DECKHOUSE_DEV_REGISTRY_PASSWORD ;
projects/data/101ceaca-97cd-462f-aed5-070d9b9de175/registry_host DECKHOUSE_READ_REGISTRY_HOST | PROD_READ_REGISTRY ;
projects/data/101ceaca-97cd-462f-aed5-070d9b9de175/ssdlc-registry-read-license login | PROD_READ_REGISTRY_USER ;
projects/data/101ceaca-97cd-462f-aed5-070d9b9de175/ssdlc-registry-read-license password | PROD_READ_REGISTRY_PASSWORD ;
projects/data/24cb1d7c-717a-4f92-8547-26f632916a7a/Trivy_CVE_Scan_CI_Secrets DD_TOKEN | DD_TOKEN ;
projects/data/24cb1d7c-717a-4f92-8547-26f632916a7a/Trivy_CVE_Scan_CI_Secrets DD_URL | DD_URL ;
projects/data/24cb1d7c-717a-4f92-8547-26f632916a7a/Trivy_CVE_Scan_CI_Secrets CVE_TEST_SSH_PRIVATE_KEY | CVE_TEST_SSH_PRIVATE_KEY ;
projects/data/24cb1d7c-717a-4f92-8547-26f632916a7a/Trivy_CVE_Scan_CI_Secrets CVE_TEST_REPO_GIT | CVE_TEST_REPO_GIT ;
projects/data/24cb1d7c-717a-4f92-8547-26f632916a7a/Trivy_CVE_Scan_CI_Secrets DECKHOUSE_PRIVATE_REPO | DECKHOUSE_PRIVATE_REPO ;
projects/data/b050f3bd-733f-4746-9640-9df80d484074/CODEOWNERS_REPO_TOKEN CODEOWNERS_REPO_TOKEN | CODEOWNERS_REPO_TOKEN ;

- uses: deckhouse/modules-actions/cve_scan@v11
with:
tag: ${{ github.event.inputs.tag_name || 'main' }}
tag_type: ${{ github.event.inputs.tag_type }}
module_name: ${{ vars.MODULE_NAME }}
dd_url: ${{vars.DEFECTDOJO_HOST}}
dd_token: ${{secrets.DEFECTDOJO_API_TOKEN}}
prod_registry: ${{vars.TRIVY_REGISTRY}}
prod_registry_user: ${{ secrets.PROD_READ_REGISTRY_USER }}
prod_registry_password: ${{ secrets.PROD_READ_REGISTRY_PASSWORD }}
dev_registry: ${{ vars.DEV_REGISTRY }}
dev_registry_user: ${{ vars.DEV_MODULES_REGISTRY_LOGIN }}
dev_registry_password: ${{ secrets.DEV_MODULES_REGISTRY_PASSWORD }}
deckhouse_private_repo: ${{vars.DECKHOUSE_PRIVATE_REPO}}
source_tag: ${{ github.event.inputs.tag_name || 'main' }}
case: "External Modules"
external_module_name: ${{ vars.MODULE_NAME }}
dd_url: ${{ steps.secrets.outputs.DD_URL }}
dd_token: ${{ steps.secrets.outputs.DD_TOKEN }}
prod_registry: ${{ steps.secrets.outputs.PROD_READ_REGISTRY }}
prod_registry_user: ${{ steps.secrets.outputs.PROD_READ_REGISTRY_USER }}
prod_registry_password: ${{ steps.secrets.outputs.PROD_READ_REGISTRY_PASSWORD }}
dev_registry: ${{ steps.secrets.outputs.DECKHOUSE_DEV_REGISTRY_HOST }}
dev_registry_user: ${{ steps.secrets.outputs.DECKHOUSE_DEV_REGISTRY_USER }}
dev_registry_password: ${{ steps.secrets.outputs.DECKHOUSE_DEV_REGISTRY_PASSWORD }}
deckhouse_private_repo: ${{ steps.secrets.outputs.DECKHOUSE_PRIVATE_REPO }}
codeowners_repo_token: ${{ steps.secrets.outputs.CODEOWNERS_REPO_TOKEN }}
cve_test_repo_git: ${{ steps.secrets.outputs.CVE_TEST_REPO_GIT }}
cve_ssh_private_key: ${{ steps.secrets.outputs.CVE_TEST_SSH_PRIVATE_KEY }}
trivy_reports_log_output: "1"
latest_releases_amount: 5
63 changes: 50 additions & 13 deletions .github/workflows/dev_module_build.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -455,27 +455,64 @@ jobs:
await e2eStatus.setInitialStatus({github, context, core});

cve_scan_on_pr:
permissions:
contents: read
id-token: write
name: Trivy images check
runs-on: ${{ fromJSON(needs.set_vars.outputs.runner_type)}}
needs:
- set_vars
- dev_setup_build
steps:
- uses: actions/checkout@v4
- uses: deckhouse/modules-actions/cve_scan@v6

- name: Split repository name
id: split
env:
REPO: ${{ github.repository }}
run: echo "name=${REPO##*/}" >> $GITHUB_OUTPUT

- name: Import secrets
id: secrets
uses: hashicorp/vault-action@v2
with:
tag: ${{needs.set_vars.outputs.modules_module_tag}}
tag_type: dev
module_name: ${{ vars.MODULE_NAME }}
dd_url: ${{vars.DEFECTDOJO_HOST}}
dd_token: ${{secrets.DEFECTDOJO_API_TOKEN}}
prod_registry: ${{vars.TRIVY_REGISTRY}}
prod_registry_user: ${{ secrets.PROD_READ_REGISTRY_USER }}
prod_registry_password: ${{ secrets.PROD_READ_REGISTRY_PASSWORD }}
dev_registry: ${{ vars.DEV_REGISTRY }}
dev_registry_user: ${{ vars.DEV_MODULES_REGISTRY_LOGIN }}
dev_registry_password: ${{ secrets.DEV_MODULES_REGISTRY_PASSWORD }}
deckhouse_private_repo: ${{vars.DECKHOUSE_PRIVATE_REPO}}
url: https://seguro.flant.com
path: github
role: "${{ steps.split.outputs.name }}"
method: jwt
jwtGithubAudience: github-access-aud
secrets: |
projects/data/101ceaca-97cd-462f-aed5-070d9b9de175/registry_host DECKHOUSE_DEV_REGISTRY_HOST | DECKHOUSE_DEV_REGISTRY_HOST ;
projects/data/101ceaca-97cd-462f-aed5-070d9b9de175/dev-registry/writetoken login | DECKHOUSE_DEV_REGISTRY_USER ;
projects/data/101ceaca-97cd-462f-aed5-070d9b9de175/dev-registry/writetoken password | DECKHOUSE_DEV_REGISTRY_PASSWORD ;
projects/data/101ceaca-97cd-462f-aed5-070d9b9de175/registry_host DECKHOUSE_READ_REGISTRY_HOST | PROD_READ_REGISTRY ;
projects/data/101ceaca-97cd-462f-aed5-070d9b9de175/ssdlc-registry-read-license login | PROD_READ_REGISTRY_USER ;
projects/data/101ceaca-97cd-462f-aed5-070d9b9de175/ssdlc-registry-read-license password | PROD_READ_REGISTRY_PASSWORD ;
projects/data/24cb1d7c-717a-4f92-8547-26f632916a7a/Trivy_CVE_Scan_CI_Secrets DD_TOKEN | DD_TOKEN ;
projects/data/24cb1d7c-717a-4f92-8547-26f632916a7a/Trivy_CVE_Scan_CI_Secrets DD_URL | DD_URL ;
projects/data/24cb1d7c-717a-4f92-8547-26f632916a7a/Trivy_CVE_Scan_CI_Secrets CVE_TEST_SSH_PRIVATE_KEY | CVE_TEST_SSH_PRIVATE_KEY ;
projects/data/24cb1d7c-717a-4f92-8547-26f632916a7a/Trivy_CVE_Scan_CI_Secrets CVE_TEST_REPO_GIT | CVE_TEST_REPO_GIT ;
projects/data/24cb1d7c-717a-4f92-8547-26f632916a7a/Trivy_CVE_Scan_CI_Secrets DECKHOUSE_PRIVATE_REPO | DECKHOUSE_PRIVATE_REPO ;
projects/data/b050f3bd-733f-4746-9640-9df80d484074/CODEOWNERS_REPO_TOKEN CODEOWNERS_REPO_TOKEN | CODEOWNERS_REPO_TOKEN ;

- uses: deckhouse/modules-actions/cve_scan@v11
with:
source_tag: ${{needs.set_vars.outputs.modules_module_tag}}
case: "External Modules"
external_module_name: ${{ vars.MODULE_NAME }}
dd_url: ${{ steps.secrets.outputs.DD_URL }}
dd_token: ${{ steps.secrets.outputs.DD_TOKEN }}
prod_registry: ${{ steps.secrets.outputs.PROD_READ_REGISTRY }}
prod_registry_user: ${{ steps.secrets.outputs.PROD_READ_REGISTRY_USER }}
prod_registry_password: ${{ steps.secrets.outputs.PROD_READ_REGISTRY_PASSWORD }}
dev_registry: ${{ steps.secrets.outputs.DECKHOUSE_DEV_REGISTRY_HOST }}
dev_registry_user: ${{ steps.secrets.outputs.DECKHOUSE_DEV_REGISTRY_USER }}
dev_registry_password: ${{ steps.secrets.outputs.DECKHOUSE_DEV_REGISTRY_PASSWORD }}
deckhouse_private_repo: ${{ steps.secrets.outputs.DECKHOUSE_PRIVATE_REPO }}
codeowners_repo_token: ${{ steps.secrets.outputs.CODEOWNERS_REPO_TOKEN }}
cve_test_repo_git: ${{ steps.secrets.outputs.CVE_TEST_REPO_GIT }}
cve_ssh_private_key: ${{ steps.secrets.outputs.CVE_TEST_SSH_PRIVATE_KEY }}
trivy_reports_log_output: "1"

analyze_build:
if: ${{ github.event.inputs.svace_enabled == 'true' || contains(github.event.pull_request.labels.*.name, 'analyze/svace') }}
Expand Down
Loading