From 622a28d8f3c26d208263d8b502dec7a2a6543d02 Mon Sep 17 00:00:00 2001
From: Ian Nara
Date: Tue, 12 Nov 2024 16:58:33 -0700
Subject: [PATCH 1/7] test trivy severity through env
---
 actions/vulnerability_scan/action.yaml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/actions/vulnerability_scan/action.yaml b/actions/vulnerability_scan/action.yaml
index c6ff316..f42d8c8 100644
--- a/actions/vulnerability_scan/action.yaml
+++ b/actions/vulnerability_scan/action.yaml
@@ -125,3 +125,4 @@ runs:
 env:
 TRIVY_SKIP_DB_UPDATE: true
 TRIVY_SKIP_JAVA_DB_UPDATE: true
+ TRIVY_SEVERITY: ${{ inputs.failure_severity }}
\ No newline at end of file
From 6204722834fcc0f0caf5db26380f0f3b1261f2fd Mon Sep 17 00:00:00 2001
From: Ian Nara
Date: Tue, 12 Nov 2024 17:00:46 -0700
Subject: [PATCH 2/7] test trivy severity through env
---
 .github/workflows/shared-validate-image.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/shared-validate-image.yaml b/.github/workflows/shared-validate-image.yaml
index 50f369a..9502505 100644
--- a/.github/workflows/shared-validate-image.yaml
+++ b/.github/workflows/shared-validate-image.yaml
@@ -96,7 +96,7 @@ jobs:
 IMAGE_VERSION=${{ steps.package.outputs.jar_version }}-${{ steps.package.outputs.git_commit }}
 - name: Vulnerability Scan
- uses: IABTechLab/uid2-shared-actions/actions/vulnerability_scan@v3
+ uses: IABTechLab/uid2-shared-actions/actions/vulnerability_scan@ian-test-fix-trivy-issue
 with:
 scan_severity: HIGH,CRITICAL
 failure_severity: ${{ inputs.vulnerability_severity }}
From e83213645f9970d30f9b7d14f5d5f9b112480f72 Mon Sep 17 00:00:00 2001
From: Ian Nara
Date: Tue, 12 Nov 2024 17:11:02 -0700
Subject: [PATCH 3/7] test trivy severity through env
---
 actions/vulnerability_scan/action.yaml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/actions/vulnerability_scan/action.yaml b/actions/vulnerability_scan/action.yaml
index f42d8c8..ffb5e5d 100644
--- a/actions/vulnerability_scan/action.yaml
+++ b/actions/vulnerability_scan/action.yaml
@@ -120,9 +120,9 @@ runs:
 format: 'table'
 exit-code: '1'
 ignore-unfixed: true
- severity: ${{ inputs.failure_severity }}
+ severity: HIGH,CRITICAL
 hide-progress: true
 env:
 TRIVY_SKIP_DB_UPDATE: true
 TRIVY_SKIP_JAVA_DB_UPDATE: true
- TRIVY_SEVERITY: ${{ inputs.failure_severity }}
\ No newline at end of file
+ TRIVY_SEVERITY: HIGH,CRITICAL
\ No newline at end of file
From 7b92119ee1a5b5f8cd04bec234d42ffe1829e534 Mon Sep 17 00:00:00 2001
From: Ian Nara
Date: Wed, 13 Nov 2024 09:32:15 -0700
Subject: [PATCH 4/7] test trivy severity through env
---
 actions/vulnerability_scan/action.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/actions/vulnerability_scan/action.yaml b/actions/vulnerability_scan/action.yaml
index ffb5e5d..4920a73 100644
--- a/actions/vulnerability_scan/action.yaml
+++ b/actions/vulnerability_scan/action.yaml
@@ -120,7 +120,7 @@ runs:
 format: 'table'
 exit-code: '1'
 ignore-unfixed: true
- severity: HIGH,CRITICAL
+ severity: ${{ inputs.failure_severity }}
 hide-progress: true
 env:
 TRIVY_SKIP_DB_UPDATE: true
From 7b2b3a3dbf32467cda22311ea7c0b8b5c4870b4d Mon Sep 17 00:00:00 2001
From: Ian Nara
Date: Wed, 13 Nov 2024 09:32:22 -0700
Subject: [PATCH 5/7] test trivy severity through env
---
 actions/vulnerability_scan/action.yaml | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/actions/vulnerability_scan/action.yaml b/actions/vulnerability_scan/action.yaml
index 4920a73..3fe45a6 100644
--- a/actions/vulnerability_scan/action.yaml
+++ b/actions/vulnerability_scan/action.yaml
@@ -124,5 +124,4 @@ runs:
 hide-progress: true
 env:
 TRIVY_SKIP_DB_UPDATE: true
- TRIVY_SKIP_JAVA_DB_UPDATE: true
- TRIVY_SEVERITY: HIGH,CRITICAL
\ No newline at end of file
+ TRIVY_SKIP_JAVA_DB_UPDATE: true
\ No newline at end of file
From dbcd894abca3b4530f4f8c39dfdb5e391b2084ac Mon Sep 17 00:00:00 2001
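Review bot: `severity: ${{ inputs.failure_severity }}` in the PATCH 4/7 hunk passes the caller's value straight to Trivy, so a caller that omits the input or wires an undeclared name (as the workflow did with `inputs.vulnerability_severity` earlier in this series) hands the step an empty severity filter and the gate degrades silently instead of failing; that is presumably the pipeline bug being chased here. Make the empty case loud in the action's `inputs:` declaration, which sits outside this hunk, with `failure_severity:` marked `required: true` or given a non-empty default, and consider a preceding guard step such as `if [ -z "${{ inputs.failure_severity }}" ]; then echo '::error::failure_severity is empty'; exit 1; fi`. How trivy-action behaves with an empty `severity` value is not visible from here and should be confirmed before relying on it. The enclosing step's `with:` block starts outside the hunk.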
From: Ian Nara
Date: Wed, 13 Nov 2024 09:37:16 -0700
Subject: [PATCH 6/7] test trivy severity through env
---
 .github/workflows/shared-validate-image.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/shared-validate-image.yaml b/.github/workflows/shared-validate-image.yaml
index 9502505..30db92f 100644
--- a/.github/workflows/shared-validate-image.yaml
+++ b/.github/workflows/shared-validate-image.yaml
@@ -99,7 +99,7 @@ jobs:
 uses: IABTechLab/uid2-shared-actions/actions/vulnerability_scan@ian-test-fix-trivy-issue
 with:
 scan_severity: HIGH,CRITICAL
- failure_severity: ${{ inputs.vulnerability_severity }}
+ failure_severity: ${{ inputs.failure_severity }}
 publish_vulnerabilities: ${{ inputs.publish_vulnerabilities }}
 image_ref: ${{ steps.meta.outputs.tags }}
 scan_type: image
From 0e6f86533004d7ab6ab4865563683816d6a98506 Mon Sep 17 00:00:00 2001
From: Ian Nara
Date: Wed, 13 Nov 2024 09:54:12 -0700
Subject: [PATCH 7/7] fix trivy scan pipeline bug
---
 .github/workflows/shared-validate-image.yaml | 2 +-
 actions/vulnerability_scan/action.yaml | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/shared-validate-image.yaml b/.github/workflows/shared-validate-image.yaml
index 30db92f..3eba049 100644
--- a/.github/workflows/shared-validate-image.yaml
+++ b/.github/workflows/shared-validate-image.yaml
@@ -96,7 +96,7 @@ jobs:
 IMAGE_VERSION=${{ steps.package.outputs.jar_version }}-${{ steps.package.outputs.git_commit }}
 - name: Vulnerability Scan
- uses: IABTechLab/uid2-shared-actions/actions/vulnerability_scan@ian-test-fix-trivy-issue
+ uses: IABTechLab/uid2-shared-actions/actions/vulnerability_scan@v3
 with:
 scan_severity: HIGH,CRITICAL
 failure_severity: ${{ inputs.failure_severity }}
diff --git a/actions/vulnerability_scan/action.yaml b/actions/vulnerability_scan/action.yaml
index 3fe45a6..c6ff316 100644
--- a/actions/vulnerability_scan/action.yaml
+++ b/actions/vulnerability_scan/action.yaml
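Review bot: The rename to `failure_severity: ${{ inputs.failure_severity }}` in the PATCH 6/7 hunk only fixes the wiring if the reusable workflow declares `failure_severity` under `on.workflow_call.inputs`, and that block is outside this hunk; a reference to an undeclared `inputs.*` name evaluates to an empty string rather than failing validation, which is presumably how the old `inputs.vulnerability_severity` went unnoticed. Verify the declaration and mark it `required: true` or give it a non-empty default so the next typo stops the workflow instead of quietly running Trivy with an empty severity filter. Since `scan_severity` stays hard-coded at `HIGH,CRITICAL` while `failure_severity` is caller-controlled, a comment on the step such as `# failure_severity should be a subset of scan_severity; anything outside it is never reported` would make the contract visible to callers.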
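Review bot: `uses: IABTechLab/uid2-shared-actions/actions/vulnerability_scan@v3` in the PATCH 7/7 workflow hunk pins the vulnerability gate to a mutable tag, so the code that decides whether an image passes can change without any change to this file; the usual supply-chain hardening is a full commit SHA with the version in a trailing comment, e.g. `uses: IABTechLab/uid2-shared-actions/actions/vulnerability_scan@<full-commit-sha> # v3`. The paths suggest this workflow and the action live in the same repository, in which case a caller who pins `shared-validate-image.yaml` to a SHA still gets whatever `v3` currently points at for the action; checking out this repository at a known ref and referencing `./actions/vulnerability_scan` would keep the two in lockstep, since `uses:` cannot take an expression to derive the ref from the workflow's own. Either way, a short comment explaining why the action ref is allowed to differ from the workflow ref would help the next maintainer.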
@@ -124,4 +124,4 @@ runs:
 hide-progress: true
 env:
 TRIVY_SKIP_DB_UPDATE: true
- TRIVY_SKIP_JAVA_DB_UPDATE: true
\ No newline at end of file
+ TRIVY_SKIP_JAVA_DB_UPDATE: true