chore(trivy): Update trivy for aaw#1988 (#329)

* add updates to trivy * update cypress
StatCan · Nov 27, 2024 · 6aca35b · 6aca35b
1 parent b1de170
commit 6aca35b
Show file tree

Hide file tree

Showing 4 changed files with 537 additions and 277 deletions.
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
@@ -14,7 +14,11 @@ on:
 env:
   REGISTRY_NAME: k8scc01covidacr
   DEV_REGISTRY_NAME: k8scc01covidacrdev
-  TRIVY_VERSION: "v0.43.1"
+  TRIVY_VERSION: "v0.57.0"
+  TRIVY_DATABASES: '"ghcr.io/aquasecurity/trivy-db:2","public.ecr.aws/aquasecurity/trivy-db"'
+  TRIVY_JAVA_DATABASES: '"ghcr.io/aquasecurity/trivy-java-db:1","public.ecr.aws/aquasecurity/trivy-java-db"'
+  TRIVY_MAX_RETRIES: 5
+  TRIVY_RETRY_DELAY: 20
   SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
   HADOLINT_VERSION: "2.12.0"
 
@@ -76,10 +80,38 @@ jobs:
         docker push localhost:5000/jupyter-apis:${{ github.sha }}
         docker image prune
     
+    # Scan image for vulnerabilities
     - name: Aqua Security Trivy image scan
       run: |
         curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin ${{ env.TRIVY_VERSION }}
-        trivy image localhost:5000/jupyter-apis:${{ github.sha }} --exit-code 1 --timeout=20m --security-checks vuln --severity CRITICAL
+        
+        set +e # Lets trivy return an error without it being fatal
+
+        for ((i=0; i<${{ env.TRIVY_MAX_RETRIES }}; i++)); do
+          echo "Attempt $((i + 1)) of ${{ env.TRIVY_MAX_RETRIES }}..."
+
+          trivy image \
+            --db-repository ${{ env.TRIVY_DATABASES }} \
+            --java-db-repository ${{ env.TRIVY_JAVA_DATABASES }} \
+            localhost:5000/jupyter-apis:${{ github.sha }} \
+            --exit-code 10 --timeout=20m --scanners vuln --severity CRITICAL \
+            --skip-dirs /usr/local/SASHome
+          EXIT_CODE=$?
+
+          if [[ $EXIT_CODE -eq 0 ]]; then
+            echo "Trivy scan completed successfully."
+            exit 0
+          elif [[ $EXIT_CODE -eq 10 ]]; then
+            echo "Trivy scan completed successfully. Some vulnerabilities were found."
+            exit 10
+          elif [[ $i -lt $(( ${{ env.TRIVY_MAX_RETRIES }} - 1))  ]]; then
+            echo "Encountered unexpected error. Retrying in ${{ env.TRIVY_RETRY_DELAY }} seconds..."
+            sleep ${{ env.TRIVY_RETRY_DELAY }}
+          else
+            echo "Unexpected error persists after ${{ env.TRIVY_MAX_RETRIES }} attempts. Exiting."
+            exit 1
+          fi
+        done
 
     # Container build and push to a Azure Container registry (ACR)
     - name: Push to ACR if necessary