From 45533fc35847a8568deb0d4cae1851a2872f3651 Mon Sep 17 00:00:00 2001 From: Matthew Sevey <15232757+MSevey@users.noreply.github.com> Date: Thu, 31 Oct 2024 10:35:39 -0400 Subject: [PATCH] chore(ci): comment out Trivy due to instability (#119) --- .../reusable_dockerfile_pipeline.yml | 74 +++++++++---------- 1 file changed, 37 insertions(+), 37 deletions(-) diff --git a/.github/workflows/reusable_dockerfile_pipeline.yml b/.github/workflows/reusable_dockerfile_pipeline.yml index 3ab437c..a255e27 100644 --- a/.github/workflows/reusable_dockerfile_pipeline.yml +++ b/.github/workflows/reusable_dockerfile_pipeline.yml @@ -148,50 +148,50 @@ jobs: echo "Failing step due to build_for_pr == build_for_merge" exit 1 - docker-security: - needs: ["prepare-env", "logic-check"] - runs-on: "ubuntu-latest" - steps: - - name: Checkout - uses: "actions/checkout@v4" - with: - ref: ${{ inputs.checkout_ref }} + # docker-security: + # needs: ["prepare-env", "logic-check"] + # runs-on: "ubuntu-latest" + # steps: + # - name: Checkout + # uses: "actions/checkout@v4" + # with: + # ref: ${{ inputs.checkout_ref }} - - name: Build - uses: docker/build-push-action@v5 - env: - OUTPUT_SHORT_SHA: ${{ needs.prepare-env.outputs.output_short_sha }} - OUTPUT_IMAGE_NAME: ${{ needs.prepare-env.outputs.output_image_name }} - with: - context: ${{ inputs.dockerContext}} - push: false - platforms: linux/amd64 - # we're building the container before the scan, use the short sha tag - # for referring to it later - tags: ${{ env.OUTPUT_IMAGE_NAME }}:${{ env.OUTPUT_SHORT_SHA }} - file: ${{ inputs.dockerfile }} + # - name: Build + # uses: docker/build-push-action@v5 + # env: + # OUTPUT_SHORT_SHA: ${{ needs.prepare-env.outputs.output_short_sha }} + # OUTPUT_IMAGE_NAME: ${{ needs.prepare-env.outputs.output_image_name }} + # with: + # context: ${{ inputs.dockerContext}} + # push: false + # platforms: linux/amd64 + # # we're building the container before the scan, use the short sha tag + # # for referring to it later + # tags: ${{ env.OUTPUT_IMAGE_NAME }}:${{ env.OUTPUT_SHORT_SHA }} + # file: ${{ inputs.dockerfile }} - - name: Run Trivy vulnerability scanner - # source: https://github.com/aquasecurity/trivy-action - # https://github.com/marketplace/actions/aqua-security-trivy - uses: aquasecurity/trivy-action@master - env: - OUTPUT_SHORT_SHA: ${{ needs.prepare-env.outputs.output_short_sha }} - OUTPUT_IMAGE_NAME: ${{ needs.prepare-env.outputs.output_image_name }} - with: - # here we use the local tag that we've built before - image-ref: "${{ env.OUTPUT_IMAGE_NAME }}:${{ env.OUTPUT_SHORT_SHA }}" - format: "table" - #exit-code: '1' # uncomment to stop the CI if the scanner fails - ignore-unfixed: true - vuln-type: "os,library" - severity: "CRITICAL,HIGH" + # - name: Run Trivy vulnerability scanner + # # source: https://github.com/aquasecurity/trivy-action + # # https://github.com/marketplace/actions/aqua-security-trivy + # uses: aquasecurity/trivy-action@master + # env: + # OUTPUT_SHORT_SHA: ${{ needs.prepare-env.outputs.output_short_sha }} + # OUTPUT_IMAGE_NAME: ${{ needs.prepare-env.outputs.output_image_name }} + # with: + # # here we use the local tag that we've built before + # image-ref: "${{ env.OUTPUT_IMAGE_NAME }}:${{ env.OUTPUT_SHORT_SHA }}" + # format: "table" + # #exit-code: '1' # uncomment to stop the CI if the scanner fails + # ignore-unfixed: true + # vuln-type: "os,library" + # severity: "CRITICAL,HIGH" docker-build: name: docker-build (${{ matrix.registry.name }}; ${{ matrix.registry.registry-url }}/${{ matrix.registry.registry-owner }}/${{ needs.prepare-env.outputs.output_image_name }}) runs-on: "ubuntu-latest" # wait until the jobs are finished. - needs: ["prepare-env", "logic-check", "docker-security"] + needs: ["prepare-env", "logic-check"] # We only want to run this step if one of the build flags is true. We don't # run if both logic flags are false. This is the case for push events on PR # commits. The logic-check job protects us from the case of both build flags