From 0acfbdc7a1e0f0cdeaab4bf7928f30baaf800d71 Mon Sep 17 00:00:00 2001
From: Shengwen YU
Date: Tue, 25 Oct 2022 14:26:53 +0800
Subject: [PATCH] feat: bump TRIVYVERSION to v0.32.1 and bump TRIVYADAPTERVERSION to v0.30.2 (#17681)

Signed-off-by: Shengwen Yu
Signed-off-by: Shengwen Yu
---
 Makefile                                              | 4 ++--
 make/harbor.yml.tmpl                                  | 3 +++
 make/photon/prepare/templates/trivy-adapter/env.jinja | 1 +
 make/photon/prepare/utils/configs.py                  | 1 +
 4 files changed, 7 insertions(+), 2 deletions(-)

diff --git a/Makefile b/Makefile
index 127ed41b9..34fd1a05a 100644
--- a/Makefile
+++ b/Makefile
@@ -109,8 +109,8 @@ PREPARE_VERSION_NAME=versions
 REGISTRYVERSION=v2.8.0-patch-redis
 NOTARYVERSION=v0.6.1
 NOTARYMIGRATEVERSION=v4.11.0
-TRIVYVERSION=v0.29.2
-TRIVYADAPTERVERSION=v0.30.0
+TRIVYVERSION=v0.32.1
+TRIVYADAPTERVERSION=v0.30.2
 
 # version of chartmuseum for pulling the source code
 CHARTMUSEUM_SRC_TAG=v0.14.0
diff --git a/make/harbor.yml.tmpl b/make/harbor.yml.tmpl
index c0563b74c..9df58de36 100644
--- a/make/harbor.yml.tmpl
+++ b/make/harbor.yml.tmpl
@@ -86,6 +86,9 @@ trivy:
 # This option doesn’t affect DB download. You need to specify "skip-update" as well as "offline-scan" in an air-gapped environment.
 offline_scan: false
 #
+# Comma-separated list of what security issues to detect. Possible values are `vuln`, `config` and `secret`. Defaults to `vuln`.
+security_check: vuln
+#
 # insecure The flag to skip verifying registry certificate
 insecure: false
 # github_token The GitHub access token to download Trivy DB
diff --git a/make/photon/prepare/templates/trivy-adapter/env.jinja b/make/photon/prepare/templates/trivy-adapter/env.jinja
index 6de37861b..c9402a136 100644
--- a/make/photon/prepare/templates/trivy-adapter/env.jinja
+++ b/make/photon/prepare/templates/trivy-adapter/env.jinja
@@ -11,6 +11,7 @@ SCANNER_TRIVY_SEVERITY=UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL
 SCANNER_TRIVY_IGNORE_UNFIXED={{trivy_ignore_unfixed}}
 SCANNER_TRIVY_SKIP_UPDATE={{trivy_skip_update}}
 SCANNER_TRIVY_OFFLINE_SCAN={{trivy_offline_scan}}
+SCANNER_TRIVY_SECURITY_CHECKS={{trivy_security_check}}
 SCANNER_TRIVY_GITHUB_TOKEN={{trivy_github_token}}
 SCANNER_TRIVY_INSECURE={{trivy_insecure}}
 SCANNER_TRIVY_TIMEOUT={{trivy_timeout}}
diff --git a/make/photon/prepare/utils/configs.py b/make/photon/prepare/utils/configs.py
index 99f67df37..64498db18 100644
--- a/make/photon/prepare/utils/configs.py
+++ b/make/photon/prepare/utils/configs.py
@@ -229,6 +229,7 @@ def parse_yaml_config(config_file_path, with_notary, with_trivy, with_chartmuseu
 config_dict['trivy_github_token'] = trivy_configs.get("github_token") or ''
 config_dict['trivy_skip_update'] = trivy_configs.get("skip_update") or False
 config_dict['trivy_offline_scan'] = trivy_configs.get("offline_scan") or False
+config_dict['trivy_security_check'] = trivy_configs.get("security_check") or 'vuln'
 config_dict['trivy_ignore_unfixed'] = trivy_configs.get("ignore_unfixed") or False
 config_dict['trivy_insecure'] = trivy_configs.get("insecure") or False
 config_dict['trivy_timeout'] = trivy_configs.get("timeout") or '5m0s'
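Review bot: The new `security_check` key in harbor.yml.tmpl is singular while the env.jinja hunk emits it as the plural `SCANNER_TRIVY_SECURITY_CHECKS`, and the configs.py hunk carries it as `trivy_security_check`; an operator reading the adapter's environment will not find the option under the name they configured. If the key has not shipped yet, naming it `security_checks` to match the adapter variable avoids that mismatch across all three files; otherwise the template comment should at least name the target, e.g. `# security_check Maps to SCANNER_TRIVY_SECURITY_CHECKS in the trivy-adapter environment.`. The comment's "Comma-separated list" wording also deserves an example with more than one value, such as `vuln,secret`, so readers know the list form is accepted here rather than only single values.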
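Review bot: The added `config_dict['trivy_security_check'] = trivy_configs.get("security_check") or 'vuln'` line accepts any value and passes it straight into the env.jinja template, so a typo such as `vulns` or a stray newline in harbor.yml is only discovered when the adapter starts (or ends up as extra lines in the rendered env file). Since the permitted values are already documented in the harbor.yml.tmpl hunk (`vuln`, `config`, `secret`), the prepare step can normalise the comma-separated list and reject anything outside that set at config-parse time. Whether the project prefers raising or logging-and-exiting here is not visible in the hunk, so the `ValueError` below is illustrative. The enclosing parse_yaml_config starts and ends outside the hunk.
```python
    # … unchanged: github_token / skip_update / offline_scan …
    security_check = trivy_configs.get("security_check") or 'vuln'
    checks = [c.strip() for c in str(security_check).split(',') if c.strip()]
    if not checks or not set(checks) <= {'vuln', 'config', 'secret'}:
        raise ValueError("trivy.security_check must be a comma-separated subset of: vuln, config, secret")
    config_dict['trivy_security_check'] = ','.join(checks)
    # … unchanged: ignore_unfixed / insecure / timeout …
```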