Merge branch 'main' into ss/feat/introduce-readyz-probe
shsma authored Nov 22, 2024
2 parents d6eae2a + 5bfb8b1 commit 6638a6e
Showing 2 changed files with 34 additions and 42 deletions.
72 changes: 32 additions & 40 deletions .github/workflows/component-scan.yml
Expand Up @@ -27,40 +27,44 @@ jobs:
uses: aquasecurity/trivy-action@0.28.0
with:
image-ref: image:latest
format: 'json'
vuln-type: 'os,library'
output: 'trivy-results.json'
env:
TRIVY_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-db:2
TRIVY_JAVA_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-java-db:1
TRIVY_FORMAT: json
TRIVY_OUTPUT: 'trivy-results.json'

- name: Save vulnerabilities report in tabular format
if: always()
uses: aquasecurity/trivy-action@0.28.0
with:
image-ref: trivy-results.json
scan-ref: trivy-results.json
scan-type: convert
vuln-type: ''
format: 'table'
output: 'trivy-results.txt'
env:
TRIVY_FORMAT: table
TRIVY_OUTPUT: 'trivy-results.txt'

- name: Display vulnerabilities report
if: always()
uses: aquasecurity/trivy-action@0.28.0
with:
image-ref: trivy-results.json
scan-ref: trivy-results.json
scan-type: convert
vuln-type: ''
env:
TRIVY_FORMAT: table
TRIVY_OUTPUT: ''

- name: Fail on high and critical vulnerabilities
if: always()
uses: aquasecurity/trivy-action@0.28.0
with:
image-ref: trivy-results.json
scan-ref: trivy-results.json
scan-type: convert
exit-code: '1'
vuln-type: ''
severity: 'HIGH,CRITICAL'
env:
TRIVY_FORMAT: table
TRIVY_OUTPUT: ''

- name: Publish scan report
if: always()
Expand Down Expand Up @@ -212,35 +216,23 @@ jobs:
- name: Send Notification to Slack
if: ${{ startsWith(github.ref, 'refs/heads/main') || startsWith(github.ref, 'refs/heads/release/') }}
uses: slackapi/slack-github-action@v1.27.0
uses: slackapi/slack-github-action@v2.0.0
with:
channel-id: ${{ secrets.SLACK_CHANNEL_ID }}
method: chat.postMessage
token: ${{ secrets.H2O_OPS_SLACK_BOT_TOKEN }}
payload: |
{
"text": "Trivy Vulnerability Report",
"blocks": [
{
"type": "section",
"text": {
"type": "mrkdwn",
"text": "*Java MOJO Runtime* \n_Vulnerabilities have been detected on the `${{ github.ref_name }}` branch_"
}
},
{
"type": "section",
"text": {
"type": "mrkdwn",
"text": "> *Trivy :: `${{ env.TRIVY_SUMMARY }}`*\n> *Prisma :: `${{ env.PRISMA_SUMMARY }}`*"
}
},
{
"type": "section",
"text": {
"type": "mrkdwn",
"text": "${{ env.CODE_OWNERS }}, please review the following reports: <https://github.com/h2oai/${{ github.event.repository.name }}${{ needs.trivy_scan.outputs.job }}|_Trivy_>, <https://github.com/h2oai/${{ github.event.repository.name }}${{ needs.prisma_scan.outputs.job }}|_Prisma_>"
}
}
]
}
env:
SLACK_BOT_TOKEN: ${{ secrets.H2O_OPS_SLACK_BOT_TOKEN }}
channel: ${{ secrets.SLACK_CHANNEL_ID }}
text: "Trivy Vulnerability Report"
blocks:
- type: "section"
text:
type: "mrkdwn"
text: "*Java MOJO Runtime* \n_Vulnerabilities have been detected on the `${{ github.ref_name }}` branch_"
- type: "section"
text:
type: "mrkdwn"
text: "> *Trivy :: `${{ env.TRIVY_SUMMARY }}`*\n> *Prisma :: `${{ env.PRISMA_SUMMARY }}`*"
- type: "section"
text:
type: "mrkdwn"
text: "${{ env.CODE_OWNERS }}, please review the following reports: <https://github.com/h2oai/${{ github.event.repository.name }}${{ needs.trivy_scan.outputs.job }}|_Trivy_>, <https://github.com/h2oai/${{ github.event.repository.name }}${{ needs.prisma_scan.outputs.job }}|_Prisma_>"
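Review bot: The bumped `uses: slackapi/slack-github-action@v2.0.0` is pinned to a mutable tag, so a moved or compromised tag would run different code with `H2O_OPS_SLACK_BOT_TOKEN` and the channel id in scope; pin to the release's full commit SHA and keep the version as a trailing comment, `uses: slackapi/slack-github-action@<full-commit-sha> # v2.0.0` (the `trivy-action@0.28.0` lines in the first hunk have the same weakness, though this commit leaves them untouched). The `payload:` block also splices `${{ env.CODE_OWNERS }}`, `${{ env.TRIVY_SUMMARY }}` and `${{ env.PRISMA_SUMMARY }}` straight into double-quoted YAML scalars before the action parses them; those variables are set outside this hunk, so if any of them can carry a double quote, backslash or newline (scanner summaries often can), the payload either fails to parse or that text rewrites the Slack blocks. Building each interpolated `text:` value with `format()` and wrapping it in `toJSON()` delivers it as an escaped JSON string literal, which YAML accepts as a double-quoted scalar, so the message structure stays fixed regardless of the content. The unchanged `if:` guard `startsWith(github.ref, 'refs/heads/main')` additionally matches any branch whose name merely begins with `main`; `github.ref == 'refs/heads/main'` is the strict form.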
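--- a/local-rest-scorer/Dockerfile
+++ b/local-rest-scorer/Dockerfile
@@ -1,12 +1,12 @@
-FROM cgr.dev/chainguard/wolfi-base:latest@sha256:3221f96f52fca0020fa6f404b0370d132403be6b3736d8dd92275ccd72129c1f AS builder
+FROM cgr.dev/chainguard/wolfi-base:latest@sha256:b3dd9cf08283b959c6a0a3c833e68b2882a50129930215060154b43ae6a3e81c AS builder
 RUN apk add openjdk-17 bash coreutils
 ENV JAVA_HOME=/usr/lib/jvm/java-17-openjdk
 ENV PATH="$JAVA_HOME/bin:$PATH"
 WORKDIR /app
 COPY build/libs/local-rest-scorer-boot.jar application.jar
 RUN java -Djarmode=layertools -jar application.jar extract
 
-FROM cgr.dev/chainguard/wolfi-base:latest@sha256:3221f96f52fca0020fa6f404b0370d132403be6b3736d8dd92275ccd72129c1f
+FROM cgr.dev/chainguard/wolfi-base:latest@sha256:b3dd9cf08283b959c6a0a3c833e68b2882a50129930215060154b43ae6a3e81c
 RUN apk add openjdk-17-jre bash coreutils
 ENV JAVA_HOME=/usr/lib/jvm/java-17-openjdk
 ENV PATH="$JAVA_HOME/bin:$PATH"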