diff --git a/.github/workflows/cve-scan-and-patching.yml b/.github/workflows/cve-scan-and-patching.yml
index 9c47516..ed3fb41 100644
--- a/.github/workflows/cve-scan-and-patching.yml
+++ b/.github/workflows/cve-scan-and-patching.yml
@@ -26,43 +26,47 @@ jobs: registry: registry.sighup.io username: ${{ secrets.SIGHUP_REGISTRY_USERNAME }} password: ${{ secrets.SIGHUP_REGISTRY_PASSWORD }} - - name: Install furyctl, trivy and copa - run: | - sudo apt-get install wget apt-transport-https gnupg - wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key | gpg --dearmor | sudo tee /usr/share/keyrings/trivy.gpg > /dev/null - echo "deb [signed-by=/usr/share/keyrings/trivy.gpg] https://aquasecurity.github.io/trivy-repo/deb generic main" | sudo tee -a /etc/apt/sources.list.d/trivy.list - sudo apt-get update - sudo apt-get install trivy - trivy --version - - wget https://github.com/sighupio/furyctl/releases/download/v0.29.7/furyctl-linux-amd64.tar.gz - tar -xzvf furyctl-linux-amd64.tar.gz -C /usr/local/bin/ - furyctl version - - wget https://github.com/moby/buildkit/releases/download/v0.16.0/buildkit-v0.16.0.linux-amd64.tar.gz - tar -xzvf buildkit-v0.16.0.linux-amd64.tar.gz -C /usr/local/bin/ --strip-components=1 - buildctl --version - - wget https://github.com/project-copacetic/copacetic/releases/download/v0.8.0/copa_0.8.0_linux_amd64.tar.gz - tar -xzvf copa_0.8.0_linux_amd64.tar.gz - chmod +x copa - sudo mv copa /usr/local/bin/ - copa --version - - - name: Execute scan and patching - run: | - cd CVEs - make trivy-download-db - make all - echo "todayDate=$(date +'%Y-%m-%d')" >> $GITHUB_ENV - echo "KFD_VERSIONS=$(find CVEs -name "v*" -maxdepth 1 | cut -d/ -f2 | sort)" >> $GITHUB_ENV - - - name: publish patching report - uses: actions/upload-artifact@v4 - with: - name: cve-reports-${{env.todayDate}} - path: | - CVEs/v*/images.txt - CVEs/v*/built.yaml - CVEs/v*/*.md - CVEs/v*/*.log + - name: find DOCKER_AUTH_CONFIG + run: | + echo "$DOCKER_AUTH_CONFIG" > .docker/config.json + cat .docker/config.json +# - name: Install furyctl, trivy and copa +# run: | +# sudo apt-get install wget apt-transport-https gnupg +# wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key | gpg --dearmor | sudo 
tee /usr/share/keyrings/trivy.gpg > /dev/null +# echo "deb [signed-by=/usr/share/keyrings/trivy.gpg] https://aquasecurity.github.io/trivy-repo/deb generic main" | sudo tee -a /etc/apt/sources.list.d/trivy.list +# sudo apt-get update +# sudo apt-get install trivy +# trivy --version +# +# wget https://github.com/sighupio/furyctl/releases/download/v0.29.7/furyctl-linux-amd64.tar.gz +# tar -xzvf furyctl-linux-amd64.tar.gz -C /usr/local/bin/ +# furyctl version +# +# wget https://github.com/moby/buildkit/releases/download/v0.16.0/buildkit-v0.16.0.linux-amd64.tar.gz +# tar -xzvf buildkit-v0.16.0.linux-amd64.tar.gz -C /usr/local/bin/ --strip-components=1 +# buildctl --version +# +# wget https://github.com/project-copacetic/copacetic/releases/download/v0.8.0/copa_0.8.0_linux_amd64.tar.gz +# tar -xzvf copa_0.8.0_linux_amd64.tar.gz +# chmod +x copa +# sudo mv copa /usr/local/bin/ +# copa --version +# +# - name: Execute scan and patching +# run: | +# cd CVEs +# DOCKER_AUTH_CONFIG= +# make trivy-download-db +# make all +# echo "todayDate=$(date +'%Y-%m-%d')" >> $GITHUB_ENV +# +# - name: publish patching report +# uses: actions/upload-artifact@v4 +# with: +# name: cve-reports-${{env.todayDate}} +# path: | +# CVEs/v*/images.txt +# CVEs/v*/built.yaml +# CVEs/v*/*.md +# CVEs/v*/*.log
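Review bot: The new `find DOCKER_AUTH_CONFIG` step prints a registry credentials file to the job log with `cat .docker/config.json`; GitHub only masks strings that were registered as secrets verbatim, so if `DOCKER_AUTH_CONFIG` (defined outside this hunk) is assembled from, or base64-encodes, the username/password, the `auth` entries can appear unmasked in a log readable by anyone with read access to the repository. Replace the `cat` with a check that does not echo contents, e.g. `jq -r '.auths | keys[]' .docker/config.json` (lists registry names only, assuming jq is on the runner), and write the file with restrictive permissions, e.g. `mkdir -p .docker && (umask 077; echo "$DOCKER_AUTH_CONFIG" > .docker/config.json)` — the `mkdir` also avoids the redirection failing when the checkout has no `.docker/` directory. Because the file lands in the workspace rather than `$HOME/.docker`, confirm that whatever consumes it points `DOCKER_CONFIG` there and that it is never matched by a later `upload-artifact` path or committed. With the install, scan/patch and report-upload steps all commented out, this workflow now only writes credentials to disk and exits; if that is a temporary debugging state it should not be merged to the default branch.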