
Commit 3a63b6b

Run nightly vulnerability scan only for TAS module
This commit adds an additional step to clean up any Docker images that are created or pulled during the scan. Signed-off-by: Madalina Lazar <[email protected]>
1 parent 00346ce commit 3a63b6b

1 file changed

+26
-5
lines changed

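--- a/.github/workflows/trivy-image-scan.yaml
+++ b/.github/workflows/trivy-image-scan.yaml
@@ -19,7 +19,7 @@ jobs:
 runs-on: ${{ inputs.runsOn }}
 strategy:
 matrix:
-workingdir: [telemetry-aware-scheduling, gpu-aware-scheduling]
+workingdir: [ telemetry-aware-scheduling ]
 name: image-vulnerability-scanners
 steps:
 - name: Checkout project
@@ -29,18 +29,20 @@ jobs:
 - name: install Trivy
 run: curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin ${{ inputs.trivyVersion }}
 - name: trivy base image scan $DIR
+id: base_image_scan
 run: |
 cd ./${{ matrix.workingdir }}
 base_image_suffix=$(grep "GO_VERSION = " Makefile | cut -d " " -f 3)
 base_image="golang:${base_image_suffix}"
 echo "[INFO] base image name is: ${base_image}"
 output=$(trivy image --severity HIGH,CRITICAL ${base_image} --exit-code=2)
-if [ "${output}" -eq 2 ]; then
+if [ "$?" == "2" ]; then
 echo "::warning::severities CRITICAL, HIGH issues spotted by Trivy in ${{ matrix.workingdir }} for base image: ${base_image}"
 exit 1
 else
 echo "trivy image ./ --severity=CRITICAL, HIGH for base image: ${base_image} ran successfully"
 fi
+
 cd ..
 shell: bash
 - name: make image
@@ -49,21 +51,40 @@ jobs:
 make image
 cd ..
 - name: trivy image scan $DIR
+id: main_image_scan
 run: |
 cd ./${{ matrix.workingdir }}
 image_name="tasextender"
-if [ ${{ matrix.workingdir}} -eq "gpu-aware-scheduling" ]; then
+if [ "${{ matrix.workingdir}}" == "gpu-aware-scheduling" ]; then
 image_name="gpu-extender"
 fi
 echo "[INFO]image name is: ${image_name}"
 output=$(trivy image --severity HIGH,CRITICAL ${image_name} --exit-code=2)
-if [ -n "${output}" ]; then
+if [ "$?" == "2" ]; then
 echo "::warning::severities CRITICAL, HIGH issues spotted by Trivy in ${{ matrix.workingdir }} for image: ${image_name}"
 exit 1
 else
 echo "trivy image ./ --severity=CRITICAL, HIGH for image ${image_name} ran successfully"
 fi
-
+
+# output module image name
+echo "MAIN_IMAGE_NAME=$image_name" >> $GITHUB_OUTPUT
+
 cd ..
 shell: bash
+- name: clean-up generated images
+id: clean_up_images
+run: |
+echo "clean-up before finishing..."
+# trivy can run the scan on base images without pulling the images
+# locally in Docker, so no point cleaning the base images
+module_image_name=${{ steps.main_image_scan.outputs.MAIN_IMAGE_NAME }}
+if [ -n "$module_image_name" ]; then
+echo "clean-up module image: $module_image_name"
+docker rmi $(docker image ls --format '{{.Repository}}:{{.Tag}}' | grep "$module_image_name:latest")
+fi
+
+echo "clean-up finished."
+
+shell: bash
 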
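Review bot: The new `if [ "$?" == "2" ]` checks in both scan steps will never observe exit code 2, because these steps declare `shell: bash`, which GitHub documents as running `bash --noprofile --norc -eo pipefail`; under `-e` the step aborts at `output=$(trivy ... --exit-code=2)` before the `::warning::` annotation is emitted, and the captured `$output` (Trivy's findings table) is never echoed, so the job log shows no CVE list at all. Replace the assignment and test in each step with `output=$(trivy image --severity HIGH,CRITICAL "${image_name}" --exit-code=2) && rc=0 || rc=$?`, `echo "${output}"`, `if [ "${rc}" -eq 2 ]; then`, and treat any other non-zero `rc` (e.g. image not found) as a scan error instead of letting it reach the "ran successfully" branch. Separately, the new `clean-up generated images` step has no `if: always()`, so on exactly the run the commit cares about — a scan that finds HIGH/CRITICAL issues and exits 1 — the step is skipped and the image stays on the runner; add `if: always()` to that step. The `grep "$module_image_name:latest"` match is also an unanchored substring match and `docker rmi` fails when the substitution expands to nothing, so `grep -x` with `| xargs -r docker rmi` would be safer.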
