Thanks to visit codestin.com
Credit goes to github.com

Skip to content

chore: disable ironbank image scanning #6104

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 1 commit into from
Feb 8, 2023
Merged

chore: disable ironbank image scanning #6104

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
38 changes: 1 addition & 37 deletions .github/workflows/security.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -115,17 +115,6 @@ jobs:
make -j "$image_job"
echo "image=$(cat "$image_job")" >> $GITHUB_OUTPUT

- name: Build Coder linux amd64 Docker image (ironbank)
id: build-ironbank
run: |
set -euo pipefail
# NOTE: This is not a real image tag we publish.
image_tag="${{ steps.build.outputs.image }}-ironbank"
./scripts/ironbank/build_ironbank.sh \
--target "$image_tag" \
"build/coder_$(./scripts/version.sh)_linux_amd64"
echo "image=$image_tag" >> $GITHUB_OUTPUT

- name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@9ab158e8597f3b310480b9a69402b419bc03dbd5
with:
Expand All @@ -140,34 +129,9 @@ jobs:
sarif_file: trivy-results.sarif
category: "Trivy"

- name: Run Trivy vulnerability scanner (ironbank)
uses: aquasecurity/trivy-action@7b7aa264d83dc58691451798b4d117d53d21edfe
with:
image-ref: ${{ steps.build-ironbank.outputs.image }}
format: sarif
output: trivy-results-ironbank.sarif
severity: "CRITICAL,HIGH"

# Update the tool name field in the ironbank SARIF file so it's not
# indistinguishable from findings in the non-ironbank SARIF file in the
# GitHub UI. Without this, findings from both scans would show up as
# "Trivy".
- name: Update tool name in SARIF file (ironbank)
run: |
set -euo pipefail
yq eval -i '.runs[0].tool.driver.name = "Trivy Ironbank"' trivy-results-ironbank.sarif

- name: Upload Trivy scan results to GitHub Security tab (ironbank)
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: trivy-results-ironbank.sarif
category: "Trivy Ironbank"

- name: Upload Trivy scan results as an artifact
uses: actions/upload-artifact@v2
with:
name: trivy
path: |
trivy-results.sarif
trivy-results-ironbank.sarif
path: trivy-results.sarif
retention-days: 7