-
Notifications
You must be signed in to change notification settings - Fork 1
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Update the python tooling in the ingest container (#403)
We were updating the python tooling (`setuptools` & friends) in the builder layer but forgot to update them in the prod layer. This resulted in a `setuptools` vulnerability blocking CI. This PR: - updates `setuptools` & friends in the correct locations in the docker image - removes the docker build caching in CI as it wasn't doing anything. (I made #404 to address this) - Updates the security scanning step in CI to add more actionable output.
- Loading branch information
Showing
2 changed files
with
28 additions
and
7 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -111,11 +111,6 @@ jobs: | |
| labels: ${{ steps.meta.outputs.labels }} | ||
| platforms: linux/amd64,linux/arm64 | ||
| push: true | ||
| # Use a cache to speed up builds | ||
| # Note: this may cause security issues if the apt updates are cached | ||
| # It may make more sense to build eccodes as its own image instead. | ||
| cache-from: type=registry,ref=ghcr.io/noaa-gsl/vxingest/cache/ingest:buildcache | ||
| cache-to: type=registry,ref=ghcr.io/noaa-gsl/vxingest/cache/ingest:buildcache,mode=max | ||
| build-import: | ||
| name: Build Import image | ||
| runs-on: ubuntu-latest | ||
|
|
@@ -165,6 +160,18 @@ jobs: | |
| - name: Extract SHORT_SHA | ||
| run: echo "SHORT_SHA=${GITHUB_SHA::7}" >> "$GITHUB_ENV" | ||
| - name: Scan image with Trivy | ||
| uses: aquasecurity/[email protected] | ||
| with: | ||
| image-ref: "ghcr.io/noaa-gsl/vxingest/ingest:sha-${{ env.SHORT_SHA }}" | ||
| format: "table" # Generate actionable output | ||
| ignore-unfixed: true | ||
| severity: "CRITICAL,HIGH" | ||
| exit-code: "1" | ||
| env: | ||
| TRIVY_USERNAME: ${{ github.actor }} | ||
| TRIVY_PASSWORD: ${{ secrets.GITHUB_TOKEN }} | ||
| - name: Generate Trivy output formatted for the GitHub Security tab | ||
| if: always() | ||
| uses: aquasecurity/[email protected] | ||
| with: | ||
| image-ref: "ghcr.io/noaa-gsl/vxingest/ingest:sha-${{ env.SHORT_SHA }}" | ||
|
|
@@ -173,7 +180,6 @@ jobs: | |
| ignore-unfixed: true | ||
| severity: "CRITICAL,HIGH" | ||
| limit-severities-for-sarif: true | ||
| exit-code: "1" | ||
| env: | ||
| TRIVY_USERNAME: ${{ github.actor }} | ||
| TRIVY_PASSWORD: ${{ secrets.GITHUB_TOKEN }} | ||
|
|
@@ -190,6 +196,18 @@ jobs: | |
| - name: Extract SHORT_SHA | ||
| run: echo "SHORT_SHA=${GITHUB_SHA::7}" >> "$GITHUB_ENV" | ||
| - name: Scan image with Trivy | ||
| uses: aquasecurity/[email protected] | ||
| with: | ||
| image-ref: "ghcr.io/noaa-gsl/vxingest/import:sha-${{ env.SHORT_SHA }}" | ||
| format: "table" # Generate actionable output | ||
| ignore-unfixed: true | ||
| severity: "CRITICAL,HIGH" | ||
| # exit-code: "1" # FIXME: allow failures for now. Couchbase needs to update cbtools | ||
| env: | ||
| TRIVY_USERNAME: ${{ github.actor }} | ||
| TRIVY_PASSWORD: ${{ secrets.GITHUB_TOKEN }} | ||
| - name: Generate Trivy output formatted for the GitHub Security tab | ||
| if: always() | ||
| uses: aquasecurity/[email protected] | ||
| with: | ||
| image-ref: "ghcr.io/noaa-gsl/vxingest/import:sha-${{ env.SHORT_SHA }}" | ||
|
|
@@ -198,7 +216,6 @@ jobs: | |
| ignore-unfixed: true | ||
| severity: "CRITICAL,HIGH" | ||
| limit-severities-for-sarif: true | ||
| # exit-code: "1" # FIXME: allow failures for now. Couchbase needs to update cbtools | ||
| env: | ||
| TRIVY_USERNAME: ${{ github.actor }} | ||
| TRIVY_PASSWORD: ${{ secrets.GITHUB_TOKEN }} | ||
|
|
||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters