Merge pull request #1851 from cybozu/disable-trivy

Disable Trivy

Author: yokaze

.circleci/config.yml

@@ -121,34 +121,38 @@ jobs:
             - run:
                 name: Install Trivy
                 command: |
-                  curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin
-            - run:
-                name: Scan images
-                command: |
-                  if [ "${CIRCLE_BRANCH}" != "main" ]; then
-                      exit 0
-                  fi
-                  if [ ! -f BUILDS ]; then
-                      echo "no need to scan << parameters.container-image >>."
-                      exit 0
-                  fi
+                  echo 'Trivy is disabled.'
+            # - run:
+            #     name: Install Trivy
+            #     command: |
+            #       curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin
+            # - run:
+            #     name: Scan images
+            #     command: |
+            #       if [ "${CIRCLE_BRANCH}" != "main" ]; then
+            #           exit 0
+            #       fi
+            #       if [ ! -f BUILDS ]; then
+            #           echo "no need to scan << parameters.container-image >>."
+            #           exit 0
+            #       fi
 
-                  dir=<< parameters.dir >>
-                  if [ "$dir" = "" ]; then dir=<< parameters.container-image >> ; fi
-                  targets="<< parameters.targets >>"
-                  if [ "$targets" = "" ]; then
-                      images=<< parameters.container-image >>
-                  else
-                      images=
-                      for target in $targets; do
-                          images="$images << parameters.container-image >>-$target"
-                      done
-                  fi
-                  TAG=$(cat $dir/TAG)
-                  for image in $images; do
-                      echo "scanning $image:$TAG ..."
-                      YAMORY_IMAGE_IDENTIFIER="quay.io/cybozu/$image" YAMORY_IMAGE_NAME="quay.io/cybozu/$image:$TAG" sh -c "$(curl -sSf -L https://mw-receiver.yamory.io/image/script/trivy)"
-                  done
+            #       dir=<< parameters.dir >>
+            #       if [ "$dir" = "" ]; then dir=<< parameters.container-image >> ; fi
+            #       targets="<< parameters.targets >>"
+            #       if [ "$targets" = "" ]; then
+            #           images=<< parameters.container-image >>
+            #       else
+            #           images=
+            #           for target in $targets; do
+            #               images="$images << parameters.container-image >>-$target"
+            #           done
+            #       fi
+            #       TAG=$(cat $dir/TAG)
+            #       for image in $images; do
+            #           echo "scanning $image:$TAG ..."
+            #           YAMORY_IMAGE_IDENTIFIER="quay.io/cybozu/$image" YAMORY_IMAGE_NAME="quay.io/cybozu/$image:$TAG" sh -c "$(curl -sSf -L https://mw-receiver.yamory.io/image/script/trivy)"
+            #       done
 
 workflows:
   main:

.github/actions/build_envoy/action.yaml

@@ -105,14 +105,14 @@ runs:
         # Input comma-separated tags: <tag>,<branch1>,<branch2>,...
         tags: ${{ steps.prepare.outputs.tag }}${{ steps.prepare.outputs.branch && format(',{0}', steps.prepare.outputs.branch) }}
         load: true
-    - name: Scan images
-      if: ${{ steps.prepare.outputs.scan }}
-      uses: ./.github/actions/trivy_scan
-      with:
-        dir: ${{ inputs.dir }}
-        container-image: ${{ inputs.container-image }}
-        tag: ${{ steps.prepare.outputs.tag }}
-        yamory_token: ${{ inputs.yamory_token }}
+    # - name: Scan images
+    #   if: ${{ steps.prepare.outputs.scan }}
+    #   uses: ./.github/actions/trivy_scan
+    #   with:
+    #     dir: ${{ inputs.dir }}
+    #     container-image: ${{ inputs.container-image }}
+    #     tag: ${{ steps.prepare.outputs.tag }}
+    #     yamory_token: ${{ inputs.yamory_token }}
     - name: Test image
       if: ${{ steps.prepare.outputs.build }}
       shell: bash

.github/actions/build_push/action.yaml

@@ -97,11 +97,11 @@ runs:
         # Input comma-separated tags: <tag>,<branch1>,<branch2>,...
         tags: ${{ steps.prepare.outputs.tag }}${{ steps.prepare.outputs.branch && format(',{0}', steps.prepare.outputs.branch) }}
         target: ${{ inputs.target }}
-    - name: Scan images
-      if: ${{ steps.prepare.outputs.scan }}
-      uses: ./.github/actions/trivy_scan
-      with:
-        dir: ${{ inputs.dir }}
-        container-image: ${{ inputs.container-image }}
-        tag: ${{ steps.prepare.outputs.tag }}
-        yamory_token: ${{ inputs.yamory_token }}
+    # - name: Scan images
+    #   if: ${{ steps.prepare.outputs.scan }}
+    #   uses: ./.github/actions/trivy_scan
+    #   with:
+    #     dir: ${{ inputs.dir }}
+    #     container-image: ${{ inputs.container-image }}
+    #     tag: ${{ steps.prepare.outputs.tag }}
+    #     yamory_token: ${{ inputs.yamory_token }}

.github/actions/trivy_scan/action.yaml

@@ -12,29 +12,32 @@ inputs:
   tag:
     description: "container tag"
     required: true
-  yamory_token:
-    description: "Yamory Access Token"
-    required: true
+  # yamory_token:
+  #   description: "Yamory Access Token"
+  #   required: true
 
 runs:
   using: "composite"
   steps:
-    - name: Install Trivy
-      shell: bash
-      run: |
-        curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin
-    - name: Scan images
+    - name: Skip
       shell: bash
-      env:
-        YAMORY_ACCESS_TOKEN: ${{ inputs.yamory_token }}
-      run: |
-        echo
-        echo "scanning ${{ inputs.tag }} ..."
-        if [[ "${{ inputs.tag }}" == "ghcr.io/cybozu/golang:"* ]]; then
-          dir=${{ inputs.dir }}
-          BRANCH=$(cat $dir/BRANCH)
-          image=${{ inputs.container-image }}:$BRANCH
-        else
-          image=${{ inputs.container-image }}
-        fi
-        YAMORY_IMAGE_IDENTIFIER="ghcr.io/cybozu/$image" YAMORY_IMAGE_NAME="${{ inputs.tag }}" bash -c "$(curl -sSf -L https://mw-receiver.yamory.io/image/script/trivy)"
+      run: echo 'Trivy is disabled.'
+    # - name: Install Trivy
+    #   shell: bash
+    #   run: |
+    #     curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin
+    # - name: Scan images
+    #   shell: bash
+    #   env:
+    #     YAMORY_ACCESS_TOKEN: ${{ inputs.yamory_token }}
+    #   run: |
+    #     echo
+    #     echo "scanning ${{ inputs.tag }} ..."
+    #     if [[ "${{ inputs.tag }}" == "ghcr.io/cybozu/golang:"* ]]; then
+    #       dir=${{ inputs.dir }}
+    #       BRANCH=$(cat $dir/BRANCH)
+    #       image=${{ inputs.container-image }}:$BRANCH
+    #     else
+    #       image=${{ inputs.container-image }}
+    #     fi
+    #     YAMORY_IMAGE_IDENTIFIER="ghcr.io/cybozu/$image" YAMORY_IMAGE_NAME="${{ inputs.tag }}" bash -c "$(curl -sSf -L https://mw-receiver.yamory.io/image/script/trivy)"