Fix TOOMANYREQUESTS failure in Trivy Action

Signed-off-by: tao.yang <[email protected]>
ty-dc · Nov 15, 2024 · ef62780 · ef62780
1 parent cdc0e82
commit ef62780
Show file tree

Hide file tree

Showing 4 changed files with 30 additions and 17 deletions.
diff --git a/.github/workflows/build-image-ci.yaml b/.github/workflows/build-image-ci.yaml
@@ -182,7 +182,7 @@ jobs:
           # docker cache after the workflow "Image CI Cache Cleaner" was terminated.
           push: ${{ env.push }}
           platforms: linux/amd64
-          outputs: type=tar,dest=/tmp/${{ matrix.name }}-race.tar
+          outputs: type=docker,dest=/tmp/${{ matrix.name }}-race.tar
           github-token: ${{ secrets.WELAN_PAT }}
           tags: |
             ${{ env.ONLINE_REGISTER }}/${{ github.repository }}/${{ matrix.name }}-ci:${{ env.tag }}-race
@@ -231,7 +231,7 @@ jobs:
           push: ${{ env.push }}
           platforms: linux/amd64
           github-token: ${{ secrets.WELAN_PAT }}
-          outputs: type=tar,dest=/tmp/${{ matrix.name }}-race.tar
+          outputs: type=docker,dest=/tmp/${{ matrix.name }}-race.tar
           tags: |
             ${{ env.ONLINE_REGISTER }}/${{ github.repository }}/${{ matrix.name }}-ci:${{ env.tag }}-race
           build-args: |

diff --git a/.github/workflows/e2e-init.yaml b/.github/workflows/e2e-init.yaml
@@ -122,8 +122,12 @@ jobs:
           for ITEM in $TAR_FILES ; do
               IMAGE_NAME=${ITEM%*.tar}
               echo ${IMAGE_NAME}
-              cat test/.download/${ITEM} | docker import - ${IMAGE_NAME}:${{ inputs.image_tag }}
+              docker load -i test/.download/${ITEM}
+              ITEM_IMAGE_ID=$(docker images | grep ${IMAGE_NAME} | grep ${{ inputs.image_tag }} | awk '{print $3}')
+              docker tag ${ITEM_IMAGE_ID} ${IMAGE_NAME}:${{ inputs.image_tag }}
           done
+          echo "list docker images"
+          docker images
 
       # test against commit version
       # https://github.com/kubernetes-sigs/kind/issues/2863
@@ -164,7 +168,7 @@ jobs:
             else
               echo "RUN_SETUP_KIND_CLUSTER_PASS=false" >> $GITHUB_ENV
             fi
-            if [ -f "test/e2edebugLog" ] ; then
+            if [ -f "test/e2edebugLog.txt" ] ; then
               echo "UPLOAD_SETUP_KIND_CLUSTER_LOG=true" >> $GITHUB_ENV
             else
               echo "UPLOAD_SETUP_KIND_CLUSTER_LOG=false" >> $GITHUB_ENV

diff --git a/.github/workflows/trivy-scan-image.yaml b/.github/workflows/trivy-scan-image.yaml
@@ -35,24 +35,34 @@ jobs:
           name: image-tar-spiderpool-controller
           path: test/.download
 
-      - name: Load And Scan Images
+      - name: Load Images and Save to docker
         run: |
           TAR_FILES=` ls test/.download `
           echo $TAR_FILES
           for ITEM in $TAR_FILES ; do
               IMAGE_NAME=${ITEM%*.tar}
               echo ${IMAGE_NAME}
               cat test/.download/${ITEM} | docker import - ${IMAGE_NAME}:${{ inputs.image_tag }}
-              echo "---------trivy checkout image ${IMAGE_NAME}:${{ inputs.image_tag }} --------------------"
-              make lint_image_trivy -e IMAGE_NAME=${IMAGE_NAME}:${{ inputs.image_tag }}  \
-                  || { echo "RUN_IMAGE_TRIVY_FAIL=true" >> $GITHUB_ENV ; echo "error, image ${IMAGE_NAME}:${{ inputs.image_tag }} is bad" ; }
+              docker save -o test/.download/${IMAGE_NAME}-trivy.tar ${IMAGE_NAME}:${{ inputs.image_tag }}
           done
+          docker images
+      
+      - name: List downloaded files
+        run: ls -al test/.download
 
-      - name: Show Trivy Scan Report
-        run: |
-          if [ "${{ env.RUN_IMAGE_TRIVY_FAIL }}" == "true" ] ; then
-              echo "error, image is not secure, see detail on Step 'Load And Scan Images' "
-              exit 1
-          else
-              exit 0
-          fi
+      # https://github.com/aquasecurity/trivy-action/issues/389
+      - name: load and scan spiderpool-agent image
+        uses: aquasecurity/[email protected]
+        env:
+          TRIVY_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-db,ghcr.io/aquasecurity/trivy-db
+        with:
+          input: test/.download/spiderpool-agent-trivy.tar
+          severity: 'CRITICAL,HIGH'
+
+      - name: load and scan spiderpool-controller image
+        uses: aquasecurity/[email protected]
+        env:
+          TRIVY_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-db,ghcr.io/aquasecurity/trivy-db
+        with:
+          input: test/.download/spiderpool-controller-trivy.tar
+          severity: 'CRITICAL,HIGH'
diff --git a/Makefile b/Makefile
@@ -501,4 +501,3 @@ lint_chart_trivy:
 .PHONY: build-chart
 build-chart:
 	@ cd charts ; make
-
Original file line number	Diff line number	Diff line change
Expand Up		@@ -501,4 +501,3 @@ lint_chart_trivy:
		.PHONY: build-chart
		build-chart:
		@ cd charts ; make