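--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -104,25 +104,6 @@ jobs:
 - name: ci/build-docker
 run: make build-image
 
-- name: ci/scan-docker-security
-uses: aquasecurity/trivy-action@97e0b3872f55f89b95b2f65b3dbab56962816478 # v0.34.2
-continue-on-error: true
-with:
-image-ref: "mattermost/mattermost-operator:test"
-format: "sarif"
-limit-severities-for-sarif: true # https://github.com/aquasecurity/trivy-action/blob/0.9.1/entrypoint.sh#L172
-output: "trivy-results.sarif"
-exit-code: "0"
-ignore-unfixed: true
-vuln-type: "os,library"
-severity: "CRITICAL,HIGH"
-
-- name: ci/create-trivy-results-report
-# if: failure()
-uses: github/codeql-action/upload-sarif@64d10c13136e1c5bce3e5fbde8d4906eeaafc885 # v3.29.5
-with:
-sarif_file: "trivy-results.sarif"
-
 - name: ci/setup-buildx
 uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1
 with:
@@ -170,26 +151,6 @@ jobs:
 if: ${{ env.ENABLE_FIPS_BUILDS == 'true' }}
 run: make build-image-fips
 
-- name: ci/scan-docker-security-fips
-if: ${{ env.ENABLE_FIPS_BUILDS == 'true' }}
-uses: aquasecurity/trivy-action@97e0b3872f55f89b95b2f65b3dbab56962816478 # v0.34.2
-continue-on-error: true
-with:
-image-ref: "mattermost/mattermost-operator-fips:test"
-format: "sarif"
-limit-severities-for-sarif: true
-output: "trivy-results-fips.sarif"
-exit-code: "0"
-ignore-unfixed: true
-vuln-type: "os,library"
-severity: "CRITICAL,HIGH"
-
-- name: ci/create-trivy-results-report-fips
-if: ${{ env.ENABLE_FIPS_BUILDS == 'true' }}
-uses: github/codeql-action/upload-sarif@64d10c13136e1c5bce3e5fbde8d4906eeaafc885 # v3.29.5
-with:
-sarif_file: "trivy-results-fips.sarif"
-
 - name: ci/setup-buildx
 if: ${{ env.ENABLE_FIPS_BUILDS == 'true' }}
 uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1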
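--- a/Makefile
+++ b/Makefile
@@ -44,10 +44,6 @@ TARGET_ARCH ?= amd64
 BUNDLE_IMG ?= controller-bundle:$(VERSION) # Default bundle image tag
 CRD_OPTIONS ?= "crd" # Image URL to use all building/pushing image targets
 
-TRIVY_SEVERITY := CRITICAL
-TRIVY_EXIT_CODE := 1
-TRIVY_VULN_TYPE := os,library
-
 ################################################################################
 
 # Options for 'bundle-build'
@@ -301,11 +297,6 @@ bundle: operator-sdk manifests ## Generate bundle manifests and metadata, then v
 bundle-build: ## Build the bundle image.
 docker build -f bundle.Dockerfile -t $(BUNDLE_IMG) .
 
-## Checks for vulnerabilities
-trivy: build-image
-@echo running trivy
-@trivy image --format table --exit-code $(TRIVY_EXIT_CODE) --ignore-unfixed --vuln-type $(TRIVY_VULN_TYPE) --severity $(TRIVY_SEVERITY) $(OPERATOR_IMAGE)
-
 ## --------------------------------------
 ## Tooling Binaries
 ## --------------------------------------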