refactor: one trivy report per container image #4596
Conversation
Pull Request Test Coverage Report for Build 10114792544Details
💛 - Coveralls |
| done | ||
|
|
||
| rm ./trivy | ||
| rm ./trivy |
There was a problem hiding this comment.
do we really need to delete trivy is the 1es agent will be destroyed ?
Are we reusing the same ADO agent between VHD build ? could we avoid redownloading it for every build in case we are reusing the same agent ?
There was a problem hiding this comment.
Wouldn't this be better for version update flow?
There was a problem hiding this comment.
Unless ado agent pickup's deterministic, I think cleaning up the binary may be a good idea.
| --container-name ${SIG_CONTAINER_NAME} \ | ||
| --name ${TRIVY_REPORT_NAME} \ | ||
| --name ${TRIVY_REPORT_ROOTFS_NAME} \ |
There was a problem hiding this comment.
can we avoid the extra var and align the setting to be in place like you did for the blob upload below ?
--name ${IMAGE_REPORT}-${BUILD_ID}-${TIMESTAMP}.json
vhdbuilder/packer/vhd-scanning.sh
Outdated
| @@ -93,6 +93,8 @@ az vm run-command invoke \ | |||
| TIMESTAMP=$(date +%s%3N) | |||
| TRIVY_REPORT_NAME="trivy-report-${BUILD_ID}-${TIMESTAMP}.json" | |||
| TRIVY_TABLE_NAME="trivy-table-${BUILD_ID}-${TIMESTAMP}.txt" | |||
| #"TRIVY_REPORT_NAME=${TRIVY_REPORT_NAME}" \ | |||
jason1028kr
force-pushed
the
jasonjung/trivy-scan-edits
branch
from
731a8f7
to
b7f8aab
Compare
jason1028kr
force-pushed
the
jasonjung/trivy-scan-edits
branch
from
b7f8aab
to
4b31086
Compare
| "SIG_CONTAINER_NAME"=${SIG_CONTAINER_NAME} \ | ||
| "STORAGE_ACCOUNT_NAME"=${STORAGE_ACCOUNT_NAME} \ | ||
| "ENABLE_TRUSTED_LAUNCH"=${ENABLE_TRUSTED_LAUNCH} | ||
|
|
||
|
|
||
| az storage blob download-batch -d . --pattern "trivy-report-image-*-${BUILD_ID}-${TIMESTAMP}.json" -s ${SIG_CONTAINER_NAME} --account-name ${STORAGE_ACCOUNT_NAME} --auth-mode login |
There was a problem hiding this comment.
need to check batch works as expected
jason1028kr
requested review from
juan-lee,
cameronmeissner,
UtheMan,
ganeshkumarashok,
anujmaheshwari1,
AlisonB319,
Devinwong,
lilypan26,
ShiqianTao,
AbelHu and
junjiezhang1997
as code owners
jason1028kr
force-pushed
the
jasonjung/trivy-scan-edits
branch
from
4b31086
to
7788739
Compare
jason1028kr
force-pushed
the
jasonjung/trivy-scan-edits
branch
from
e446ae9
to
b38ac9c
Compare
jason1028kr
force-pushed
the
jasonjung/trivy-scan-edits
branch
from
bcfe68f
to
b7c3c8c
Compare
jason1028kr
force-pushed
the
jasonjung/trivy-scan-edits
branch
from
c218673
to
c92e4cd
Compare
jason1028kr
force-pushed
the
jasonjung/trivy-scan-edits
branch
from
23fa1a8
to
4f6cfb6
Compare
jason1028kr
force-pushed
the
jasonjung/trivy-scan-edits
branch
from
4f6cfb6
to
37182f8
Compare
jason1028kr
force-pushed
the
jasonjung/trivy-scan-edits
branch
from
37182f8
to
db5d999
Compare
| - task: CopyFiles@2 | ||
| condition: eq(variables['IS_NOT_1804'], 'true') | ||
| inputs: | ||
| SourceFolder: '$(System.DefaultWorkingDirectory)' | ||
| Contents: 'trivy-images-table.txt' |
There was a problem hiding this comment.
Should we remove the table.txt all together? Wondering if it would be useful in the future if someone is manually looking at a run. Or would they just view their test build scans in kusto? This is assuming that the table.txt would have all the information that is in all of the per-container jsons (correct me if that would not be the case)
There was a problem hiding this comment.
I see, we would still have an artifact for each container image scan. It's just that each appended table entry would be separated into individual json format. If you think having one table.txt file would be necessary, I can keep that logic on top of jsons.
What type of PR is this?
/kind refactor
What this PR does / why we need it:
Which issue(s) this PR fixes:
Fixes #
Requirements:
Special notes for your reviewer:
Release note: