From fc286398f017af5ea6497560162480ba3151a2d2 Mon Sep 17 00:00:00 2001
From: Casey Waldren
Date: Thu, 14 Mar 2024 11:22:44 -0700
Subject: [PATCH] ci: use explicit relay version tag in Trivy Scan step (#343)

It appears that our Trivy step that runs on each PR was scanning the public image, rather than the locally built image related to the PR.
---
 .github/workflows/ci.yml | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 13d78de1..5c4a1254 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -59,9 +59,16 @@ jobs:
 platforms: linux/amd64,linux/arm64/v8,linux/arm/v7,linux/386
 - name: Build Docker Images
 run: make products-for-release
+ - name: Get current Relay version
+ id: image-tag
+ run:
+ echo "value=$(jq -r '.version' < dist/metadata.json)" >> $GITHUB_OUTPUT
 - uses: aquasecurity/trivy-action@master
 with:
- image-ref: launchdarkly/ld-relay:latest
+ # Using an explicit tag rather than ld-relay:latest to ensure we're scanning the local image that we just built.
+ # It's not clear why, but it seems goreleaser doesn't create the :latest tag when skipping the publish step
+ # as we do for CI, so the scan will end up checking the public image instead of the one we just built.
+ image-ref: launchdarkly/ld-relay:${{ steps.image-tag.outputs.value }}-amd64
 format: 'table'
 exit-code: '1'
 ignore-unfixed: true
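Review bot: The new "Get current Relay version" step does not validate what it writes to `$GITHUB_OUTPUT`: if `dist/metadata.json` is absent or has no `version` key, `jq -r` prints an empty string or `null` with exit status 0, and the failure only surfaces later as an opaque Trivy image-not-found error for `launchdarkly/ld-relay:-amd64` or `:null-amd64` instead of at the step that produced the bad value. Since the whole point of the change is to be sure the scan runs against the locally built image, the lookup should fail closed, which is a small change: `run: |`, `tag="$(jq -er '.version' < dist/metadata.json)"`, `echo "value=${tag}" >> "$GITHUB_OUTPUT"` — `jq -e` exits non-zero on a null/false result, `$GITHUB_OUTPUT` is quoted, and the `|` block scalar replaces the bare multi-line plain scalar the hunk currently uses under `run:`. A comment noting that the hard-coded `-amd64` suffix means only one of the platforms listed in the context line is scanned would also help the next reader. The `jobs:` mapping enclosing these steps starts and ends outside the hunk.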