diff --git a/.woodpecker/build-container.yml b/.woodpecker/build-container.yml
index 41dd9ea..eb43f5c 100644
--- a/.woodpecker/build-container.yml
+++ b/.woodpecker/build-container.yml
@@ -24,7 +24,6 @@ steps:
       TRIVY_NO_PROGRESS: "true"
       TRIVY_SEVERITY: HIGH,CRITICAL
       TRIVY_TIMEOUT: 1m
-      TRIVY_SKIP_FILES: /usr/local/bin/gomplate,/usr/local/bin/helm,/usr/local/bin/polaris,/usr/local/bin/yq
 
   publish-dockerhub:
     group: container
diff --git a/Containerfile.multiarch b/Containerfile.multiarch
index c8d632f..f2589ba 100644
--- a/Containerfile.multiarch
+++ b/Containerfile.multiarch
@@ -59,7 +59,8 @@ RUN apk --update add curl tar bash python3 pipx findutils git && \
     chmod 755 /usr/local/bin/kustomize && \
     chmod 755 /usr/local/bin/kubeconform && \
     rm -rf /var/cache/apk/* && \
-    rm -rf /tmp/*
+    rm -rf /tmp/* && \
+    rm -rf /root/.cache/
 
 ADD overlay/ /
 
diff --git a/trivy-secret.yaml b/trivy-secret.yaml
new file mode 100644
index 0000000..3287627
--- /dev/null
+++ b/trivy-secret.yaml
@@ -0,0 +1,4 @@
+---
+allow-rules:
+  - id: aws-secret-access-key
+    path: .*/flux-local/.*/site-packages/GitPython-.*\.dist-info/METADATA
diff --git a/trivy.yaml b/trivy.yaml
new file mode 100644
index 0000000..46bfe8e
--- /dev/null
+++ b/trivy.yaml
@@ -0,0 +1,7 @@
+---
+scan:
+  skip-files:
+    - /usr/local/bin/gomplate
+    - /usr/local/bin/helm
+    - /usr/local/bin/polaris
+    - /usr/local/bin/yq
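Review bot: The added `rm -rf /root/.cache/` only removes the cache if pip/pipx ran as root with the default cache location inside this same RUN step; a different HOME, PIPX_HOME or PIP_CACHE_DIR would leave it elsewhere, and a cache written by an earlier layer would still be carried in the image even after this deletion. Setting `ENV PIP_NO_CACHE_DIR=1` before the RUN (the pip that pipx drives inherits it) avoids writing the cache in the first place, which is more robust than cleaning up afterwards; the rm can stay as a belt-and-braces step. The RUN command begins at the hunk header and its install commands are outside the hunk, so I cannot see which install produces the cache — a one-line comment such as `# drop the pip/pipx download cache so it is not shipped in the image` above the new line would record the intent, assuming that is the motivation.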
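Review bot: The `id` of an entry under `allow-rules` names the allow rule itself rather than the built-in detector it applies to, so unless I misread Trivy's secret configuration this entry suppresses every secret finding in the matched METADATA path, not only the aws-secret-access-key one, and the chosen name suggests a narrower scope than it has. Adding a `regex:` holding the specific string the detector matched in that file would limit the allowance to the known false positive, and a `description:` such as `description: <why this packaged file trips the detector>` keeps the suppression reviewable. The `path` pattern is also coupled to the `flux-local` venv location and the `GitPython-.*\.dist-info` layout, so it will silently stop matching if either moves; the description should say that so a reappearing finding is understood rather than re-allowed more broadly.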
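Review bot: `scan.skip-files` excludes these four binaries from every analyzer, so Trivy will also stop reporting known vulnerabilities in the Go modules compiled into helm, polaris, yq and gomplate, which is a larger exclusion than the HIGH,CRITICAL severity filter in the CI step implies; if the list (carried over from the removed TRIVY_SKIP_FILES variable) only exists to silence secret false positives or to keep the scan under TRIVY_TIMEOUT, a path-scoped entry under `allow-rules` in trivy-secret.yaml would keep vulnerability detection for them. Each entry deserves a comment stating why it is skipped, e.g. `# skipped: <reason> — note this also disables vuln detection for this binary`. Trivy reads trivy.yaml from the working directory (or the path given to --config), and the scan step in .woodpecker/build-container.yml is outside the hunk, so please confirm the step runs with the repository root as its working directory or the file will be ignored and the binaries scanned in full.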