diff --git a/.woodpecker/build-container.yml b/.woodpecker/build-container.yml
index 2ce38f1..eb43f5c 100644
--- a/.woodpecker/build-container.yml
+++ b/.woodpecker/build-container.yml
@@ -24,9 +24,6 @@ steps:
 TRIVY_NO_PROGRESS: "true"
 TRIVY_SEVERITY: HIGH,CRITICAL
 TRIVY_TIMEOUT: 1m
- TRIVY_SKIP_FILES: >-
- /usr/local/bin/gomplate,
- /opt/pipx/venvs/ansible/lib/**/site-packages/ansible_collections/**/modules/*.py
 publish-dockerhub:
 group: container
diff --git a/Containerfile.multiarch b/Containerfile.multiarch
index d38d751..20f6b62 100644
--- a/Containerfile.multiarch
+++ b/Containerfile.multiarch
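Review bot: With `TRIVY_SKIP_FILES` removed, the trivy step now depends on Trivy discovering `trivy.yaml` and `trivy-secret.yaml` at their default paths in the working directory; nothing in this hunk passes `--config`/`--secret-config`, so if the scan is invoked from another directory the skip list and allow-rules are silently ignored while the step still runs. The step's command line is outside this hunk, so I can't tell whether it already names the files; if it doesn't, consider passing `--config trivy.yaml --secret-config trivy-secret.yaml` (or the equivalent `TRIVY_*` environment variables next to the remaining ones here) so the configuration is explicit and a missing file fails loudly.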
@@ -19,31 +19,19 @@ ENV PY_COLORS=1
 ENV CARGO_NET_GIT_FETCH_WITH_CLI=true
 ENV ANSIBLE_FORCE_COLOR=true
 ENV USER=root
-ENV PATH=/bin:/usr/local/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin
-ENV PIPX_HOME=/opt/pipx
-ENV PIPX_BIN_DIR=/usr/local/bin
 COPY overlay/ /
 RUN apk add --update --no-cache --virtual .build-deps build-base libffi-dev musl-dev openssl-dev python3-dev cargo && \
- apk add --update --no-cache git openssh-client python3 pipx && \
+ apk add --update --no-cache git openssh-client && \
+ echo "Installing requirements ..." && \
+ pip install -qq --no-cache-dir --upgrade pip && \
+ pip install -qq --no-cache-dir boto boto3 botocore apache-libcloud hcloud \
+ flaky passlib pytest pytest-testinfra && \
 echo "Installing ansible 'v$ANSIBLE_VERSION' ..." && \
- pipx install --include-deps ansible=="$ANSIBLE_VERSION" && \
- echo "Installing molecule version '$MOLECULE_VERSION' ..." && \
- pipx inject --include-apps ansible molecule && \
- pipx inject --include-apps ansible pytest && \
- pipx inject ansible pytest-testinfra && \
- pipx inject ansible molecule-plugins[docker] && \
- pipx inject ansible molecule_hetznercloud && \
- pipx inject ansible boto && \
- pipx inject ansible boto3 && \
- pipx inject ansible botocore && \
- pipx inject ansible hcloud && \
- pipx inject ansible apache-libcloud && \
- pipx inject ansible pycrypto && \
- pipx inject ansible flaky && \
- pipx inject ansible passlib && \
- $PIPX_HOME/shared/bin/pip install -U pip setuptools && \
+ pip install -qq --no-cache-dir ansible=="$ANSIBLE_VERSION" && \
+ echo "Installing molecule version 'v$MOLECULE_VERSION' ..." && \
+ pip install -qq --no-cache-dir molecule=="$MOLECULE_VERSION" molecule-plugins[docker] molecule_hetznercloud; \
 apk del .build-deps && \
 rm -rf /var/cache/apk/* && \
 rm -rf /tmp/* && \
diff --git a/trivy-secret.yaml b/trivy-secret.yaml
new file mode 100644
index 0000000..abca175
--- /dev/null
+++ b/trivy-secret.yaml
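Review bot: The new molecule install line ends with `; \` instead of `&& \`, so a failing `pip install ... molecule==...` no longer fails the RUN — the chain continues into `apk del .build-deps` and the image builds successfully with molecule missing or half-installed. It should read `pip install -qq --no-cache-dir molecule=="$MOLECULE_VERSION" molecule-plugins[docker] molecule_hetznercloud && \`. Separately, the added apk line drops `python3 pipx`, so `pip` must now be provided by the base image (presumably it is, but the FROM line is outside this hunk), and every package other than ansible and molecule is installed unpinned, which makes the image contents drift between builds; a pinned requirements file (ideally installed with `--require-hashes`) would make that supply chain reproducible and reviewable. The RUN instruction continues past the end of the hunk.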
@@ -0,0 +1,6 @@
+---
+allow-rules:
+ - id: private-key
+ path: .*/ansible/.*/site-packages/ansible_collections/(community|google|netapp)/.*\.py
+ - id: aws-secret-access-key
+ path: .*/ansible/.*/site-packages/ansible_collections/amazon/.*\.py
diff --git a/trivy.yaml b/trivy.yaml
new file mode 100644
index 0000000..e74b43b
--- /dev/null
+++ b/trivy.yaml
@@ -0,0 +1,4 @@
+---
+scan:
+ skip-files:
+ - /usr/local/bin/gomplate
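Review bot: Both `path` patterns require an `/ansible/` directory component before `site-packages`, which fits the old pipx venv layout (`/opt/pipx/venvs/ansible/lib/...`) that this same commit removes from Containerfile.multiarch; with plain `pip install` the collections most likely land under `/usr/lib/python3.*/site-packages/ansible_collections/...`, where neither allow-rule matches and the private-key and AWS-key findings come back. Anchor the rules on the stable part of the path instead, e.g. `path: .*/site-packages/ansible_collections/(community|google|netapp)/.*\.py` and `path: .*/site-packages/ansible_collections/amazon/.*\.py`, and confirm against a scan of the rebuilt image. A `description` on each rule stating why findings in these paths are accepted would also keep a future reader from widening or deleting the allow-list without context.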