From b51a8c7106447687df61b0eb8c78dfc62c6ac12a Mon Sep 17 00:00:00 2001
From: Maxim Konovalenko
Date: Fri, 23 Jan 2026 11:44:11 +0300
Subject: [PATCH 1/3] Fix trivy table log output
Signed-off-by: Maxim Konovalenko
---
 .docs/cve_scan.md | 1 +
 cve_scan/action.yml | 20 ++++++++++++++------
 2 files changed, 15 insertions(+), 6 deletions(-)
diff --git a/.docs/cve_scan.md b/.docs/cve_scan.md
index e7bafd5..2ed91d5 100644
--- a/.docs/cve_scan.md
+++ b/.docs/cve_scan.md
@@ -21,6 +21,7 @@ release_branch - Optional. Set minor version of release you want to scan. e.g.:
 scan_several_lastest_releases - Optional. Whether to scan last several releases or not. true/false. For scheduled pipelines it is always true. Default is: false.
 latest_releases_amount - Optional. Number of latest releases to scan. Default is: 3
 severity - Optional. Vulnerabilities severity to scan. Default is: UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL
+TRIVY_REPORTS_LOG_OUTPUT - 0 - no output, 1 - only CVE, 2 - CVE & License. Output Trivy reports into CI job log, default - 2
 ```
 ### Job level
diff --git a/cve_scan/action.yml b/cve_scan/action.yml
index 934f0b7..5e0e91c 100644
--- a/cve_scan/action.yml
+++ b/cve_scan/action.yml
@@ -52,6 +52,9 @@ inputs:
 module_dev_registry_custom_path:
 description: 'Module custom path in dev registry. Example: flant/modules'
 required: false
+ trivy_reports_log_output:
+ description: '0 - no output, 1 - only CVE, 2 - CVE & License. Output Trivy reports into CI job log, default - 2'
+ required: false
 runs:
 using: "composite"
@@ -76,6 +79,7 @@ runs:
 SEVERITY: "${{inputs.severity || 'UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL'}}"
 MODULE_PROD_REGISTRY_PATH: "${{inputs.module_prod_registry_custom_path || 'deckhouse/fe/modules'}}"
 MODULE_DEV_REGISTRY_PATH: "${{inputs.module_dev_registry_custom_path || 'sys/deckhouse-oss/modules'}}"
+ TRIVY_REPORTS_LOG_OUTPUT: "${{inputs.trivy_reports_log_output || '2'}}"
 run: |
 echo "Creating workdir"
 workdir="trivy_scan"
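Review bot: The new `trivy_reports_log_output` input in the `@@ -52` hunk declares no `default:`, so the fallback to 2 lives only in the env mapping of the `@@ -76` hunk (`|| '2'`) and the description is the only place a reader learns it; declaring `default: '2'` on the input keeps the contract in one place and lets the env line become plain `TRIVY_REPORTS_LOG_OUTPUT: "${{ inputs.trivy_reports_log_output }}"`. It is also worth confirming on this runner that an explicit `0` survives the `||` fallback — if the expression evaluator treats `'0'` as falsy, users cannot switch the log output off at all, and an input-level default sidesteps the question. The description accepts any string while the script later uses the value in integer tests, so stating `one of 0, 1, 2` there would match what the shell actually tolerates.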
@@ -296,22 +300,26 @@ runs:
 IMAGE_HASH="$(jq -rc '.value' <<< "$line")"
 if [ "$additional_image_detected" == true ]; then
- if [ "${TRIVY_REPORTS_LOG_OUTPUT}" != "false" ]; then
+ if [ "${TRIVY_REPORTS_LOG_OUTPUT}" -ne 0 ]; then
 # CVE Scan
 trivy_scan "table" "--scanners vuln" "" "${module_image}:${module_tag}"
- # License scan
- trivy_scan "table" "--scanners license --license-full" "" "${module_image}:${module_tag}"
+ if [ "${TRIVY_REPORTS_LOG_OUTPUT}" -eq 2 ]; then
+ # License scan
+ trivy_scan "table" "--scanners license --license-full" "" "${module_image}:${module_tag}"
+ fi
 fi
 # CVE Scan
 trivy_scan "json" "--scanners vuln" "--output ${module_reports}/ext_${MODULE_NAME}_${IMAGE_NAME}_report.json" "${module_image}:${module_tag}"
 # License scan
 trivy_scan "json" "--scanners license --license-full" "--output ${module_reports}/ext_${MODULE_NAME}_${IMAGE_NAME}_report_license.json" "${module_image}:${module_tag}"
 else
- if [ "${TRIVY_REPORTS_LOG_OUTPUT}" != "false" ]; then
+ if [ "${TRIVY_REPORTS_LOG_OUTPUT}" -ne 0 ]; then
 # CVE Scan
 trivy_scan "table" "--scanners vuln" "" "${module_image}@${IMAGE_HASH}"
- # License scan
- trivy_scan "table" "--scanners license --license-full" "" "${module_image}@${IMAGE_HASH}"
+ if [ "${TRIVY_REPORTS_LOG_OUTPUT}" -eq 2 ]; then
+ # License scan
+ trivy_scan "table" "--scanners license --license-full" "" "${module_image}@${IMAGE_HASH}"
+ fi
 fi
 # CVE Scan
 trivy_scan "json" "--scanners vuln" "--output ${module_reports}/ext_${MODULE_NAME}_${IMAGE_NAME}_report.json" "${module_image}@${IMAGE_HASH}"
From 0b09b54b098ec1ce99a854f72bf6f3151c58986b Mon Sep 17 00:00:00 2001
From: Maxim Konovalenko
Date: Thu, 19 Feb 2026 15:33:48 +0300
Subject: [PATCH 2/3] tmp_remove_lcense_scan
Signed-off-by: Maxim Konovalenko
---
 cve_scan/action.yml | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/cve_scan/action.yml b/cve_scan/action.yml
index 5e0e91c..8ff49c9 100644
--- a/cve_scan/action.yml
+++ b/cve_scan/action.yml
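Review bot: The switch from `!= "false"` to `-ne 0` / `-eq 2` turns the four new guards into integer comparisons on an input that nothing validates: with `false` (the value the old check used to accept) or any typo, `[` prints `integer expression expected` and returns 2, so the table output is silently skipped instead of being reported as a misconfiguration. Validating once where the script first reads the variable, e.g. `case "${TRIVY_REPORTS_LOG_OUTPUT}" in 0|1|2) ;; *) echo "TRIVY_REPORTS_LOG_OUTPUT must be 0, 1 or 2" >&2; exit 1 ;; esac`, keeps the guards simple and surfaces the mistake in the job log. The nested guard block is written out twice, once for `${module_image}:${module_tag}` and once for `${module_image}@${IMAGE_HASH}`; since only the image reference differs, computing the reference first and writing the guards once would halve the surface that the two follow-up patches then have to edit in lockstep. The enclosing loop that reads `$line` starts and ends outside the hunk.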
@@ -305,31 +305,31 @@ runs:
 trivy_scan "table" "--scanners vuln" "" "${module_image}:${module_tag}"
 if [ "${TRIVY_REPORTS_LOG_OUTPUT}" -eq 2 ]; then
 # License scan
- trivy_scan "table" "--scanners license --license-full" "" "${module_image}:${module_tag}"
+ # trivy_scan "table" "--scanners license --license-full" "" "${module_image}:${module_tag}"
 fi
 fi
 # CVE Scan
 trivy_scan "json" "--scanners vuln" "--output ${module_reports}/ext_${MODULE_NAME}_${IMAGE_NAME}_report.json" "${module_image}:${module_tag}"
 # License scan
- trivy_scan "json" "--scanners license --license-full" "--output ${module_reports}/ext_${MODULE_NAME}_${IMAGE_NAME}_report_license.json" "${module_image}:${module_tag}"
+ # trivy_scan "json" "--scanners license --license-full" "--output ${module_reports}/ext_${MODULE_NAME}_${IMAGE_NAME}_report_license.json" "${module_image}:${module_tag}"
 else
 if [ "${TRIVY_REPORTS_LOG_OUTPUT}" -ne 0 ]; then
 # CVE Scan
 trivy_scan "table" "--scanners vuln" "" "${module_image}@${IMAGE_HASH}"
 if [ "${TRIVY_REPORTS_LOG_OUTPUT}" -eq 2 ]; then
 # License scan
- trivy_scan "table" "--scanners license --license-full" "" "${module_image}@${IMAGE_HASH}"
+ # trivy_scan "table" "--scanners license --license-full" "" "${module_image}@${IMAGE_HASH}"
 fi
 fi
 # CVE Scan
 trivy_scan "json" "--scanners vuln" "--output ${module_reports}/ext_${MODULE_NAME}_${IMAGE_NAME}_report.json" "${module_image}@${IMAGE_HASH}"
 # License scan
- trivy_scan "json" "--scanners license --license-full" "--output ${module_reports}/ext_${MODULE_NAME}_${IMAGE_NAME}_report_license.json" "${module_image}@${IMAGE_HASH}"
+ # trivy_scan "json" "--scanners license --license-full" "--output ${module_reports}/ext_${MODULE_NAME}_${IMAGE_NAME}_report_license.json" "${module_image}@${IMAGE_HASH}"
 fi
 echo " Done"
 send_report "CVE" "${module_reports}/ext_${MODULE_NAME}_${IMAGE_NAME}_report.json" "${MODULE_NAME}" "${IMAGE_NAME}"
- send_report "License" "${module_reports}/ext_${MODULE_NAME}_${IMAGE_NAME}_report_license.json" 
"${MODULE_NAME}" "${IMAGE_NAME}" + # send_report "License" "${module_reports}/ext_${MODULE_NAME}_${IMAGE_NAME}_report_license.json" "${MODULE_NAME}" "${IMAGE_NAME}" done < <(jq -rc 'to_entries[]' <<< "${digests}") done rm -r ${workdir} From 2d18ec553d37527640587bfa3aa139ba9e208634 Mon Sep 17 00:00:00 2001 From: Maxim Konovalenko Date: Fri, 20 Feb 2026 11:17:49 +0300 Subject: [PATCH 3/3] fix tmp remove license Signed-off-by: Maxim Konovalenko --- cve_scan/action.yml | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/cve_scan/action.yml b/cve_scan/action.yml index 8ff49c9..ac0a45d 100644 --- a/cve_scan/action.yml +++ b/cve_scan/action.yml @@ -303,10 +303,10 @@ runs: if [ "${TRIVY_REPORTS_LOG_OUTPUT}" -ne 0 ]; then # CVE Scan trivy_scan "table" "--scanners vuln" "" "${module_image}:${module_tag}" - if [ "${TRIVY_REPORTS_LOG_OUTPUT}" -eq 2 ]; then - # License scan - # trivy_scan "table" "--scanners license --license-full" "" "${module_image}:${module_tag}" - fi + # if [ "${TRIVY_REPORTS_LOG_OUTPUT}" -eq 2 ]; then + # # License scan + # trivy_scan "table" "--scanners license --license-full" "" "${module_image}:${module_tag}" + # fi fi # CVE Scan trivy_scan "json" "--scanners vuln" "--output ${module_reports}/ext_${MODULE_NAME}_${IMAGE_NAME}_report.json" "${module_image}:${module_tag}" @@ -316,10 +316,10 @@ runs: if [ "${TRIVY_REPORTS_LOG_OUTPUT}" -ne 0 ]; then # CVE Scan trivy_scan "table" "--scanners vuln" "" "${module_image}@${IMAGE_HASH}" - if [ "${TRIVY_REPORTS_LOG_OUTPUT}" -eq 2 ]; then - # License scan - # trivy_scan "table" "--scanners license --license-full" "" "${module_image}@${IMAGE_HASH}" - fi + # if [ "${TRIVY_REPORTS_LOG_OUTPUT}" -eq 2 ]; then + # # License scan + # trivy_scan "table" "--scanners license --license-full" "" "${module_image}@${IMAGE_HASH}" + # fi fi # CVE Scan trivy_scan "json" "--scanners vuln" "--output ${module_reports}/ext_${MODULE_NAME}_${IMAGE_NAME}_report.json" "${module_image}@${IMAGE_HASH}"