Skip to content

Add volume for trivy #1955

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Aug 24, 2025
Merged

Add volume for trivy #1955

merged 1 commit into from
Aug 24, 2025

Conversation

hasanawad94
Copy link
Contributor

@hasanawad94 hasanawad94 commented Jul 31, 2025
edited
Loading

Breaking the changes of #1885 into smaller prs to make review easier in the effort of better security practices for the containers that are used for the build process.

Changes

Added env variables for trivy to configure writing to volumes instead of the root filesystem.
Added a utility function AppendWriteableVolumes to be used for appending volumes to steps.

Volumes introduced to trivy:

  • volume for trivy cache
  • volume for tmp data

Set env variables:

  • TRIVY_CACHE_DIR
  • TMPDIR

Submitter Checklist

  • Includes tests if functionality changed/was added
  • Includes docs if changes are user-facing
  • Set a kind label on this PR
  • Release notes block has been filled in, or marked NONE

See the contributor guide
for details on coding conventions, github and prow interactions, and the code review process.

Release Notes

Added volumes and config for trivy to enable its cache and tmp data to be on a volume instead of root filesystem.

@pull-request-size pull-request-size bot added the size/S Denotes a PR that changes 10-29 lines, ignoring generated files. label Jul 31, 2025
@openshift-ci openshift-ci bot added the do-not-merge/release-note-label-needed Indicates that a PR should not merge because it's missing one of the release note labels. label Jul 31, 2025
@openshift-ci openshift-ci bot requested review from qu1queee and rxinui July 31, 2025 09:01
@hasanawad94 hasanawad94 changed the title Make image-processing fs readonly Add volume for trivy Jul 31, 2025
@hasanawad94
Copy link
Contributor Author

/release-note

@openshift-ci OpenShift CI
Copy link
Contributor

openshift-ci bot commented Jul 31, 2025

@hasanawad94: the /release-note and /release-note-action-required commands have been deprecated.
Please edit the release-note block in the PR body text to include the release note. If the release note requires additional action include the string action required in the release note. For example:

```release-note
Some release note with action required.
```

In response to this:

/release-note

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@hasanawad94 hasanawad94 marked this pull request as draft July 31, 2025 14:59
@openshift-ci openshift-ci bot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Jul 31, 2025
@pull-request-size pull-request-size bot added size/L Denotes a PR that changes 100-499 lines, ignoring generated files. and removed size/S Denotes a PR that changes 10-29 lines, ignoring generated files. labels Jul 31, 2025
@openshift-ci openshift-ci bot added release-note Label for when a PR has specified a release note and removed do-not-merge/release-note-label-needed Indicates that a PR should not merge because it's missing one of the release note labels. labels Jul 31, 2025
@hasanawad94 hasanawad94 marked this pull request as ready for review July 31, 2025 16:30
@openshift-ci openshift-ci bot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Jul 31, 2025
@openshift-ci openshift-ci bot requested review from apoorvajagtap and dorzel July 31, 2025 16:30
rxinui
rxinui reviewed Aug 17, 2025
View reviewed changes
Copy link

@rxinui rxinui left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

One possible improvement otherwise it lgtm.

@hasanawad94 hasanawad94 requested a review from rxinui August 18, 2025 09:57
@adambkaplan
Copy link
Member

Documenting the "bigger picture" request here: #1969

@hasanawad94
Copy link
Contributor Author

@rxinui , @adambkaplan looks OK and safe to merge ?

@rxinui
Copy link

rxinui commented Aug 21, 2025

/lgtm

@openshift-ci openshift-ci bot added the lgtm Indicates that a PR is ready to be merged. label Aug 21, 2025
@hasanawad94 @SaschaSchwarze0
Add volumes for trivy
201b75a 
Added env variables for trivy to configure writing to volumes instead of the root filesystem.
Added a utility function `AppendWriteableVolumes` to be used for appending volumes to steps.

Volumes introduced to trivy:
- volume for trivy cache
- volume for tmp data

Set env variables:
- TRIVY_CACHE_DIR
- TMPDIR

Signed-off-by: Hasan Awad <[email protected]>
@openshift-ci openshift-ci bot removed the lgtm Indicates that a PR is ready to be merged. label Aug 24, 2025
@SaschaSchwarze0 SaschaSchwarze0 added this to the release-v0.17.0 milestone Aug 24, 2025
SaschaSchwarze0
SaschaSchwarze0 approved these changes Aug 24, 2025
View reviewed changes
Copy link
Member

@SaschaSchwarze0 SaschaSchwarze0 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/approve
/lgtm

@openshift-ci openshift-ci bot added the lgtm Indicates that a PR is ready to be merged. label Aug 24, 2025
@openshift-ci OpenShift CI
Copy link
Contributor

openshift-ci bot commented Aug 24, 2025

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: SaschaSchwarze0

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Aug 24, 2025
@openshift-merge-bot openshift-merge-bot bot merged commit cf757e1 into shipwright-io:main Aug 24, 2025
15 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@SaschaSchwarze0 SaschaSchwarze0 SaschaSchwarze0 approved these changes

@qu1queee qu1queee Awaiting requested review from qu1queee

@apoorvajagtap apoorvajagtap Awaiting requested review from apoorvajagtap

@dorzel dorzel Awaiting requested review from dorzel

@rxinui rxinui Awaiting requested review from rxinui

Assignees

@rxinui rxinui

@SaschaSchwarze0 SaschaSchwarze0

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. lgtm Indicates that a PR is ready to be merged. release-note Label for when a PR has specified a release note size/L Denotes a PR that changes 100-499 lines, ignoring generated files.
Projects
Shipwright Overview
Status: Done
Milestone
release-v0.17.0
Development

Successfully merging this pull request may close these issues.
4 participants
@hasanawad94 @adambkaplan @rxinui @SaschaSchwarze0