59 changes: 57 additions & 2 deletions harbor-scanner-trivy.yaml
@@ -1,7 +1,7 @@
package:
name: harbor-scanner-trivy
version: "0.34.1"
epoch: 1 # CVE-2025-61729
epoch: 2 # CVE-2025-61729
description: Use Trivy as a plug-in vulnerability scanner in the Harbor registry
copyright:
- license: Apache-2.0
Expand Down Expand Up @@ -29,7 +29,62 @@ pipeline:
packages: ./cmd/scanner-trivy
output: scanner-trivy

- uses: strip
# we should be following the version matrix in the official repo:
# https://github.com/goharbor/harbor-scanner-trivy#version-matrix
subpackages:
- name: ${{package.name}}-iamguarded-compat
description: "compat package with iamguarded/harbor-adapter-trivy image"
dependencies:
runtime:
- bash
- coreutils
- findutils
- gawk
- grep
- posix-libc-utils
- procps
- sed
- wolfi-baselayout
pipeline:
- uses: iamguarded/build-compat
with:
package: harbor-adapter-trivy
version: "2.14"
- runs: |
mkdir -p /opt/iamguarded/harbor-adapter-trivy/bin
chmod g+rwX /opt/iamguarded

# Create symlink for scanner-trivy binary
ln -sf /usr/bin/scanner-trivy /opt/iamguarded/harbor-adapter-trivy/bin/scanner-trivy

# Disable some commands used in iamguarded scripts. These commands more likely fail in this since this image take non root approach
sed -i 's/chown -R "$SCANNER_TRIVY_DAEMON_USER" "$dir"/# chown -R "$SCANNER_TRIVY_DAEMON_USER" "$dir"/g' /opt/iamguarded/scripts/harbor-adapter-trivy/postunpack.sh
sed -i 's/ensure_user_exists/# ensure_user_exists/g' /opt/iamguarded/scripts/harbor-adapter-trivy/postunpack.sh
- uses: iamguarded/finalize-compat
with:
package: harbor-adapter-trivy
version: "2.14"
test:
environment:
contents:
packages:
- ${{package.name}}
- wait-for-port
- wget
pipeline:
- uses: iamguarded/test-compat
with:
package: harbor-adapter-trivy
version: "2.14"
- name: Verify iamguarded symlinks work
runs: |
# Test scanner-trivy command through symlink - starts server, verify it listens on 8080
/opt/iamguarded/harbor-adapter-trivy/bin/scanner-trivy &
PID=$!
wait-for-port 8080
# Verify server is listening on port 8080
curl -sfL --retry 3 http://localhost:8080/probe/healthy
kill $PID

test:
pipeline:
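Review bot: The "Verify iamguarded symlinks work" step calls `curl`, but the subpackage's test environment declares only `${{package.name}}`, `wait-for-port` and `wget`. Unless curl arrives transitively, the probe fails for a reason unrelated to the scanner. Either add `- curl` to the test `packages` list or use the tool already declared, e.g. `wget -q -O /dev/null http://localhost:8080/probe/healthy`. Separately, the two `sed -i` edits to `postunpack.sh` exit 0 even when the pattern no longer matches, so an upstream script change would silently bring the `chown -R` and `ensure_user_exists` calls back into an image meant to run as non-root. A follow-up check such as `grep -q '# ensure_user_exists' /opt/iamguarded/scripts/harbor-adapter-trivy/postunpack.sh` after each edit would make the build fail instead.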