ci: remove custom hack, add support for trivyignore

This commit is contained in:
Stefan Reimer 2024-08-30 12:54:21 +00:00
parent ee27ba1774
commit 096e244171
2 changed files with 7 additions and 5 deletions

7
.trivyignore.yaml Normal file

@ -0,0 +1,7 @@
secrets:
- id: gcp-service-account
paths:
- "/venv/lib/python*/site-packages/pulumi_aws/glue/connection.py"
- id: private-key
paths:
- "/venv/lib/python*/site-packages/pulumi_aws/glue/connection.py"
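Review bot: The ignore list covers only `pulumi_aws/glue/connection.py`, while the sed it replaces (removed in the Dockerfile hunk further down) also scrubbed AKIA-style strings from `pulumi_aws/lightsail/bucket_access_key.py`; if trivy reports the example key in that file, the scan would now fail where it previously passed. The two ids listed are `gcp-service-account` and `private-key`, so an AWS access-key finding in either file, which would be a different rule id, is not suppressed either — worth confirming against an actual scan run before relying on this file. Since this quietly disables secret detection for a vendored dependency, a comment explaining why would help the next maintainer decide whether it is still justified, e.g. `# Example credentials embedded in vendored pulumi_aws docstrings, not live secrets; re-check when pulumi_aws is bumped`.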


@ -33,11 +33,6 @@ RUN curl -fsSL https://get.pulumi.com/ | sh -s -- --version $(pip show pulumi --
# minimal pulumi # minimal pulumi
RUN cd /root/.pulumi/bin && rm -f *dotnet *yaml *go *java && strip pulumi* || true RUN cd /root/.pulumi/bin && rm -f *dotnet *yaml *go *java && strip pulumi* || true
# Remove AWS keys from docstring to prevent trivy alerts later
RUN sed -i -e 's/AKIA.*//' \
/venv/lib/python${RUNTIME_VERSION}/site-packages/pulumi_aws/lightsail/bucket_access_key.py \
/venv/lib/python${RUNTIME_VERSION}/site-packages/pulumi_aws/glue/connection.py
# Now build the final runtime, incl. running rootless containers # Now build the final runtime, incl. running rootless containers
FROM python:${RUNTIME_VERSION}-alpine${DISTRO_VERSION} FROM python:${RUNTIME_VERSION}-alpine${DISTRO_VERSION}