ci(quality): use preloaded scanner image

2026-04-21 22:50:32 -03:00 · 2026-04-21 22:50:32 -03:00 · c0e5df30d5
commit c0e5df30d5
parent 79fbf2644b
4 changed files with 12 additions and 7 deletions
--- a/4
+++ b/4
@ -24,7 +24,7 @@ spec:
        - cat
      tty: true
    - name: quality-tools
-      image: registry.bstein.dev/bstein/quality-tools:sonar8.0.1-trivy0.70.0-arm64
+      image: registry.bstein.dev/bstein/quality-tools:sonar8.0.1-trivy0.70.0-db20260422-arm64
      command:
        - cat
      tty: true
@ -140,7 +140,7 @@ PY
            set -euo pipefail
            mkdir -p build
            set +e
-            trivy fs --no-progress --format json --output build/trivy-fs.json --scanners vuln,secret,misconfig --severity HIGH,CRITICAL .
+            trivy fs --cache-dir "${TRIVY_CACHE_DIR}" --skip-db-update --timeout 5m --no-progress --format json --output build/trivy-fs.json --scanners vuln,secret,misconfig --severity HIGH,CRITICAL .
            trivy_rc=$?
            set -e
            if [ ! -s build/trivy-fs.json ]; then
--- a/ci/Jenkinsfile.titan-iac
+++ b/ci/Jenkinsfile.titan-iac
@ -23,7 +23,7 @@ spec:
        - cat
      tty: true
    - name: quality-tools
-      image: registry.bstein.dev/bstein/quality-tools:sonar8.0.1-trivy0.70.0-arm64
+      image: registry.bstein.dev/bstein/quality-tools:sonar8.0.1-trivy0.70.0-db20260422-arm64
      command:
        - cat
      tty: true
@ -139,7 +139,7 @@ PY
            set -euo pipefail
            mkdir -p build
            set +e
-            trivy fs --no-progress --format json --output build/trivy-fs.json --scanners vuln,secret,misconfig --severity HIGH,CRITICAL .
+            trivy fs --cache-dir "${TRIVY_CACHE_DIR}" --skip-db-update --timeout 5m --no-progress --format json --output build/trivy-fs.json --scanners vuln,secret,misconfig --severity HIGH,CRITICAL .
            trivy_rc=$?
            set -e
            if [ ! -s build/trivy-fs.json ]; then
--- a/dockerfiles/Dockerfile.quality-tools
+++ b/dockerfiles/Dockerfile.quality-tools
@ -3,6 +3,7 @@ FROM debian:bookworm-slim

 ARG SONAR_SCANNER_VERSION=8.0.1.6346
 ARG TRIVY_VERSION=0.70.0
+ENV TRIVY_CACHE_DIR=/opt/trivy-cache

 SHELL ["/bin/bash", "-o", "pipefail", "-c"]

@ -34,5 +35,9 @@ RUN set -eux; \
  trivy --version; \
  sonar-scanner -v

-WORKDIR /workspace
+RUN set -eux; \
+  mkdir -p "${TRIVY_CACHE_DIR}"; \
+  trivy image --download-db-only --cache-dir "${TRIVY_CACHE_DIR}"; \
+  chmod -R a+rX "${TRIVY_CACHE_DIR}"

+WORKDIR /workspace
--- a/services/logging/Jenkinsfile.data-prepper
+++ b/services/logging/Jenkinsfile.data-prepper
@ -16,7 +16,7 @@ spec:
        - cat
      tty: true
    - name: quality-tools
-      image: registry.bstein.dev/bstein/quality-tools:sonar8.0.1-trivy0.70.0-arm64
+      image: registry.bstein.dev/bstein/quality-tools:sonar8.0.1-trivy0.70.0-db20260422-arm64
      command:
        - cat
      tty: true
@ -82,7 +82,7 @@ spec:
            set +e
            sonar-scanner "${args[@]}" | tee build/sonar-scanner.log
            sonar_rc=${PIPESTATUS[0]}
-            trivy fs --no-progress --format json --output build/trivy-fs.json --scanners vuln,secret,misconfig --severity HIGH,CRITICAL dockerfiles/Dockerfile.data-prepper services/logging/Jenkinsfile.data-prepper
+            trivy fs --cache-dir "${TRIVY_CACHE_DIR}" --skip-db-update --timeout 5m --no-progress --format json --output build/trivy-fs.json --scanners vuln,secret,misconfig --severity HIGH,CRITICAL dockerfiles/Dockerfile.data-prepper services/logging/Jenkinsfile.data-prepper
            trivy_rc=$?
            set -e
            printf '%s\n' "${sonar_rc}" > build/sonarqube-analysis.rc