From c0e5df30d536fad2926de407d3bf2d90361f457d Mon Sep 17 00:00:00 2001
From: Brad Stein
Date: Tue, 21 Apr 2026 22:50:32 -0300
Subject: [PATCH] ci(quality): use preloaded scanner image
---
 Jenkinsfile | 4 ++--
 ci/Jenkinsfile.titan-iac | 4 ++--
 dockerfiles/Dockerfile.quality-tools | 7 ++++++-
 services/logging/Jenkinsfile.data-prepper | 4 ++--
 4 files changed, 12 insertions(+), 7 deletions(-)
diff --git a/Jenkinsfile b/Jenkinsfile
index 280c2d06..44f0d8f3 100644
--- a/Jenkinsfile
+++ b/Jenkinsfile
@@ -24,7 +24,7 @@ spec:
 - cat
 tty: true
 - name: quality-tools
- image: registry.bstein.dev/bstein/quality-tools:sonar8.0.1-trivy0.70.0-arm64
+ image: registry.bstein.dev/bstein/quality-tools:sonar8.0.1-trivy0.70.0-db20260422-arm64
 command:
 - cat
 tty: true
@@ -140,7 +140,7 @@ PY
 set -euo pipefail
 mkdir -p build
 set +e
- trivy fs --no-progress --format json --output build/trivy-fs.json --scanners vuln,secret,misconfig --severity HIGH,CRITICAL .
+ trivy fs --cache-dir "${TRIVY_CACHE_DIR}" --skip-db-update --timeout 5m --no-progress --format json --output build/trivy-fs.json --scanners vuln,secret,misconfig --severity HIGH,CRITICAL .
 trivy_rc=$?
 set -e
 if [ ! -s build/trivy-fs.json ]; then
diff --git a/ci/Jenkinsfile.titan-iac b/ci/Jenkinsfile.titan-iac
index 3e4e7734..2a93074e 100644
--- a/ci/Jenkinsfile.titan-iac
+++ b/ci/Jenkinsfile.titan-iac
@@ -23,7 +23,7 @@ spec:
 - cat
 tty: true
 - name: quality-tools
- image: registry.bstein.dev/bstein/quality-tools:sonar8.0.1-trivy0.70.0-arm64
+ image: registry.bstein.dev/bstein/quality-tools:sonar8.0.1-trivy0.70.0-db20260422-arm64
 command:
 - cat
 tty: true
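Review bot: `--skip-db-update` on the new trivy line freezes every scan on the vulnerability DB baked into the quality-tools image (the tag dates it db20260422), so findings silently go stale as the image ages and nothing in this step records which DB version produced build/trivy-fs.json; I'd add `trivy --cache-dir "${TRIVY_CACHE_DIR}" version` just before the scan so the build log captures the DB Version/UpdatedAt, and rebuild/retag the image on a fixed schedule. Note also that the image build only preloads the vulnerability DB, while `--scanners vuln,secret,misconfig` still fetches the misconfig checks bundle (and, as far as I recall, the Java DB when Java archives are present) at scan time unless `--skip-check-update` / `--skip-java-db-update` are passed too, so the scan is neither offline nor fully pinned. The same trivy line changes in ci/Jenkinsfile.titan-iac (@@ -139) and services/logging/Jenkinsfile.data-prepper (@@ -82); the shell step this hunk sits in starts and ends outside the hunk.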
@@ -139,7 +139,7 @@ PY set -euo pipefail mkdir -p build set +e - trivy fs --no-progress --format json --output build/trivy-fs.json --scanners vuln,secret,misconfig --severity HIGH,CRITICAL . + trivy fs --cache-dir "${TRIVY_CACHE_DIR}" --skip-db-update --timeout 5m --no-progress --format json --output build/trivy-fs.json --scanners vuln,secret,misconfig --severity HIGH,CRITICAL . trivy_rc=$? set -e if [ ! -s build/trivy-fs.json ]; then diff --git a/dockerfiles/Dockerfile.quality-tools b/dockerfiles/Dockerfile.quality-tools index dbf217ac..754605b7 100644 --- a/dockerfiles/Dockerfile.quality-tools +++ b/dockerfiles/Dockerfile.quality-tools @@ -3,6 +3,7 @@ FROM debian:bookworm-slim ARG SONAR_SCANNER_VERSION=8.0.1.6346 ARG TRIVY_VERSION=0.70.0 +ENV TRIVY_CACHE_DIR=/opt/trivy-cache SHELL ["/bin/bash", "-o", "pipefail", "-c"] @@ -34,5 +35,9 @@ RUN set -eux; \ trivy --version; \ sonar-scanner -v -WORKDIR /workspace +RUN set -eux; \ + mkdir -p "${TRIVY_CACHE_DIR}"; \ + trivy image --download-db-only --cache-dir "${TRIVY_CACHE_DIR}"; \ + chmod -R a+rX "${TRIVY_CACHE_DIR}" +WORKDIR /workspace diff --git a/services/logging/Jenkinsfile.data-prepper b/services/logging/Jenkinsfile.data-prepper index fb9c0c50..8b075530 100644 --- a/services/logging/Jenkinsfile.data-prepper +++ b/services/logging/Jenkinsfile.data-prepper @@ -16,7 +16,7 @@ spec: - cat tty: true - name: quality-tools - image: registry.bstein.dev/bstein/quality-tools:sonar8.0.1-trivy0.70.0-arm64 + image: registry.bstein.dev/bstein/quality-tools:sonar8.0.1-trivy0.70.0-db20260422-arm64 command: - cat tty: true 
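Review bot: The new RUN in dockerfiles/Dockerfile.quality-tools downloads the vulnerability DB but nothing verifies or records what was fetched, and `--download-db-only` leaves the Java DB out, so pipelines that pass `--skip-db-update` against this image will still reach the registry for the Java DB when they meet Java archives. I'd extend the chain with `trivy image --download-java-db-only --cache-dir "${TRIVY_CACHE_DIR}"; \` and finish it with `trivy --cache-dir "${TRIVY_CACHE_DIR}" version` so the build log captures the DB Version/UpdatedAt that the db20260422 tag is meant to stand for. `chmod -R a+rX` makes the cache readable but not writable; if this image is ever run as a non-root user, trivy may also try to write its artifact cache under the same directory and fail to open it, so the intent deserves a comment either way, e.g. `# DB is preloaded and read-only at scan time; pipelines must pass --skip-db-update`. The RUN whose tail appears as context at the top of the second hunk starts outside it.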
@@ -82,7 +82,7 @@ spec:
 set +e
 sonar-scanner "${args[@]}" | tee build/sonar-scanner.log
 sonar_rc=${PIPESTATUS[0]}
- trivy fs --no-progress --format json --output build/trivy-fs.json --scanners vuln,secret,misconfig --severity HIGH,CRITICAL dockerfiles/Dockerfile.data-prepper services/logging/Jenkinsfile.data-prepper
+ trivy fs --cache-dir "${TRIVY_CACHE_DIR}" --skip-db-update --timeout 5m --no-progress --format json --output build/trivy-fs.json --scanners vuln,secret,misconfig --severity HIGH,CRITICAL dockerfiles/Dockerfile.data-prepper services/logging/Jenkinsfile.data-prepper
 trivy_rc=$?
 set -e
 printf '%s\n' "${sonar_rc}" > build/sonarqube-analysis.rc