fix: sbom-generate — image anchore/syft officielle + versions pinnées
ci/woodpecker/push/woodpecker Pipeline failed
- anchore/syft:v1.42.3 (remplace alpine:3.20 + curl-install latest)
- aquasec/trivy:0.69.3 (remplace :latest)
- Source explicite docker:g1flux:latest pour éviter le bug d'auto-détection Syft dans un container Woodpecker

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
+5
-5
@@ -45,20 +45,20 @@ steps:
|
||||
|
||||
# Etape 4a : Generation SBOM (Syft) depuis l'image locale
|
||||
# NOTE: volumes + pas de from_secret : compatible
|
||||
# Utilise l'image officielle anchore/syft pour eviter le bug d'auto-detection
|
||||
# de container (signal Go imprime en adresse memoire sur alpine + curl install)
|
||||
- name: sbom-generate
|
||||
image: alpine:3.20
|
||||
image: anchore/syft:v1.42.3
|
||||
volumes:
|
||||
- /var/run/docker.sock:/var/run/docker.sock
|
||||
commands:
|
||||
- apk add --no-cache curl
|
||||
- curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b /usr/local/bin latest
|
||||
- mkdir -p .reports
|
||||
- syft g1flux:latest -o cyclonedx-json --file .reports/sbom-app.cyclonedx.json
|
||||
- syft packages docker:g1flux:latest -o cyclonedx-json=.reports/sbom-app.cyclonedx.json
|
||||
- echo "SBOM genere"
|
||||
|
||||
# Etape 4b : Scan CVE (Trivy) depuis le SBOM
|
||||
- name: sbom-scan
|
||||
image: aquasec/trivy:latest
|
||||
image: aquasec/trivy:0.69.3
|
||||
volumes:
|
||||
- /home/syoul/trivy-cache:/root/.cache/trivy
|
||||
commands:
|
||||
|
||||
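Review bot: The two new `image:` lines pin a tag rather than content, so `anchore/syft:v1.42.3` and `aquasec/trivy:0.69.3` can still be re-pointed upstream, and the `sbom-generate` step runs that image with `/var/run/docker.sock` mounted, which hands it control of the host's Docker daemon. Pinning by digest closes that gap while keeping the tag readable, e.g. `image: anchore/syft:v1.42.3@sha256:<digest>`, and likewise for Trivy. Separately, `sbom-generate` still runs `mkdir -p .reports` and `echo` under `commands:`; as far as I know the official Syft image ships without a shell, so confirm that these commands can run in it or switch to a shell-capable variant of the image. `syft packages` is, as far as I recall, a deprecated alias of `syft scan`, so check it against the pinned version. The `sbom-scan` step continues past the end of the hunk, so its commands are not reviewed here.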