Use Docker Hardened Image for Trivy with official image fallback #66
sketch0395 merged 2 commits into main from
Conversation
…icial image fallback
Co-authored-by: sketch0395 <33059841+sketch0395@users.noreply.github.com>
Agent-Logs-Url: https://github.com/MetroStar/epyon/sessions/c4d0ad59-0140-4b26-bd46-7604d428af3a
Pull request overview
This PR updates Epyon's Trivy usage to prefer the Docker Hardened Image (`dhi/trivy:latest`) while retaining `aquasec/trivy:latest` as a fallback across scripts, workflows, and docs.
Changes:
- Added Trivy image selection logic in `run-trivy-scan.sh` and updated all Trivy runs to use the resolved image.
- Updated scan-manifest tool version detection and GitHub Actions workflows to try `dhi/trivy:latest` first with fallback.
- Updated documentation to reflect the new default + fallback behavior.
Reviewed changes
Copilot reviewed 7 out of 7 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| scripts/shell/run-trivy-scan.sh | Selects DHI Trivy image (with fallback) and uses it for all Trivy runs |
| scripts/shell/generate-scan-manifest.sh | Detects Trivy version via DHI first, then official fallback |
| .github/workflows/baseline-scan.yml | Pre-pulls DHI Trivy with official fallback |
| .github/workflows/epyon-scan.yml | Pre-pulls DHI Trivy with official fallback |
| README.md | Updates tool image table to show DHI Trivy + fallback |
| documentation/SCAN_MANIFEST_GUIDE.md | Updates Trivy version-detection example to include fallback |
| documentation/OFFLINE_AIR_GAPPED_SETUP.md | Adds dhi/trivy:latest to required offline images list |
Comments suppressed due to low confidence (1)
`scripts/shell/run-trivy-scan.sh:145`
`DB_UPDATE_RESULT=$?` is capturing the exit code of `tee`, not the `docker run` Trivy invocation, because the command is piped. If the container fails to run (e.g., image missing/pull denied), `tee` can still exit 0 and the script will incorrectly report a successful DB update. Use `set -o pipefail` (at least around this pipeline) and/or capture the `docker run` exit status via `${PIPESTATUS[0]}` so failures are detected reliably.
```bash
    "${TRIVY_IMAGE}" \
    image --download-db-only 2>&1 | tee -a "$SCAN_LOG"
DB_UPDATE_RESULT=$?
if [ $DB_UPDATE_RESULT -eq 0 ]; then
```
| @@ -377,7 +377,8 @@ Manifests include hashes for: | |||
| Tool versions are detected by running Docker containers: | |||
|
|
|||
| ```bash | |||
This fallback command uses || after a pipeline. In a default shell (without set -o pipefail), a failing docker run (or missing image) can still yield an overall success exit code because the last command in the pipeline (awk) often exits 0 on empty input, preventing the fallback from running. Consider rewriting the example to avoid pipelines in the || chain (or explicitly show set -o pipefail) so the documented fallback works as intended.
| ```bash | |
| ```bash | |
| set -o pipefail |
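Review bot: the `set -o pipefail` line shown here only protects the fallback when it runs in the same shell as the `... | awk ... || docker run aquasec/...` pipeline that the comment above describes; a reader who copies just the pipeline line out of the documented example still gets the silent-success behaviour, because `awk` exiting 0 on empty input masks the failed `docker run`. Keep the option on the line immediately before the pipeline inside the fenced example, or restructure the example so the `||` fallback does not depend on a pipeline's status at all (for instance, test the `docker run` result before piping into `awk`).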
Trivy was hardcoded to use `aquasec/trivy:latest`. This updates all Trivy invocations to prefer `dhi/trivy:latest` (Docker Hardened Image) and fall back to `aquasec/trivy:latest` when unavailable.
Changes
- `run-trivy-scan.sh` — Adds image selection at startup: checks local cache first, then attempts to pull `dhi/trivy:latest`, falls back to `aquasec/trivy:latest`. All internal Trivy `docker run` calls use the resolved `${TRIVY_IMAGE}` variable.
- `generate-scan-manifest.sh` — Trivy version detection tries `dhi/trivy:latest` first, falls back to `aquasec/trivy:latest`.
- `baseline-scan.yml` / `epyon-scan.yml` — Pre-pull step uses `(docker pull dhi/trivy:latest || docker pull aquasec/trivy:latest)`.
- Docs (`README.md`, `OFFLINE_AIR_GAPPED_SETUP.md`, `SCAN_MANIFEST_GUIDE.md`) — Updated to reflect DHI as primary image with official fallback.
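The selection policy described above (local cache, then `dhi/trivy:latest`, then `aquasec/trivy:latest`) and the exit-status problem Copilot raised on the DB-update pipeline, as one added example. This is not Epyon's `run-trivy-scan.sh`; it shows the same policy written so that no pipeline sits in the fallback chain, and a DB-update step that reports the status of `docker run` rather than `tee` using a temp-file capture that works in plain POSIX sh (no `PIPESTATUS`, no `pipefail`). The function names, the `DOCKER` override variable, the `--run` flag and the `update_trivy_db_naive` counter-example are assumptions of this example; only `${TRIVY_IMAGE}`, the image names and the `image --download-db-only` invocation come from the PR.

```shell
#!/bin/sh
# Added example (not Epyon's run-trivy-scan.sh): resolve the Trivy image with
# the PR's DHI-first policy and report the DB update's real exit status.
set -u

PRIMARY_IMAGE="${PRIMARY_IMAGE:-dhi/trivy:latest}"       # Docker Hardened Image, tried first
FALLBACK_IMAGE="${FALLBACK_IMAGE:-aquasec/trivy:latest}" # official image, used when DHI is unavailable
DOCKER="${DOCKER:-docker}"   # assumed override hook so the logic can be exercised without a daemon

# select_trivy_image: prints the first usable image, checking the local cache
# before pulling, and returns 1 when neither image can be obtained. No pipeline
# appears in the fallback chain, so the outcome does not depend on pipefail.
select_trivy_image() {
  img=""
  for img in "$PRIMARY_IMAGE" "$FALLBACK_IMAGE"; do
    if "$DOCKER" image inspect "$img" >/dev/null 2>&1; then
      echo "$img"; return 0           # already in the local cache
    fi
    if "$DOCKER" pull "$img" >/dev/null 2>&1; then
      echo "$img"; return 0           # pulled successfully
    fi
  done
  return 1
}

# update_trivy_db_naive IMAGE LOG: the pattern Copilot flagged. $? after the
# pipeline is tee's status, so a failed container still looks like success.
update_trivy_db_naive() {
  "$DOCKER" run --rm "$1" image --download-db-only 2>&1 | tee -a "$2"
  return $?
}

# update_trivy_db IMAGE LOG: same pipeline, but docker run's status is written
# to a temp file from inside the pipeline, so the caller sees the real result.
update_trivy_db() {
  status_file=$(mktemp)
  {
    if "$DOCKER" run --rm "$1" image --download-db-only 2>&1; then rc=0; else rc=$?; fi
    echo "$rc" >"$status_file"
  } | tee -a "$2"
  rc=$(cat "$status_file")
  rm -f "$status_file"
  return "$rc"
}

main() {
  TRIVY_IMAGE=$(select_trivy_image) || { echo "no Trivy image available" >&2; return 1; }
  echo "using ${TRIVY_IMAGE}"
  update_trivy_db "$TRIVY_IMAGE" "${SCAN_LOG:-trivy-scan.log}"
}

# Run only when invoked with --run, so sourcing the file has no side effects.
if [ "${1:-}" = "--run" ]; then
  main
fi
```

Setting `DOCKER` to a shell function that mimics the CLI (nothing cached, only the official image pullable, every `run` failing) makes the difference visible: `update_trivy_db_naive` returns 0 while `update_trivy_db` returns the container's non-zero status, which is exactly the case the suppressed comment describes.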