fix(vhd-scanning): install trivy via PMC with GitHub fallback for unsupported SKUs#8248

Open
djsly wants to merge 5 commits intomainfrom
djsly/37444537
Conversation

@djsly
Collaborator

@djsly djsly commented Apr 7, 2026

trivy-scan.sh downloaded trivy directly from GitHub releases with a hardcoded TRIVY_VERSION=0.69.2, bypassing package management and subject to rate limiting.

Changes

  • PMC install for Ubuntu: adds Microsoft PMC prod repo (packages.microsoft.com/ubuntu/${os_version}/prod) with modern gpg --dearmor + signed-by= keyring; GPG key download wrapped in retrycmd_if_failure
  • PMC install for AzureLinux: delegates to sourced dnf_install (from cse_helpers_mariner.sh via provision_source_distro.sh) which includes dnf_makecache on retry
  • GitHub fallback for SKUs without PMC packages (CBLMariner, Flatcar, AzureContainerLinux, AzureLinuxOSGuard): preserves original curl/tar flow, version configurable via TRIVY_VERSION env var (default 0.69.2)
  • Scan invocations changed from ./trivy to trivy; rm -f ./trivy at end is a no-op for PMC installs, cleanup for fallback
install_trivy() {
    case "$os_sku" in
        Ubuntu)      # apt via PMC prod repo + gpg --dearmor keyring
            ;;
        AzureLinux)  # dnf_install 5 1 60 trivy  (sourced, includes makecache)
            ;;
        *)           # GitHub release download (CBLMariner, Flatcar, ACL, OSGuard)
            ;;
    esac
}
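Added illustration, not code from this PR or from the AgentBaker repository: a stand-alone sketch of the install_trivy() flow described above, with the per-SKU dispatch, the signed-by keyring setup for the PMC prod repo, the retried GitHub fallback, and an optional pinned-digest check on the fallback tarball. The pure helpers (method lookup, codename parsing, source line, release URL) are separated out so they can be exercised without touching a real system. Assumptions: retrycmd_if_failure, apt_get_install and dnf_install are constructed stand-ins that only copy the `retries wait_sleep timeout ...` argument shape the page quotes; the PMC key URL, the upstream trivy release asset naming and the TRIVY_SHA256 variable are mine, not taken from the page.

```shell
#!/usr/bin/env bash
# Added example (not the AgentBaker PR's code): a stand-alone sketch of the
# install_trivy() flow the PR describes. Helper bodies are constructed stand-ins.
set -eu

TRIVY_VERSION="${TRIVY_VERSION:-0.69.2}"   # default quoted in the PR
TRIVY_SHA256="${TRIVY_SHA256:-}"           # assumed: optional pinned digest (placeholder, empty = skip)
PMC_KEY_URL="https://packages.microsoft.com/keys/microsoft.asc"   # assumed PMC signing key URL
PMC_KEYRING="/etc/apt/keyrings/microsoft-prod.gpg"

# Constructed stand-in for the page's retrycmd_if_failure helper:
# retrycmd_if_failure <retries> <wait_sleep> <timeout> <cmd...>
retrycmd_if_failure() {
    retries=$1; wait_sleep=$2; timeout_s=$3; shift 3
    attempt=1
    while [ "$attempt" -le "$retries" ]; do
        if timeout "$timeout_s" "$@"; then
            return 0
        fi
        echo "attempt $attempt/$retries failed: $*" >&2
        [ "$attempt" -lt "$retries" ] && sleep "$wait_sleep"
        attempt=$((attempt + 1))
    done
    return 1
}

# Stand-ins for the page's apt_get_install / dnf_install (same argument shape).
apt_get_install() { r=$1; w=$2; t=$3; shift 3; retrycmd_if_failure "$r" "$w" "$t" apt-get install -y "$@"; }
dnf_install()     { r=$1; w=$2; t=$3; shift 3; retrycmd_if_failure "$r" "$w" "$t" dnf install -y "$@"; }

# Pure: SKU -> install method, mirroring the PR's case statement.
trivy_install_method() {
    case "$1" in
        Ubuntu)     echo pmc-apt ;;
        AzureLinux) echo pmc-dnf ;;
        *)          echo github ;;   # CBLMariner, Flatcar, AzureContainerLinux, AzureLinuxOSGuard
    esac
}

# Pure: codename from an os-release file, preferring UBUNTU_CODENAME as the PR does.
ubuntu_codename_from_os_release() {
    code=$(sed -n 's/^UBUNTU_CODENAME=//p' "$1" | tr -d '"')
    [ -n "$code" ] || code=$(sed -n 's/^VERSION_CODENAME=//p' "$1" | tr -d '"')
    echo "$code"
}

# Pure: apt source line pinned to the PMC prod repo and to the dedicated keyring
# (signed-by= keeps that key from being trusted for any other repository).
pmc_apt_source_line() {   # <os_version> <codename> <deb_arch>
    echo "deb [arch=$3 signed-by=$PMC_KEYRING] https://packages.microsoft.com/ubuntu/$1/prod $2 main"
}

# Pure: uname -m -> label used in upstream trivy release asset names (assumed naming).
trivy_arch_label() {
    case "$1" in
        x86_64)        echo 64bit ;;
        aarch64|arm64) echo ARM64 ;;
        *)             echo "unsupported arch: $1" >&2; return 1 ;;
    esac
}
trivy_release_url() {   # <version> <arch_label>
    echo "https://github.com/aquasecurity/trivy/releases/download/v$1/trivy_$1_Linux-$2.tar.gz"
}

install_trivy_pmc_apt() {   # <os_version> <codename> <deb_arch>
    apt_get_install 5 1 60 ca-certificates curl gnupg
    mkdir -p /etc/apt/keyrings
    tmpkey=$(mktemp)
    retrycmd_if_failure 5 10 60 curl -fsSL "$PMC_KEY_URL" -o "$tmpkey"
    gpg --dearmor --yes -o "$PMC_KEYRING" < "$tmpkey"
    rm -f "$tmpkey"
    pmc_apt_source_line "$1" "$2" "$3" > /etc/apt/sources.list.d/microsoft-prod.list
    apt-get update
    apt_get_install 5 1 60 trivy
}

install_trivy_github() {   # <arch_label>
    tarball=trivy.tar.gz
    retrycmd_if_failure 5 10 60 curl -fsSL "$(trivy_release_url "$TRIVY_VERSION" "$1")" -o "$tarball"
    if [ -n "$TRIVY_SHA256" ]; then   # digest check only when a pin is supplied
        echo "$TRIVY_SHA256  $tarball" | sha256sum -c - || { rm -f "$tarball"; return 1; }
    fi
    tar -xzf "$tarball" trivy && rm -f "$tarball"
    export PATH="$(pwd):$PATH"   # lets the unqualified `trivy` command resolve, as the PR relies on
}

install_trivy() {   # uses os_sku / os_version as the VHD scripts set them
    case "$(trivy_install_method "$os_sku")" in
        pmc-apt) install_trivy_pmc_apt "$os_version" \
                     "$(ubuntu_codename_from_os_release /etc/os-release)" "$(dpkg --print-architecture)" ;;
        pmc-dnf) dnf_install 5 1 60 trivy ;;
        github)  install_trivy_github "$(trivy_arch_label "$(uname -m)")" ;;
    esac
}
```

Sourcing the file and calling install_trivy with os_sku and os_version set reproduces the three branches; the digest check in the fallback is the one step the PR's flow does not have, and it is what turns "download a release tarball" into a reproducible, pinned artifact when the SKU has no PMC package.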

Contributor

Copilot AI left a comment

Pull request overview

Updates the VHD post-build scanning script to stop downloading Trivy from GitHub releases and instead install it via the OS package manager (PMC-backed), then run scans using the system trivy binary.

Changes:

  • Removed hardcoded Trivy version/arch and the GitHub curl/tar install flow.
  • Added install_trivy() to install Trivy via apt (Ubuntu) or dnf (AzureLinux/Mariner).
  • Switched scan invocations from ./trivy to trivy and removed the local binary cleanup.

Replace the direct GitHub curl download of trivy with OS-native package
manager install (apt-get for Ubuntu, dnf for AzureLinux/Mariner).

Changes:
- Remove hardcoded TRIVY_VERSION and TRIVY_ARCH variables
- Add install_trivy() function using OS package managers (PMC)
- Replace ./trivy references with trivy (installed to PATH)
- Remove manual binary cleanup (rm ./trivy)
- Keep GO_ARCH detection for vuln-to-kusto-vhd binary

This eliminates GitHub rate-limiting issues and manual version bumps,
leveraging the trivy packages already available on PMC.

AB#37444537

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
- Ubuntu: install from PMC prod repo (deb packages)
- AzureLinux: install from PMC via dnf (azlinux3 RPMs)
- CBLMariner, Flatcar, AzureContainerLinux, AzureLinuxOSGuard:
  fall back to GitHub release download (no PMC packages available)
- Restore rm -f ./trivy cleanup for the GitHub fallback path

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Copilot AI review requested due to automatic review settings April 7, 2026 23:08
Contributor

Copilot AI left a comment

Pull request overview

Copilot reviewed 1 out of 1 changed files in this pull request and generated 3 comments.

- GitHub fallback: wrap curl with retrycmd_if_failure 5 10 60
- AzureLinux: add dnf_install helper with retry/timeout (matches
  apt_get_install pattern)
- Ubuntu: already uses apt_get_install with retries

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
- Ubuntu: replace deprecated apt-key with gpg --dearmor + signed-by
- Ubuntu: use /etc/os-release instead of lsb_release for codename
- Ubuntu: ensure ca-certificates, curl, gnupg are installed first
- GitHub fallback: make version configurable via TRIVY_VERSION env var

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Copilot AI review requested due to automatic review settings April 8, 2026 01:06
Contributor

Copilot AI left a comment

Pull request overview

Copilot reviewed 1 out of 1 changed files in this pull request and generated 2 comments.

- Remove local dnf_install() that shadowed the already-sourced helper
  from provision_source_distro.sh (cse_helpers_mariner.sh), which includes
  dnf_makecache on retry for better reliability
- Wrap Ubuntu GPG key download with retrycmd_if_failure for network
  resilience (curl to temp file, then gpg --dearmor)

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@djsly
Collaborator Author

djsly commented Apr 8, 2026

@copilot can you review

Contributor

Copilot AI commented Apr 8, 2026

@copilot can you review

The current state of the code looks good to me. Here's my review summary:

✅ All CI checks passing (validate-pull-request-source, golangci-lint, Lint Shell/Bash Scripts, Go Unit Tests, Shell/Bash Script Unit Tests, Validate Components, etc.)

✅ No new shellcheck issues — the only warnings (SC2034 BLOB_URL unused, SC2068/SC2145 in the pre-existing retrycmd_if_failure echo) are all pre-existing.

dnf_install 5 1 60 trivy correctly uses the function sourced from provision_source_distro.sh (cse_helpers_mariner.sh), which has the expected signature retries wait_sleep timeout ...packages and calls dnf_makecache on retry.

✅ Ubuntu PMC path — uses modern gpg --dearmor + signed-by= approach; gnupg installed before use; /etc/apt/keyrings created idempotently; GPG key download wrapped in retrycmd_if_failure 5 10 60.

✅ GitHub fallback: trivy binary extracted to $(pwd)/trivy; export PATH="$(pwd):$PATH" at line 211 makes it resolvable as trivy for all scan commands; TRIVY_VERSION is configurable via env var (defaults to 0.69.2); rm -f ./trivy at the end is a safe no-op for PMC installs and cleans up the GitHub-downloaded binary.

repo_codename detection via ${UBUNTU_CODENAME:-$VERSION_CODENAME} from /etc/os-release handles all supported Ubuntu versions (20.04/22.04/24.04).

No issues found — LGTM! 🚀

Copilot AI changed the title fix(vhd-scanning): install trivy from PMC instead of GitHub download fix(vhd-scanning): install trivy via PMC with GitHub fallback for unsupported SKUs Apr 8, 2026
Copilot finished work on behalf of djsly April 8, 2026 01:28