verify trivy in build

anthony-nhs · anthony-nhs · commit 2b3b24e99b56 · 2026-03-20T17:56:22.000Z
diff --git a/.github/workflows/build_all_images.yml b/.github/workflows/build_all_images.yml
@@ -33,6 +33,35 @@ jobs:
             echo "node_24_languages=$node_24_language_folders"
             echo "projects=$project_folders"
           } >> "$GITHUB_OUTPUT"
+  download_trivy:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+      - name: Install cosign
+        run: |
+          ./scripts/install_cosign.sh
+        env:
+          INSTALL_DIR: ${HOME}/.local/bin
+      - name: Get amd64 trivy
+        run: |
+          ./scripts/install_trivy.sh
+        env:
+          INSTALL_DIR: trivy_amd64
+          ARCH: 64bit
+      - name: Get arm64 trivy
+        run: |
+          ./scripts/install_trivy.sh
+        env:
+          INSTALL_DIR: trivy_arm64
+          ARCH: ARM64
+      - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f
+        name: Upload trivy
+        with:
+          name: "trivy"
+          path: |
+            trivy_amd64/trivy
+            trivy_arm64/trivy
+
   package_base_docker_image:
     uses: ./.github/workflows/build_multi_arch_image.yml
     with:
diff --git a/.github/workflows/build_multi_arch_image.yml b/.github/workflows/build_multi_arch_image.yml
@@ -63,10 +63,14 @@ jobs:
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
         with:
           fetch-depth: 0
-      - name: setup trivy
-        uses: aquasecurity/setup-trivy@3fb12ec12f41e471780db15c232d5dd185dcb514
+      - name: Download trivy
+        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c
         with:
-          version: v0.69.3
+          name: trivy
+      - name: setup trivy
+        run: |
+          sudo cp "trivy/trivy_${ARCH}/trivy" /usr/local/bin/
+          chmod +x /usr/local/bin/trivy
       - name: setup node
         uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f
         with:
diff --git a/scripts/install_trivy.sh b/scripts/install_trivy.sh
@@ -4,9 +4,13 @@ set -euo pipefail
 DEFAULT_INSTALL_DIR="/usr/local/bin"
 INSTALL_DIR="${INSTALL_DIR:-$DEFAULT_INSTALL_DIR}"
 VERSION="v0.69.3"
+DEFAULT_ARCH="64bit"
+ARCH="${ARCH:-$DEFAULT_ARCH}"
+#trivy_0.69.3_Linux-64bit.tar.gz 
+#trivy_0.69.3_Linux-ARM64.tar.gz 
 RELEASE_NUMBER="${VERSION#v}"
 BASE_URL="https://github.com/aquasecurity/trivy/releases/download/${VERSION}"
-ARCHIVE="trivy_${RELEASE_NUMBER}_Linux-64bit.tar.gz"
+ARCHIVE="trivy_${RELEASE_NUMBER}_Linux-${ARCH}.tar.gz"
 BUNDLE="${ARCHIVE}.sigstore.json"
 CERT_IDENTITY="https://github.com/aquasecurity/trivy/.github/workflows/reusable-release.yaml@refs/tags/${VERSION}"
 
@@ -53,9 +57,8 @@ cosign verify-blob-attestation "${ARCHIVE_PATH}" \
 
 echo "Sigstore verification passed"
 tar -xzf "${ARCHIVE_PATH}" -C "${TMP_DIR}"
+
 mkdir -p "$INSTALL_DIR"
 install -m 0755 "$TMP_DIR/trivy" "${INSTALL_DIR}/trivy"
 
-"${INSTALL_DIR}/trivy" version
-
 echo "trivy ${VERSION} installed to ${INSTALL_DIR}"
