Add kube version argument (#118)

* Add option to specify Kube version and not use default of 1.20 * Update readme * add missing colon
equinixmetal-buildkite · Jan 14, 2025 · 52cf2f7 · 52cf2f7
1 parent 0a1e50b
commit 52cf2f7
Show file tree

Hide file tree

Showing 4 changed files with 29 additions and 0 deletions.
diff --git a/README.md b/README.md
@@ -167,6 +167,10 @@ To pass helm override values to trivy config scan
 
 Enable debug flag for trivy.
 
+### `kube-version` (Optional, string)
+
+Sets the `helm-kube-version` passed to trivy.
+
 ## Developing
 
 To run the tests:

diff --git a/hooks/post-command b/hooks/post-command
@@ -112,6 +112,11 @@ if [[ "${BUILDKITE_PLUGIN_TRIVY_IGNORE_UNFIXED:-false}" == true ]] ; then
   echo "ignore-unfixed is set. Will ignore unfixed vulnerabilities"
 fi
 
+if [[ -n "${BUILDKITE_PLUGIN_TRIVY_KUBE_VERSION:-}" ]] ; then
+  fsargs+=("--helm-kube-version" "${BUILDKITE_PLUGIN_TRIVY_KUBE_VERSION}")
+  echo "using non-default kube-version"
+fi
+
 if [[ -n "${BUILDKITE_PLUGIN_TRIVY_SCANNERS:-}" ]] ; then
   fsargs+=("--scanners" "${BUILDKITE_PLUGIN_TRIVY_SCANNERS}")
   echo "using $BUILDKITE_PLUGIN_TRIVY_SCANNERS scanners"

diff --git a/plugin.yml b/plugin.yml
@@ -34,4 +34,6 @@ configuration:
       type: string
     debug:
       type: boolean
+    kube-version:
+      type: string
   additionalProperties: false
diff --git a/tests/post-command.bats b/tests/post-command.bats
@@ -369,3 +369,21 @@ default_exit_code="--exit-code 1"
   unstub docker
   unstub buildkite-agent
 }
+
+@test "fs scan of a test app with kube-version 1.21" {
+  export BUILDKITE_PLUGIN_TRIVY_KUBE_VERSION="1.21"
+
+  stub trivy "fs $default_exit_code --helm-kube-version $BUILDKITE_PLUGIN_TRIVY_KUBE_VERSION --scanners vuln,misconfig . : echo fs scan success"
+  stub buildkite-agent "annotate --style success \"trivy didn't find any relevant vulnerabilities in the repository<br />\" --context trivy-fs-scan : echo fs scan success" \
+    "annotate --style success \"No container image was scanned due to a lack of an image reference. This is fine.<br />\" --context trivy-container-scan : echo no image scan happened" \
+
+  run "$PWD/hooks/post-command"
+
+  assert_success
+  assert_output --partial "scanning filesystem"
+  assert_output --partial "fs scan success"
+  assert_output --partial "no image scan happened"
+
+  unstub trivy
+  unstub buildkite-agent
+}