From 0e2c6e09284f849e5b3075efa7e83b0ea238beec Mon Sep 17 00:00:00 2001
From: Ernest Wong
Date: Tue, 1 Jun 2021 09:18:36 -0700
Subject: [PATCH] ci: enable binary scanning with trivy

Signed-off-by: Ernest Wong
---
 .pipelines/templates/publish-images.yaml | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/.pipelines/templates/publish-images.yaml b/.pipelines/templates/publish-images.yaml
index 08ba613bf..9fd89860d 100644
--- a/.pipelines/templates/publish-images.yaml
+++ b/.pipelines/templates/publish-images.yaml
@@ -21,12 +21,13 @@ steps:
   - script: make docker-build
     displayName: make docker-build
   - script: |
-      wget https://github.com/aquasecurity/trivy/releases/download/v0.18.0/trivy_0.18.0_Linux-64bit.tar.gz
-      tar zxvf trivy_0.18.0_Linux-64bit.tar.gz
+      wget https://github.com/aquasecurity/trivy/releases/download/v0.18.3/trivy_0.18.3_Linux-64bit.tar.gz
+      tar zxvf trivy_0.18.3_Linux-64bit.tar.gz
       # show all vulnerabilities in the logs
+      ./trivy image --reset
       for IMAGE_NAME in "proxy" "proxy-init" "webhook"; do
         ./trivy "${REGISTRY}/${IMAGE_NAME}:${IMAGE_VERSION}"
-        ./trivy --exit-code 1 --ignore-unfixed --severity MEDIUM,HIGH,CRITICAL --vuln-type os "${REGISTRY}/${IMAGE_NAME}:${IMAGE_VERSION}" || exit 1
+        ./trivy --exit-code 1 --ignore-unfixed --severity MEDIUM,HIGH,CRITICAL "${REGISTRY}/${IMAGE_NAME}:${IMAGE_VERSION}" || exit 1
       done
     displayName: Scan images
   - script: |
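Review bot: The scanner binary that now gates the publish step is still downloaded and executed without any integrity check: the new `wget`/`tar zxvf trivy_0.18.3_Linux-64bit.tar.gz` lines pin a version but not a digest, so a swapped release asset would run with the pipeline's registry credentials and could silently pass every image. Pin the release tarball's checksum and verify it before extracting, e.g. `echo "<SHA256_OF_TRIVY_0.18.3_TARBALL_PLACEHOLDER>  trivy_0.18.3_Linux-64bit.tar.gz" | sha256sum -c -` inserted between the `wget` and the `tar` lines (with `set -euo pipefail` at the top of the script so a failed download or mismatch stops the step instead of falling through to the `|| exit 1` on the last scan). Dropping `--vuln-type os` on the gated scan is what actually turns on library scanning, so the commit message would be clearer if it said that, and a comment such as `# gate on OS and library (binary) vulns; the scan above is informational only` above the loop would explain why the same image is scanned twice.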