The problem isn't that the master branch is not the latest, but rather that it's not possible to easily pin the version down to create appropriate docker images.
https://github.com/aquasecurity/trivy-plugin-aqua/blob/v0.125.0/plugin.yaml#L3
↑ as you can see here, the tag is v0.125.0 but in the plugin.yaml it is still v0.124.2
which means, installing the plugin using
is not possible, as it will ALWAYS install the old one (v0.124.2) instead (because of the old plugin.yaml). This is due to the fact that the plugin.yaml is updated after the release, instead of it being with the release.
As mentioned in my first message, using
does solve the issue, but as you can imagine, pinning versions based on temporary branches is not really advised. So we went with a manual installation instead for the time being.
The question is whether it is intended that the plugin.yaml is updated with a pull request after a release has been made. I know that GitHub has a file limit of 50MB (100MB) and recommends using releases (or LFS/BLOBs) instead; but we would like to have a reliable tag/release so we can pin the right version down using ?ref= and not by downloading it manually.
Hey hey! 😄
In our current Aqua setup we build a custom trivy image with the aqua plugin included.
For installing the plugin we pin the version by specifying the release tag in the URL (supported by the go-getter lib).
We realized that the specified plugin version in the plugin.yaml is always the version which was released before the pinned release.
Currently when installing the plugin with the latest release tag we get the wrong version of the plugin installed, due to the wrong pinned version.
Install of version 0.123.3 will actually install 0.121.2
See here:
https://github.com/aquasecurity/trivy-plugin-aqua/blob/v0.123.2/plugin.yaml#L3
Is this a desired release behavior or a release bug? :)
Kind regards
Felix
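An added check, not from the issue or from the trivy-plugin-aqua project, that an image build can run before installing the plugin: it reads the `version:` field of the plugin.yaml fetched at the pinned tag and fails when it does not equal that tag, which would have caught the v0.125.0 / v0.124.2 mismatch described in the thread. The plugin.yaml contents below are constructed samples.

```shell
#!/bin/sh
# Added example (not the project's code): fail a build when the plugin.yaml
# shipped at a pinned tag still carries the previous release's version.

# Read the `version:` value from plugin.yaml text on stdin.
# Strips quotes, trailing comments/whitespace and a leading "v".
plugin_yaml_version() {
  sed -n 's/^version:[[:space:]]*//p' \
    | head -n 1 \
    | tr -d "\"'" \
    | sed 's/[[:space:]]*#.*$//; s/[[:space:]]*$//; s/^v//'
}

# check_pinned_plugin <tag> <plugin.yaml text>
# Returns 0 only when the manifest version equals the tag (leading "v" ignored).
check_pinned_plugin() {
  tag="$1"; yaml="$2"
  want=$(printf '%s' "$tag" | sed 's/^v//')
  got=$(printf '%s\n' "$yaml" | plugin_yaml_version)
  [ -n "$got" ] && [ "$got" = "$want" ]
}

# Constructed manifest reproducing the mismatch from the issue:
# tag v0.125.0 is checked out, but the manifest still says 0.124.2.
SAMPLE_STALE='name: aqua
repository: github.com/aquasecurity/trivy-plugin-aqua
version: "0.124.2"
usage: scan with aqua'

# Constructed manifest for the case where the release was cut correctly.
SAMPLE_OK='name: aqua
repository: github.com/aquasecurity/trivy-plugin-aqua
version: "0.125.0"
usage: scan with aqua'

# Typical use in a Dockerfile/build script (assumes plugin.yaml was fetched at the
# pinned ref, e.g. https://raw.githubusercontent.com/aquasecurity/trivy-plugin-aqua/<tag>/plugin.yaml):
#   check_pinned_plugin "v0.125.0" "$(cat plugin.yaml)" \
#     || { echo "plugin.yaml version does not match pinned tag" >&2; exit 1; }
```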