fix(vhd-scanning): install trivy from PMC with version pinning and Renovate tracking #8248
Open
Conversation
Contributor
Pull request overview
Updates the VHD post-build scanning script to stop downloading Trivy from GitHub releases and instead install it via the OS package manager (PMC-backed), then run scans using the system trivy binary.
Changes:
- Removed hardcoded Trivy version/arch and the GitHub curl/tar install flow.
- Added install_trivy() to install Trivy via apt (Ubuntu) or dnf (AzureLinux/Mariner).
- Switched scan invocations from ./trivy to trivy and removed the local binary cleanup.
…novate tracking
- Install trivy from Microsoft PMC prod repo for Ubuntu (apt) and AzureLinux (dnf) instead of downloading from GitHub releases
- Pin to a specific version (TRIVY_VERSION) tracked by Renovate via the custom.deb2404 PMC datasource with deb versioning
- Version is extracted (base version without deb suffix) and used for:
  - apt version pinning: trivy=<base_version>*
  - dnf version pinning: trivy-<base_version>
- GitHub fallback for unsupported SKUs (CBLMariner, Flatcar, etc.)
- Add dedicated Renovate custom manager for trivy-scan.sh with a working regex that correctly captures all annotation fields
- Add Renovate package rule to assign trivy updates to the team
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
awesomenix approved these changes Apr 11, 2026
Problem
trivy-scan.sh downloaded trivy directly from GitHub releases with a hardcoded TRIVY_VERSION=0.69.2, bypassing package management and subject to rate limiting. The version was not tracked by Renovate.

Changes

trivy-scan.sh
- apt_get_install with version pinning (trivy=<base_version>*) from the pre-existing Microsoft PMC prod repo on the VHD. Each Ubuntu version has its own Renovate-tracked variable:
  - TRIVY_DEB_2004_VERSION → tracked via custom.deb2004 (Ubuntu 20.04 / focal)
  - TRIVY_DEB_2204_VERSION → tracked via custom.deb2204 (Ubuntu 22.04 / jammy)
  - TRIVY_DEB_2404_VERSION → tracked via custom.deb2404 (Ubuntu 24.04 / noble)
- dnf_install with full NEVR pinning (trivy-0.68.2-7.azl3) from the cloud-native PMC repo (enabled via installDeps)
  - TRIVY_RPM_VERSION → tracked via rpm datasource with registryUrl pointing to AzureLinux 3.0 cloud-native repodata
- TRIVY_DEB_2404_VERSION.
- ./trivy → trivy (PMC installs to PATH); rm -f ./trivy is a no-op for PMC, cleanup for fallback.

.github/renovate.json
- trivy-scan.sh supporting deb annotations (with versioning) and rpm annotations (with registryUrl) via optional named capture groups

How Renovate tracking works

When PMC publishes a new trivy version:
- custom.deb2004, updates TRIVY_DEB_2004_VERSION
- custom.deb2204, updates TRIVY_DEB_2204_VERSION
- custom.deb2404, updates TRIVY_DEB_2404_VERSION
- rpm datasource against cloud-native repodata, updates TRIVY_RPM_VERSION

Note: trivy is intentionally NOT in components.json since it is a scan-only binary used during VHD scanning, not a component cached on VHDs.
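As an added example (not the project's trivy-scan.sh), the shell below derives the apt and dnf pin specs described above from the Renovate-tracked version variables and checks, after install, that the binary on PATH reports the pinned base version. The version values and the /etc/os-release ID mapping are constructed assumptions.

```shell
#!/usr/bin/env bash
# Added example, not the project's trivy-scan.sh: build the pin specs the PR
# describes and verify the installed binary afterwards. Versions are constructed.
set -eu

TRIVY_DEB_2404_VERSION="0.69.2-1"    # constructed deb version (base + Debian revision)
TRIVY_RPM_VERSION="0.68.2-7.azl3"    # constructed rpm version-release

# Strip the deb revision suffix: "0.69.2-1" -> "0.69.2".
trivy_base_version() {
    printf '%s\n' "${1%%-*}"
}

# apt pin as used in the PR: trivy=<base_version>* (wildcard matches any deb revision).
apt_pin_spec() {
    printf 'trivy=%s*\n' "$(trivy_base_version "$1")"
}

# dnf pin with full NEVR: trivy-<version>-<release>, e.g. trivy-0.68.2-7.azl3.
dnf_pin_spec() {
    printf 'trivy-%s\n' "$1"
}

# Pick the pin spec from the /etc/os-release ID (assumed IDs: ubuntu, azurelinux, mariner).
# Unsupported IDs return non-zero so the caller can take the GitHub fallback path.
pin_spec_for_os() {
    case "$1" in
        ubuntu)             apt_pin_spec "$2" ;;
        azurelinux|mariner) dnf_pin_spec "$3" ;;
        *)                  echo "unsupported OS ID: $1" >&2; return 1 ;;
    esac
}

# Post-install check: the first line of "trivy --version" is "Version: X.Y.Z".
# The output is passed in as an argument so the check can run without trivy installed.
installed_version_matches() {
    expected="$1"
    reported="$(printf '%s\n' "$2" | sed -n 's/^Version: \([0-9][0-9.]*\).*/\1/p' | head -n 1)"
    [ "$reported" = "$expected" ]
}

# Usage on a real VHD (assumes root and the PMC apt repo already enabled):
#   apt-get install -y "$(apt_pin_spec "$TRIVY_DEB_2404_VERSION")"
#   installed_version_matches "$(trivy_base_version "$TRIVY_DEB_2404_VERSION")" "$(trivy --version)"
```

If the post-install check fails, the scan should abort rather than run with whatever version apt resolved, since the pin is what keeps the scanner version reproducible across VHD builds.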