fix(vhd-scanning): install trivy from PMC with version pinning and Renovate tracking#8248
Merged
fix(vhd-scanning): install trivy from PMC with version pinning and Renovate tracking#8248
Conversation
djsly
requested review from
AbelHu,
Devinwong,
SriHarsha001,
awesomenix,
calvin197,
cameronmeissner,
ganeshkumarashok,
junjiezhang1997,
lilypan26,
mxj220,
pdamianov-dev,
phealy,
r2k1,
sulixu,
surajssd,
timmy-wright and
zachary-bailey
as code owners
Contributor
There was a problem hiding this comment.
Pull request overview
Updates the VHD post-build scanning script to stop downloading Trivy from GitHub releases and instead install it via the OS package manager (PMC-backed), then run scans using the system trivy binary.
Changes:
- Removed hardcoded Trivy version/arch and the GitHub
curl/tarinstall flow. - Added
install_trivy()to install Trivy viaapt(Ubuntu) ordnf(AzureLinux/Mariner). - Switched scan invocations from
./trivytotrivyand removed the local binary cleanup.
awesomenix
approved these changes
Apr 11, 2026
cameronmeissner
approved these changes
Apr 13, 2026
awesomenix
approved these changes
Apr 13, 2026
cameronmeissner
approved these changes
Apr 13, 2026
…novate tracking - Install trivy from Microsoft PMC prod repo for Ubuntu (apt) and AzureLinux (dnf) instead of downloading from GitHub releases - Pin to a specific version (TRIVY_VERSION) tracked by Renovate via the custom.deb2404 PMC datasource with deb versioning - Version is extracted (base version without deb suffix) and used for: - apt version pinning: trivy=<base_version>* - dnf version pinning: trivy-<base_version> - GitHub fallback for unsupported SKUs (CBLMariner, Flatcar, etc.) - Add dedicated Renovate custom manager for trivy-scan.sh with a working regex that correctly captures all annotation fields - Add Renovate package rule to assign trivy updates to the team Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
PMC trivy versions (e.g., 0.68.2) are Microsoft-internal builds that don't have matching GitHub release tags (upstream jumped from v0.26.0 to v0.69.2). The fallback install_trivy_from_github() was extracting the base version from TRIVY_DEB_2404_VERSION, causing 404 errors on Flatcar, ACL, and OSGuard SKUs. Add a dedicated TRIVY_GITHUB_VERSION variable pinned to an actual upstream release (0.69.2) with Renovate tracking via github-releases datasource. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
…eb versions - Add SHA256 checksum verification for GitHub fallback downloads using upstream trivy_<version>_checksums.txt - Use full deb version strings (e.g., 0.68.2-ubuntu24.04u7) for apt pinning instead of stripping the distro suffix with %%-* - Remove glob wildcard from apt_get_install version pin Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Remove anujmaheshwari1, add mxj220, pdamianov-dev, SriHarsha001. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
…den GitHub fallback - Replace individual user lists with Azure/aks-node-lifecycle GitHub team across all 6 Renovate package rules where nodesig members were listed - Add aquasecurity/trivy to trivy matchPackageNames for GitHub fallback coverage - Add explicit error handling (|| exit 1) to GitHub fallback download/verify steps Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Move the '# renovate:' comment for TRIVY_GITHUB_VERSION to be immediately above the variable assignment, which is the standard Renovate regex manager pattern. The descriptive comments are now above the annotation instead of between it and the version string. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
awesomenix
reviewed
Apr 16, 2026
awesomenix
reviewed
Apr 16, 2026
awesomenix
approved these changes
Apr 16, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Fixes trivy installation for VHD scanning by using PMC packages with version pinning and Renovate tracking, replacing the previous direct GitHub download approach.
Changes
trivy-scan.sh
apt_get_installwith exact version pinning from the pre-existing Microsoft PMC prod repo on the VHD. Each Ubuntu version has its own Renovate-tracked variable:TRIVY_DEB_2004_VERSION→ tracked viacustom.deb2004(Ubuntu 20.04 / focal)TRIVY_DEB_2204_VERSION→ tracked viacustom.deb2204(Ubuntu 22.04 / jammy)TRIVY_DEB_2404_VERSION→ tracked viacustom.deb2404(Ubuntu 24.04 / noble)dnf_installwith full NEVR pinning (trivy-0.68.2-7.azl3) from the cloud-native PMC repoTRIVY_RPM_VERSION→ tracked viarpmdatasource withregistryUrlpointing to AzureLinux 3.0 cloud-native repodataTRIVY_GITHUB_VERSIONpinned to an actual upstream GitHub release (0.69.2), tracked viagithub-releasesdatasource. PMC versions (0.68.x) are Microsoft-internal builds with no matching GitHub release tags, so the fallback version must be tracked independently.trivy__checksums.txt|| exit 1)./trivy→trivy(PMC installs to PATH).github/renovate.json
trivy-scan.shsupporting deb annotations (withversioning) and rpm annotations (withregistryUrl) via optional named capture groups. Also tracksTRIVY_GITHUB_VERSIONvia the standardgithub-releasesdatasource.trivy(PMC) andaquasecurity/trivy(GitHub fallback), assigns toAzure/aks-node-lifecycleteamAzure/aks-node-lifecycleGitHub team across all 6 Renovate package rules previously using manual user entriesHow Renovate tracking works
When PMC publishes a new trivy version:
custom.deb2004, updatesTRIVY_DEB_2004_VERSIONcustom.deb2204, updatesTRIVY_DEB_2204_VERSIONcustom.deb2404, updatesTRIVY_DEB_2404_VERSIONrpmdatasource against cloud-native repodata, updatesTRIVY_RPM_VERSIONgithub-releases, updatesTRIVY_GITHUB_VERSIONAzure/aks-node-lifecycleteam reviews and merges