Skip to content

fix(ci): fix Trivy grep reading wrong stdin in scan scripts#395

Open
mdryaan wants to merge 1 commit into
kubeslice:masterfrom
mdryaan:fix/trivy-script-grep-stdin-bug
Open

fix(ci): fix Trivy grep reading wrong stdin in scan scripts#395
mdryaan wants to merge 1 commit into
kubeslice:masterfrom
mdryaan:fix/trivy-script-grep-stdin-bug

Conversation

@mdryaan

@mdryaan mdryaan commented May 23, 2026

Copy link
Copy Markdown

Description

Both base-image-critical.sh and binary-image-critical.sh used a while read -r line loop that redirected the scan file to the loop's stdin. Inside the loop, grep -o "CRITICAL: [0-9]*" received no file argument, so it consumed from that same shared stdin — not from $line, which was never passed to it. The CRITICAL summary was consumed by read on the first iteration; grep saw nothing and returned empty. $sum was always 0 and the security gate never triggered regardless of actual CVE counts.

Fixed by removing the while read loop entirely and passing the scan file directly to grep as a file argument. All matches are captured in one pass; the
existing for i in $x loop sums them correctly.

Fixes #394

How Has This Been Tested?

  • Created /tmp/final.txt containing CRITICAL: 5, HIGH: 12, MEDIUM: 3, LOW: 1
  • Old code: base image critical value is 0 — gate does not fire (bug confirmed)
  • Fixed script: base image critical value is 5 + CRITICAL vulnerabilities found + Exit code: 1 — gate fires correctly (fix verified)

- The before line: OLD: base image critical value is 0 (expected 5)

Screenshot 2026-05-24 044753

- The after lines: base image critical value is 5 + CRITICAL vulnerabilities found + Exit code: 1

Screenshot 2026-05-24 044816

Checklist:

  • The title of the PR states what changed and the related issues number (used for the release note).
  • Does this PR requires documentation updates? — No.
  • I've updated documentation as required by this PR.
  • I have performed a self-review of my own code.
  • I have commented my code, particularly in hard-to-understand areas. — N/A.
  • I have tested it for all user roles. — N/A (CI script change).
  • I have added all the required unit test cases.

Does this PR introduce a breaking change for other components like worker-operator?

No

Fix Trivy CRITICAL vulnerability scan always reporting 0 — grep now reads the scan file directly instead of consuming the wrong stdin

Signed-off-by: mdryaan <alikhurshid4u@gmail.com>
@mdryaan mdryaan requested a review from that-backend-guy as a code owner May 23, 2026 23:23
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Bug: Trivy security gate always reports 0 CRITICAL vulnerabilities

1 participant