fixup! fixup! fixup! fixup! fixup! fixup! fixup! fixup! fixup! fixup! fixup! fixup! fixup! perf: build frontend once on runner instead of in Docker

2026-06-05 22:53:53 +00:00 · 2026-01-04 03:18:49 +00:00
parent f86943b884
commit 3ecff61114
2 changed files with 22 additions and 5 deletions
@@ -93,24 +93,30 @@ data:
        low: {{ .Values.security.blockThresholds.low }}
      scanners:
        trivy:
-          enabled: {{ .Values.security.scanners.trivy.enabled }}
+          # Disabled in server config (no trivy binary), enabled via env var in scanner pod
+          enabled: false
          timeout: {{ .Values.security.scanners.trivy.timeout | quote }}
          cache_db: {{ .Values.security.scanners.trivy.cacheDb | quote }}
        osv:
+          # API-based scanner - works in both server and scanner pods
          enabled: {{ .Values.security.scanners.osv.enabled }}
          api_url: {{ .Values.security.scanners.osv.apiUrl | quote }}
          timeout: {{ .Values.security.scanners.osv.timeout | quote }}
        grype:
-          enabled: {{ .Values.security.scanners.grype.enabled }}
+          # Disabled in server config (no grype binary), enabled via env var in scanner pod
+          enabled: false
          timeout: {{ .Values.security.scanners.grype.timeout | quote }}
        govulncheck:
-          enabled: {{ .Values.security.scanners.govulncheck.enabled }}
+          # Disabled in server config (no go/govulncheck binary), enabled via env var in scanner pod
+          enabled: false
          timeout: {{ .Values.security.scanners.govulncheck.timeout | quote }}
        npm_audit:
-          enabled: {{ .Values.security.scanners.npmAudit.enabled }}
+          # Disabled in server config (no npm binary), enabled via env var in scanner pod
+          enabled: false
          timeout: {{ .Values.security.scanners.npmAudit.timeout | quote }}
        pip_audit:
-          enabled: {{ .Values.security.scanners.pipAudit.enabled }}
+          # Disabled in server config (no pip binary), enabled via env var in scanner pod
+          enabled: false
          timeout: {{ .Values.security.scanners.pipAudit.timeout | quote }}
        ghsa:
          enabled: {{ .Values.security.scanners.ghsa.enabled }}
@@ -109,6 +109,17 @@ spec:
        env:
        - name: CONFIG_FILE
          value: /etc/gohoarder/config.yaml
+        # Enable tool-based scanners only in scanner pod (server doesn't have the tools)
+        - name: GOHOARDER_SECURITY_SCANNERS_TRIVY_ENABLED
+          value: "{{ .Values.security.scanners.trivy.enabled }}"
+        - name: GOHOARDER_SECURITY_SCANNERS_GRYPE_ENABLED
+          value: "{{ .Values.security.scanners.grype.enabled }}"
+        - name: GOHOARDER_SECURITY_SCANNERS_GOVULNCHECK_ENABLED
+          value: "{{ .Values.security.scanners.govulncheck.enabled }}"
+        - name: GOHOARDER_SECURITY_SCANNERS_NPM_AUDIT_ENABLED
+          value: "{{ .Values.security.scanners.npmAudit.enabled }}"
+        - name: GOHOARDER_SECURITY_SCANNERS_PIP_AUDIT_ENABLED
+          value: "{{ .Values.security.scanners.pipAudit.enabled }}"
        {{- if and (eq .Values.metadata.backend "postgresql") .Values.metadata.postgresql.existingSecret }}
        - name: POSTGRES_USER
          valueFrom: