2023-11-21 21:20:53 +01:00
|
|
|
#!/bin/bash
|
|
|
|
|
|
|
|
|
|
set -eo pipefail
|
|
|
|
|
|
|
|
|
|
build_report() {
|
|
|
|
|
$trivy_cmd --exit-code 0 --format template --template "@/$trivy_dir/contrib/junit.tpl" -o "$source_dir/trivy-report.xml" "$target"
|
|
|
|
|
#$trivy_cmd --exit-code 0 --format json -o "$source_dir/report.json" "$target"
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
print_report_and_fail_on_vulnerabilities() {
|
|
|
|
|
$trivy_cmd --exit-code 1 "$target"
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
scan_cmd="$1"
|
|
|
|
|
target="$2"
|
|
|
|
|
if [[ -z "$scan_cmd" || -z "$target" ]]; then
|
|
|
|
|
echo >&2 "Usage: $(basename "$0") <repo|image> <target>"
|
|
|
|
|
exit 1
|
|
|
|
|
fi
|
|
|
|
|
|
|
|
|
|
case "$scan_cmd" in
|
|
|
|
|
repo) options="--scanners config,secret,vuln" ;;
|
|
|
|
|
image) options="--scanners vuln" ;;
|
|
|
|
|
*) options="--scanners vuln,config,secret" ;;
|
|
|
|
|
esac
|
|
|
|
|
|
|
|
|
|
set -u
|
|
|
|
|
set -x
|
|
|
|
|
|
|
|
|
|
SCRIPT_DIR=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
|
|
|
|
|
trivy_dir="${SCRIPT_DIR}/trivy"
|
2023-11-22 16:51:05 +01:00
|
|
|
trivy_cmd="$trivy_dir/trivy $scan_cmd --no-progress --ignore-unfixed --ignore-policy ${SCRIPT_DIR}/vulnerability-filter.rego --cache-dir $HOME/.trivycache $options"
|
2023-11-21 21:20:53 +01:00
|
|
|
source_dir="${CI_PROJECT_DIR:-$trivy_dir}"
|
|
|
|
|
|
|
|
|
|
build_report
|
|
|
|
|
#print_report_and_fail_on_vulnerabilities
|
