add squash layers back in, add trivy

ci-scripts/download-trivy

@@ -0,0 +1,14 @@
+#!/bin/bash
+
+set -euo pipefail
+
+TRIVY_VERSION=$(wget -qO - "https://api.github.com/repos/aquasecurity/trivy/releases/latest" | grep '"tag_name":' | sed -E 's/.*"v([^"]+)".*/\1/')
+echo "$TRIVY_VERSION"
+SCRIPT_DIR=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
+trivy_dir="${SCRIPT_DIR}/trivy"
+rm -rf $trivy_dir
+mkdir $trivy_dir
+cd $trivy_dir
+wget --no-verbose "https://github.com/aquasecurity/trivy/releases/download/v${TRIVY_VERSION}/trivy_${TRIVY_VERSION}_Linux-64bit.tar.gz" -O - | tar -zxvf -
+
+cp "${SCRIPT_DIR}/junit.tpl" "${SCRIPT_DIR}/trivy/contrib/"

ci-scripts/gitlab-ci.template

@@ -127,6 +127,66 @@ test_{{ IMAGE.name1 }}_{{ IMAGE.name2 }}:
   retry: 1
 {% endfor %}
 
+######################################
+# Vulnerability Scans                #
+######################################
+{% for IMAGE in multiImages %}
+scan_{{ IMAGE.name1 }}_{{ IMAGE.name2 }}:
+  stage: scan
+  when: always
+  script:
+    - apk add bash
+    - (cd ci-scripts && bash download-trivy)
+    - bash ci/scan image ${ORG_NAME}/image-cache-private:$(arch)-core-{{ IMAGE.name1 }}-{{ IMAGE.name2 }}-${SANITIZED_BRANCH}-${CI_PIPELINE_ID}
+  {% if FILE_LIMITS %}only:
+    changes:
+      {% for FILE in files %}- {{ FILE }}
+      {% endfor %}{% for FILE in IMAGE.changeFiles %}- {{ FILE }}
+      {% endfor %}{% endif %}
+  except:
+    variables:
+      - $README_USERNAME
+      - $README_PASSWORD
+      - $DOCKERHUB_REVERT
+      - $REVERT_IS_ROLLING
+  needs:
+    - build_{{ IMAGE.name1 }}_{{ IMAGE.name2 }}
+  when: on_success
+  tags:
+    - oci-fixed-amd
+  retry: 1
+  parallel:
+    matrix:
+      - ARCH: [ "x86_64", "aarch64" ]
+{% endfor %}
+
+{% for IMAGE in singleImages %}
+scan_{{ IMAGE.name1 }}_{{ IMAGE.name2 }}:
+  stage: scan
+  when: always
+  script:
+    - apk add bash
+    - (cd ci-scripts && bash download-trivy)
+    - bash ci/scan image ${ORG_NAME}/image-cache-private:x86_64-core-{{ IMAGE.name1 }}-{{ IMAGE.name2 }}-${SANITIZED_BRANCH}-${CI_PIPELINE_ID}
+  {% if FILE_LIMITS %}only:
+    changes:
+      {% for FILE in files %}- {{ FILE }}
+      {% endfor %}{% for FILE in IMAGE.changeFiles %}- {{ FILE }}
+      {% endfor %}{% endif %}
+  except:
+    variables:
+      - $README_USERNAME
+      - $README_PASSWORD
+      - $DOCKERHUB_REVERT
+      - $REVERT_IS_ROLLING
+  needs:
+    - build_{{ IMAGE.name1 }}_{{ IMAGE.name2 }}
+  when: on_success
+  tags:
+    - oci-fixed-amd
+  retry: 1
+{% endfor %}
+
 ############################################
 # Manifest Containers if their test passed #
 ############################################

ci-scripts/junit.tpl

@@ -0,0 +1,31 @@
+<?xml version="1.0" ?>
+<testsuites name="trivy">
+{{- range . -}}
+{{- $failures := len .Vulnerabilities }}
+    <testsuite tests="{{ $failures }}" failures="{{ $failures }}" name="{{  .Target }}" errors="0" skipped="0" time="">
+    {{- if not (eq .Type "") }}
+        <properties>
+            <property name="type" value="{{ .Type }}"></property>
+        </properties>
+        {{- end -}}
+        {{ range .Vulnerabilities }}
+        <testcase classname="{{ .PkgName }}-{{ .InstalledVersion }}" file="{{ if .FixedVersion -}} Upgrade to {{ .FixedVersion }} {{- else -}} No solution provided  {{- end }}" name="[{{ .Vulnerability.Severity }}] {{ .VulnerabilityID }}" time="">
+            <{{ if .FixedVersion -}}error{{- else -}}skipped{{- end }}  message="{{ escapeXML .Title }}" type="description">Upgrade {{ .PkgName }} to {{ .FixedVersion }} - {{ escapeXML .Description }}</{{ if .FixedVersion -}}error{{- else -}}skipped{{- end }}>
+        </testcase>
+    {{- end }}
+    </testsuite>
+{{- $failures := len .Misconfigurations }}
+    <testsuite tests="{{ $failures }}" failures="{{ $failures }}" name="{{  .Target }}" errors="0" skipped="0" time="">
+    {{- if not (eq .Type "") }}
+        <properties>
+            <property name="type" value="{{ .Type }}"></property>
+        </properties>
+        {{- end -}}
+        {{ range .Misconfigurations }}
+        <testcase classname="{{ .Type }}" name="[{{ .Severity }}] {{ .ID }}" time="">
+            <error message="{{ escapeXML .Title }}" type="description">{{ escapeXML .Description }}</error>
+        </testcase>
+    {{- end }}
+    </testsuite>
+{{- end }}
+</testsuites>

ci-scripts/scan

@@ -0,0 +1,36 @@
+#!/bin/bash
+
+set -eo pipefail
+
+build_report() {
+  $trivy_cmd --exit-code 0 --format template --template "@/$trivy_dir/contrib/junit.tpl" -o "$source_dir/trivy-report.xml" "$target"
+  #$trivy_cmd --exit-code 0 --format json -o "$source_dir/report.json" "$target"
+}
+
+print_report_and_fail_on_vulnerabilities() {
+  $trivy_cmd --exit-code 1 "$target"
+}
+
+scan_cmd="$1"
+target="$2"
+if [[ -z "$scan_cmd" || -z "$target" ]]; then
+  echo >&2 "Usage: $(basename "$0") <repo|image> <target>"
+  exit 1
+fi
+
+case "$scan_cmd" in
+  repo) options="--scanners config,secret,vuln" ;;
+  image) options="--scanners vuln" ;;
+  *) options="--scanners vuln,config,secret" ;;
+esac
+
+set -u
+set -x
+
+SCRIPT_DIR=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
+trivy_dir="${SCRIPT_DIR}/trivy"
+trivy_cmd="$trivy_dir/trivy $scan_cmd --no-progress --cache-dir $HOME/.trivycache $options"
+source_dir="${CI_PROJECT_DIR:-$trivy_dir}"
+
+build_report
+#print_report_and_fail_on_vulnerabilities

dockerfile-kasm-core

@@ -172,8 +172,8 @@ COPY ./src/ubuntu/install/cleanup $INST_SCRIPTS/cleanup/
 RUN bash $INST_SCRIPTS/cleanup/cleanup.sh && rm -rf $INST_SCRIPTS/cleanup/
 
 #### Runtime Stage ####
-#FROM scratch
-#COPY --from=base_layer / /
+FROM scratch
+COPY --from=base_layer / /
 
 ### Labels
 LABEL "org.opencontainers.image.authors"='Kasm Tech "info@kasmweb.com"'