
#!/bin/bash
set -eo pipefail
build_report() {
set +e
$trivy_cmd --exit-code 0 --format template --template "@/$trivy_dir/contrib/junit.tpl" -o "$source_dir/trivy-report.xml" "$target"
RESULT=$?
set -e
if [ $RESULT -ne 0 ]; then
echo "Trivy command failed with default db, falling back to using ECR vuln db"
$trivy_cmd --db-repository public.ecr.aws/aquasecurity/trivy-db:2 --java-db-repository public.ecr.aws/aquasecurity/trivy-java-db:1 --exit-code 0 --format template --template "@/$trivy_dir/contrib/junit.tpl" -o "$source_dir/trivy-report.xml" "$target"
fi
#$trivy_cmd --exit-code 0 --format json -o "$source_dir/report.json" "$target"
}
#######################################
# Print the Trivy findings for $target to stdout and fail when there are any.
# --exit-code 1 makes trivy return non-zero once it reports findings, so this
# function's status is the enforcement gate (the main script currently keeps
# the call to it commented out).
# Globals:   trivy_cmd (read; a space-separated command string, word-split on
#            purpose), target (read)
# Returns:   trivy's exit status
#######################################
print_report_and_fail_on_vulnerabilities() {
  local scan_target=$target
  # shellcheck disable=SC2086 -- trivy_cmd is a deliberately word-split command string
  $trivy_cmd --exit-code 1 "$scan_target"
}
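# Positional arguments: the trivy sub-command to run and what to scan.
scan_cmd="$1"
target="$2"
if [[ -z "$scan_cmd" || -z "$target" ]]; then
  printf 'Usage: %s <repo|image> <target>\n' "${0##*/}" >&2
  exit 1
fi
# Scanner set per mode. Any other value is passed straight through to trivy
# as a sub-command with the full scanner set (kept for existing callers).
case "$scan_cmd" in
  repo) options="--scanners config,secret,vuln" ;;
  image) options="--scanners vuln" ;;
  *) options="--scanners vuln,config,secret" ;;
esac
# -u only from here on: $1/$2 above may legitimately be missing for the usage check.
set -u
# Trace every command (including the full trivy invocation) into the CI log.
set -x
SCRIPT_DIR=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
trivy_dir="${SCRIPT_DIR}/trivy"
# Fail early with a clear message instead of a "command not found" mid-scan.
[[ -x "$trivy_dir/trivy" ]] || { printf '%s\n' "trivy binary not found or not executable: $trivy_dir/trivy" >&2; exit 1; }
# One space-separated command string; the functions above word-split it on purpose,
# so none of its parts may contain spaces ($HOME included).
# Findings with status will_not_fix / fix_deferred are ignored, and the local
# rego policy filters further; the DB cache lives under $HOME/.trivycache.
trivy_cmd="$trivy_dir/trivy $scan_cmd --no-progress --ignore-status will_not_fix,fix_deferred --ignore-policy ${SCRIPT_DIR}/vulnerability-filter.rego --cache-dir $HOME/.trivycache $options" #--ignore-unfixed --severity HIGH,CRITICAL,MEDIUM
# Report goes into the CI checkout when CI_PROJECT_DIR is set, else next to trivy.
source_dir="${CI_PROJECT_DIR:-$trivy_dir}"
build_report
# Enforcement step is disabled: build_report runs with --exit-code 0, so the
# pipeline never fails on findings until this call is restored.
#print_report_and_fail_on_vulnerabilities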