[CI] Add Trivy vulnerables check #5
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Trivy images check | |
| env: | |
| MODULES_MODULE_NAME: ${{ vars.RENAMED_MODULE_NAME }} | |
| MODULES_MODULE_SOURCE: ${{ vars.DEV_MODULE_SOURCE }} | |
| PR_NUMBER: ${{ github.event.pull_request.number }} | |
| on: | |
| pull_request: | |
| jobs: | |
| test: | |
| name: Trivy images check | |
| runs-on: [self-hosted, regular] | |
| steps: | |
| - name: Detect platform and install Trivy | |
| run: | | |
| if [[ "$RUNNER_OS" == "Linux" ]]; then | |
| OS=$(grep '^ID=' /etc/os-release | cut -d '=' -f 2 | tr -d '"') | |
| if [[ "$OS" == "ubuntu" ]] || [[ "$OS" == "debian" ]]; then | |
| VERSION=$(curl -sL https://api.github.com/repos/aquasecurity/trivy/releases/latest | jq -r ".tag_name") | |
| wget https://github.com/aquasecurity/trivy/releases/download/$VERSION/trivy_$VERSION_Linux-64bit.deb | |
| sudo dpkg -i trivy_$VERSION_Linux-64bit.deb | |
| elif [[ "$OS" == "rhel" ]] || [[ "$OS" == "centos" ]] || [[ "$OS" == "fedora" ]] || [[ "$OS" == "redos" ]]; then | |
| VERSION=$(curl -sL https://api.github.com/repos/aquasecurity/trivy/releases/latest | jq -r ".tag_name") | |
| wget https://github.com/aquasecurity/trivy/releases/download/$VERSION/trivy_$VERSION_Linux-64bit.rpm | |
| sudo rpm -ivh trivy_$VERSION_Linux-64bit.rpm | |
| else | |
| echo "Unsupported Linux distribution" | |
| exit 1 | |
| fi | |
| else | |
| echo "Unsupported OS" | |
| exit 1 | |
| fi | |
| - name: Run Trivy vulnerability scanner in image mode | |
| run: | | |
| success=1 | |
| image_name=$MODULES_MODULE_SOURCE/$MODULES_MODULE_NAME | |
| image_name_with_tag=$MODULES_MODULE_SOURCE/$MODULES_MODULE_NAME:pr$PR_NUMBER | |
| crane export $image_name_with_tag | tar -xOf - images_digests.json | jq -c 'to_entries[]' | while read -r item; do | |
| key=$(echo "$item" | jq -r '.key') | |
| value=$(echo "$item" | jq -r '.value') | |
| echo 'Checking image '$key' '$value | |
| trivy image --quiet --format table $image_name@$value | |
| result=$(trivy image --quiet --format json $image_name@$value) | |
| vulnerabilities=$(echo "result" | jq '.Results[].Vulnerabilities | length' 2>/dev/null) | |
| if [ -z "vulnerabilities" ]; then | |
| echo "There are no vulnerabilities in image" | |
| else | |
| echo "There are vulnerabilities in image" | |
| success=0 | |
| fi | |
| done | |
| if [[ $success -eq 0 ]]; then | |
| exit 1 | |
| fi |