trivy_image_check.yaml

name: Trivy images check

env:
  MODULES_MODULE_NAME: ${{ vars.RENAMED_MODULE_NAME }}
  MODULES_MODULE_SOURCE: ${{ vars.DEV_MODULE_SOURCE }}
  PR_NUMBER: ${{ github.event.pull_request.number }}

on:
  pull_request:

jobs:
  test:
    name: Trivy images check
    runs-on: [self-hosted, regular]

    steps:
      - name: Detect platform and install Trivy
        run: |
          if ! command -v trivy &> /dev/null; then
            echo "Trivy is not installed. Installing..."
            VERSION=$(curl -sL https://api.github.com/repos/aquasecurity/trivy/releases/latest | jq -r ".tag_name")
            CLEAN_VERSION=${VERSION#v}
            OS=$(grep '^ID=' /etc/os-release | cut -d '=' -f 2 | tr -d '"')
          
            if [[ "$OS" == "ubuntu" ]] || [[ "$OS" == "debian" ]]; then
              wget https://github.com/aquasecurity/trivy/releases/download/$VERSION/trivy_${CLEAN_VERSION}_Linux-64bit.deb -O trivy.deb
              sudo dpkg -i trivy.deb
            elif [[ "$OS" == "rhel" ]] || [[ "$OS" == "centos" ]] || [[ "$OS" == "fedora" ]] || [[ "$OS" == "redos" ]]; then
              wget https://github.com/aquasecurity/trivy/releases/download/$VERSION/trivy_${CLEAN_VERSION}_Linux-64bit.rpm -O trivy.rpm
              sudo rpm -ivh trivy.rpm
            else
              echo "Unsupported Linux distribution: $OS"
              exit 1
            fi
          else
            echo "Trivy is already installed."
          fi

      - name: Run Trivy vulnerability scanner in image mode
        run: |
          success=1
          image_name=$MODULES_MODULE_SOURCE/$MODULES_MODULE_NAME
          image_name_with_tag=$MODULES_MODULE_SOURCE/$MODULES_MODULE_NAME:pr$PR_NUMBER
          crane export $image_name_with_tag | tar -xOf - images_digests.json | jq -c 'to_entries[]' | while read -r item; do
            key=$(echo "$item" | jq -r '.key')
            value=$(echo "$item" | jq -r '.value')

            echo 'Checking image '$key' '$value

            trivy image --quiet --format table $image_name@$value

            result=$(trivy image --quiet --format json $image_name@$value)

            vulnerabilities=$(echo "result" | jq '.Results[].Vulnerabilities | length' 2>/dev/null)

            if [ -z "vulnerabilities" ]; then
              echo "There are no vulnerabilities in image"
            else
              echo "There are vulnerabilities in image"
              success=0
            fi
          done

          if [[ $success -eq 0 ]]; then
            exit 1
          fi