

Rework trivy scanning in releases to upload report as an artifact
Signed-off-by: Derek Nola <[email protected]>
dereknola committed Oct 28, 2024
1 parent c0e7e1e commit adff014
Showing 2 changed files with 42 additions and 31 deletions.
15 changes: 12 additions & 3 deletions .github/workflows/release.yml
Expand Up @@ -52,9 +52,18 @@ jobs:
- name: Scan Images
continue-on-error: true
run: |
dapper -f Dockerfile --target dapper make scan-images
# This is a temporary workaround until the base image is updated
# in the Dockerfile to include the new trivy version that supports VEX
run: |
docker run --rm -v "$(pwd)/build:/build" -v "$(pwd):/workspace" \
-w /workspace rancher/hardened-build-base:v1.22.8b2 \
make scan-images
- name: Upload Scan Results
uses: actions/upload-artifact@v4
with:
name: release-trivy-scan
path: trivy_scan_report.txt

- name: Test
run: |
dapper -f Dockerfile --target dapper make test
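Review bot: The new Upload Scan Results step pins `actions/upload-artifact@v4` by a floating major tag, and the scan now runs inside `rancher/hardened-build-base:v1.22.8b2`, also a mutable tag; since this artifact is the vulnerability evidence for a release, pin the action to a full commit SHA (`uses: actions/upload-artifact@<commit-sha> # v4`) and the image to an `@sha256:<digest>`. Note also that the rewritten scripts/scan-images ends on an `echo` and no longer runs `exit ${EXITCODE}`, so the Scan Images step's status should no longer reflect findings (unless the script's first lines, which are outside this hunk, set `-e` and a command fails), leaving `continue-on-error: true` to absorb only scanner crashes. A comment such as `# Findings do not fail this step; review the release-trivy-scan artifact` on the step would make that intent explicit for whoever reads the release logs.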
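--- a/scripts/scan-images
+++ b/scripts/scan-images
@@ -2,35 +2,37 @@
 
 cd $(dirname $0)/..
 
-EXITCODE=0
-SCAN_OUTPUT="scan.json"
+SCAN_OUTPUT="trivy_scan_report.txt"
+rm "$SCAN_OUTPUT"
 
+# Download the Rancher OpenVEX Trivy report
+curl -fsSO https://raw.githubusercontent.com/rancher/vexhub/refs/heads/main/reports/rancher.openvex.json
+
 for IMAGE in $(cat build/images*.txt); do
-echo -e "\nScanning ${IMAGE}"
-trivy image \
---format json \
---output ${SCAN_OUTPUT} \
---exit-code 1 \
---security-checks vuln \
---severity ${SEVERITIES:-CRITICAL,HIGH} \
---ignore-unfixed \
---no-progress \
---quiet \
-${IMAGE}
-RC=$?
-if [ ${RC} -gt ${EXITCODE} ]; then
-EXITCODE=${RC}
-fi
-if [ ${RC} -gt 0 ]; then
-echo -e "\nSev\tPackage\tVulnID\tInstalled\tFixed"
-jq -rc 'try .Results[].Vulnerabilities[] | "\(.Severity)\t\(.PkgName)\t\(.VulnerabilityID)\t\(.InstalledVersion)\t\(.FixedVersion)"' ${SCAN_OUTPUT} | sort
-fi
-echo
-rm ${SCAN_OUTPUT}
+echo "Scanning image: $IMAGE"
+
+# Run Trivy scan and append the report to the output file
+trivy image "${IMAGE}" -q --no-progress \
+--severity ${SEVERITIES:-CRITICAL,HIGH} \
+--ignore-unfixed --show-suppressed \
+--vex rancher.openvex.json >> "$SCAN_OUTPUT"
+
+if [ "$1" = "dump-report" ]; then
+trivy image "${IMAGE}" -q --no-progress \
+--severity ${SEVERITIES:-CRITICAL,HIGH} \
+--ignore-unfixed \
+-f json \
+--exit-code 1 \
+--vex rancher.openvex.json > "temp.json"
+RC=$?
+if [ ${RC} -gt 0 ]; then
+echo -e "\nSev\tPackage\tVulnID\tInstalled\tFixed"
+jq -rc '.Results[].Vulnerabilities | select( . != null ) | .[] | "\(.Severity)\t\(.PkgName)\t\(.VulnerabilityID)\t\(.InstalledVersion)\t\(.FixedVersion)"' "temp.json" | sort
+echo
+fi
+fi
 done
 
-if [ ${EXITCODE} -gt 0 ]; then
-echo "VULNERABILITIES FOUND"
-fi
-
-exit ${EXITCODE}
+rm rancher.openvex.json
+[ "$1" = "dump-report" ] && rm temp.json
+echo "Trivy scan completed. Reports are saved in $SCAN_OUTPUT."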
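Review bot: `rm "$SCAN_OUTPUT"` at the top of the new script fails on a clean checkout where trivy_scan_report.txt does not exist yet, which prints a spurious error or, if the script's first lines (outside this hunk) set `-e`, aborts the run before any scan; `rm -f -- "$SCAN_OUTPUT"` is the intended form, and the same applies to `rm rancher.openvex.json` and `rm temp.json` at the end. The rewrite also drops `EXITCODE` and `exit ${EXITCODE}` and runs the report-producing scan without `--exit-code`, so the script now exits with the status of the final `echo`; the `RC` captured in the dump-report branch is never propagated either, so a caller cannot tell from the exit status that CRITICAL/HIGH findings were present. If that is deliberate for the release workflow, say so at the top of the script with `# Exits 0 even when vulnerabilities are found; findings are delivered via $SCAN_OUTPUT`. Because VEX statements suppress findings, fetching rancher.openvex.json from `refs/heads/main` at scan time makes report contents non-reproducible; pinning that URL to a commit, or checking the download against a known digest before passing it to `--vex`, would fix the suppression set for a given release.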
