Merge pull request #726 from erikwilson/image-scan

Add full image scan to Drone CI (#714)
rancher · Feb 24, 2021 · d62f0c7 · d62f0c7
2 parents 4c1f873 + bab1f34
commit d62f0c7
Show file tree

Hide file tree

Showing 5 changed files with 59 additions and 20 deletions.
diff --git a/.drone.yml b/.drone.yml
@@ -9,16 +9,25 @@ platform:
 
 steps:
 - name: build-and-package
-  image: rancher/dapper:v0.5.3
+  image: rancher/dapper:v0.5.5
   commands:
   - docker pull --quiet rancher/hardened-build-base:v1.15.8b5
   - dapper -f Dockerfile --target dapper make dapper-ci
   volumes:
   - name: docker
     path: /var/run/docker.sock
 
+- name: scan
+  image: rancher/dapper:v0.5.5
+  failure: ignore
+  commands:
+  - dapper -f Dockerfile --target dapper make scan-images
+  volumes:
+  - name: docker
+    path: /var/run/docker.sock
+
 - name: test
-  image: rancher/dapper:v0.5.0
+  image: rancher/dapper:v0.5.5
   secrets: [ gcloud_auth ]
   environment:
     GCLOUD_AUTH:
@@ -197,7 +206,7 @@ platform:
 
 steps:
 - name: dispatch
-  image: rancher/dapper:v0.5.0
+  image: rancher/dapper:v0.5.5
   commands:
   - dapper -f Dockerfile --target dapper make dispatch
   environment:

diff --git a/Dockerfile b/Dockerfile
@@ -19,7 +19,7 @@ ENV ARCH $DAPPER_HOST_ARCH
 ENV DAPPER_OUTPUT ./dist ./bin ./build
 ENV DAPPER_DOCKER_SOCKET true
 ENV DAPPER_TARGET dapper
-ENV DAPPER_RUN_ARGS "--privileged --network host -v rke2-pkg:/go/pkg -v rke2-cache:/root/.cache/go-build"
+ENV DAPPER_RUN_ARGS "--privileged --network host -v rke2-pkg:/go/pkg -v rke2-cache:/root/.cache/go-build -v trivy-cache:/root/.cache/trivy"
 RUN if [ "${ARCH}" = "amd64" ] || [ "${ARCH}" = "arm64" ]; then \
         VERSION=0.19.0 OS=linux && \
         curl -sL "https://github.com/vmware-tanzu/sonobuoy/releases/download/v${VERSION}/sonobuoy_${VERSION}_${OS}_${ARCH}.tar.gz" | \
@@ -36,6 +36,16 @@ RUN set -x \
  && apk --no-cache add \
     jq \
     python2
+RUN VERSION=0.16.0 && \
+    if [ "${ARCH}" = "arm64" ]; then \
+    wget https://github.com/aquasecurity/trivy/releases/download/v${VERSION}/trivy_${VERSION}_Linux-ARM64.tar.gz && \
+    tar -zxvf trivy_${VERSION}_Linux-ARM64.tar.gz && \
+    mv trivy /usr/local/bin; \
+    else \
+    wget https://github.com/aquasecurity/trivy/releases/download/v${VERSION}/trivy_${VERSION}_Linux-64bit.tar.gz && \
+    tar -zxvf trivy_${VERSION}_Linux-64bit.tar.gz && \
+    mv trivy /usr/local/bin; \
+    fi
 WORKDIR /source
 # End Dapper stuff
 

diff --git a/Makefile b/Makefile
@@ -31,6 +31,10 @@ binary:                             	## Build only the binary using host go tool
 build-debug:                             ## Debug build using host go tools
 	GODEBUG=y ./scripts/build-binary
 
+.PHONY: scan-images
+scan-images:
+	./scripts/scan-images
+
 .PHONY: build-images
 build-images:                             ## Build all images and image tarballs (including airgap)
 	./scripts/build-images

diff --git a/scripts/scan-image-kubernetes b/scripts/scan-image-kubernetes
diff --git a/scripts/scan-images b/scripts/scan-images
@@ -0,0 +1,32 @@
+#!/usr/bin/env bash
+
+cd $(dirname $0)/..
+
+EXITCODE=0
+for IMAGE in $(cat build/images.txt); do
+  echo -e "\nScanning ${IMAGE}"
+  trivy image \
+    --format json \
+    --output trivy.json \
+    --exit-code 1 \
+    --severity ${SEVERITIES:-HIGH,CRITICAL} \
+    --no-progress \
+    --ignore-unfixed \
+    ${IMAGE}
+  RC=$?
+  if [ ${RC} -gt ${EXITCODE} ]; then
+    EXITCODE=${RC}
+  fi
+  if [ ${RC} -gt 0 ]; then
+    echo -e "\nSev\tPackage\tVulnID\tInstalled\tFixed"
+    jq -rc '.[0].Vulnerabilities[] | "\(.Severity)\t\(.PkgName)\t\(.VulnerabilityID)\t\(.InstalledVersion)\t\(.FixedVersion)"' trivy.json
+  fi
+  echo
+  rm trivy.json
+done
+
+if [ ${EXITCODE} -gt 0 ]; then
+  echo "VULNERABILITIES FOUND"
+fi
+
+exit ${EXITCODE}