fixup! scan: Scan images daily for vulnerabilities.

.gitlab-ci.yml

@@ -58,22 +58,14 @@ scan:
     - if: $CI_PIPELINE_SOURCE == "schedule" && $CI_PIPELINE_SCHEDULE_DESCRIPTION == "Scan"
   stage: deploy
   tags: [ns4.shore.co.il]
-  image: docker.io/docker:dind
+  image: registry.shore.co.il/ci-images:docker
   before_script:
-    - >-
-      docker build
-      --tag "${CI_PROJECT_NAME}:scan"
-      --pull
-      scan
+    - apk add --update curl jq
   script:
-    - mkdir --mode=777 output
-    - >-
-      docker run
-      --env CI_JOB_URL
-      --rm
-      --volume "${PWD}/output:/output"
-      "${CI_PROJECT_NAME}:scan"
+    - cd scan
+    - mkdir output
+    - ./scan
   artifacts:
     paths:
-      - output/*.log
+      - scan/output/*.log
   timeout: 2h

scan/.dockerignore

-*
-!scan
-!*.yaml

scan/Dockerfile

-FROM registry.shore.co.il/ci-images:docker
-# hadolint ignore=DL3018
-RUN apk add --update --no-cache \
-        curl \
-        jq \
-    && \
-    install -d -o root -g root -m 755 /etc/trivy && \
-    install -d -o root -g root -m 777 /output
-COPY --chown=root:root scan /usr/local/bin/
-COPY --chown=root:root trivy*.yaml /etc/trivy/
-VOLUME /output
-WORKDIR /etc/trivy
-CMD ["scan"]
-USER nobody
-ENV HOME /tmp

scan/scan

@@ -3,6 +3,19 @@ set -eu
 
 REGISTRY=registry.shore.co.il
 
+die() {
+    echo "$@" >&2
+    exit 1
+}
+
+blue () {
+    printf '\e[1;94m%s\e[0m\n' "$@" >&2
+}
+
+green () {
+    printf '\e[1;92m%s\e[0m\n' "$@" >&2
+}
+
 red () {
     printf '\e[1;91m%s\e[0m\n' "$@" >&2
 }
@@ -22,7 +35,7 @@ scan () {
     local tag
     image="$1"
     tag="$2"
-    if ! trivy image --output="/output/${image}:${tag}.log" "${REGISTRY}/${image}:${tag}"
+    if ! trivy image --output="output/${image}:${tag}.log" "${REGISTRY}/${image}:${tag}"
     then
         if [ -z "${CI_JOB_URL:-}" ]
         then
@@ -32,7 +45,7 @@ scan () {
         fi
         echo
     else
-        red "No vulnerabilities found in ${image}:${tag}."
+        green "No vulnerabilities found in ${image}:${tag}."
     fi
 }
 
@@ -41,19 +54,20 @@ do
     command -v "$tool" >/dev/null || die "$tool is missing."
 done
 
-red "Updating the vulnerability database."
+blue "Updating the vulnerability database."
 trivy image \
     --config=/dev/null \
     --download-db-only \
     --no-progress \
     --skip-version-check \
     ;
+mkdir --parents output
 
 for image in $(list_images)
 do
     for tag in $(list_tags "$image")
     do
-        red "Scanning ${image}:${tag}."
+        blue "Scanning ${image}:${tag}."
         scan "$image" "$tag"
     done
 done

scan/trivy.yaml

@@ -2,6 +2,7 @@
 exit-code: 1
 ignorefile: trivyignore.yaml
 quiet: true
+timeout: 1h
 
 db:
   no-progress: true