shore/registry-docker
Commit b48ea205, authored 1 month ago by nimrod
fixup! scan: Scan images daily for vulnerabilities.
parent: 6dbef841
Pipeline #4665 passed 17 hours ago (stages: deploy, .post)
Showing 5 changed files with 25 additions and 36 deletions:
.gitlab-ci.yml: 6 additions, 14 deletions
scan/.dockerignore: 0 additions, 3 deletions
scan/Dockerfile: 0 additions, 15 deletions
scan/scan: 18 additions, 4 deletions
scan/trivy.yaml: 1 addition, 0 deletions
.gitlab-ci.yml (+6 −14), view file @ b48ea205
@@ -58,22 +58,14 @@ scan:
-
if
:
$CI_PIPELINE_SOURCE == "schedule" && $CI_PIPELINE_SCHEDULE_DESCRIPTION == "Scan"
stage
:
deploy
tags
:
[
ns4.shore.co.il
]
image
:
docker.io/
docker
:dind
image
:
registry.shore.co.il/ci-images:
docker
before_script
:
-
>-
docker build
--tag "${CI_PROJECT_NAME}:scan"
--pull
scan
-
apk add --update curl jq
script
:
-
mkdir --mode=777 output
-
>-
docker run
--env CI_JOB_URL
--rm
--volume "${PWD}/output:/output"
"${CI_PROJECT_NAME}:scan"
-
cd scan
-
mkdir output
-
./scan
artifacts
:
paths
:
-
output/*.log
-
scan/
output/*.log
timeout
:
2h
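Review bot: running `./scan` directly in the `registry.shore.co.il/ci-images:docker` job image means the `USER nobody` and `ENV HOME /tmp` that the deleted scan/Dockerfile enforced no longer apply, so `apk add` and trivy now run as that image's default user; if that is root, either restore a privilege drop after the package install or say in the commit message why root is acceptable for this scheduled job. Minor: `apk add --update curl jq` lost the `--no-cache` the Dockerfile used, and the `artifacts` path `scan/output/*.log` only matches because `cd scan` precedes `./scan`; a comment next to the `cd` would make that coupling visible.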
scan/.dockerignore deleted (100644 → 0, +0 −3), view file @ 6dbef841
*
!scan
!*.yaml
scan/Dockerfile deleted (100644 → 0, +0 −15), view file @ 6dbef841
FROM
registry.shore.co.il/ci-images:docker
# hadolint ignore=DL3018
RUN
apk add
--update
--no-cache
\
curl
\
jq
\
&&
\
install
-d
-o
root
-g
root
-m
755 /etc/trivy
&&
\
install
-d
-o
root
-g
root
-m
777 /output
COPY
--chown=root:root scan /usr/local/bin/
COPY
--chown=root:root trivy*.yaml /etc/trivy/
VOLUME
/output
WORKDIR
/etc/trivy
CMD
["scan"]
USER
nobody
ENV
HOME /tmp
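Review bot: removing this Dockerfile also removes the `COPY --chown=root:root trivy*.yaml /etc/trivy/` and `WORKDIR /etc/trivy` pairing that guaranteed trivy picked up `trivy.yaml` and `trivyignore.yaml` (and with them `exit-code: 1`) from its working directory; the replacement relies on `cd scan` in .gitlab-ci.yml to put those files in the cwd, which works but is implicit. Passing `--config` explicitly from the scan script, as it already does with `--config=/dev/null` for the database download, would keep the job from silently running with trivy defaults if it is ever invoked from another directory.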
scan/scan (+18 −4), view file @ b48ea205
@@ -3,6 +3,19 @@ set -eu
REGISTRY
=
registry.shore.co.il
die
()
{
echo
"
$@
"
>
&2
exit
1
}
blue
()
{
printf
'\e[1;94m%s\e[0m\n'
"
$@
"
>
&2
}
green
()
{
printf
'\e[1;92m%s\e[0m\n'
"
$@
"
>
&2
}
red
()
{
printf
'\e[1;91m%s\e[0m\n'
"
$@
"
>
&2
}
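Review bot: the `\e` escape in the `printf` format strings of `blue`, `green` and `red` is not part of POSIX `printf` (only `\a \b \f \n \r \t \v \\` and octal `\ddd` are), so under a strict `/bin/sh` the colour codes can be printed literally; `'\033[1;94m%s\033[0m\n'` is the portable spelling. Also, with `"$@"` and a single `%s` the format is re-applied per argument, so a call with several arguments prints each on its own coloured line, whereas `die` joins them with `echo "$@"`; if that difference is intended, a one-line comment would save the next reader a surprise.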
@@ -22,7 +35,7 @@ scan () {
local
tag
image
=
"
$1
"
tag
=
"
$2
"
if
!
trivy image
--output
=
"
/
output/
${
image
}
:
${
tag
}
.log"
"
${
REGISTRY
}
/
${
image
}
:
${
tag
}
"
if
!
trivy image
--output
=
"output/
${
image
}
:
${
tag
}
.log"
"
${
REGISTRY
}
/
${
image
}
:
${
tag
}
"
then
if
[
-z
"
${
CI_JOB_URL
:-}
"
]
then
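Review bot: the `--output` path is now `output/${image}:${tag}.log` relative to the caller's cwd instead of the absolute `/output/...` the container used, so `scan` now depends on where it is invoked from; `cd scan` in .gitlab-ci.yml and the `mkdir --parents output` added further down cover the CI case, but if `list_images` can return a repository name containing `/` (nested registry paths), the log path gains a subdirectory that `mkdir --parents output` does not create and trivy will not be able to write the report. Guard with `mkdir -p "$(dirname "output/${image}:${tag}.log")"` before the `trivy image` call, or substitute `/` in `${image}` when building the file name.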
@@ -32,7 +45,7 @@ scan () {
fi
echo
else
re
d
"No vulnerabilities found in
${
image
}
:
${
tag
}
."
g
re
en
"No vulnerabilities found in
${
image
}
:
${
tag
}
."
fi
}
@@ -41,19 +54,20 @@ do
command
-v
"
$tool
"
>
/dev/null
||
die
"
$tool
is missing."
done
red
"Updating the vulnerability database."
blue
"Updating the vulnerability database."
trivy image
\
--config
=
/dev/null
\
--download-db-only
\
--no-progress
\
--skip-version-check
\
;
mkdir
--parents
output
for
image
in
$(
list_images
)
do
for
tag
in
$(
list_tags
"
$image
"
)
do
red
"Scanning
${
image
}
:
${
tag
}
."
blue
"Scanning
${
image
}
:
${
tag
}
."
scan
"
$image
"
"
$tag
"
done
done
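Review bot: the `;` left on its own line after the `--skip-version-check \` continuation is dead syntax; the backslash joins it onto the `trivy image` command line, which the shell accepts, but dropping the final `\` (or the `;`) is cleaner. `mkdir --parents` is the GNU long option; `mkdir -p` is the POSIX form and does not depend on the busybox build in the Alpine-based `ci-images:docker` image having long-option support. Switching the "Updating" and "Scanning" status lines from `red` to `blue` is the right call, since red was indistinguishable from actual findings in the job log.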
scan/trivy.yaml (+1 −0), view file @ b48ea205
@@ -2,6 +2,7 @@
exit-code
:
1
ignorefile
:
trivyignore.yaml
quiet
:
true
timeout
:
1h
db
:
no-progress
:
true
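Review bot: `timeout: 1h` bounds a single `trivy image` invocation, not the job: the scan script loops over every image and every tag sequentially, so the worst case is one hour per image:tag against the `timeout: 2h` set on the job in .gitlab-ci.yml, and two slow scans are enough to kill the run. Either choose a per-scan timeout small enough that the whole inventory fits in the job budget, or raise the job timeout, and consider `artifacts: when: always` on the job so the logs written before a timeout or a failing scan are still collected.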