Commit b48ea205 authored by nimrod's avatar nimrod
Browse files

fixup! scan: Scan images daily for vulnerabilities.

parent 6dbef841
Loading
Loading
Loading
Loading
Loading
+6 −14
Original line number Diff line number Diff line
@@ -58,22 +58,14 @@ scan:
    - if: $CI_PIPELINE_SOURCE == "schedule" && $CI_PIPELINE_SCHEDULE_DESCRIPTION == "Scan"
  stage: deploy
  tags: [ns4.shore.co.il]
  image: docker.io/docker:dind
  image: registry.shore.co.il/ci-images:docker
  before_script:
    - >-
      docker build
      --tag "${CI_PROJECT_NAME}:scan"
      --pull
      scan
    - apk add --update curl jq
  script:
    - mkdir --mode=777 output
    - >-
      docker run
      --env CI_JOB_URL
      --rm
      --volume "${PWD}/output:/output"
      "${CI_PROJECT_NAME}:scan"
    - cd scan
    - mkdir output
    - ./scan
  artifacts:
    paths:
      - output/*.log
      - scan/output/*.log
  timeout: 2h

scan/.dockerignore

deleted100644 → 0
+0 −3
Original line number Diff line number Diff line
*
!scan
!*.yaml

scan/Dockerfile

deleted100644 → 0
+0 −15
Original line number Diff line number Diff line
FROM registry.shore.co.il/ci-images:docker
# hadolint ignore=DL3018
RUN apk add --update --no-cache \
        curl \
        jq \
    && \
    install -d -o root -g root -m 755 /etc/trivy && \
    install -d -o root -g root -m 777 /output
COPY --chown=root:root scan /usr/local/bin/
COPY --chown=root:root trivy*.yaml /etc/trivy/
VOLUME /output
WORKDIR /etc/trivy
CMD ["scan"]
USER nobody
ENV HOME /tmp
+18 −4
Original line number Diff line number Diff line
@@ -3,6 +3,19 @@ set -eu

REGISTRY=registry.shore.co.il

die() {
    echo "$@" >&2
    exit 1
}

blue () {
    printf '\e[1;94m%s\e[0m\n' "$@" >&2
}

green () {
    printf '\e[1;92m%s\e[0m\n' "$@" >&2
}

red () {
    printf '\e[1;91m%s\e[0m\n' "$@" >&2
}
@@ -22,7 +35,7 @@ scan () {
    local tag
    image="$1"
    tag="$2"
    if ! trivy image --output="/output/${image}:${tag}.log" "${REGISTRY}/${image}:${tag}"
    if ! trivy image --output="output/${image}:${tag}.log" "${REGISTRY}/${image}:${tag}"
    then
        if [ -z "${CI_JOB_URL:-}" ]
        then
@@ -32,7 +45,7 @@ scan () {
        fi
        echo
    else
        red "No vulnerabilities found in ${image}:${tag}."
        green "No vulnerabilities found in ${image}:${tag}."
    fi
}

@@ -41,19 +54,20 @@ do
    command -v "$tool" >/dev/null || die "$tool is missing."
done

red "Updating the vulnerability database."
blue "Updating the vulnerability database."
trivy image \
    --config=/dev/null \
    --download-db-only \
    --no-progress \
    --skip-version-check \
    ;
mkdir --parents output

for image in $(list_images)
do
    for tag in $(list_tags "$image")
    do
        red "Scanning ${image}:${tag}."
        blue "Scanning ${image}:${tag}."
        scan "$image" "$tag"
    done
done
+1 −0
Original line number Diff line number Diff line
@@ -2,6 +2,7 @@
exit-code: 1
ignorefile: trivyignore.yaml
quiet: true
timeout: 1h

db:
  no-progress: true