Commit b48ea205 authored by nimrod's avatar nimrod

fixup! scan: Scan images daily for vulnerabilities.

parent 6dbef841
Pipeline #4665 passed
......@@ -58,22 +58,14 @@ scan:
- if: $CI_PIPELINE_SOURCE == "schedule" && $CI_PIPELINE_SCHEDULE_DESCRIPTION == "Scan"
stage: deploy
tags: [ns4.shore.co.il]
image: docker.io/docker:dind
image: registry.shore.co.il/ci-images:docker
before_script:
- >-
docker build
--tag "${CI_PROJECT_NAME}:scan"
--pull
scan
- apk add --update curl jq
script:
- mkdir --mode=777 output
- >-
docker run
--env CI_JOB_URL
--rm
--volume "${PWD}/output:/output"
"${CI_PROJECT_NAME}:scan"
- cd scan
- mkdir output
- ./scan
artifacts:
paths:
- output/*.log
- scan/output/*.log
timeout: 2h
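Review bot: The `- mkdir output` step under `script:` duplicates the `mkdir --parents output` the scan script now performs itself (see the scan hunk below), and unlike the script's `--parents` form it errors if the directory already exists, which may bite on a retried job with a reused workspace; dropping it and keeping `- cd scan` / `- ./scan` is enough. This page does not mark which side each line belongs to, so the unprefixed `image:`/`script:` lines are read here as the new job definition. Separately, `image: registry.shore.co.il/ci-images:docker` is a mutable tag for the job that produces the vulnerability reports; pinning it by digest, or a comment stating why a floating tag is wanted here, would make a given day's scan reproducible.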
*
!scan
!*.yaml
FROM registry.shore.co.il/ci-images:docker
# hadolint ignore=DL3018
RUN apk add --update --no-cache \
curl \
jq \
&& \
install -d -o root -g root -m 755 /etc/trivy && \
install -d -o root -g root -m 777 /output
COPY --chown=root:root scan /usr/local/bin/
COPY --chown=root:root trivy*.yaml /etc/trivy/
VOLUME /output
WORKDIR /etc/trivy
CMD ["scan"]
USER nobody
ENV HOME /tmp
......@@ -3,6 +3,19 @@ set -eu
REGISTRY=registry.shore.co.il
die() {
echo "$@" >&2
exit 1
}
blue () {
printf '\e[1;94m%s\e[0m\n' "$@" >&2
}
green () {
printf '\e[1;92m%s\e[0m\n' "$@" >&2
}
red () {
printf '\e[1;91m%s\e[0m\n' "$@" >&2
}
......@@ -22,7 +35,7 @@ scan () {
local tag
image="$1"
tag="$2"
if ! trivy image --output="/output/${image}:${tag}.log" "${REGISTRY}/${image}:${tag}"
if ! trivy image --output="output/${image}:${tag}.log" "${REGISTRY}/${image}:${tag}"
then
if [ -z "${CI_JOB_URL:-}" ]
then
......@@ -32,7 +45,7 @@ scan () {
fi
echo
else
red "No vulnerabilities found in ${image}:${tag}."
green "No vulnerabilities found in ${image}:${tag}."
fi
}
......@@ -41,19 +54,20 @@ do
command -v "$tool" >/dev/null || die "$tool is missing."
done
red "Updating the vulnerability database."
blue "Updating the vulnerability database."
trivy image \
--config=/dev/null \
--download-db-only \
--no-progress \
--skip-version-check \
;
mkdir --parents output
for image in $(list_images)
do
for tag in $(list_tags "$image")
do
red "Scanning ${image}:${tag}."
blue "Scanning ${image}:${tag}."
scan "$image" "$tag"
done
done
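Review bot: The `if ! trivy image --output="output/${image}:${tag}.log" …` test on the rewritten output line treats every non-zero exit as findings, so a failed image pull, a missing vulnerability DB or a hit of the new per-scan timeout is reported through the "vulnerabilities found" branch and the scheduled job still passes, hiding broken scans; `scan ()` starts outside the hunk. Trivy reserves `--exit-code` for findings and exits 1 on errors, so setting `exit-code: 2` in trivy.yaml and capturing the status lets the script tell the two apart (use a failure flag instead of `die` if the remaining images should still be scanned). Also, `\e` in the new `blue`/`green`/`red` printf formats is not a POSIX escape; `\033` behaves the same in bash, busybox ash and dash.
```sh
    # … unchanged: local image/tag assignments …
    local rc=0
    trivy image --output="output/${image}:${tag}.log" "${REGISTRY}/${image}:${tag}" || rc=$?
    # With `exit-code: 2` in trivy.yaml, status 1 is left for pull/DB/timeout errors.
    if [ "$rc" -eq 1 ]
    then
        die "Scanning ${image}:${tag} failed (trivy exit 1)."
    fi
    if [ "$rc" -ne 0 ]
    then
        # … unchanged: CI_JOB_URL report …
    else
        green "No vulnerabilities found in ${image}:${tag}."
    fi
```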
......@@ -2,6 +2,7 @@
exit-code: 1
ignorefile: trivyignore.yaml
quiet: true
timeout: 1h
db:
no-progress: true
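Review bot: The added `timeout: 1h` applies to each `trivy image` invocation, while the CI job that loops over every image and tag is capped at 2h, so two slow or hung scans can exhaust the job budget and every remaining image is then killed without a log; nothing documents that relationship. A comment next to the key, `# per-image scan timeout; the CI job that loops over all images is capped at 2h`, plus a value sized so that the expected image count fits inside the job limit, would make the budget explicit.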