Loading .gitlab-ci.yml +6 −14 Original line number Diff line number Diff line Loading @@ -58,22 +58,14 @@ scan: - if: $CI_PIPELINE_SOURCE == "schedule" && $CI_PIPELINE_SCHEDULE_DESCRIPTION == "Scan" stage: deploy tags: [ns4.shore.co.il] image: docker.io/docker:dind image: registry.shore.co.il/ci-images:docker before_script: - >- docker build --tag "${CI_PROJECT_NAME}:scan" --pull scan - apk add --update curl jq script: - mkdir --mode=777 output - >- docker run --env CI_JOB_URL --rm --volume "${PWD}/output:/output" "${CI_PROJECT_NAME}:scan" - cd scan - mkdir output - ./scan artifacts: paths: - output/*.log - scan/output/*.log timeout: 2h scan/.dockerignoredeleted 100644 → 0 +0 −3 Original line number Diff line number Diff line * !scan !*.yaml scan/Dockerfiledeleted 100644 → 0 +0 −15 Original line number Diff line number Diff line FROM registry.shore.co.il/ci-images:docker # hadolint ignore=DL3018 RUN apk add --update --no-cache \ curl \ jq \ && \ install -d -o root -g root -m 755 /etc/trivy && \ install -d -o root -g root -m 777 /output COPY --chown=root:root scan /usr/local/bin/ COPY --chown=root:root trivy*.yaml /etc/trivy/ VOLUME /output WORKDIR /etc/trivy CMD ["scan"] USER nobody ENV HOME /tmp scan/scan +18 −4 Original line number Diff line number Diff line Loading @@ -3,6 +3,19 @@ set -eu REGISTRY=registry.shore.co.il die() { echo "$@" >&2 exit 1 } blue () { printf '\e[1;94m%s\e[0m\n' "$@" >&2 } green () { printf '\e[1;92m%s\e[0m\n' "$@" >&2 } red () { printf '\e[1;91m%s\e[0m\n' "$@" >&2 } Loading @@ -22,7 +35,7 @@ scan () { local tag image="$1" tag="$2" if ! trivy image --output="/output/${image}:${tag}.log" "${REGISTRY}/${image}:${tag}" if ! trivy image --output="output/${image}:${tag}.log" "${REGISTRY}/${image}:${tag}" then if [ -z "${CI_JOB_URL:-}" ] then Loading @@ -32,7 +45,7 @@ scan () { fi echo else red "No vulnerabilities found in ${image}:${tag}." green "No vulnerabilities found in ${image}:${tag}." fi } Loading @@ -41,19 +54,20 @@ do command -v "$tool" >/dev/null || die "$tool is missing." done red "Updating the vulnerability database." blue "Updating the vulnerability database." trivy image \ --config=/dev/null \ --download-db-only \ --no-progress \ --skip-version-check \ ; mkdir --parents output for image in $(list_images) do for tag in $(list_tags "$image") do red "Scanning ${image}:${tag}." blue "Scanning ${image}:${tag}." scan "$image" "$tag" done done scan/trivy.yaml +1 −0 Original line number Diff line number Diff line Loading @@ -2,6 +2,7 @@ exit-code: 1 ignorefile: trivyignore.yaml quiet: true timeout: 1h db: no-progress: true Loading Loading
.gitlab-ci.yml +6 −14 Original line number Diff line number Diff line Loading @@ -58,22 +58,14 @@ scan: - if: $CI_PIPELINE_SOURCE == "schedule" && $CI_PIPELINE_SCHEDULE_DESCRIPTION == "Scan" stage: deploy tags: [ns4.shore.co.il] image: docker.io/docker:dind image: registry.shore.co.il/ci-images:docker before_script: - >- docker build --tag "${CI_PROJECT_NAME}:scan" --pull scan - apk add --update curl jq script: - mkdir --mode=777 output - >- docker run --env CI_JOB_URL --rm --volume "${PWD}/output:/output" "${CI_PROJECT_NAME}:scan" - cd scan - mkdir output - ./scan artifacts: paths: - output/*.log - scan/output/*.log timeout: 2h
scan/.dockerignoredeleted 100644 → 0 +0 −3 Original line number Diff line number Diff line * !scan !*.yaml
scan/Dockerfiledeleted 100644 → 0 +0 −15 Original line number Diff line number Diff line FROM registry.shore.co.il/ci-images:docker # hadolint ignore=DL3018 RUN apk add --update --no-cache \ curl \ jq \ && \ install -d -o root -g root -m 755 /etc/trivy && \ install -d -o root -g root -m 777 /output COPY --chown=root:root scan /usr/local/bin/ COPY --chown=root:root trivy*.yaml /etc/trivy/ VOLUME /output WORKDIR /etc/trivy CMD ["scan"] USER nobody ENV HOME /tmp
scan/scan +18 −4 Original line number Diff line number Diff line Loading @@ -3,6 +3,19 @@ set -eu REGISTRY=registry.shore.co.il die() { echo "$@" >&2 exit 1 } blue () { printf '\e[1;94m%s\e[0m\n' "$@" >&2 } green () { printf '\e[1;92m%s\e[0m\n' "$@" >&2 } red () { printf '\e[1;91m%s\e[0m\n' "$@" >&2 } Loading @@ -22,7 +35,7 @@ scan () { local tag image="$1" tag="$2" if ! trivy image --output="/output/${image}:${tag}.log" "${REGISTRY}/${image}:${tag}" if ! trivy image --output="output/${image}:${tag}.log" "${REGISTRY}/${image}:${tag}" then if [ -z "${CI_JOB_URL:-}" ] then Loading @@ -32,7 +45,7 @@ scan () { fi echo else red "No vulnerabilities found in ${image}:${tag}." green "No vulnerabilities found in ${image}:${tag}." fi } Loading @@ -41,19 +54,20 @@ do command -v "$tool" >/dev/null || die "$tool is missing." done red "Updating the vulnerability database." blue "Updating the vulnerability database." trivy image \ --config=/dev/null \ --download-db-only \ --no-progress \ --skip-version-check \ ; mkdir --parents output for image in $(list_images) do for tag in $(list_tags "$image") do red "Scanning ${image}:${tag}." blue "Scanning ${image}:${tag}." scan "$image" "$tag" done done
scan/trivy.yaml +1 −0 Original line number Diff line number Diff line Loading @@ -2,6 +2,7 @@ exit-code: 1 ignorefile: trivyignore.yaml quiet: true timeout: 1h db: no-progress: true Loading