From b48ea205da9dc358641e5608d2b84b9a3b835e99 Mon Sep 17 00:00:00 2001
From: Adar Nimrod
Date: Sat, 21 Jun 2025 19:43:52 +0300
Subject: [PATCH] fixup! scan: Scan images daily for vulnerabilities.
---
 .gitlab-ci.yml | 20 ++++++--------------
 scan/.dockerignore | 3 ---
 scan/Dockerfile | 15 ---------------
 scan/scan | 22 ++++++++++++++++++----
 scan/trivy.yaml | 1 +
 5 files changed, 25 insertions(+), 36 deletions(-)
 delete mode 100644 scan/.dockerignore
 delete mode 100644 scan/Dockerfile
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index cb44650..2a7f0ee 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -58,22 +58,14 @@ scan:
 - if: $CI_PIPELINE_SOURCE == "schedule" && $CI_PIPELINE_SCHEDULE_DESCRIPTION == "Scan"
 stage: deploy
 tags: [ns4.shore.co.il]
- image: docker.io/docker:dind
+ image: registry.shore.co.il/ci-images:docker
 before_script:
- - >-
- docker build
- --tag "${CI_PROJECT_NAME}:scan"
- --pull
- scan
+ - apk add --update curl jq
 script:
- - mkdir --mode=777 output
- - >-
- docker run
- --env CI_JOB_URL
- --rm
- --volume "${PWD}/output:/output"
- "${CI_PROJECT_NAME}:scan"
+ - cd scan
+ - mkdir output
+ - ./scan
 artifacts:
 paths:
- - output/*.log
+ - scan/output/*.log
 timeout: 2h
diff --git a/scan/.dockerignore b/scan/.dockerignore
deleted file mode 100644
index 0e9700f..0000000
--- a/scan/.dockerignore
+++ /dev/null
@@ -1,3 +0,0 @@
-*
-!scan
-!*.yaml
diff --git a/scan/Dockerfile b/scan/Dockerfile
deleted file mode 100644
index c089b57..0000000
--- a/scan/Dockerfile
+++ /dev/null
@@ -1,15 +0,0 @@
-FROM registry.shore.co.il/ci-images:docker
-# hadolint ignore=DL3018
-RUN apk add --update --no-cache \
- curl \
- jq \
- && \
- install -d -o root -g root -m 755 /etc/trivy && \
- install -d -o root -g root -m 777 /output
-COPY --chown=root:root scan /usr/local/bin/
-COPY --chown=root:root trivy*.yaml /etc/trivy/
-VOLUME /output
-WORKDIR /etc/trivy
-CMD ["scan"]
-USER nobody
-ENV HOME /tmp
diff --git a/scan/scan b/scan/scan
index 5885ce3..db2886f 100755
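Review bot: With the scan/Dockerfile removed, `./scan` in the new `script` block runs directly in the job container as the default user of `registry.shore.co.il/ci-images:docker` — root, to judge by the `apk add` in `before_script` succeeding without `sudo` — so the `USER nobody` / `HOME /tmp` privilege drop the deleted Dockerfile provided is lost while trivy still pulls and unpacks image layers; either switch to an unprivileged account before `./scan` or leave a comment on the job stating why root is acceptable here. `- apk add --update curl jq` also installs unpinned packages on every scheduled run, so two runs of the same pipeline can use different tool versions; pinning (`curl=<version> jq=<version>`) keeps the daily scan reproducible. `- mkdir output` is redundant now that scan/scan creates the directory with `mkdir --parents output`, and the non-`-p` form fails on a runner whose checkout is not cleaned between runs, so it can be dropped.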
--- a/scan/scan
+++ b/scan/scan
@@ -3,6 +3,19 @@ set -eu
 REGISTRY=registry.shore.co.il
+die() {
+ echo "$@" >&2
+ exit 1
+}
+
+blue () {
+ printf '\e[1;94m%s\e[0m\n' "$@" >&2
+}
+
+green () {
+ printf '\e[1;92m%s\e[0m\n' "$@" >&2
+}
+
 red () {
 printf '\e[1;91m%s\e[0m\n' "$@" >&2
 }
@@ -22,7 +35,7 @@ scan () {
 local tag
 image="$1"
 tag="$2"
-if ! trivy image --output="/output/${image}:${tag}.log" "${REGISTRY}/${image}:${tag}"
+if ! trivy image --output="output/${image}:${tag}.log" "${REGISTRY}/${image}:${tag}"
 then
 if [ -z "${CI_JOB_URL:-}" ]
 then
@@ -32,7 +45,7 @@ scan () {
 fi
 echo
 else
-red "No vulnerabilities found in ${image}:${tag}."
+green "No vulnerabilities found in ${image}:${tag}."
 fi
 }
@@ -41,19 +54,20 @@ do
 command -v "$tool" >/dev/null || die "$tool is missing."
 done
-red "Updating the vulnerability database."
+blue "Updating the vulnerability database."
 trivy image \
 --config=/dev/null \
 --download-db-only \
 --no-progress \
 --skip-version-check \
 ;
+mkdir --parents output
 for image in $(list_images)
 do
 for tag in $(list_tags "$image")
 do
-red "Scanning ${image}:${tag}."
+blue "Scanning ${image}:${tag}."
 scan "$image" "$tag"
 done
 done
diff --git a/scan/trivy.yaml b/scan/trivy.yaml
index 8e7acc4..03ee123 100644
--- a/scan/trivy.yaml
+++ b/scan/trivy.yaml
@@ -2,6 +2,7 @@ exit-code: 1
 ignorefile: trivyignore.yaml
 quiet: true
+timeout: 1h
 db:
 no-progress: true
-- 
GitLab
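Review bot: `die()` is the odd one out in the new helper block: it uses `echo "$@"` and the `name() {` spelling, while `blue`, `green` and the existing `red` use `printf` and `name () {`. Routing it through the color helper makes failures stand out the same way other messages do and removes the `echo`-with-arbitrary-arguments wrinkle: `die () { red "$@"; exit 1; }` — shell functions resolve at call time, so `red` being defined further down is fine.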
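Review bot: `--output="output/${image}:${tag}.log"` is now relative to the caller's working directory, as are the `output/` directory created by `mkdir --parents output` in the last scan/scan hunk, the `trivy.yaml` trivy reads from its cwd by default and the `ignorefile: trivyignore.yaml` inside it, so the script only behaves when invoked the way `.gitlab-ci.yml` does (`cd scan && ./scan`); anchoring it with `cd "$(dirname "$0")"` near the top (outside this hunk) removes that dependency. Separately, if any name returned by `list_images` contains a `/`, the log path gains a subdirectory that `mkdir --parents output` never creates, trivy then cannot open its output file, and the `if !` branch reports that as findings rather than as a scan error; a flattened file name such as `output/$(printf '%s' "${image}" | tr / _):${tag}.log` avoids the ambiguity. The `scan ()` function begins before this hunk.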
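Review bot: `timeout: 1h` applies to each `trivy image` invocation, while `.gitlab-ci.yml` caps the whole job at `timeout: 2h`, so two slow images are enough for the runner to kill the loop in scan/scan before the remaining images are scanned. Trivy also reports a timeout through a non-zero exit, which `scan ()` cannot tell apart from findings, so a timed-out image is logged as vulnerable instead of as an incomplete scan. A shorter per-image value, e.g. `timeout: 15m`, or a job timeout sized to the image count keeps the daily schedule bounded; either way a comment next to the key noting its relationship to the job timeout would help the next reader.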