65 lines
1.9 KiB
Bash
65 lines
1.9 KiB
Bash
#!/bin/sh
|
|
|
|
TIMEOUT=${TIMEOUT:-120m}
|
|
SCANNERS=${SCANNERS:-vuln,misconfig,secret}
|
|
IGNORE_UNFIXED=${IGNORE_UNFIXED:-false}
|
|
LOW_PRIORITY=${LOW_PRIORITY:-true}
|
|
|
|
compare_scans() {
|
|
echo "Comparing scans..."
|
|
PREVIOUS_LOG="/log/previous_scan.log"
|
|
CURRENT_LOG="/log/trivy_scan.log"
|
|
SCAN_DATE=$(date +%Y.%m.%d)
|
|
DIFF_LOG="/log/scandiff.$SCAN_DATE.log"
|
|
|
|
if [ -f "$PREVIOUS_LOG" ]; then
|
|
echo "Previous scan log found. Comparing with current scan..."
|
|
diff $PREVIOUS_LOG $CURRENT_LOG > $DIFF_LOG
|
|
if [ $? -eq 0 ]; then
|
|
echo "No differences found between scans."
|
|
report_scan_results false
|
|
else
|
|
echo "Differences found. Check $DIFF_LOG for more details."
|
|
report_scan_results true
|
|
fi
|
|
else
|
|
echo "No previous scan log found. Treating all findings as new."
|
|
cp $CURRENT_LOG $DIFF_LOG
|
|
report_scan_results true
|
|
fi
|
|
|
|
|
|
# Archive current log as previous for next run
|
|
cp $CURRENT_LOG $PREVIOUS_LOG
|
|
}
|
|
|
|
report_scan_results() {
|
|
is_diff=$1
|
|
DIFF_LOG="/log/scandiff.$(date +%Y.%m.%d).log"
|
|
|
|
if [ "$is_diff" = true ]; then
|
|
echo "Scan differences detected:"
|
|
cat $DIFF_LOG
|
|
else
|
|
echo "No differences to report."
|
|
fi
|
|
}
|
|
|
|
run_scan() {
|
|
if [ "$LOW_PRIORITY" = "true" ]; then
|
|
echo "Running Trivy scan with low priority (nice 19)..."
|
|
nice -n 19 trivy filesystem --skip-update --timeout $TIMEOUT --scanners $SCANNERS $( [ "$IGNORE_UNFIXED" = "true" ] && echo '--ignore-unfixed' ) /mnt > $CURRENT_LOG
|
|
else
|
|
echo "Running Trivy scan..."
|
|
trivy filesystem --skip-update --timeout $TIMEOUT --scanners $SCANNERS $( [ "$IGNORE_UNFIXED" = "true" ] && echo '--ignore-unfixed' ) /mnt > $CURRENT_LOG
|
|
fi
|
|
}
|
|
|
|
# Archive existing log for comparison
|
|
if [ -f "/log/trivy_scan.log" ]; then
|
|
mv /log/trivy_scan.log /log/previous_scan.log
|
|
fi
|
|
|
|
run_scan
|
|
compare_scans
|