colin
/
ntfy
1
0
Fork 0
Code Pull Requests Packages Activity

Update docker/trivy/start.sh

This commit is contained in:
colin 2024-01-20 21:16:53 +00:00
parent eaf9ef4009
commit 2e3fe96d53
1 changed files with 24 additions and 61 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

85
docker/trivy/start.sh
View File

@ -1,73 +1,36 @@
#!/bin/sh #!/bin/sh
TIMEOUT=${TIMEOUT:-120m} TIMEOUT=${TIMEOUT:-120m}
SCANNERS=${SCANNERS:-vuln,misconfig,secret} SCANNERS=("vuln" "config" "secret")
IGNORE_UNFIXED=${IGNORE_UNFIXED:-false} IGNORE_UNFIXED=${IGNORE_UNFIXED:-false}
LOW_PRIORITY=${LOW_PRIORITY:-true} LOW_PRIORITY=${LOW_PRIORITY:-true}
compare_scans() {
echo "Comparing scans..."
PREVIOUS_LOG="/log/previous_scan.log"
CURRENT_LOG="/log/trivy_scan.log"
SCAN_DATE=$(date +%Y.%m.%d)
DIFF_LOG="/log/scandiff.$SCAN_DATE.log"
# Check if CURRENT_LOG exists
if [ -f "$CURRENT_LOG" ]; then
if [ -f "$PREVIOUS_LOG" ]; then
echo "Previous scan log found. Comparing with current scan..."
if diff $PREVIOUS_LOG $CURRENT_LOG > $DIFF_LOG; then
echo "No differences found between scans."
report_scan_results false
else
echo "Differences found. Check $DIFF_LOG for more details."
report_scan_results true
fi
else
echo "No previous scan log found. Treating all findings as new."
cp $CURRENT_LOG $DIFF_LOG || { echo "Failed to copy $CURRENT_LOG to $DIFF_LOG"; exit 1; }
report_scan_results true
fi
# Archive current log as previous for next run
cp $CURRENT_LOG $PREVIOUS_LOG || { echo "Failed to copy $CURRENT_LOG to $PREVIOUS_LOG"; exit 1; }
else
echo "Current scan log ($CURRENT_LOG) not found. No scan performed."
exit 1
fi
}
report_scan_results() {
is_diff=$1
DIFF_LOG="/log/scandiff.$(date +%Y.%m.%d).log"
if [ "$is_diff" = true ]; then
echo "Scan differences detected:"
if [ -f "$DIFF_LOG" ]; then
cat $DIFF_LOG
else
echo "Differences log file $DIFF_LOG not found."
fi
else
echo "No differences to report."
fi
}
run_scan() { run_scan() {
if [ "$LOW_PRIORITY" = "true" ]; then for SCANNER in "${SCANNERS[@]}"; do
echo "Running Trivy scan with low priority (nice 19)..." CURRENT_LOG="/log/trivy_scan_${SCANNER}.log"
nice -n 19 trivy filesystem --skip-update --config $CURRENT_LOG --timeout $TIMEOUT --scanners $SCANNERS $( [ "$IGNORE_UNFIXED" = "true" ] && echo '--ignore-unfixed' ) /mnt if [ "$LOW_PRIORITY" = "true" ]; then
else nice -n 19 trivy filesystem --skip-update --timeout $TIMEOUT --scanners $SCANNER $( [ "$IGNORE_UNFIXED" = "true" ] && echo '--ignore-unfixed' ) /mnt > $CURRENT_LOG
echo "Running Trivy scan..." else
trivy filesystem --skip-update --config $CURRENT_LOG --timeout $TIMEOUT --scanners $SCANNERS $( [ "$IGNORE_UNFIXED" = "true" ] && echo '--ignore-unfixed' ) /mnt trivy filesystem --skip-update --timeout $TIMEOUT --scanners $SCANNER $( [ "$IGNORE_UNFIXED" = "true" ] && echo '--ignore-unfixed' ) /mnt > $CURRENT_LOG
fi fi
done
} }
# Archive existing log for comparison compare_scans() {
if [ -f "/log/trivy_scan.log" ]; then for SCANNER in "${SCANNERS[@]}"; do
mv /log/trivy_scan.log /log/previous_scan.log PREVIOUS_LOG="/log/previous_scan_${SCANNER}.log"
fi CURRENT_LOG="/log/trivy_scan_${SCANNER}.log"
SCAN_DATE=$(date +%Y.%m.%d)
DIFF_LOG="/log/scandiff_${SCANNER}_$SCAN_DATE.log"
if [ -f "$CURRENT_LOG" ]; then
if [ -f "$PREVIOUS_LOG" ]; then
diff $PREVIOUS_LOG $CURRENT_LOG > $DIFF_LOG
fi
cp $CURRENT_LOG $PREVIOUS_LOG
fi
done
}
run_scan run_scan
compare_scans compare_scans