tests: add Trivy image scan script; ignore local .env

2025-08-27 19:30:31 -04:00 · 2025-08-27 19:30:31 -04:00 · 1c574d891c
parent 5d60f54f9c
commit 1c574d891c
2 changed files with 57 additions and 0 deletions
--- a/.gitignore
+++ b/.gitignore
@ -0,0 +1 @@
+.envn
--- a/test_trivy.sh
+++ b/test_trivy.sh
@ -0,0 +1,56 @@
+#!/bin/bash
+
+set -Eeuo pipefail
+
+GREEN='\033[0;32m'
+RED='\033[0;31m'
+YELLOW='\033[0;33m'
+BLUE='\033[0;34m'
+NC='\033[0m'
+
+IMAGE=${1:-ploughshares:dev}
+SEVERITY=${TRIVY_SEVERITY:-HIGH,CRITICAL}
+EXIT_CODE=${TRIVY_EXIT_CODE:-1}
+IGNORE_UNFIXED=${IGNORE_UNFIXED:-1}
+TRIVY_TAG=${TRIVY_TAG:-latest}
+
+echo -e "${BLUE}Scanning image ${IMAGE} with Trivy (severity: ${SEVERITY})${NC}"
+echo "=================================================="
+
+if ! command -v docker >/dev/null 2>&1; then
+  echo -e "${RED}Docker is required to run Trivy via container.${NC}"
+  exit 2
+fi
+
+TRIVY_ARGS=(image "${IMAGE}" --severity "${SEVERITY}" --exit-code "${EXIT_CODE}" --no-progress)
+if [[ "${IGNORE_UNFIXED}" == "1" ]]; then
+  TRIVY_ARGS+=(--ignore-unfixed)
+fi
+
+if command -v trivy >/dev/null 2>&1; then
+  echo -e "${YELLOW}Using local trivy binary${NC}"
+  # shellcheck disable=SC2068
+  if trivy ${TRIVY_ARGS[@]}; then
+    echo -e "${GREEN}No ${SEVERITY} vulnerabilities found in ${IMAGE}.${NC}"
+    exit 0
+  else
+    echo -e "${RED}Vulnerabilities detected in ${IMAGE}.${NC}"
+    exit 1
+  fi
+else
+  echo -e "${YELLOW}Local trivy not found; using Docker image aquasec/trivy:${TRIVY_TAG}${NC}"
+  # Use Dockerized trivy
+  # shellcheck disable=SC2068
+  if docker run --rm \
+    -v /var/run/docker.sock:/var/run/docker.sock \
+    -e TRIVY_CACHE_DIR=/root/.cache/trivy \
+    aquasec/trivy:${TRIVY_TAG} ${TRIVY_ARGS[@]}; then
+    echo -e "${GREEN}No ${SEVERITY} vulnerabilities found in ${IMAGE}.${NC}"
+    exit 0
+  else
+    echo -e "${RED}Vulnerabilities detected in ${IMAGE}.${NC}"
+    exit 1
+  fi
+fi
+
+