From 1c574d891ce3ef709dab3a38d7c07a0a99e82c47 Mon Sep 17 00:00:00 2001
From: colin
Date: Wed, 27 Aug 2025 19:30:31 -0400
Subject: [PATCH] tests: add Trivy image scan script; ignore local .env
---
 .gitignore | 1 +
 test_trivy.sh | 56 +++++++++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 57 insertions(+)
 create mode 100644 .gitignore
 create mode 100755 test_trivy.sh
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..aa16e85
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+.envn
\ No newline at end of file
diff --git a/test_trivy.sh b/test_trivy.sh
new file mode 100755
index 0000000..e0f7b93
--- /dev/null
+++ b/test_trivy.sh
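Review bot: The pattern added to .gitignore reads `.envn`, which does not match the `.env` file the subject line says is being ignored, so a local `.env` (the usual home of credentials and API keys) would still be picked up by `git add .`; unless this is a transcription artefact of the patch text, the line should be `.env`. The file is also written without a trailing newline, so the next pattern appended with `>>` will be glued onto this one rather than start a new line.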
@@ -0,0 +1,56 @@
+#!/bin/bash
+
+set -Eeuo pipefail
+
+GREEN='\033[0;32m'
+RED='\033[0;31m'
+YELLOW='\033[0;33m'
+BLUE='\033[0;34m'
+NC='\033[0m'
+
+IMAGE=${1:-ploughshares:dev}
+SEVERITY=${TRIVY_SEVERITY:-HIGH,CRITICAL}
+EXIT_CODE=${TRIVY_EXIT_CODE:-1}
+IGNORE_UNFIXED=${IGNORE_UNFIXED:-1}
+TRIVY_TAG=${TRIVY_TAG:-latest}
+
+echo -e "${BLUE}Scanning image ${IMAGE} with Trivy (severity: ${SEVERITY})${NC}"
+echo "=================================================="
+
+if ! command -v docker >/dev/null 2>&1; then
+ echo -e "${RED}Docker is required to run Trivy via container.${NC}"
+ exit 2
+fi
+
+TRIVY_ARGS=(image "${IMAGE}" --severity "${SEVERITY}" --exit-code "${EXIT_CODE}" --no-progress)
+if [[ "${IGNORE_UNFIXED}" == "1" ]]; then
+ TRIVY_ARGS+=(--ignore-unfixed)
+fi
+
+if command -v trivy >/dev/null 2>&1; then
+ echo -e "${YELLOW}Using local trivy binary${NC}"
+ # shellcheck disable=SC2068
+ if trivy ${TRIVY_ARGS[@]}; then
+ echo -e "${GREEN}No ${SEVERITY} vulnerabilities found in ${IMAGE}.${NC}"
+ exit 0
+ else
+ echo -e "${RED}Vulnerabilities detected in ${IMAGE}.${NC}"
+ exit 1
+ fi
+else
+ echo -e "${YELLOW}Local trivy not found; using Docker image aquasec/trivy:${TRIVY_TAG}${NC}"
+ # Use Dockerized trivy
+ # shellcheck disable=SC2068
+ if docker run --rm \
+ -v /var/run/docker.sock:/var/run/docker.sock \
+ -e TRIVY_CACHE_DIR=/root/.cache/trivy \
+ aquasec/trivy:${TRIVY_TAG} ${TRIVY_ARGS[@]}; then
+ echo -e "${GREEN}No ${SEVERITY} vulnerabilities found in ${IMAGE}.${NC}"
+ exit 0
+ else
+ echo -e "${RED}Vulnerabilities detected in ${IMAGE}.${NC}"
+ exit 1
+ fi
+fi
+
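Review bot: The `command -v docker` check near the top of the script runs before the branch that looks for a local `trivy` binary, so a host with trivy installed but no Docker exits 2 even though the local path never touches Docker; the check belongs in the container fallback branch. Both invocations also expand `${TRIVY_ARGS[@]}` unquoted with SC2068 silenced, so an `IMAGE` or `SEVERITY` value containing whitespace is split into extra arguments — write `"${TRIVY_ARGS[@]}"` and drop the disable. Since the fallback mounts `/var/run/docker.sock` into the scanner container, the default `TRIVY_TAG=latest` hands that socket to whatever the mutable tag resolves to on the day; defaulting to a specific release (or a digest) keeps the scanner itself pinned. Note too that with the default `--exit-code 1` a scan that fails to run at all (image not present, database download failure) also returns non-zero and lands in the else branch as "Vulnerabilities detected"; a distinct default such as `EXIT_CODE=${TRIVY_EXIT_CODE:-3}` would let the script tell findings from scan errors. The rewrite below folds both paths into one command array and moves the Docker check into the fallback branch.
```shell
# … unchanged: shebang, set -Eeuo pipefail, colour constants, variable defaults, banner …
# … unchanged: TRIVY_ARGS construction and --ignore-unfixed handling …
if command -v trivy >/dev/null 2>&1; then
  echo -e "${YELLOW}Using local trivy binary${NC}"
  TRIVY_CMD=(trivy)
elif command -v docker >/dev/null 2>&1; then
  echo -e "${YELLOW}Local trivy not found; using Docker image aquasec/trivy:${TRIVY_TAG}${NC}"
  # The socket mount gives the scanner control of the host daemon; keep TRIVY_TAG pinned.
  TRIVY_CMD=(docker run --rm \
    -v /var/run/docker.sock:/var/run/docker.sock \
    -e TRIVY_CACHE_DIR=/root/.cache/trivy \
    "aquasec/trivy:${TRIVY_TAG}")
else
  echo -e "${RED}Neither a local trivy binary nor Docker is available.${NC}"
  exit 2
fi

if "${TRIVY_CMD[@]}" "${TRIVY_ARGS[@]}"; then
  echo -e "${GREEN}No ${SEVERITY} vulnerabilities found in ${IMAGE}.${NC}"
  exit 0
else
  echo -e "${RED}Vulnerabilities detected in ${IMAGE}.${NC}"
  exit 1
fi
```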