57 lines
1.5 KiB
Bash
Executable File
57 lines
1.5 KiB
Bash
Executable File
#!/bin/bash
|
|
|
|
set -Eeuo pipefail
|
|
|
|
GREEN='\033[0;32m'
|
|
RED='\033[0;31m'
|
|
YELLOW='\033[0;33m'
|
|
BLUE='\033[0;34m'
|
|
NC='\033[0m'
|
|
|
|
IMAGE=${1:-ploughshares:dev}
|
|
SEVERITY=${TRIVY_SEVERITY:-HIGH,CRITICAL}
|
|
EXIT_CODE=${TRIVY_EXIT_CODE:-1}
|
|
IGNORE_UNFIXED=${IGNORE_UNFIXED:-1}
|
|
TRIVY_TAG=${TRIVY_TAG:-latest}
|
|
|
|
echo -e "${BLUE}Scanning image ${IMAGE} with Trivy (severity: ${SEVERITY})${NC}"
|
|
echo "=================================================="
|
|
|
|
if ! command -v docker >/dev/null 2>&1; then
|
|
echo -e "${RED}Docker is required to run Trivy via container.${NC}"
|
|
exit 2
|
|
fi
|
|
|
|
TRIVY_ARGS=(image "${IMAGE}" --severity "${SEVERITY}" --exit-code "${EXIT_CODE}" --no-progress)
|
|
if [[ "${IGNORE_UNFIXED}" == "1" ]]; then
|
|
TRIVY_ARGS+=(--ignore-unfixed)
|
|
fi
|
|
|
|
if command -v trivy >/dev/null 2>&1; then
|
|
echo -e "${YELLOW}Using local trivy binary${NC}"
|
|
# shellcheck disable=SC2068
|
|
if trivy ${TRIVY_ARGS[@]}; then
|
|
echo -e "${GREEN}No ${SEVERITY} vulnerabilities found in ${IMAGE}.${NC}"
|
|
exit 0
|
|
else
|
|
echo -e "${RED}Vulnerabilities detected in ${IMAGE}.${NC}"
|
|
exit 1
|
|
fi
|
|
else
|
|
echo -e "${YELLOW}Local trivy not found; using Docker image aquasec/trivy:${TRIVY_TAG}${NC}"
|
|
# Use Dockerized trivy
|
|
# shellcheck disable=SC2068
|
|
if docker run --rm \
|
|
-v /var/run/docker.sock:/var/run/docker.sock \
|
|
-e TRIVY_CACHE_DIR=/root/.cache/trivy \
|
|
aquasec/trivy:${TRIVY_TAG} ${TRIVY_ARGS[@]}; then
|
|
echo -e "${GREEN}No ${SEVERITY} vulnerabilities found in ${IMAGE}.${NC}"
|
|
exit 0
|
|
else
|
|
echo -e "${RED}Vulnerabilities detected in ${IMAGE}.${NC}"
|
|
exit 1
|
|
fi
|
|
fi
|
|
|
|
|